By the time a model reaches your underwriting stack, a large share of its inputs and logic may live somewhere you do not control. A scoring vendor holds the training data. A data broker supplies the attributes. A platform partner runs the inference. When an examiner asks you to prove that a decision did not produce a disparate impact, you cannot point at a black box and shrug. The earlier modules in this course assumed you could reach the data: lineage, consent, proxy testing, point-in-time features. This module is about the case where the data sits behind someone else's terms of service, and the access you need has to be written into the contract before you sign it.

The control you are buying is not the model. It is the right to inspect the data and outcomes well enough to run your own fair-lending review. That right does not come standard.

The legal expectation does not transfer with the data

Outsourcing the model does not outsource the obligation. Under the Equal Credit Opportunity Act and Regulation B, the creditor is accountable for the decision regardless of who built the scoring logic. If you take adverse action, you owe the applicant specific reasons, and a "the vendor's model decided" answer does not satisfy 12 CFR 1002.9.

Supervisors have made the same point about model and vendor risk. The Federal Reserve and OCC's longstanding model-risk guidance, SR 11-7, states plainly that model risk management applies to vendor and third-party models, not only to ones you build in-house. The common examination finding is the "bought, not built" gap: a bank assumes a purchased model arrived pre-validated and never tests it against its own outcomes.

The 2023 Interagency Guidance on Third-Party Relationships (final June 6, 2023, from the Fed, FDIC, and OCC) folds this into contract negotiation. It treats audit rights, performance reporting, and subcontractor visibility as things you address before signing, not after a problem surfaces.

If you cannot independently test the vendor's data and outputs for protected-class disparities, you have accepted the liability without the means to manage it.

What "audit rights" actually has to cover

Audit rights are often reduced to a single boilerplate clause granting you the right to inspect "books and records." For fair-lending work that is close to useless. You need named, specific access to four things.

1. Outcome data at the application level

You need decision-level records, not aggregate dashboards. To run disparate-impact testing you have to join the vendor's scores and decisions to your own applicant population and proxy-derived demographics. That requires the score, the decision, the timestamp, and a key you can match to your records, delivered on a cadence you set rather than one the vendor offers.

2. The inputs the model consumed

Module 4 covered proxy variables and disparate-impact testing, and Module 8 covered point-in-time correctness. Neither is possible if the vendor will not tell you which features the model used and which values it saw at decision time. You do not necessarily need the model weights. You do need the feature set and the input values per decision.

3. Change notice and version control

A vendor can retrain or swap a model and silently shift its behavior toward a protected class. The contract should require advance notice of material model or data changes, with enough lead time to retest before the new version reaches your applicants.

4. Subcontractor and data-source visibility

The interagency guidance specifically flags subcontractors. If your scoring vendor buys attributes from a data broker, that broker's data quality is now your fair-lending exposure. You want disclosure of material subcontractors, the right to object, and assurance that your audit and data-access rights flow down to them.

The trade-secret wall, and how to get around it

The predictable vendor response is that the model and its training data are proprietary. That objection is real, and you usually will not win full access to the source code or weights. You do not need to.

Fair-lending testing is an outcomes discipline. You can run disparity analysis and regression-based testing on inputs and outputs without ever seeing the internals. The contractual move is to separate the right to inspect outcomes and inputs from the right to inspect the model itself, and to anchor the first in your regulatory obligation rather than in curiosity about how the model works. Vendors that sell to regulated lenders generally understand that an examiner can compel this, so the negotiation is about format and cadence, not whether the access exists at all.

A worked example

A regional lender licenses a cash-flow underwriting score from a fintech vendor. The contract grants "reasonable audit rights upon thirty days' notice." Eighteen months in, the lender's own monitoring flags a 9-point approval-rate gap by an age-correlated proxy. The compliance team asks the vendor for decision-level scores and input features to run a controlled regression.

The vendor refuses. The contract never named decision-level data, the score is "proprietary output," and the input features are "trade secret." The thirty-day audit clause turns out to mean an annual SOC 2 walkthrough, not a data extract. The lender cannot test its own portfolio for the disparity it already detected, and it cannot produce input-mapped adverse-action reasons. It is now exposed on a finding it cannot investigate, with a vendor it cannot compel until renewal.

The fix costs nothing at signing and cannot be won afterward. Before signing, the lender should have secured: monthly decision-level extracts (score, decision, timestamp, match key) under a defined schema; the feature list plus per-decision input values; advance notice of model changes with a retest window; and flow-down of these rights to any subcontracted data source. None of that requires the model weights. All of it makes the disparity testable.
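What the decision-level extract makes possible, as an added example that is not part of the original course material: the sketch checks each vendor row for the four named fields, joins it to the lender's own proxy groups by match key, and reports the approval-rate gap in percentage points. The field names, the `approve`/`decline` values, the group labels, and the sample rows are all constructed assumptions.

```python
from collections import defaultdict

# Fields the rider names for every decision (names are assumed, not a real schema).
REQUIRED = ("match_key", "score", "decision", "timestamp")

def approval_gap(vendor_rows, proxy_by_key):
    """Join vendor decisions to lender proxy groups; return (rates, gap, problems)."""
    problems, seen = [], set()
    counts = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for i, row in enumerate(vendor_rows):
        missing = [f for f in REQUIRED if row.get(f) in (None, "")]
        if missing:
            problems.append(f"row {i}: missing {','.join(missing)}")
            continue
        key = row["match_key"]
        if key in seen:  # a duplicate key would double-count one applicant
            problems.append(f"row {i}: duplicate match_key {key}")
            continue
        seen.add(key)
        group = proxy_by_key.get(key)
        if group is None:  # vendor row that cannot be tied to a lender application
            problems.append(f"row {i}: match_key {key} not in lender records")
            continue
        counts[group][1] += 1
        counts[group][0] += row["decision"] == "approve"
    rates = {g: approved / total for g, (approved, total) in counts.items()}
    gap = None  # undefined unless at least two groups could be joined
    if len(rates) > 1:
        gap = round(100 * (max(rates.values()) - min(rates.values())), 1)
    return rates, gap, problems

def _row(key, decision, score=0.5):
    return {"match_key": key, "score": score, "decision": decision,
            "timestamp": "2024-01-15T10:00:00Z"}

# Constructed lender-side proxy assignments, keyed by application id.
PROXY = {**{f"A{i}": "group_1" for i in range(5)},
         **{f"B{i}": "group_2" for i in range(5)}}

# Constructed vendor extract: 10 clean rows plus three defective ones.
EXTRACT = (
    [_row(f"A{i}", "approve" if i < 4 else "decline") for i in range(5)]
    + [_row(f"B{i}", "approve" if i < 3 else "decline") for i in range(5)]
    + [_row("Z9", "approve"), _row("A0", "approve"),
       {"match_key": "B7", "decision": "decline"}]
)

if __name__ == "__main__":
    print(approval_gap(EXTRACT, PROXY))
```

An extract delivered without a usable match key leaves every row in the problems list and the gap undefined, which is the position the lender in the worked example ended up in.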

The takeaway

Treat fair-lending access as a procurement deliverable, not a legal afterthought. Build a standard data-and-audit rider that names decision-level outcomes, model inputs, change notice, and subcontractor flow-down, and make it a gating requirement for any vendor that touches a credit decision. The right to test for disparate impact is worth almost nothing once the ink is dry, so the only place to win it is at the table before you sign.
