On March 30, 2023, the US Consumer Financial Protection Bureau (“CFPB”) published its long-awaited final rule requiring lenders to collect and report data about their small business lending activities. The final rule implements Section 1071 of the Dodd-Frank Act, which was designed to effectuate fair lending laws with respect to women-owned, minority-owned and small businesses. The final rule was issued just one day before a court-mandated deadline for finalization, and more than 10 years after the enactment of the Dodd-Frank Act.

As those who reviewed the proposed version of the rule may suspect, the requirements under the finalized rule are extensive. For lenders already used to complying with the Home Mortgage Disclosure Act's (“HMDA”) reporting requirements for mortgage loans, the implementation process will be challenging. But for lenders who do not currently collect and report under HMDA, implementation of the Section 1071 rule is likely to be particularly taxing.

The final rule requires “covered financial institutions” to collect and report certain data regarding their small business lending activities, which generally includes credit extended to businesses with $5 million or less in gross annual revenue. Lenders that must comply with the new collection and reporting requirements include depository institutions, online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, farm credit system lenders, commercial finance companies, merchant cash advance providers, governmental lending entities, and non-for-profit lenders. Lenders will be required to collect and report extensive data about the transaction, the small business applicant, and the principal owners of the business. The CFPB set forth a multi-tier implementation schedule, with the timeline to start collecting the required data ranging between October 24, 2024 and January 1, 2026, depending on the number of small business loans a lender originates.

The final rule also requires lenders to develop a “firewall” to limit access to certain sensitive data. Specifically, employees and officers responsible for making a determination about a small business applicant's application are prohibited from accessing data collected about the applicant's status as a minority-owned, woman-owned, or LGBTQI+-owned business or about the ethnicity, race, and sex of the applicants' principal owner(s). There are certain exceptions if the lender has a business justification for permitting access and a disclosure is provided to the applicant. In addition, the final rule prohibits a covered financial institution or third party from disclosing collected demographic information to other parties, except in limited circumstances.

For those in the industry who have been closely following the Section 1071 rulemaking, the final rule contains some key changes from the proposed rule issued in September 2021. The changes reflect the CFPB's consideration of more than 2,100 public comments on the proposal, as well as extensive public input predating the proposal. Notably, the final rule does not require a lender to visually observe and report demographic information about an applicant applying in-person when the applicant has chosen not to furnish such information. In addition, the final rule adds identification as an LGBTQI+-owned business to the list of reporting categories. And, in a welcome departure from the proposed rule, HMDA-reportable mortgage loans that are already required to be reported under HMDA will not need to be reported again under the final rule. The final rule also requires lenders to maintain procedures to identify and respond to signs of potential discouragement, including low response rates for applicant-provided data. In Policy Guidance issued concurrently with the Section 1071 rule, the CFPB warned lenders that it intends to focus its supervisory and enforcement activities on ensuring lenders do not discourage applicants from providing responsive data.

This brief overview provides some early insights into the newly-published final rule, which has wide-reaching ramifications for the industry. Stay tuned for a more comprehensive update on the key aspects of the final rule as we continue to digest this 888-page rulemaking.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.