On September 14, 2023, the CFPB released Frequently Asked Questions (FAQs) regarding the Small Business Data Collection Rule (the “Rule”). These FAQs are in addition to the set published in June 2023, which are dated. Some, but not all, of the FAQs are discussed below.
Covered Credit Transactions
A few of the updated FAQs relate to the definition of a “covered credit transaction,” which includes the following topics:
- Consumer-designated credit: The FAQs reiterate that consumer-designated credit is excluded from the Rule, even if the proceeds are used for business or agricultural purposes, as long as the credit is offered or extended primarily for personal, family or household purposes.
- Letters of credit: The CFPB reiterates that letters of credit are excluded from coverage of the Rule. The FAQ defines a letter of credit as an instrument issued by a bank that promises, upon the presentation of certain documents and/or satisfaction of certain conditions, to direct payment to a beneficiary of the instrument. Letters of credit are not extensions of credit. However, if the letter of credit results in an extension of credit, then that extension may be a covered transaction.
- Participation loans: A participation loan is generally a covered credit transaction. The purchase of a partial interest in a credit transaction through a loan participation agreement is not considered a covered credit transaction. However, if the lead lender is the only financial institution needed to make a credit decision to originate the loan, or the lead lender is the last financial institution with authority to set material terms of the loan, then the lead lender would count the loan as a covered credit transaction (assuming the criteria for coverage are met).
- Trade credit exclusion and application to loans for goods/services from a retailer: An extension of credit by a financial institution, other than the supplier, the proceeds of which will be used to purchase goods or services from a retailer is not considered trade credit. Trade credit, which is excluded from the definition of a covered credit transaction, is a financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services.
- The CFPB clarified that an individual’s personal income is not considered when calculating a sole proprietorship’s gross annual revenue, because it is not revenue earned by the for-profit business applying for a covered credit transaction.
- The CFPB clarified that a guarantor’s revenue is excluded from determining whether a borrower is a small business. As a reminder, the definition of an applicant does not include other persons who are or may become contractually liable regarding an extension of business credit, such as guarantors, sureties, or endorsers.
The updated FAQs include a new section regarding record retention requirements, which covers:
- General record retention requirements: The CFPB reiterates that there are two primary record retention requirements. First, a covered financial institution must retain evidence of compliance the Rule, including a copy of its small business lending application register (LAR), for at least three years after submitting it to the CFPB. Second, a covered financial institution must maintain the demographic information collected pursuant to the Rule separate from the rest of the application and accompanying information.
- Record retention requirements if a covered financial institution relies on the exception to the firewall prohibition: A covered financial institution must still maintain demographic information collected pursuant to the Rule (and separately from the rest of the application), even if the financial institution relies on the exception to the firewall provision. The FAQs clarify that the exception to the firewall prohibition does not extend to the record retention requirements.
The CFPB added a new section to discuss the rule’s requirement to shield demographic information from employees involved in decision-making, known as the “firewall” provision. This section offers the following information, among other items, regarding the firewall:
- Determining whether to establish a firewall: If covered financial institution determines that an employee involved in decision-making should have access to the demographic information in order to fulfill his or her job duties, it means it is not feasible to establish and maintain the firewall as to that employee. The covered financial institution is not required to perform a separate analysis of the feasibility of establishing or maintaining a firewall. It is only required to determine whether the employees and officers who are involved in making determinations concerning covered applications should have access to protected demographic information. A determination that one employee or officer (or one group of employees or officers) should have access to demographic information protected by the firewall does not mean that it is not feasible to establish and maintain the firewall for other employees who are involved in decision-making.
- Complying with the rule when a covered financial institution determines it cannot maintain a firewall: The rule allows a covered financial institution to meet an exception to the firewall rule if it determines that it is not feasible to maintain a firewall with regard to an employee or a group of employees. In order to meet the exception in the rule, the financial institution must determine which employees make decisions on covered applications, then determine which of those employees should have access to protected demographic information to fulfil other job duties. A covered financial institution may make this determination on an individual-by-individual basis, or it may determine that a group of employees or officers with the same job description or assigned duties should have access for purposes of the exception. For example, there may be one employee or a group of employees who make decisions on covered applications, and also have other job duties, such as preparing reports, for which they should have access to protected demographic information. The financial institution is then required to establish a firewall with respect to the employees who do not need to access protected demographic information, and provide the required notice to applicants. The required notice can be sent to specific applicants or a broad group of applicants depending on the circumstances.
- Covered financial institutions may use current systems or processes for determining which employees should have access to data: A covered financial institution may use any lawful factors to determine whether an employee should have access to demographic information collected from applicants. For example, a covered financial institution may consider its size, the number of employees and officers within the relevant line of business or at a particular branch or office location, the number of covered applications the covered financial institution has received or expects to receive, and its current or reasonably anticipated staffing levels, operations, systems, processes, policies, and procedures. A covered financial institution is not required to change its systems or processes for the sole purpose of determining which employees and officers should have access.
- Access of employees and officers to the data after final action on the application is taken: An employee or officer who is involved in making a determination concerning a covered application may not have access to the applicant’s protected demographic information after the final action is taken on that applicant’s covered application.
- Documentation evidencing a firewall: The firewall provision does not include any specific documentation requirements. However, a covered financial institution is generally required to retain evidence of compliance with the rule for three years. Documentation evidencing compliance with the firewall provision may include items such as job descriptions or procedures that support the financial institution’s determinations of who should have access to demographic data.