Data-Driven Credit Decisions: Legal Boundaries of Automated Lending under CCD II

By Sandra Danciu (associate), with the review of Camelia Ianțuc (Counsel), Filip & Company

Automated lending is often presented as a story of efficiency — faster approvals, better customer experience, and scalable growth. Under the Consumer Credit Directive II (Directive (EU) 2023/2225) ( “CCD II”), however, the real question is no longer how quickly credit can be granted, but whether each decision can be justified as prudent, evidence-based, and legally defensible. In that sense, CCD II marks a clear shift: compliance is no longer about how models operate, but about the quality of the outcomes they produce.

Model risk is balance sheet risk

The first transformation lies in the move from individual credit judgment to model-driven decision-making. Traditional underwriting distributes risk across individual decisions, each supported by identifiable financial criteria and human assessment. Automated lending consolidates that risk into the model itself: its calibration, its data inputs, and the way it is applied across the portfolio. When a model is wrong, it is not wrong once; it is wrong systematically. The consequence is that what appears to be an operational tool may become, in reality, a balance sheet risk multiplier.

CCD II directly addresses this shift by anchoring creditworthiness assessment in verifiable, documented evidence. Credit decisions must be based on accurate and relevant information (e.g., income, liabilities, financial commitments) and, where necessary, supported by independent verification. This effectively forces automated systems to operate within an evidentiary framework: data must be traceable, inputs must be controlled, and outcomes must be reproducible. The exclusion of certain data sources, such as social media or sensitive categories, further narrows the space for unconstrained model design. What emerges is a clear legal boundary: automated lending is permissible only to the extent that it replicates, and can demonstrate, the discipline of prudent underwriting.

In practice, a model is no longer sufficient because it performs well in development or back-testing environments; it must produce decisions that can be reconstructed and defended under scrutiny.

Moreover, Romania’s draft legislation transposing CCD II reinforces portfolio-level accountability by empowering the National Authority for Consumer Protection to require creditors, following a sanction, to align all materially similar contracts within 90 days, ensuring that compliance remediation is applied consistently across automated lending portfolios and product lines.

Growth versus discipline

If the first risk introduced by automation is structural, the second is behavioural. Systems designed to optimise speed and conversion inevitably create pressure towards higher approval rates. In a competitive market, this can translate into rapid growth in origination volumes, but also into a gradual erosion of credit discipline. The danger is not immediately visible. Portfolios may initially perform well, particularly in benign economic conditions, masking the fact that risk thresholds have shifted.

CCD II intervenes by reframing creditworthiness as a legally mandated process rather than a commercial choice. Creditors are required to carry out a thorough assessment before concluding a credit agreement, to document the procedures followed, and to retain the underlying information. Where automation is used, consumers must be informed and given the possibility to request human intervention and receive a meaningful explanation. Rejections based on database consultations must be communicated promptly, together with the relevant data sources. These requirements collectively impose a level of transparency and accountability that is difficult to reconcile with purely volume-driven decisioning.

The CCD II also extends discipline into the lifecycle of the credit relationship. A significant increase in total credit (e.g., 15% of the total credit under Romania’s draft legislation transposing CCD II) cannot be granted without a renewed assessment of creditworthiness. This acts as a direct constraint on model-driven expansion strategies that might otherwise increase exposure without revisiting the borrower’s capacity to repay. 

When models meet reality: the stress test

Automated systems are inherently backward-looking, trained on historical data that often reflects stable or growth environments. Their apparent precision can deteriorate rapidly when those conditions

no longer hold. Correlations break down, borrower behaviour shifts, and the assumptions embedded in the model lose predictive power.

From a financial perspective, this is where losses materialise most sharply. Defaults rise not incrementally, but in clusters; risk segmentation becomes less reliable; and the impact on capital and provisioning can be immediate. What was previously a well-performing portfolio can deteriorate with surprising speed.

Although CCD II is primarily framed as a consumer protection instrument, its requirements implicitly point towards resilience across the credit cycle. The obligation to base decisions on accurate and up-to-date information, to maintain and review assessment procedures, and to reassess creditworthiness before increasing exposure all operate as safeguards against pro-cyclical drift. These elements require lenders to ensure that their decision frameworks remain valid not only in stable conditions, but also under stress.

For FinTechs, these developments have a direct structural consequence: the traditional “scale first, govern later” model no longer holds under CCD II. Credit automation must be designed as a controlled system from inception, not retrofitted with governance after growth. That means embedding auditability, traceable data inputs, and contemporaneous documentation of decision logic directly into the model architecture, alongside continuous validation against realised portfolio performance. In this environment, growth is only sustainable where it remains matched by the firm’s ability to evidence how credit decisions are made, and why they are defensible at scale.

Given the complexity of translating these obligations into operational processes, early legal structuring is often critical to avoid misalignment between regulatory expectations and automated lending architecture as it evolves.