Nebraska Bankers Association

Compliance Update


July 21, 2023

Vol. XL, No. 15

CFPB - Small Business Lending Rule

I. Introduction
The Consumer Financial Protection Bureau (CFPB) has issued a final rule implementing the small business lending data set forth in Section 1071 of the Dodd-Frank Act (Section 1071). The final rule requires covered financial institutions to collect and report certain data about covered applications from small businesses and allows for the creation of the first comprehensive public database that covers small business lending practices.
II. Background
Section 1071 amended the Equal Credit Opportunity Act (ECOA) to require financial institutions to compile data regarding certain business credit applications and report that data to the CFPB. Section 1071 specifies several data points that financial institutions are required to report and provides authority for the CFPB to require financial institutions to report additional datapoints that the CFPB determines would aid in fulfilling Section 1071's purposes. These purposes are facilitating enforcement of fair lending laws and enabling the identification of business and community development needs and opportunities for women-owned, minority-owned and small businesses.
III. Institutions Covered
The final rule applies to "covered financial institutions." A "covered financial institution" is any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity, and that originated at least 100 covered originations in each of the two preceding calendar years.

Financial institutions will need to determine if they are covered financial institutions annually. A financial institution that is not a covered financial institution may voluntarily collect data under the final rule in certain circumstances, such as if it recently reported data as a covered financial institution, is about to become a covered financial institution, or is not covered but commits to report data it voluntarily collects.
IV. Transactions Covered
When determining whether it is a covered financial institution and what compliance date tier applies to it, a financial institution must count covered originations, which are certain covered credit transactions that it originated to small businesses. Similarly, a covered financial institution must collect and report data about an application if the application is from a small business and is for a covered credit transaction. Thus, it is important to know how the final rule defines the terms “small business” and “covered credit transaction.”

A. Small Business
Pursuant to the final rule, a “small business” is a small business concern that had $5 million or less in gross annual revenue for its preceding fiscal year. Thus, if a business had more than $5 million in gross annual revenue for its preceding fiscal year, it is not a small business pursuant to the final rule. Additionally, non-profit organizations and governmental entities are not small businesses pursuant to the final rule.

A financial institution is permitted to rely on an applicant’s representations regarding gross annual revenue (which may or may not include affiliate revenue) for purposes of determining small business status. However, if a financial institution verifies applicant-provided gross annual revenue information or if an applicant provides updated gross annual revenue information, the financial institution must use the verified or updated information to determine small business status. 

B. Covered Credit Transaction
Generally, a covered credit transaction is an extension of business credit under Regulation B. Thus, covered credit transactions can include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes.

However, the following transactions are excluded from coverage (i.e., are not covered credit transactions) under the final rule even if they satisfy Regulation B’s definition of business credit:
  • Trade credit, which is a financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services
  • HMDA-reportable transactions
  • Insurance premium financing, which generally is a financing arrangement wherein a business agrees to repay a financial institution the proceeds advanced to an insurer for payment of the premium on the business’s insurance contract and wherein the business assigns to the financial institution certain rights, obligations, and/or considerations in its insurance contract to secure repayment of the advanced proceeds
  • Public utilities credit as defined in Regulation B, 12 CFR 1002.3(a)(1)
  • Securities credit as defined in Regulation B, 12 CFR 1002.3(b)(1)
  • Incidental credit as defined in Regulation B, 12 CFR 1002.3(c)(1), but without regard to whether the credit is consumer credit, is extended by a creditor, or is extended to a consumer

Furthermore, factoring, leases, consumer-designated credit used for business or agricultural purposes, purchases of a credit transaction, purchases of an interest in a pool of credit transactions, and purchases of a partial interest in a credit transaction (such as through a loan participation agreement) are not covered credit transactions.

C. Covered Originations
For purposes of determining whether a financial institution is a covered financial institution and the compliance date tier (discussed below), financial institutions count covered originations. A covered origination is a covered credit transaction that the financial institution originated to a small business. Refinancings can be covered originations. However, extensions, renewals, and other amendments of existing transactions are not considered covered originations even if they increase the credit line or credit amount of the existing transaction.

D. Reporting Applications
Pursuant to the final rule, a covered financial institution is required to collect and report data and satisfy other requirements for reportable applications. An application is reportable if it is a covered application from a small business.

A covered application is an oral or written request for a covered credit transaction (i.e., an extension of business credit that is not otherwise excluded from coverage under the final rule) that is made in accordance with procedures used by the financial institution for the type of credit requested.

While this definition of covered application is largely consistent with the existing Regulation B definition of “application,” certain circumstances do not constitute covered applications under the final rule, even if they are otherwise considered applications under existing Regulation B. Specifically, the following do not constitute covered applications and are not reported pursuant to the final rule:
  • Reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts or a line increase
  • Inquiries and prequalification requests
  • Solicitations, firm offers of credit, and other evaluations (including evaluations for additional credit amounts or line increases) that the financial institution initiates, unless the financial institution invites the business to apply for the credit and the small business does so

A request from a small business for a refinancing is a reportable application, regardless of whether the small business requests additional credit amounts or a line increase, if the request is for an extension of business credit that is not otherwise excluded from coverage under the final rule and is made in accordance with the procedures the covered financial institution uses for the type of credit requested. 

(NOTE: The final rule treats amendments, renewals, and extensions that increase the credit line or credit amount of an existing transaction differently when determining the number of covered originations (for purposes of determining institutional coverage and compliance date tier) and when determining whether an application is reportable.)
V. Requirements to Collect and Report Data
Pursuant to the final rule, a covered financial institution is required to collect and report certain data regarding reportable applications (i.e., covered applications from small businesses).

First, the final rule requires a covered financial institution to report data points that the financial institution generates. For all reportable applications, these data points include:
  • A unique identifier
  • The application date
  • The application method (i.e., the means by which the applicant submitted its application)
  • The application recipient (indicating whether the application was received directly, or indirectly via an unaffiliated third party)
  • The action taken by the covered financial institution on the application
  • The action taken date

For reportable applications that are denied, there is an additional data point for denial reasons.

For reportable applications that are approved but not accepted or that result in an origination, there are additional data points for the amount approved or originated and for pricing information. The pricing information includes, as applicable, information regarding the interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

Second, the final rule requires a covered financial institution to report data points based on information that could be collected from the applicant or an appropriate third-party source. These data points include information specifically related to the credit being applied for and information related to the applicant’s business. These data points are:
  • Credit type
  • Credit purpose
  • The amount applied for
  • A census tract based on an address or location provided by the applicant
  • Gross annual revenue for the applicant's preceding fiscal year
  • A three-digit North American Industry Classification System (NAICS) code for the applicant
  • The number of people working for the applicant
  • The applicant's time in business
  • The number of the applicant's principal owners

Third, the final rule requires a covered financial institution to report certain data points based solely on the demographic information collected from an applicant. These data points are:
  • The applicant's minority-owned business status, women-owned business status and LGBTQI+-owned business status
  • The applicant's principal owners' ethnicity, race and sex

A covered financial institution is required to ask an applicant to provide this demographic information, and to report the demographic information solely based on the responses that the applicant provides for purposes of the final rule. However, a covered financial institution cannot require an applicant or other person to provide this demographic information. If the applicant fails or declines to provide the demographic information necessary to report a data point, the financial institution reports the failure or refusal to provide the information. Financial institutions are not required or permitted to report these data points based on visual observation, surname, or any other basis (including demographic information provided for other purposes). 

The final rule requires a covered financial institution to inform an applicant that the financial institution is not permitted to discriminate on the basis of an applicant’s responses about its minority-owned, women-owned, or LGBTQI+-owned business status, on the basis of responses about any principal owner’s ethnicity, race, or sex, or on the basis of whether the applicant provides this information. Covered financial institutions also must inform an applicant that the applicant is not required to answer the financial institution’s inquiry about the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses, or the inquiries about the principal owners’ ethnicity, race, or sex.

The final rule includes a sample data collection form that covered financial institutions can use to collect this demographic information from applicants and to provide these required notices (https://files.consumerfinance.gov/f/documents/cfpb_sbl_sample-data-collection-form.pdf). As illustrated in this form, covered financial institutions generally must collect principal owners’ ethnicity and race using aggregate categories and disaggregated subcategories. Covered financial institutions must allow applicants autonomy to describe a principal owner’s sex through free-form text or a verbal self-description.

Covered financial institutions cannot discourage applicants from responding to requests for applicant-provided data and must maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response. With regard to data collected directly from an applicant, these procedures must, at a minimum, have provisions to ensure that:
  • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application
  • The request for applicant-provided data is prominently displayed and presented
  • Applicants are not discouraged from responding to such requests
  • Applicants can easily respond to such requests

Additionally, covered financial institutions must maintain procedures to identify and respond to signs of potential discouragement, including low response rates for applicant-provided data. The final rule notes that low response rates may indicate discouragement or another failure by a covered financial institution to maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response. The final rule also addresses how a covered financial institution should report certain data if, despite having such procedures in place, it is unable to obtain the data from an applicant.

Covered financial institutions are permitted to rely on information provided by an applicant or appropriate third-party source, but a covered financial institution is required to report verified information if it chooses to verify applicant-provided information. (Covered financial institutions are not permitted to verify an applicant’s responses to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses, or about the principal owners’ ethnicity, race, or sex. These data points must be reported based solely on an applicant’s responses to the covered financial institution’s inquiries.)

The final rule permits the reuse of certain previously collected applicant-provided data in certain circumstances. Generally, a covered financial institution is permitted, but not required, to reuse certain previously collected applicant-provided data to satisfy the requirement to collect and report certain data points if: (1) the data were collected within thirty-six months of the current covered application (except that gross annual revenue must have been collected within the same calendar year as the current covered application); and (2) the financial institution has no reason to believe the data are inaccurate. A covered financial institution that decides to reuse previously collected data to report the time in business data point must update the previously collected data to reflect the passage of time since that data was collected. A covered financial institution may only reuse previously collected demographic information (data regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses or data regarding the principal owners’ ethnicity, race, or sex) if the data were previously collected pursuant to the final rule.
VI. Requirements to Report Data to the CFPB and Provisions Regarding Availability and Publication of Data
Generally, covered financial institutions must report data to the CFPB by June 1 of the year following the calendar year in which the financial institution collected the data (e.g., data collected for 2024 must be reported by June 1, 2025). Covered financial institutions submitting data to the CFPB must provide certain identifying information about themselves as part of their submissions. The CFPB has provided a Filing Instructions Guide, which contains additional information regarding the submission of data. It is available at https://www.consumerfinance.gov/data-research/small-business-lending/filing-instructions-guide/.

Subject to certain modifications or deletions that the CFPB determines would advance a privacy interest, data that financial institutions submit to the CFPB will be made available to the public on an annual basis. The CFPB will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data. 

The CFPB will announce the specific timing and method for issuing these determinations at a later date. Additionally, the CFPB anticipates that it will release higher-level, aggregate data before releasing application-level data. Any publication of aggregate data will be dependent on multiple factors, including privacy considerations, the volume of data received, and trends in the data received. 

