The regulatory perimeter inside which AI-driven CRE credit decisions now have to operate, and the per-decision evidence the regulators ask for.
Every framework below is enforceable today or about to be. Velma evidence is the format both sides expect.
Sorted by soonest deadline first.
Largest data providers must enable consumer-authorized access to financial account data (including credit and lending data) with documented governance, security, and audit trails.
Open-banking data flows touch CRE underwriting and small-business lending. Tier 2 and 3 dates follow through 2030.
Final phase of the 2023 amendments (encryption, asset inventory, and access-control review) must be live across all NY-licensed entities including CRE lenders, CMBS originators, and special servicers.
NY DFS examiners now expect operational evidence on first request, with no remediation grace period.
Companies with > $1B in revenue doing business in California must disclose Scope 1, 2, and (from 2027) Scope 3 emissions, including building portfolio emissions for CRE owners and operators.
Pulls CRE asset performance into a new disclosure regime. Audit-grade attestation is the format regulators want.
Lenders originating 100–499 covered small-business credit transactions annually must begin reporting demographic and pricing data, with fair-lending evidence on demand.
Captures most non-bank CRE lenders to small operators. Brings algorithmic non-discrimination evidence into the smallest tier.
Member states must transpose the revised PLD into national law. AI-enabled financial-services software is treated as a product. Defect-based liability with reversed burden of proof in many cases.
Brings strict-liability exposure onto AI-driven CRE underwriting and portfolio-monitoring tools. Evidence of governance becomes the affirmative defense.
End of the first transition year. The 50% output floor begins biting. Internally-modelled CRE exposures cannot fall below 50% of standardised risk-weighted assets, rising annually through 2030.
EU bank CRE books recalibrate. Governed-model evidence is required to justify the internal-model output that determines the floor.
PRA's UK implementation of Basel III Endgame. Revised credit-risk capital standards for CRE exposures, market-risk framework, and operational-risk standardised approach take effect for all UK-regulated banks.
UK CRE-lending balance sheets recalculate under new risk weights. Governed model evidence drives the capital outcome.
Listed small and medium-sized enterprises in the EU (including many CRE asset holders) must begin sustainability reporting against the European Sustainability Reporting Standards for the 2026 fiscal year.
Adds an audit-grade ESG layer onto every listed CRE owner-operator in the EU. Building-level emissions evidence is the input.
Second-tier covered data providers (medium-sized banks, credit unions, and non-bank lenders) must enable consumer-authorized financial-data access with the same governance, security, and audit requirements as Tier 1.
Brings most CRE non-bank lenders inside the federal open-banking regime. Audit-trail evidence of access controls becomes examinable.
End of the three-year transition. Full revised capital calculations apply, including standardized credit risk weights for CRE exposures and the operational risk capital floor.
Strategic capital planning for CRE loan books anchors to this date. Governed model evidence is the input.
The examiner can cite any of these on first request.
Large U.S. banks (>$100B) phase in revised credit, market, and operational risk capital calculations (including CRE exposures) through 2028.
Capital treatment of CRE loan books tightens. Governed model evidence is required for the capital calculation.
Covered small-business lenders (including many CRE lenders to small operators) must collect, retain, and report data on applications; fair-lending evidence is now examinable.
First-tier compliance is live. Evidence of non-discriminatory model behavior becomes a direct §1071 defense.
Federal financial-institution examiners now evaluate AI and ML model governance, including third-party AI providers, as part of the standard IT examination.
Brings AI evidence into the routine bank examination process, including for CRE lenders.
Housing providers, lenders, and screening services using AI in tenant or borrower selection must ensure compliance with disparate-impact analysis and the Fair Housing Act.
First federal guidance specifically addressing AI screening in housing. CRE owner-operators are squarely in scope.
Lenders using AI to deny credit must provide accurate and specific reasons in adverse-action notices. Generic statements are unfair, deceptive, and abusive.
Audit-trail explainability is now a UDAAP requirement. Generic black-box decisions are sanctionable.
Banks with elevated CRE exposure must maintain risk-management practices commensurate with concentration. Stress-testing, portfolio monitoring, and workout planning.
Examiner focus following 2023 bank stress. Governed portfolio-monitoring evidence is directly relevant.
Regulated financial-services firms operating in New York must maintain a cybersecurity program, governance, third-party assessment, incident reporting, and audit trail.
Amended 2023 to include heightened CISO accountability and 72-hour incident reporting. Live for CRE lenders, servicers, and CMBS originators.
Large national banks must maintain a governance framework (including model risk) with board-level oversight, three-lines-of-defense, and independent risk management.
Foundation for modern CRE underwriting examination. AI-driven decisions are evaluated under the same lens.
Annual supervisory stress tests of capital adequacy under hypothetical macroeconomic scenarios, including CRE loss projections.
In force for large banks. Governed model evidence is expected in the DFAST submission.
Framework for identifying, measuring, and managing model risk across underwriting, pricing, and portfolio-monitoring models, with independent validation and ongoing audit.
The anchor model-risk regulation for U.S. CRE lenders. Examiners now ask for AI-specific evidence under SR 11-7.
Five stages. The evidence artifact. Sealed forecasts at horizon. Isometric DFD-0.
Formal safety models, ODD, assurance cases, reviewer briefs.
How we are set up and why the trust structure matters.
Direct line to the inventor. No demo, no deck.
Thirty minutes. Architecture, not sales. On the regulatory surface you already know.
