On March 30, the Consumer Financial Protection Bureau issued its final rule to implement Section 1071 of the Dodd-Frank Act.  Section 1071 amended the Equal Credit Opportunity Act to require financial institutions to collect and report certain data in connection with credit applications made by small businesses, including women- or minority-owned small businesses.  The final rule was accompanied by a “Grace Period Policy Statement” and a “Statement on Enforcement and Supervisory Practices Relating to Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B.”  Below we discuss key provisions of the final rule, including noteworthy changes from the CFPB’s proposal, and the CFPB’s accompanying Statements.

On April 17, 2023 from 1:00 p.m. to 2:30 p.m. ET, Ballard Spahr’s Consumer Financial Services Group will hold a webinar, “The CFPB’s Final Section 1071 Rule on Small Business Data Collection: What You Need to Know.”  To register, click here.

Key provisions of the final rule include the following:

“Covered Financial Institution” Definition. As defined in Section 1002.105(a), a “financial institution” is any entity that engages in financial activity and includes both depository institutions and non-depository institutions such as online lenders, platform lenders, lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), and commercial finance companies.  Motor vehicle dealers are excluded.  A “covered financial institution” is defined in Section 1002.105(b) as a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.

“Small Business” Definition. Section 1002.106(b) defines a “small business” as having the same meaning as a “small business concern” in the Small Business Act and that had gross annual revenue in the prior year of $5 million or less. The gross revenues threshold is to be adjusted for inflation every five years.

“Covered Application” Definition. Section 1002.103(a) defines a “covered application” as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.”  A request from a small business for a refinancing, unless otherwise excluded by the final rule, is a “covered application” even if no additional credit is requested.  Excluded from that definition pursuant to Section 1002.103(b) are (1) reevaluation, extension, or renewal requests on an existing business account, unless the request seeks additional credit, and (2) inquiries and prequalification requests.  (However, even if a reevaluation, extension or renewal request on an existing business account includes a request for additional credit, the transaction is not counted for purposes of determining if the financial institution is a covered financial institution.)

“Covered Credit Transaction” Definition. Section 1002.104 defines a “covered credit transaction” as an extension of credit primarily for business or commercial (including agricultural) purposes, but excluding (1) trade credit, (2) transactions reportable under the Home Mortgage Disclosure Act (HMDA), (3) insurance premium financing, (4) public utilities credit, (5) securities credit, and (6) incidental credit.  The exclusions for HMDA-reportable transactions and insurance premium financing were not included in the CFPB’s proposal. In addition to loans, lines of credit, and credit cards, “covered credit transactions” include merchant cash advances and other sales-based financing.  Consistent with the CFPB’s proposal, “covered credit transactions” also do not include (1) factoring, (2) leases, (3) consumer-designated credit that is used for business or agricultural purposes, or (4) the purchase of an originated credit transaction, an interest in a pool of credit transactions, or a partial interest in a credit transaction such as through a loan participation agreement.

Data Points. The final rule, in Sections 1002.107 and 1002.108, requires a covered financial institution to collect and annually report to the CFPB data on covered applications from small businesses.  The data that must be reported and collected consists of:

  • Unique identifier, application date, application method, application recipient
  • Credit product, guarantees, loan term, credit purpose, amount applied for, amount approved or originated
  • Action taken, action taken date, denial reasons
  • Pricing information (interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, prepayment penalties
  • Census tract, National American Industry Classification Code, number of workers, time in business
  • Number of principal owners
  • Minority-owned, women-owned and LGBTQI-owned business statuses
  • Ethnicity, race, and sex of principal owners

With respect to the demographic information described in the last two bullet points, a financial institution cannot require an applicant to provide such information.  If the applicant fails or declines to provide the information necessary to report a data point, the financial institution must report the failure or refusal to provide the information.  However, financial institutions are not required or permitted to report these data points based on visual observation, surname, or any other basis, which differs from the approach under the Home Mortgage Disclosure Act (HMDA).  Under the Bureau’s proposal, if an applicant did not provide ethnicity or race information for at least one principal owner, the financial institution would have been required to collect at least one principal owner’s ethnicity and race based on visual observation and/or surname.

