The Consumer Financial Protection Bureau (CFPB, the Bureau) promulgated on March 30 its final rule implementing Section 1071 of the Dodd-Frank Act. The rule requires that covered financial institutions collect and report to the Bureau data on applications for credit by small businesses (those having gross revenue of under $5 million in their latest fiscal year).

Information to be collected from small businesses will include their principals’ race, ethnicity, and gender in addition to geographic and industry information, lending decisions, and credit pricing. The new data on small business lending will be compiled into a publicly available database, and according to the Bureau’s press release will “give investors and lenders more insights to identify new opportunities that support economic growth, help policymakers measure the effectiveness of any government programs, and provide a data-driven approach to detect potential discrimination.”

Coverage & Implementation Details

As noted in its press release, the Bureau’s small business lending rule covers “diverse forms of credit by all types of lenders.” The “diverse forms of credit” covered generally will reach any extension of business credit under Regulation B (which protects applicants from discrimination in any aspect of a credit transaction), including closed-end loans, lines of credit, business credit cards, online credit products, and merchant cash advances.

However, several exemptions apply, most notably for transactions reportable under the Home Mortgage Disclosure Act (HMDA), trade credit wherein a business acquires goods or services from another business without making immediate payment in full, and insurance premium financing. Also not covered are factoring, leases, consumer-designated credit used for business or agricultural purposes, and purchases of (1) a credit transaction, (2) a pool of such transactions, or (3) a partial interest in such a transaction, for example through a loan participation agreement.

In addition, the rule defines “covered financial institutions” broadly to reach “all types of lenders” so long as the lender meets the threshold of 100 or more small business loan originations in each of the two preceding calendar years. Accordingly, covered financial institutions may include, but are not limited to, depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, farm credit system lenders, commercial finance companies, merchant cash advance providers, governmental lending entities, and nonprofit lenders.

The rule provides for a staggered implementation, with the largest lenders being required to report first while lenders making fewer small business loans have additional time to comply with the rule’s requirements. The following compliance dates apply based upon the number of small business loans originated by a given financial institution:

  • October 1, 2024 for lenders originating at least 2,500 small business loans annually
  • April 1, 2025 for lenders originating at least 500 small business loans annually
  • January 1, 2026 for lenders originating at least 100 small business loans annually

Notably, under the rule, small businesses will be responsible for self-identifying, as appropriate, as women, minority, or LGBTQ+ owned, and lenders may rely upon the financial and other information provided by small businesses. Loan officers will not be required to make their own determinations of an applicant’s race, ethnicity, or any other demographic information.

The final rule contains a short, plain-language form that lenders may, but are not required to, use to collect the demographic data of the applicant’s principals. And although small businesses may choose not to provide demographic data, lenders are prohibited from discouraging applicants from providing such information.

Key Takeaways

  • Traditional financial institutions have been aware of this forthcoming requirement for more than a decade. Others, including more recent market entrants such as fintechs and other non-bank financial institutions, may have been less aware that this rule was coming and should evaluate whether they meet the threshold of 100 or more small business loan originations in each of the two preceding calendar years.
  • One may expect that the CFPB eventually will scrutinize reported small business lending data for potential violations of the Equal Credit Opportunity Act (ECOA). While the CFPB will have the ability to enforce the final information-collection rule itself, the agency may be confined to referring possible ECOA violations in connection with business credit to the Federal Trade Commission (FTC) and the Department of Justice. The FTC has recently taken several actions to enforce “consumer” protection laws in the small business lending context, and both agencies have substantial existing fair lending analytics expertise. In addition, private parties may bring claims under the civil enforcement provisions of ECOA, including individual and class action claims against creditors for actual and punitive damages. The information that small business lenders report under the rule, which will be made publicly available on the CFPB’s website, will provide a new resource for plaintiffs’ attorneys seeking to bring allegations of fair-lending violations.
  • Given the CFPB’s limited jurisdiction, state enforcement agencies that regulate or license small business lending, most notably California, are likely to be primary users of the information in the database as well. Reporting information that suggests rates in excess of state usury limits or unlicensed lending activity could create significant state enforcement risks for reporting lenders. Small business lenders who will be subject to the reporting requirements should take advantage of the interim window to confirm they hold all required licenses in the states where they originate loans and are monitoring any applicable usury limits, particularly in a rising interest environment.
  • Covered financial institutions should begin planning their compliance approach now. The rule creates significant new compliance obligations for lenders that will require changes to loan application intake, tracking, privacy, and recordkeeping procedures. Other tangential requirements also apply, including that covered financial institutions must:
    • Establish a “firewall,” subject to certain exceptions, to ensure that applicants’ demographic information is not considered by underwriters or other in making credit decisions.
    • Maintain procedures to identify and respond to signs of potential discouragement of applicants in providing the requested information, including low response rates for applicant-provided data.
    • Include on their website a statement that their small business application register will be made public by the CFPB.
  • According to the CFPB’s press release, the Bureau intends initially to focus its supervisory and enforcement activities on ensuring that lenders do not discourage applicants from submitting information. In addition, covered financial institutions will have a 12-month grace period during which the CFPB—for institutions under its jurisdiction—will not assess penalties for errors in data reporting, and will conduct examinations only to assist institutions in diagnosing compliance weaknesses, to the extent that these institutions engaged in good faith compliance efforts.