Primary sector: Banking

Upstart

Upstart Holdings, Inc. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS

Composite governance score

74 / 100 (grade B)

B = strong posture. Deployable in regulated workloads with documented compensating controls.

Axes scored: 9 / 11
Trust-center maturity: 3 / 5
Sector weighting: Banking

About this vendor

AI lending platform with CFPB no-action letter history. Operates as a partner for community banks and credit unions that want AI-driven origination without building it internally. CFPB scrutiny and fair-lending audit history are unusually deep.

Enterprise tier
Upstart Referral Network, Upstart Auto Retail, Upstart for Banks (white-label AI lending platform)

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | Upstart signs DPAs and data-handling agreements with partner banks. BAA-eligible where PHI exposure exists in partner-bank datasets. | Upstart Security |
| Training-data opt-out | Yes | Partner-bank customer data processed under contracted purpose limitation. Cross-bank model training only with consortium consent. | Upstart Privacy |
| US data residency option | Yes | US data residency standard. | Upstart Security |
| SOC 2 Type II report | Yes | Upstart holds SOC 2 Type II. | Upstart Security |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review |
| NIST AI RMF self-attestation | Partial | Upstart publishes Responsible AI + fair-lending governance documentation. | Upstart Responsible AI |
| Colorado AI Act readiness | Partial | Upstart has publicly engaged on Colorado AI Act readiness for credit decisioning. | Upstart customer documentation |
| HHS-OCR Section 1557 readiness | N/A | Banking-vertical positioning. | Upstart positioning |
| FRB SR 11-7 readiness | Yes | Upstart has CFPB no-action letter history (Sept 2017 plus 2020 renewal): an unusually deep fair-lending audit paper trail. SR 11-7-grade validation documentation maintained for partner-bank examiner needs. | CFPB No-Action Letter history |
| ABA Formal Op 512 readiness | N/A | Banking-vertical positioning. | Upstart positioning |
| Subprocessor list public | Partial | Subprocessor list available to enterprise customers. | Upstart Security |

Trust-center maturity

3 / 5

Mature security documentation. CFPB engagement history is the differentiating compliance artifact. Trust portal less self-serve than enterprise platform vendors.

Source: Upstart Security

Deep dive

Overview

Upstart is unusually defensible on fair-lending because of the CFPB no-action letter history. No other US AI lending vendor has that paper trail. The white-label partner model lets community banks deploy AI lending under Upstart's compliance umbrella, which is operationally easier than standing up internal validation. The cost is platform dependence: partner banks operate within Upstart's product roadmap rather than building proprietary capability.

Strengths

  • CFPB no-action letter history (Sept 2017 plus 2020 renewal)
  • Unusually deep fair-lending audit paper trail
  • Partner-bank model. Origination under Upstart compliance umbrella
  • SR 11-7-grade validation maintained for partner needs

Weaknesses

  • Platform dependence. Partner banks operate within Upstart's roadmap
  • No ISO/IEC 42001
  • Subprocessor transparency NDA-gated

Best-fit use case

Community banks and credit unions wanting AI-driven personal lending or auto origination without internal model risk management capacity. The CFPB engagement history reduces partner-bank examiner risk.

Avoid when

Banks that want proprietary AI capability or are concerned about platform dependence. Building on FICO or licensing Zest AI keeps decisioning closer to in-house.

Operator's take

Deploy Upstart for community banks and credit unions that want AI-driven personal lending or auto origination without internal model risk management capacity. The CFPB engagement history reduces partner-bank examiner risk. The composite score of 74 (grade B) reflects a defensible posture for regulated US workloads. Skip the vendor for banks that want proprietary AI capability or are concerned about platform dependence. Building on FICO or licensing Zest AI keeps decisioning closer to in-house. In every deployment, treat the cells above as a snapshot: the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.

Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Upstart, submit a formal challenge — we re-verify against the source and respond within 14 days.

Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.
