LendingIQ logo

Use case #0003

Thin-File AI and Financial Inclusion: The Compliance Framework

Financial inclusion is not a regulatory concession — it is a regulatory objective. The ECB / EBA's targeted lending obligations guidelines, the EU basic banking access framework, and the EU SME guarantee programmes all express a consistent policy intention: that formal credit should reach the underserved, and that the institutions extending it should do so responsibly, transparently, and with appropriate borrower protection. The Thin-File AI is built to satisfy all three requirements simultaneously.

The Regulatory Context for Alternative Data Credit Scoring

The use of alternative data in credit decisioning is not unregulated — but the regulation is enabling rather than restrictive when the practices are sound. The ECB / EBA's open banking / PSD2 data framework, launched in 2021 and expanded significantly through 2023 and 2024, is the regulatory infrastructure that makes VAT and bank statement data available for credit decisioning with explicit, revocable borrower consent. The GSTN API for lenders provides access to VAT filing data with consent from the registered taxpayer. The GDPR 2023 governs the collection, processing, and storage of the personal and financial data that the Thin-File AI uses.

Each of these frameworks creates obligations — on consent collection, data minimisation, purpose limitation, and the borrower's right to explanation of automated decisions — that the Thin-File AI is designed from the ground up to satisfy. Compliance with the financial inclusion regulatory framework is not retrofitted onto the Thin-File AI. It is structural.

"The ECB / EBA's financial inclusion mandate and the GDPR's data protection requirements are not in tension. Both point toward the same architecture: consent-based data use, explainable automated decisions, and transparent borrower communication. The Thin-File AI is that architecture."

The Regulatory Framework — Mapped to Thin-File AI Practices

ECB / EBA / AA Framework

open banking / PSD2 aggregator Consent Architecture

ECB / EBA open banking / PSD2 aggregator Circular 2021 / bank-AA Directions

All financial data — bank statements, SEPA Instant history, investment accounts — must be accessed through the AA framework with explicit, informed, purpose-specific, revocable borrower consent. The Thin-File AI uses only bank-AA registered aggregators. Consent is purpose-limited to "credit assessment for this application" and expires on application closure. Borrowers may revoke consent at any stage and withdraw their application.

AA-licensed aggregator integration ✓ Purpose-specific consent collection ✓ Consent revocation pathway available ✓ Consent log maintained per application ✓
GSTN API

VAT Data Access via Borrower Consent

GSTN API for Lenders Framework · IT Act 69

VAT filing data is accessed via the GSTN's lender API infrastructure — which requires the registered VAT taxpayer to explicitly authorise access. The Thin-File AI collects this consent during onboarding, accesses only the data types authorised (turnover, filing dates, ITC — not invoice-level data), and does not retain raw VAT data beyond the processing period specified in the consent. GSTN data is used solely for credit assessment and not shared with third parties.

GSTN API integration with registered lender credentials ✓ Taxpayer consent obtained before any data pull ✓ Data minimisation — aggregate metrics only retained ✓ Raw data purged post-assessment ✓
GDPR 2023

Automated Decision Transparency and Borrower Rights

GDPR 6, 7, 11 — Automated Processing Obligations

The GDPR requires that when a significant decision about a person is made solely by automated means, the person must be informed and must be able to obtain a meaningful explanation. The Thin-File AI generates a plain-language explanation of every credit decision — approval or rejection — that specifies which data sources were used, which factors drove the outcome, and what the borrower can do to improve their score. Every borrower also has the right to request a human review of the automated decision within 30 days.

Plain-language decision explanation per application ✓ Data sources used disclosed per decision ✓ Actionable improvement guidance for rejections ✓ Human review request pathway — 30-day window ✓
ECB / EBA Fair Practices

Anti-Discrimination and Fairness in Alternative Data Scoring

ECB / EBA EBA consumer protection standards · Emerging AI Fairness Guidelines

Alternative data models carry a specific fairness risk: variables that appear neutral may be proxies for protected characteristics. VAT turnover is correlated with business sector; SEPA Instant inflow patterns may reflect regional economic cycles; utility payment history may reflect infrastructure availability rather than borrower discipline. The Thin-File AI's fairness audit checks monthly approval rates and score distributions by gender, geography, and religion-adjacent indicators — and flags any statistically significant disparity for model review.

Monthly proxy variable audit ✓ Gender approval rate parity monitored ✓ Geography approval rate benchmark ✓ Disparity escalation to Board Risk Committee ✓
targeted lending obligations

targeted lending Classification and Regulatory Credit Reporting

ECB / EBA targeted lending ECB guide / EBA guideline 2020 / SME Development Act

Thin-file loans to micro and small enterprises typically qualify as targeted lending obligations — a significant institutional benefit for banks and banks with targeted lending targets. The Thin-File AI automatically classifies each application by targeted lending eligibility (enterprise category, turnover threshold, borrower gender for the women micro-entrepreneur category) and generates the SME documentation package required for targeted lending reporting. This classification is verified against SME Udyam registration data where available.

Auto targeted lending classification per application ✓ Udyam registration verification ✓ Women entrepreneur category flag ✓ targeted lending reporting package for regulatory submission ✓

The Consent Architecture: How the AI Obtains and Manages Alternative Data Access

1
Consent Disclosure

Borrower Informed of All Data Sources Before Any Pull is Initiated

Before the Thin-File AI initiates any data retrieval, the borrower receives a plain-language disclosure listing every data source that will be accessed, the specific data types (VAT turnover and filing dates — not invoice details; bank balance and transaction categories — not full statement; SEPA Instant aggregate inflows — not individual transaction recipients), the purpose (credit assessment for this application only), and the retention period (raw data purged within 48 hours of decision; aggregate metrics retained for model monitoring for 3 years). Consent is granular: the borrower may consent to VAT and bank data but decline SEPA Instant / open banking, and the AI will work with the available consented data.

2
Consent Collection — Explicit and Recorded

OTP-Based Consent Confirmation — Logged With Timestamp and Application Reference

Consent is confirmed via OTP — the same phone number associated with the VAT registration and bank account. This creates a verifiable link between consent and identity. The consent record is stored with the application file: timestamp, OTP confirmation, data sources consented to, data sources declined, and the version of the consent disclosure shown. This record satisfies both the GDPR's explicit consent requirement and the AA framework's consent log obligation.

3
Data Access — Minimised, Purposeful, Time-Limited

Only Consented Data Retrieved · Only Aggregate Metrics Processed · Raw Data Purged

The AA aggregator and GSTN API pull only the specific data types consented to, for the specific time window specified (18 months bank, 8 quarters VAT, 12 months SEPA Instant / open banking). The raw data is processed within the Thin-File AI's secure environment to compute the 28 aggregated metrics that feed the scoring model. Raw transaction records are not stored after metric computation — only the computed metrics are retained. This is data minimisation in practice: the model needs the signal, not the source records.

4
Decision and Explanation

Every Decision Explained in Plain Language — With the Right to Human Review

Whether the application is approved or rejected, the borrower receives a plain-language explanation identifying the top factors that drove the decision, the specific metrics that were strongest and weakest, and — for rejections — the specific changes that would improve their score (e.g., "Bringing your average bank balance above €1.5L and maintaining VAT filing regularity for 4 more quarters would lift your Thin-File Score by approximately 35–45 points"). The right to human review is stated in every communication.

The What-If Explanation: Giving Rejected Borrowers a Genuine Path

The most powerful compliance feature in the Thin-File AI's borrower communication is the what-if improvement model. For every rejected application, the AI models the specific, quantified changes the borrower could make to their financial behaviour that would bring their Thin-File Score to the approval threshold. This is not a generic "improve your creditworthiness" message — it is a specific, personalised roadmap.

Rejection Improvement Roadmap — Application TF-2025-2841 (Declined — TFS 612)
VAT Filing Regularity
Current: 4 late in 8 quarters
Target: Max 1 late in 8 quarters
→ +28 points (achievable in 12 months)
Bank Balance Average
Current: €38,000 avg
Target: €80,000+ avg (3 months)
→ +18 points (achievable in 3 months)
SEPA Instant Inflow Consistency
Current: CoV 0.44 (volatile)
Target: CoV below 0.25
→ +12 points (business mix change needed)
VAT Turnover Trend
Current: Flat for 4 quarters
Target: Two consecutive growth quarters
→ +16 points (6–12 months)
Combined Impact
Current TFS: 612
Projected TFS: 686 (above 650 threshold)
→ Eligible in 12–18 months
5Regulatory frameworks addressed — AA, GSTN API, GDPR, Fair Practices, targeted lending
GranularConsent architecture — per data source, purpose-specific, revocable at any stage
48hrsRaw data purge window — only aggregated metrics retained post-assessment
targeted lendingAuto Priority Sector classification — qualifying thin-file loans reported for targeted lending targets

Responsible Inclusion Is the Only Sustainable Kind

The lender that extends thin-file credit without a sound consent architecture, explainable decisions, and fairness monitoring is not doing financial inclusion — it is creating a compliance liability and a reputational risk while charging a premium. The Thin-File AI's compliance framework is not the cost of doing inclusion responsibly. It is the structure that makes inclusion sustainable at scale: borrowers who understand their decisions, regulators who can inspect the practices, and a model that continuously checks whether it is treating all borrower populations fairly. Done this way, thin-file lending is not a risk the institution tolerates in pursuit of social impact. It is a soundly governed, regulatorily aligned, commercially viable expansion of the loan book into the market that every other lender has measured incorrectly and therefore missed.

← Back to Thin-File Credit Agent AI