In addition to adopting the proposal’s requirement for covered financial institutions to maintain procedures to collect applicant-provided data at a time and in a manner reasonably designed to obtain a response, the final rule, in Section 1002.107(c), expressly prohibits a financial institution from discouraging an applicant from responding to requests for applicant-provided data.  Like the proposal, the final rule requires covered financial institutions to maintain procedures to identity and respond to indicia of potential discouragement and provides that a low response rate for applicant-provided data may indicate discouragement or other failure by a financial institution to maintain procedures to collect applicant-provided data that are reasonably designed to obtain a response. 

Compliance Dates; Special Transitional Rules. The final rule will be effective 90 days after it is published in the Federal Register.  However, compliance with the rule will not be required as of that date.  Pursuant to the final rule, a financial institution is a covered financial institution subject to the rule’s data collection and reporting requirements if it originated 100 or more covered transactions in each of the prior two calendar years.  However, in Section 1002.114(b), the final rule contains staggered compliance dates that differ depending on the number of covered originations a covered financial institution originated in 2022 and 2023.  These dates are as follows:

  • A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024 if it originated at least 2,500 covered originations in both 2022 and 2023.
  • A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025 if it:
    • Originated at least 500 covered originations in both 2022 and 2023;
    • Did not originate 2,500 or more covered originations in both 2022 and 2023; and
    • Originated at least 100 covered originations in 2024.
  • A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026 if it originated at least 100 covered originations in both 2024 and 2025.

The staggered compliance dates based on origination volume represents a change from the CFPB’s proposal which would have required compliance no later than 18 months after the final rule’s effective date regardless of origination volume.

The final rule, in Section 1002.114(c), also contains special transitional rules that a financial institution can use to determine the number of covered originations it originated in 2022 and/or 2023 if it did not collect sufficient information to determine if some or all borrowers were small businesses pursuant to the final rule or if such information is not readily accessible.  In addition to other methods, the final rule permits a financial institution to assume that every covered credit transaction it originates for business customers in 2022 and 2023 is to a small business.

Grace Period Policy Statement; Statement on Enforcement and Supervisory Practices.  In response to comments on the proposal, the CFPB issued a “Grace Period Policy Statement” with the final rule that sets forth how it intends to exercise its supervisory and enforcement discretion following a covered financial institution’s initial compliance date.  The Statement provides a grace period covering a financial institution’s first 12 months of data submission if the financial institution has had made good faith efforts to comply with the final rule.  To explain its decision not to provide a longer grace period as requested by some commenters, the CFPB noted that it believes a 12-month grace period “is sufficient, especially given the other accommodations the Bureau is making to ensure that financial institutions are not unduly penalized for good faith errors, such as the bona fide error provision and the various safe harbors the Bureau has finalized in this rule….”

The final rule was also accompanied by a “Statement on Enforcement and Supervisory Practices Relating to Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B.”  In the Statement, the CFPB indicates that it intends to use its enforcement and supervisory authorities to focus on compliance by covered financial institutions with the final rule’s prohibition against discouraging applicants from submitting responsive information.  Specifically, the CFPB intends to look at institutions’ response rates for data requested from applicants and, as appropriate, “consider how a lender’s response rates compare to financial institutions of a similar size, type, geographic reach, or other relevant factors….”  The CFPB also intends to look at irregularities in a particular response (such as high rates relative to similar institutions of a response indicating the applicant does not wish to provide the requested information) “because that could indicate steering, improper interference, or other potential discouragement or obstruction of applicants’ preferred responses.”  The Statement also describes the CFPB’s expectations for what institutions should be doing to identify and respond to potential indicia of discouragement.  The CFPB expects covered financial institutions to assess response rates not only on an institution level, but also on other levels, such as by division, location and loan officer. 

HMDA Comparison.  While the CFPB looked to HMDA data collection and reporting requirements in developing the final rule, the final rule in some cases follows, or closely follows, the approach under HMDA, and in other cases differs from the approach under HMDA.  Institutions subject to the requirements of both HMDA and the final rule will need to closely focus on the similarities and differences to avoid compliance errors.     

The CFPB also issued the following materials concurrently with the final rule: