An Overview of the CFPB’s Small Business Lending Collection and Reporting Rule
On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) released its long-anticipated final rule implementing the small business lending data collection and reporting requirements of the Dodd-Frank Act. The rule will be included as a new subpart B of the existing Regulation B, which implements the Equal Credit Opportunity Act (ECOA). According to the CFPB, the rule is intended to, among other things, increase transparency in small business lending by requiring lenders to collect and report certain information about the applications they receive.
Who is subject to the rule?
The rule applies to “covered financial institutions”, which is broadly defined to include small business lenders of all stripes, including banks, thrifts, credit unions, CDFIs, finance companies, and other nonbank lenders. To fall within the rule’s purview, such entities much have originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years. A “covered credit transaction” is an extension of business credit, which, subject to several exceptions and exclusions, includes loans, lines of credit, credit cards, merchant cash advances, and ag loans. It’s important to note that refinancings, according to the rule’s commentary, will likely be considered covered credit transactions when determining if a lender is subject to the rule, but not extensions, renewals, and amendments of existing transactions. Finally, for purposes of the rule, a small business is simply defined as a business that had $5 million or less in gross annual revenue for its preceding fiscal year (subject to an inflationary adjustment every five years beginning in 2025).
What are the reporting requirements?
The rule requires lenders to collect and report certain data points for covered applications it receives from a small business. This includes both oral and written requests for an extension of business credit made in accordance with the lenders application procedures for that type of credit. A “covered application”, again, includes a request to refinance, but does not include reevaluation, extension, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts or a line of credit increase. Inquiries and prequalification requests are also not included in this definition.
The data required to be collected and reported under the rule falls into three general categories:
Data provided by the lender
- Unique identifier
- Application date
- Application method
- Application recipient
- Action taken on the application
- Action taken date
- Amount approved and pricing information (for applications approved but not accepted or that result in an origination) or denial reason (for denied applications)
Data collected from the applicant or an appropriate third-party source
- Credit type
- Credit purpose
- Amount applied for
- Census tract based on address or location provided by the applicant
- Gross annual revenue for applicant’s preceding fiscal year
- NAICS code for applicant
- Number of people working for the applicant
- Applicant’s time in business
- The number of the applicant’s principal owners
Data based solely on demographic information collected from an applicant
- Applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status
- Applicant’s principal owners’ ethnicity, race, and sex
Regarding this third category, while the rule requires the lender to ask the applicant for the demographic information and to report it based solely on the responses provided, the lender is not permitted to require the applicant or any other person provide the information. Should an applicant fail, refuse or decline to provide the demographic information, this occurrence must be reported by the lender. Finally, it’s important to note that lenders are not permitted under the rule to report the demographic data points based on visual observation, surname, or any other basis, including information provided to the lender for other purposes.
What else is required under the rule?
A lender must also inform an applicant that the institution is not permitted to discriminate on the basis of: 1) the applicant’s responses about its minority-owned, women-owned, or LGBTQI+-owned business status, 2) on the basis of the applicant’s responses about any principal owner’s ethnicity, race, or sex, or 3) on the basis of whether the applicant provides this information. The rule also requires covered lenders to inform an applicant that they are not required to answer the institution’s inquiry about the applicant’s minority-owned, women-owned and LGBTQI+-owned business status, or the inquiries about the principal owners’ ethnicity, race, or sex.
The rule additionally prohibits a lender from discouraging applicants from responding to requests for those data points that must or can be provided by an applicant (known as “applicant-provided data”). Furthermore, covered lenders are required to maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response and, at a minimum ensure that: the initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application, the request for applicant-provided data is prominently displayed and presented, applicants are not discouraged from responding to such requests, and applicants can easily respond to such requests. Lenders must also maintain procedures to recognize and respond to indications of the types of prohibited discouragement described above, such as low response rates in applicant-provided data.
Can data be reused?
The rule does permit covered lenders, at their option, to reuse applicant-provided data if: 1) the data was collected within 36 months of the current application (except that gross annual revenue data must have been collected within the same calendar year of the application), and 2) the lender has no reason to believe the data is inaccurate. If lender decides to reuse previously collected data on the applicant’s time in business, it must update the data to reflect the passage of time since the data was collected. Finally, a lender may not reuse applicant-provided demographic data unless it was collected in connection with a prior covered application pursuant to the rule.
What are the reporting deadlines?
Financial institutions and other lenders subject to the rule must certify and report data to the CFPB by June 1 of the year following the calendar year in which they collected the data. Each year, the CFPB intends to publish a Filing Instructions Guide to assist entities with the filing process, and the Guide for data to be collected in 2024 is already available on the CFPB’s website.
How is the information to be reported?
Appendix E of the rule includes a sample data collection form that can be used by covered lenders to collect applicant-provided data. The form includes sample language informing applicants as to its purpose and other important disclosures.
Will the reported data be made public?
The rule states the CFPB will make submitted data publicly available on an annual basis, subject to any modifications or deletions needed to advance privacy interests. As part of this process, the CFPB intends to release higher level, aggregate data prior to releasing application-level data. Notably, while the rule requires covered institutions to make data available to the public upon request, the CFPB’s aforementioned publication efforts will satisfy this obligation if the institution publishes an acceptable statement on its website that its small business lending application register is or will be available from the CFPB. The small business lending application register is the data reported, or required to be reported, annually to the CFPB pursuant to the rule.
Regarding access, the rule requires covered institutions to restrict employees and officers from accessing an applicant’s responses to the demographic data points if the employee or officer is involved in making any determination concerning the application. The rule provides an exception, however, if an institution determines an officer or employee should have access to such data because it would not be feasible to maintain a firewall as to that particular employee and appropriate notice is provided to the impacted applicants. Additionally, the rule prohibits covered institutions and third parties from disclosing demographic information except to further compliance with the rule or as required by law.
What are the recordkeeping requirements?
A covered institutions is required to retain evidence of compliance with the rule, including copies of its small business lending application register, for at least three years after the register is required to be submitted to the CFPB. Furthermore, a covered institution must separately maintain applicant demographic data responses separately from the rest of an application. Finally, as part of its reporting of data and maintenance of information required by the rule, a covered financial institution may not include any personally identifiable information concerning an applicant, such as name, address, telephone number, or email address, except as otherwise required by the rule.
What is the rule’s effective date?
While the rule is now effective, compliance will be phased in for lenders based on their number of covered originations for the years 2022 and 2023 as follows:
- If a lender originated at least 2,500 covered originations in both 2022 and 2023, it must begin collecting data and complying with the rule on October 1, 2024.
- If a lender 1) originated at least 500 covered originations in 2022 and 2023, 2) did not originate 2,500 or more covered originations in both 2022 and 2023, and 3) originated at least 100 covered originations in 2024, then it must begin collecting data and complying with the rule on April 1, 2025.
- If a lender originated at least 100 covered originations in both 2024 and 2025, but did not originate at least 500 covered originations in both 2022 and 2023, then it must begin collecting data and complying with the rule on January 1, 2026.
For those institutions which are unable to determine the number of covered originations for the entirety of 2022 and 2023 because they were not tracking the necessary data, the rule includes a transitional provision to account for such challenges.
Are there any other notable provisions?
- Safe harbors – The rule provides safe harbors for institutions in which certain entries and conclusions, which are later determines to be incorrect, do not constitute violations of the rule or ECOA.
- Bona fide errors – The rule defines a bona fide error in compiling, maintaining, or reporting data as it pertains to a covered application as one that was unintentional and occurred despite the maintenance of procedures reasonably adapted to avoid such an error. Any errors deemed to be a bona fide errors will not be considered violations of the rule or ECOA.
What resources are available to assist the industry in implementing and complying with the rule?
The CFPB has a variety of FAQs, guides, and other resources devoted to compliance with the rule available on its website: https://www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-resources/small-business-lending-collection-and-reporting-requirements.
What are the key takeaways?
Even though the tiered compliance dates are over a year away, banks and other lenders which engage in small business lending should begin to monitor their relevant lending activity now to determine whether they are likely to be subject to the rule. Continuous monitoring of such information will also be necessary going forward, especially for those institutions with small business lending that begins to approach 100 covered transactions a year. Those with sufficient small business lending activity to trigger application of the rule should review the requirements carefully in advance of the relevant compliance date.
It should be noted that the U.S. Supreme Court is currently considering the legality of the CFPB’s funding mechanism and other litigation is pending which may ultimately delay the compliance dates or negate certain portions of the rule. However, covered institutions should still take the time now to ensure sufficient systems and processes are, or will be in place to collect, report, and maintain data in compliance with the rule.
Finally, affected institutions should review the CFPB website referenced above for news and updated resources pertaining to the small business lending rule. The CFPB has continuously added to and supplemented these materials since the final rule was first published, and periodically hosts webinars on the topic.