CFPB Finalizes Small Business Lending Data Rule

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) released its small business lending data collection and reporting rule, required by Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Section 1071 Rule). Similar to the Home Mortgage Disclosure Act (HMDA), which requires lenders to collect and report borrower demographic data regarding certain mortgage applications and loans for each calendar year, the Section 1071 Rule requires banks and non-bank entities that make at least 100 small business loans annually to collect and report loan application, origination, and pricing information, as well as certain applicant/borrower demographic information, in a “small business lending application register.” For purposes of the rule, a small business is one with no more than $5 million of gross revenues in its most recent fiscal year. The Section 1071 Rule amends Regulation B^[1] to implement changes to the Equal Credit Opportunity Act (ECOA)^[2] made by Section 1071.

What Types of Lenders and Transactions Are Subject to the Rule?

Covered Lenders
Covered financial institutions include all types of entities that engage in financial activity, including, among others, banks, online lenders, community development financial institutions, and nonprofit lenders, that originated at least 100 covered loans in each of the two preceding calendar years. Certain auto dealers are excluded from coverage.^[3]

Covered Originations
The volume of “covered originations” a financial institution makes determines whether the institution must collect and report data under the Section 1071 Rule and, if so, the relevant mandatory compliance date (see below). Covered originations are “covered credit transactions” to small businesses. Refinancings can be covered originations, but extensions, renewals, and other amendments of existing transactions are not.

Covered credit transactions include loans, lines of credit, credit cards, merchant cash advances, and agricultural credit products to small businesses, not including nonprofit organizations or governmental entities. Excluded from coverage are:

Trade credit
HMDA-reportable transactions
Insurance premium financing, not including the financing of policy premiums obtained in connection with the financing of goods and services
Public utilities credit
Securities credit
Incidental credit, which is an extension of consumer credit other than public utilities and securities credit that is (i) not made pursuant to the terms of a credit card account; (ii) not subject to a finance charge (as defined in Regulation Z at 12 CFR § 1026.4); and (iii) not payable by agreement in more than four installments^[4]
Factoring
Leases
Consumer-designated credit used for business or agricultural purposes
Purchases of a credit transaction
Purchases of an interest in a pool of credit
Purchases of a partial interest in a credit transaction

Reportable Applications
Covered financial institutions also must report “reportable applications,” which are “covered applications” from a small business. A covered application is an oral or written request for a covered credit transaction made in accordance with the lender’s procedures for the type of credit requested. The definition differs slightly from Regulation B’s definition of “application” in that the following are not considered applications:

Requests for reevaluation, extension, or renewal requests, unless they seek additional credit amounts or a line increase (which is a different approach from the definition of “covered origination”)
Inquiries or prequalification requests
Solicitations, firm offers of credit, and other evaluations that the financial institution initiates, unless the small business subsequently applies for credit

Reportable applications include requests made in accordance with a financial institution’s procedures for a refinancing that would be a covered origination if approved.

What Data Will Need to Be Collected and Reported?

A financial institution will need to collect and report certain data points that it generates about the loan process and outcomes, such as a unique identifier, application date, action taken, and, if applicable, the amount approved and pricing information or denial reasons. Collected data will also include details from the applicant or a third-party source about the potential loan and the applicant, including credit type and purpose, requested loan amount, census tract, and number of employees. Demographic information, including the applicant’s minority-owned, women-owned, and/or LGBTQI+-owned business status, as well as the ethnicity, race, and sex of the applicant’s principal owners (that is, each 25% or more direct equity owner), collectively referred to in this alert as the “Demographic Information,” must be requested from the applicant. The Demographic Information may not be reported by the financial institution based on visual observation, surname, or any other basis. Under certain circumstances, financial institutions may reuse some previously collected applicant-provided Demographic Information.

Covered financial institutions will need to report the required data by June 1 for the previous calendar year. The CFPB will make available the information financial institutions report pursuant to the Section 1071 Rule in a publicly accessible database.

The CFPB provides a sample data collection form that financial institutions may use but are not required to use (see the Appendix to this alert).

What Are the Rule’s Other Requirements?

Covered financial institutions must request the Demographic Information but must also inform applicants that they are not required to provide it. A financial institution also must inform an applicant that it is not permitted to discriminate on the basis of the applicant’s responses about the Demographic Information or whether the applicant provides this information. The sample data collection form includes sample notice language.

Note that while applicants are not required to provide the Demographic Information, financial institutions must not discourage them from providing it and must have procedures in place to identify and respond to potential signs of discouragement, such as low response rates for applicant-provided data. The CFPB has indicated that this prohibition will be a key area of focus for supervision and enforcement.^[5]

With limited exceptions, financial institutions must prevent access to the Demographic Information by anyone involved in making a determination on the applicant’s covered application. Financial institutions are also prohibited from disclosing the Demographic Information to other parties except in limited circumstances.

Financial institutions also must make available on their websites, or otherwise upon request, a statement that their small business lending application register, as modified by the CFPB, is or will be available from the CFPB. The Section 1071 Rule includes language that can be used for this statement.

Financial institutions must retain copies of their small business lending application registers and other evidence of compliance for at least three years, and they must maintain an applicant’s responses regarding the Demographic Information separate from the rest of the application and accompanying information.

What Are the Mandatory Compliance Dates?

The dates by which financial institutions will have to comply with the Section 1071 Rule are tiered based on small business loan volume as of 2022 and 2023,^[6] as follows:

October 1, 2024, for lenders that originate at least 2,500 small business loans annually
April 1, 2025, for lenders that originate 500 – 2,499 small business loans annually
January 1, 2026, for lenders that originate 100 - 499 small business loans annually

The CFPB states that it intends to propose a related rule that would provide additional implementation time for certain small lenders that have successfully served their local communities, as measured by their Community Reinvestment Act performance and/or other similar measures.

We Can Help

The practical impacts of the Section 1071 Rule will vary greatly depending on lenders’ current practices and procedures. Several of the rule’s provisions will require different approaches for compliance depending on specific facts and circumstances, including requirements related to the determination of the relevant applicant owner demographics to report, the treatment of multiple applicants, the impact of mergers and acquisitions, and voluntary data collection and reporting. For specific recommendations on how to prepare for compliance with the Section 1071 Rule, or if you would like additional information about any of the issues discussed in this alert, please contact Danielle Reyes.

^[1] 12 CFR Part 1002.
^[2] 15 USC 1691 et seq.
^[3] Generally, the Section 1071 Rule does not apply to motor vehicle dealers, as defined in section 1029(f)(2) of the Dodd-Frank Act, that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. 12 USC 5519.
^[4] 12 CFR1002.3(c)(1).
^[5] Consumer Financial Protection Bureau, Statement on Enforcement and Supervisory Practices Relating to the Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B (March 30, 2023), available at https://files.consumerfinance.gov/f/documents/cfpb_1071-enforcement-policy-statement.pdf.
^[6] That is, the rule applies on a particular date if the financial institution originates the minimum number of loans indicated for that date in both 2022 and 2023. A transitional provision in the rule allows financial institutions that did not collect sufficient information to determine whether borrowers were small businesses under the rule to annualize the number of covered originations in the last quarter of 2023 for both 2022 and 2023, or alternatively to assume that all covered credit transactions originated in those years were made to small businesses. Going forward, to be required to comply with the rule in any given year, the financial institution must be a covered financial institution, i.e., make at least 100 covered originations, for that year.

Contacts

Danielle Reyes
Partner
dreyes@goodwinlaw.com
Washington, DC+1 202 346 4103
/en/people/r/reyes-danielle

What Types of Lenders and Transactions Are Subject to the Rule?

What Data Will Need to Be Collected and Reported?

What Are the Rule’s Other Requirements?

What Are the Mandatory Compliance Dates?

We Can Help

Contacts

Danielle Reyes

Related Content

Kansas Becomes Fourth State to Enact Law Regulating Earned Wage Access Services

15 Questions Fintechs Should Ask Potential Bank Partners in Due Diligence

California Insurance Reform Creates Opportunity

SEC Adopts Reforms Relating to Investment Advisers Operating Exclusively Through the Internet

Agencies Extend Applicability Date of Certain Provisions of their CRA Final Rule

Traps for the Unwary: Using Alternative Credit Data to Expand Credit Access to LMI Individuals and Underrepresented Communities

Wisconsin Becomes Third State to Enact Law Regulating Earned Wage Access Services

FinCEN Publishes an Administrative Ruling Regarding Customer Identification Program and Customer Due Diligence Requirements for Designated Beneficiaries of Individual Retirement Accounts

UK Crypto Regulation Is ‘Catching Up’ to Other Markets While Maintaining ‘Bottom-Up’ Benefits (Investment Week)

Frazier Healthcare Partners Completes Acquisition of RevSpring

Fintech in Focus – Maximizing Value in a Challenging Funding Environment

5 Fintech Predictions for 2024: A Light at the End of the Tunnel (Finextra)

Goodwin CLE Days 2024

Goodwin Named a Top Firm by Chambers Fintech 2024

Women in Digital Assets Forum - London (2023)

Arvin Abraham Appointed to the Bank of England and HM Treasury’s C-Suite CBDC Engagement Forum

Consumer Financial Services

Fintech