As recently discussed on our podcast here, section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended the Equal Credit Opportunity Act (ECOA) to require lenders to collect information about small business credit applications they receive, including geographic and demographic data concerning the principal owners, lending decisions, and the price of credit. The Consumer Financial Protection Bureau (CFPB or Bureau) issued its proposed rule in 2021, and after considering the over 2,500 comments it received, on March 30, 2023, the CFPB issued the massive, highly technical, and complicated Final Rule. The Final Rule and its accompanying discussion and analysis, as well as the Official Commentary totals 888 pages exclusive of the 123-page Filing Instruction Guide and numerous other documents released by the Bureau. In this first in a multi-post blog series, we will provide a high-level overview of the Final Rule.

What is the Final Rule Designed to Do?

The Final Rule is intended to promote fair lending enforcement by the Bureau and other regulators, in much the same way that HMDA has facilitated enforcement in the mortgage industry. The required collection of women-owned, minority-owned, or LGBTQI+-owned businesses and demographic data concerning principal owners will lead to close scrutiny of small business lenders’ fair lending performance by the CFPB, other regulators, and consumer advocacy groups in the future.

Which Small Business Lenders are Covered?

The Final Rule applies to small business lending. A “small business” is defined under the Final Rule as an entity that had $5 million or less in gross annual revenue for its preceding fiscal year. The CFPB plans to update this threshold every 5 years to account for inflation.

The Final Rule applies to “covered financial institutions,” which are generally defined as entities that engage in any financial activity and originate at least 100 covered small business credit transactions in each of the two preceding calendar years. Financial institutions will need to determine if they are covered by the rule on an annual basis.

It is important to note that the Final Rule applies to a wide variety of business entities that engage in small business lending, including depository institutions, online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, farm credit system lenders, commercial finance companies, merchant cash advance providers, and even governmental lending entities and non-profit lenders.

What Types of Credit are Covered?

The Final Rule defines a “covered credit transaction” as an extension of business credit under Regulation B. Covered credit transactions include closed-end loans, lines of credit, business credit cards, online credit products, merchant cash advances, and credit products used for agricultural purposes by banks, credit unions, and other lenders.

However, some transactions are excluded from coverage under the Final Rule even if they satisfy Regulation B’s definition of business credit. Examples include trade credit, HMDA-reportable transactions, insurance premium financing, public utilities credit, securities credit, and incidental credit as defined in Regulation B without regard to whether the credit is consumer credit, is extended by a creditor, or is extended to a consumer. Also, factoring, leases, consumer-designated credit used for business or agricultural purposes, purchases of a credit account, purchases of an interest in a pool of credit transactions, or a partial interest in a credit transaction (like a loan participation agreement) are not covered credit transactions. Notably, indirect auto retail installment contracts are not likely to be covered by the rule, because the auto dealer is the last party with the authority to set the terms of the credit transaction, but auto dealers are exempt from the Final Rule under § 1022 of the Dodd-Frank Act.

What are the Data Collection Requirements?

The Final Rule requires covered financial institutions to collect and report three types of data concerning small business loan applications.

First, covered financial institutions are required to report certain data points that the financial institution itself generates, such as the unique application identifier number and the action taken on the application by the institution, as well as reasons for denial (for declined applications).

Second, covered financial institutions are required to report data points that are based on information that either could be collected from the applicant or through a third-party source. Those data points include information related to the applicant’s business, credit type, credit purpose, and the amount the applicant applied for.

Third, covered financial institutions are required to report certain demographic information requested and collected from the applicant. Those data points relate to the applicant’s status as a minority-owned, women-owned, or LGBTQI+-owned business, and the race, sex, and ethnicity of the applicant’s principal owners.

As will be discussed in more detail in a later post, § 1002.107(c)(3) and (4) of the Final Rule require a covered financial institution to maintain procedures designed to identify and respond to indicia of potential discouragement of applicants from providing responsive information, including low response rates. According to the CFPB, a low response rate for applicant-provided data may indicate that the financial institution has engaged in discouragement or has failed to maintain procedures to collect applicant-provided data that are “reasonably designed to obtain a response.”

Importantly, unlike the data collection and reporting transitional periods, there is no grace period for discouragement and the CFPB intends to focus its supervisory and enforcement work on covered lenders’ compliance with its prohibition.

What are the Data Reporting Requirements?

Generally, covered financial institutions must report small business loan data to the CFPB by June 1 of the year following the calendar year in which the financial institution collected the data. For example, data collected during 2024 would be reported on June 1, 2025. While the Final Rule will be effective 90 days after publication in the Federal Register, the compliance dates are dependent on the financial institution’s total number of covered originations.

The data submitted to the CFPB will generally be made available to the public, subject to certain modifications or deletions that the Bureau determines “would advance a privacy interest.” The CFPB will make that determination after it obtains a full year’s worth of small business loan data. Notably, the CFPB’s publication will satisfy covered financial institutions’ statutory obligation to make that data available to the public upon request.

What is the “Firewall Provision?”

Under the Final Rule, employees and officers of a covered financial institution or affiliate are prohibited from accessing an applicant’s responses to the small business’ ownership status and the principal owners’ race, sex, and ethnicity questions if the employee or officer is involved in making any determination concerning the application.

However, that prohibition does not apply to an employee or officer if the financial institution determines that he or she may need to have access to one or more of the applicant’s responses to these inquiries, and the institution provides notice to the applicants whose responses will be accessed. Alternatively, the institution can provide notice to a broader group of applicants, up to and including all applicants. Operationally, this provision could pose compliance difficulties for small business lenders.

Are There any Safe Harbors in the Final Rule?

The Final Rule’s “safe harbor” provisions relate to incorrect entries for census tracts, NAICS codes, and application dates. There is also a safe harbor provision for incorrect determination of small business status, covered credit transactions, and covered applications. All of these provisions are designed to create some leeway for covered financial institutions to make de minimis errors.