On March 30, 2023, the Consumer Financial Protection Bureau ("CFPB" or "Bureau") issued its long-awaited small business lending data collection final rule ("Final Rule"). The Final Rule implements Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act (ECOA), to direct the CFPB to require financial institutions to collect and report loan data on women-owned, minority-owned, LGBTQI+-owned, and small businesses (collectively, "Small Businesses") in connection with applications for credit. Under the Final Rule, covered financial institutions are required to disclose application data from Small Businesses and demographic information about credit applicants. The Final Rule applies to a variety of entities that engage in small business lending and meet the origination threshold.

Federal consumer financial protection laws typically do not apply to business-purpose credit; the ECOA, though, generally applies to both consumer-purpose and business-purpose credit transactions. The Bureau began examining ECOA compliance of small business programs in 2015. The Final Rule represents the culminating step in a 10+ year process, which included a not-so-gentle nudge from a group of community organizations that sued the Bureau for its lengthy delays and resulted in a settlement that set deadlines for completion of the process.

Dodd-Frank Act Section 1071

The purpose of Section 1071 is to "facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities for women-owned, minority-owned and small businesses." Section 1071 covers "financial institutions," defined as any partnership, company, corporation, association, trust, estate, cooperative organization, or other entity that engages in any financial activity.

Section 1071 also covers small businesses, defined as a "small business concern," meaning "one which is independently owned and operated and which is not dominant in its field of operation," as defined in Section 3 of the Small Business Act.

Under Section 1071, financial institutions are required to collect and maintain certain data for Small Business applicants, while also restricting access to certain information. As part of the data collection, financial institutions must limit or "firewall" access to the race, ethnicity, and sex data from employees in a position to make credit decisions about those applications. Financial institutions must submit this data to the Bureau annually; thereafter, the Bureau must make the data available to the public.

The Final Rule

Regulation B implements the ECOA, and the Bureau is proposing to add Subpart B to Regulation B to implement Section 1071. We set out the key provisions below, highlighting the primary changes from the Proposal.

Key Terms

A covered financial institution is a "financial institution" that meets an origination threshold of at least 100 "covered credit transactions" to "small businesses" in each of the two preceding calendar years. This threshold reflects an increase from the threshold of at least 25 covered transactions in the Proposal.

Despite use of the term "financial institution" to determine covered entities, the definition of "financial institutions" goes far beyond chartered depository institutions and includes any "entity that engages in any financial activity." The "financial institutions" covered by the Final Rule therefore extend to fintechs, Farm Credit System lenders, online lenders, platform lenders, government lending entities, nonprofit, nondepository lenders, lenders involved in equipment and vehicle financing, and commercial finance companies. Notably, auto dealers are left out of the definition and therefore are not covered by the Final Rule.

The metric for determining coverage is covered originations, which include covered credit transactions and refinancings, but not extensions, renewals, or other amendments of existing transactions.

A covered credit transaction is a credit transaction originated to a small business that is an extension of business credit under Regulation B, including loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes.

There are several transactions excluded from coverage, including trade credit (a financing arrangement where a business acquires goods or services from another business without making immediate full payment to that business); insurance premium financing; specific types of credit defined in Regulation B, public utilities credit, securities credit, and incidental credit; and transactions reported under the Home Mortgage Disclosure Act.

In instances where multiple creditors are involved in a single transaction, the last financial institution with the authority to set the material terms of the covered credit transaction would be responsible for reporting under the Final Rule. Setting the material terms of the covered credit transaction could include selecting among competing offers, or modifying pricing information, amount approved or originated, or repayment duration. When a motor vehicle dealer is the last financial institution involved, the application and transaction are not reportable under the Final Rule.

A small business is defined by reference to the definitions of "business concern" and "small business concern" in the Small Business Act, as included in Section 1071; however, the final definition does not include the Small Business Administration's size metrics for defining a small business concern. Instead, a small business is defined as a business that had $5 million or less in gross annual revenue for its preceding fiscal year. It's worth noting that nonprofit organizations and governmental entities are not small businesses under the Final Rule because they are not considered a "small business concern" under the SBA's definition.

As discussed below, the Final Rule requires data collection regarding covered applications in addition to covered financial transactions. The definition of covered application closely follows the Regulation B definition of application as an oral or written request for a covered credit transaction made in accordance with procedures used by a financial institution for the type of credit requested. Excluded from "covered applications" are (1) reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; (2) inquiries and prequalification requests; and (3) solicitations, firm offers of credit, and other evaluations initiated by the financial institution (unless the financial institution invites a small business to apply and the small business does).

Data Collection

Covered financial institutions must collect and maintain the following data points for each covered credit transaction: an assigned unique identifier (for identification and retrieval of files); the application date; the application method; the application recipient; credit types, including the credit product, guarantees obtained, and loan term; credit purpose; the application amount; the amount approved or originated; the action taken on the application; the date of the action taken; pricing information, including interest rate, total origination charges, broker fees, initial annual charges, the additional cost for merchant cash advances or other sales-based financing, and prepayment penalties; and the census tract.

