CFPB Finalizes Rule On Small Business Lending Data Collection

On March 30, 2023, the Consumer Financial Protection Bureau ("CFPB") issued a final rule ("Rule"), which amended Regulation B to implement changes to the Equal Credit Opportunity Act made by section 1071 of the Dodd-Frank Act.

BACKGROUND

Section 1071 requires financial institutions to collect and report to the CFPB data on applications for credit for small businesses, including those that are owned by women or minorities, in order to (i) facilitate the enforcement of fair lending laws, and (ii) enable communities, governmental entities, and creditors to identify the business and community development needs and opportunities of women-owned, minority-owned, and small businesses. Under section 1071, authority is vested in the CFPB to require any data that it determines would aid in fulfilling section 1071's statutory purposes, and to prescribe such rules and issue guidance as may be necessary to carry out, enforce, and compile data pursuant to section 1071.

THE RULE

Consistent with the provisions of section 1071, the Rule requires covered financial institutions to collect and report certain data points regarding covered applications for credit for small businesses, including those that are owned by women and minorities. As defined by the Rule:

• "Financial institution" broadly refers to any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity. The term encompasses a variety of entities that engage in small business lending, such as traditional depository institutions, commercial finance companies, and nontraditional financial entities such as online lenders and platform lenders.

• "Covered financial institution" refers to a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years. There is no asset-based exemption threshold for depository institutions, or any other general exemptions for particular categories of financial institutions.

• "Covered credit transaction" refers to a transaction that meets the definition of business credit under the existing Regulation B (e.g., loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes), but with some exceptions. For example, the Rule excludes, among other things, transactions that are reportable under the Home Mortgage Disclosure Act ("HMDA") and purchases of originated covered transactions. Notably, both of these exclusions were incorporated into the final rule as a result of comments the CFPB received in response to the proposed rule.

• A "covered application" refers to an oral or written request for a covered credit transaction that is made in accordance with the procedures used by a financial institution for the type of credit requested. A covered application does not include reevaluations, extensions, or renewal requests of existing business credit accounts, unless the request seeks additional credit amounts, or inquiries and prequalification requests.

To determine whether a business qualifies as a "small business," the Rule looks to whether the business had $5 million or less in gross annual revenue for its preceding fiscal year. The CFPB notes that after January 1, 2025, it anticipates making updates to this size standard every five (5) years (as needed) to account for inflation.

The Rule identifies certain data points that financial institutions are expected to collect and report, some of which are within the financial institution's control (e.g., a unique identifier for each application, the application date, the application method, etc.), and others that are collected from third parties or from the applicants.

Some examples of data to be collected from applicants consist of the type and amount of credit being applied for and credit purpose, as well as "protected demographic information" (which refers to demographics of the applicant's ownership, such as whether the applicant is a minority-owned business, women-owned business, or an LGBTQI+-owned business, and the ethnicity, race, and sex of applicants' principal owners). The Rule defines a "principal owner" as a natural person that owns 25% or more of the business. The definition excludes entities and trusts, and indirect ownership and control.

While the collection and reporting of information from applicants, including the protected demographic information, is contingent upon an applicant's voluntary provision of the data, final comments to the Rule make clear that financial institutions are expected to maintain procedures to collect such data at a time and in a manner "reasonably designed" to obtain a response from its applicants on such data points. To aid lenders in collecting protected demographic information, the CFPB is providing a sample data collection form.

Additional provisions of the Rule address the CFPB's considerations of privacy of data, the publication of the data collected and reported, recordkeeping requirements imposed on financial institutions, and enforcement of the Rule by the CFPB.

EFFECTIVE DATE OF THE RULE

The Rule is set to take effect 90 days after its publication in the Federal Register. At such time, the requirement for compliance with the Rule will be guided by a phased-in approach. Lenders originating at least 2,500 small business loans annually will be required to collect data starting October 1, 2024. Lenders originating at least 500 loans annually must collect data starting in April 1, 2025. Finally, lenders that originate at least 100 loans annually must collect data starting January 1, 2026. Data is required to be collected on a calendar year basis and reported to the CFPB on or before June 1 of the following year.

NOTEWORTHY POINTS ON ENFORCEMENT

• The CFPB's Statement on Enforcement and Supervisory Practices Relating to the Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B ("Enforcement Policy Statement") provides useful insight into prospective supervisory and enforcement actions by the CFPB. Specifically, the Enforcement Policy Statement makes clear that:
  • A financial institution's method for collecting information from an applicant should not be designed to have the effect of discouraging applicants from submitting responsive information.
  • Requests for data from financial institutions should be prominent to applicants and should be made prior to notifying an applicant of the lender's decision on the application.
  • Financial institutions are expected to identify and respond to potential indicia of discouragement in their practices, policies, and procedures, including low response rates from applicants to the financial institutions' requests. Any indicia of discouragement should result in prompt investigation by the financial institution, and any identification of discouragement or improper conduct should result in prompt remedial action.
  • The CFPB intends to use its enforcement and supervisory authority to focus on covered financial institutions' compliance with requirements relating to the Rule's prohibition against discouraging applicants from submitting responsive information.

The Rule significantly expands reporting requirements for financial institutions underwriting small business loans.

While the CFPB notes that the Rule is intended to minimize overlap with other rules requiring reporting on similar data points to avoid duplicate efforts,¹ compliance with the Rule will nonetheless require a heavy lift from financial institutions in order to ensure that they are maintaining the applicable policies and procedures for the collection and reporting of the data points identified in the Rule. Navigating the complexities of the Rule, and implementing applicable policies and procedures, may also be challenging for FinTechs that aren't accustomed to the reporting requirements imposed on traditional depository institutions.

Footnote

1. The Rule will not require reporting of any HMDA-reportable applications. Further, the CFPB intends to coordinate with other agencies to further harmonize the Rule with other similar regulations. Proposed amendments to Community Reinvestment Act regulations would eliminate reporting on small businesses and small farms to be replaced exclusively by data from this Rule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.