The CFPB’s publication of data will satisfy covered financial institutions’ statutory obligation to make data available to the public upon request. More specifically, the final rule provides that a covered financial institution is required to make available to the public on its website, or otherwise upon request, a statement that the covered financial institution’s small business lending application register, as modified by the CFPB, is or will be available from the CFPB. The final rule includes language that a covered financial institution could use for this statement.
VII. Requirements to Limit Access to Certain Data
The final rule implements the statutory requirement to limit certain persons’ access to certain data. Accordingly, pursuant to the final rule, employees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application. This prohibition does not apply to an employee or officer if the covered financial institution determines that the employee or officer should have access to one or more applicants’ responses to these inquiries, and the covered financial institution provides a notice to the applicants whose responses will be accessed. Alternatively, a covered financial institution can provide the notice to a broader group of applicants, up to and including all applicants.

In addition, the final rule prohibits a covered financial institution or third party from disclosing this demographic information (i.e., minority-owned, women-owned, and LGBTQI+-owned business statuses and ethnicity, race, and sex information collected pursuant to the final rule) to other parties, except in limited circumstances.
VIII. Recordkeeping Requirements
The final rule has recordkeeping requirements, including a requirement to retain copies of small business lending application registers and other evidence of compliance for at least three years. It also includes a requirement to maintain an applicant’s responses to the final rule’s required inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding principal owners’ ethnicity, race, and sex separate from the rest of the application and accompanying information.
IX. Effective Date and Compliance Date Tiers
The final rule is effective August 29, 2023. However, compliance with the final rule is not required at that time. In order to determine when it must begin complying with the final rule, a financial institution must determine which compliance date tier applies to it. Generally, the compliance date tiers in the final rule differ depending on the number of covered originations that a financial institution originated in 2022 and 2023. Additionally, in order to be required to comply with the final rule in a given year, a financial institution must be a covered financial institution (as discussed above) for that year. Taken together, these two provisions in the final rule mean that:
  • A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024, if it originated at least 2,500 covered originations in both 2022 and 2023.
  • A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025, if it:
    • Originated at least 500 covered originations in both 2022 and 2023
    • Did not originate 2,500 or more covered originations in both 2022 and 2023
    • Originated at least 100 covered originations in 2024
  • A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026, if it originated at least 100 covered originations in both 2024 and 2025 but did not originate at least 500 covered originations in both 2022 and 2023.
X. Transitional Provision for Determining Number of Covered Originations
Some financial institutions may not be able to readily determine if transactions originated in 2022 or early 2023 are covered originations because they don’t know if a borrower is a small business as defined in the final rule. Thus, the final rule includes a transitional provision that financial institutions may use to determine the number of covered originations they originated in 2022 and 2023. A financial institution may rely on the transitional provision to determine the number of its covered originations for 2022 and/or 2023 if it did not collect sufficient information to determine if some or all borrowers were small businesses pursuant to the final rule or if such information is not readily accessible. Such an institution may count its covered originations for the last quarter of calendar year 2023 (October 1 through December 31) and then annualize the number of its covered originations based on this information. The financial institution could use this annualized number to determine its covered originations for 2022, 2023, or both years.

Financial institutions are also permitted to assume that all covered credit transactions originated during a calendar year were made to a small business for purposes of determining institutional coverage and compliance date tier pursuant to the final rule.

For example, if a financial institution currently does not obtain an applicant’s gross annual revenue or otherwise determine if an applicant had revenue of $5 million or less in its preceding fiscal year, it is not likely to know how many covered originations it had in 2022 and 2023. Pursuant to the final rule, the financial institution could obtain information about the borrower’s small business status for the covered credit transactions it originated on or after October 1, 2023. If the financial institution determines that it originated 90 covered credit transactions to small businesses between October 1 and December 31, 2023, the financial institution could use 360 as its annualized number of covered originations for 2023. The financial institution could also use this number for its covered originations for 2022. The financial institution would not be required to begin collecting data or otherwise complying with the final rule before January 1, 2026. 

Alternatively, the financial institution could assume that all of the covered credit transactions that it originated in 2022 and 2023 were made to a small business and, thus, are covered originations. For example, if the same financial institution originated 370 covered credit transactions in 2022, it is not required to begin collecting data or otherwise complying with the final rule before January 1, 2026.
XI. Limiting Access to Certain Data (Firewall)
The final rule implements the statutory requirement to limit certain persons’ access to certain data (i.e., the firewall). As a result, a covered financial institution should establish a process to ensure that demographic information, subject to the exception described below, is kept out of the hands of those with lending authority (an employee or officer “involved in making any determination” concerning a reportable application).