For each applicant, covered financial institutions are required to collect gross annual revenue; NAICS code; number of workers; length of time in business; minority-owned business status; women-owned business status; LGBTQI+-owned business status; ethnicity, race, and sex of principal owners (i.e., a person who owns at least 25% of the business); and number of principal owners. Some of these data points, including those regarding the application method, application recipient, denial reasons, and number of principal owners, are included pursuant to the Bureau's discretionary authority under Section 1071. The Final Rule includes model application forms covered entities can use to collect the required information.

Collection of Demographic Data

In addition to identifying data points for collection, the Final Rule specifies how covered financial institutions must describe the required collection to applicants, including that financial institutions are prohibited from discriminating based on the applicant's responses, and that applicants may decline to answer these questions.

To further ensure the collection of Demographic Data, the Final Rule requires that covered financial institutions have procedures to ensure Demographic Data is collected before the application is decisioned and the request for this data is prominently presented. Relatedly, they also must have policies to ensure that applicants can easily respond to requests and are not discouraged from responding to such requests.

In a key change from the Proposal, the Bureau eliminated the requirement that financial institutions guess the ethnicity and race of applicants. But, where the Bureau gave with one hand, it took away with the other by including a provision in the Final Rule that indicates it may hold financial institutions responsible for low response rates, explaining that low response rates may indicate that covered financial institutions are discouraging applicants from responding or otherwise failing to maintain procedures to collect Demographic Data.

Along with the Final Rule, the CFPB issued a Policy Statement regarding the agency's intent to focus enforcement and supervisory authority on compliance with the prohibition of discouraging applicants from providing responsive information.

Firewall

The Final Rule implements the Section 1071 "firewall" requirement that financial institutions bar access to the applicant's responses by employees and officers involved in making application determinations. There is a "feasibility" exception as long as the financial institution provides notice to applicants. The Final Rule includes sample notice language.

Data Reporting and Tiered Compliance

Under the Final Rule, covered financial institutions must collect the required data on a calendar year basis and submit the data to the CFPB by June 1 of the following year. The CFPB will make the data available to the public but has not yet determined how it will protect applicant privacy.

The Final Rule provides tiered-compliance deadlines, starting with the financial institutions that have the largest number of covered originations in 2022 and 2023.

  • Tier 1: Financial institutions with at least 2,500 covered originations in both 2022 and 2023 must begin collecting data and complying with the rule on October 1, 2024, and report data by June 1, 2025.
  • Tier 2: Financial institutions with between 500 and 2,499 covered originations in both 2022 and 2023 must begin collecting data and complying with the rule on April 1, 2025, and report data by June 1, 2026.
  • Tier 3: Financial institutions with between 100 and 499 covered originations in both 2022 and 2023 must begin collecting data and complying with the rule beginning January 1, 2026, and report data by June 1, 2027.

Covered financial institutions are required to retain evidence of compliance for at least three years. These staggered compliance dates provide more time than the across-the-board 18-month compliance deadline in the Proposal. The CFPB also issued a Grace Period Policy Statement explaining it will apply a grace period for a financial institution's first year of data submission as long as the financial institution has made a good faith effort to comply.

Key Takeaways

With some exceptions, the CFPB largely finalized the rule as proposed. Although the compliance deadlines may seem far in the future, covered financial institutions should start preparing to comply given the broad scope of entities covered by the Final Rule and the significant data collection and reporting obligations.

As they prepare policies and procedures, covered entities should look to the Bureau's Policy Statement indicating supervisory and enforcement priorities with regard to Section 1071. In the Statement, the Bureau indicates it intends to focus on any evidence that a financial institution is discouraging applicants from providing responses. The Bureau will compare response rates across institutions and look at outliers, which it explains may indicate improper interference or discouragement. In the Statement, the Bureau states its expectation that covered entities will do their own ongoing assessment of response rates across the institution as well as between relevant categories such as locations and loan officers. Covered entities will have to develop not only policies and procedures for extensive data collection and reporting, but also policies and procedures to monitor and test for compliance, to evaluate and respond to possible unintended discouragement, and to address any fair lending concerns.

Of note, the Bureau issued the Final Rule and the Policy Statement at a time when the constitutionality of the Bureau's funding is being considered by the U.S. Supreme Court in Consumer Financial Protection Bureau (CFPB) v. Community Financial Services Association of America (CFSA). Other Bureau actions are being challenged on the basis of the Fifth Circuit's decision in that case, which the CFPB described as "call[ing] into question virtually every action the CFPB has taken in the 12 years since it was created" in seeking Supreme Court review. It is not yet clear what, if any, impact this open constitutional question will have on the Final Rule.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved