Last week, it was reported that the Consumer Financial Protection Bureau (“CFPB”) told a court that, within a year, the CFPB would release an “outline of proposals” for collecting data from firms that make loans to small businesses.
Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act, effective July 21, 2011, to require financial institutions, in the case of any application for credit for women-owned, minority-owned, or small businesses, to inquire whether the business is a women-owned, minority-owned, or small business and to maintain a record of the responses, itemized to disclose specified data points, somewhat akin to the longstanding requirements for mortgage loans under the Home Mortgage Disclosure Act (“HMDA”). Applicants were to be free to refuse to provide the information, and loan underwriters generally were not to have access to the information. The information was to be compiled and maintained in accordance with regulations issued by the CFPB and submitted to the CFPB annually and made available to the public. Section 1071 expressly provides that the CFPB “shall prescribe such rules and issue such guidance as may be necessary to carry out, enforce, and compile data pursuant to this section,” but does not provide a specific date by which the CFPB is to issue such rules, even though other provisions in the Dodd-Frank Act requiring CFPB rulemakings mandated issuance of rules by specific dates. However, the CFPB is authorized to “adopt exceptions to any requirement of this section” and to exempt any financial institution or class of financial institutions as it deems necessary or appropriate to carry out the purposes of the statute. The statute expresses its purposes as being “to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.”
The CFPB has not proposed or prescribed such rules, but, in April, 2011, the CFPB’s General Counsel issued a public letter addressed to the Chief Executive Officers of financial institutions to the effect that Section 1071 is not self-executing and that compliance will not be required until such rules are prescribed, because appropriate procedures, information safeguards, and privacy protections need to be established to ensure that data is collected in a consistent standardized fashion. That understanding went unchallenged until last May.