Pursuant to the final rule, employees and officers of a covered financial institution or its affiliates are prohibited from accessing an applicant’s response to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owner’s ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application. 

A. Activities that Do Not Constitute "Being Involved in Making a Determination"
  • Developing policies and procedures, designing or programming computer or other systems, or conducting marketing
  • Discussing credit products, loan terms, or loan requirements with a small business before it submits a reportable application
  • Making or participating in a decision after the covered financial institution has taken final action on the reportable application, such as a decision about servicing or collecting a covered credit transaction
  • Using a check box form to confirm whether an applicant has submitted all necessary documents or handling a minor or clerical matter during the application process, such as suggesting or selecting a time for an appointment with an applicant
  • Gathering information (including demographic information collected pursuant to the final rule) and forwarding the information or a reportable application to other individuals or entities
  • Reviewing the previously collected data to determine if it can be reused for a later reportable application pursuant to the final rule

B. Activities that Do Constitute "Being Involved in Making a Determination"
  • Making or participating in a decision to approve or deny a specific reportable application
  • Making or participating in a decision regarding the reason(s) for denial of a reportable application
  • Making or participating in a decision that a guarantor or collateral is required in order to approve a specific reportable application
  • Making or participating in a decision regarding the credit amount or credit limit that will be approved for a specific reportable application
  • Making or participating in a decision to set one or more of the other terms that will be offered for a specific covered credit transaction. This includes, but is not limited to, making or participating in a decision regarding the interest rate, the loan term, or the payment schedule that will be offered for a specific covered credit transaction
  • Recommending that another decision maker approve or deny a specific reportable application, provide a specific reason for denying a reportable application, require a guarantor or collateral in order to approve a reportable application, approve a credit amount or credit limit for a covered credit transaction, set one or more other terms for a covered credit transaction, make a counteroffer regarding a reportable application, or set a specific term for such a counteroffer

C. Exception to Firewall
The final rule provides for an exception to the firewall if the bank determines the “employee or officer should have access to one or more applicant responses.” There are times an “employee or officer is assigned one or more job duties that may require the employee or officer to collect, see, consider, refer to, or otherwise use information subject to the prohibition.” Where the bank deems the employee or officer should have access, the bank must provide “a notice to the applicants whose responses will be accessed” or to a broader group of applicants, “up to and including all applicants.”
XII. Safe Harbors and Other Provisions
The final rule also includes provisions regarding enforcement, bona fide errors, and safe harbors. It has safe harbors for certain incorrect entries of census tracts, NAICS codes, and application dates. It also has a safe harbor regarding incorrect determinations of small business status, covered credit transactions, and covered applications. For example, if a covered financial institution initially determines that an applicant for a covered credit transaction is a small business, but then later concludes the applicant is not a small business, the covered financial institution would not be in violation of ECOA or the final rule if, at the time it collected the demographic data required by the final rule, it had a reasonable basis for believing that the application was from a small business. In this situation, the covered financial institution is not required to report the application but is nonetheless required to comply with certain other provisions of the final rule in order to avail itself of this safe harbor.
XIII. Section 1071 Frequently Asked Questions
The CFPB has published a series of frequently asked questions, which can be accessed at https://www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-resources/small-business-lending-collection-and-reporting-requirements/small-business-lending-rule-faqs/.
The foregoing Compliance Update is for informational purposes only, and does not constitute legal advice. As a reminder, the NBA general counsel is the attorney for the Nebraska Bankers Association, not its member banks. The general counsel is available to assist members with finding resources to help answer their questions. However, for specific legal advice about specific situations, members must consult and retain their own attorney.
