CFPB Issues Small Business Loan Data Collection Final Rule – Significant Changes in Final Rule
On March 30, 2023, the CFPB issued its long-awaited final rule implementing Dodd-Frank Act section 1071, which creates a small business loan data collection and reporting requirement under ECOA. We wrote about the proposed rule here. This final rule has some significant changes from the proposal. This rule will be used by the government to enforce fair lending laws, including redlining, against small business lenders. In addition, the rule represents a substantial implementation cost (and headache) and ongoing compliance burden. Please find below a brief overview of a few aspects of the final rule, and a few thoughts.
1. Implementation Period
The rule will become effective 90 days after publication in the Federal Register. But the implementation period is much longer. There is a staggered period of mandatory compliance dates based on loan volume.
· October 1, 2024 for covered financial institutions that originated at least 2,500 covered transactions to small businesses in each of 2022 and 2023.
· April 1, 2025 for covered financial institutions that originated at least 500 covered transactions to small businesses in each of 2022 and 2023.
· January 1, 2026 for covered financial institutions that originated at least 100 covered transactions to small businesses in each of 2022 and 2023.
Such financial institutions can begin collecting the minority, women, and/or LGBTQI+ status and the race/ethnicity/sex information 12 months prior to the applicable compliance date. Also, a financial institution that did not collect sufficient information to determine small-business status in 2022 and 2023 is permitted to use a reasonable method to estimate the numbers.
Financial institutions that did not originate at least 100 covered transactions in each of 2022 and 2023, but subsequently originate at least 100 transactions in two consecutive calendar years must comply, but no earlier than January 1, 2026.
2. Who and What Loans Are Subject?
The rule applies to “covered financial institutions,” which is defined broadly to mean essentially any entity that engages in any financial activity, that originated at least 100 “covered credit transactions for small businesses” in each of the two preceding calendar years.
The rule applies to “covered applications” from “small businesses” for “covered credit transactions,” which is business credit, subject to exclusions for certain types of credit. “Small business” is defined to cross-reference the term “small business concern” in 15 U.S.C. § 632(a), as implemented in 13 CFR § 121.101 through 121.107. But the rule says a business counts as a small business if its gross annual revenue, as defined in § 1002.107(a)(14), for its preceding fiscal year is $5 million or less, which figure will be adjusted every 5 years for inflation. The forms of business credit that are excluded are trade credit, HMDA-reportable loans, insurance premium financing, public utilities credit, securities credit, and incidental credit.
3. What data must be collected and reported?
The rule requires covered financial institutions to collect about twenty data points for each small business loan application. A very general overview of the required data is below:
1. Unique identifier for the specific transaction, starting with a legal entity identifier (LEI)
2. Application date – the date the application was received, or the date shown on the form
3. Application method – whether the application was submitted directly or indirectly
4. Application recipient – whether the application was submitted directly or through a third party
5. Credit type - the credit product, the types of guarantees obtained, and the loan term
6. Credit purpose – the purpose of the credit
7. Amount applied for – the amount of credit or credit limit requested
8. Amount approved or originated – the amount approved but not accepted, or originated
9. Action taken – whether the application was originated, approved but not accepted, denied, withdrawn by the applicant, or incomplete
10. Action taken date – the date of the action taken
11. Denial reasons – the principal reasons the application was denied
12. Pricing information – interest rate, total origination charges, broker fees, initial annual non-interest charges, additional cost information for merchant cash advances or other sales-based financing, prepayment penalties
13. Census tract – where the funds will be principally applied, or if unknown the address of the business
14. Gross annual revenue – the applicant’s gross annual revenue for the preceding fiscal year
15. NAICS code – the 3-digit NAICS code for the applicant
16. Number of workers – the number of non-owners working for the applicant
17. Time in business – the time the applicant has been in business
18. Minority-owned, women-owned, and LGBTQI+-owned business status – the applicant must also be informed that the financial institution cannot discriminate based on this information
19. Ethnicity, race, and sex of the principal owners – the applicant must also be informed that the financial institution cannot discriminate based on this information
20. Number of principal owners – the number of principal owners
Note that, as with the HMDA rule, the specific information that must be collected and reported is discussed in very detailed commentary to the rule. The requirements are also fleshed out more in the filing guide produced by the CFPB, which is available here.
Financial institutions can rely on information provided by the applicant, but if the financial institution verifies applicant-provided data, it must report the verified data. Financial institutions are also prohibited from discouraging applicants from responding to requests for information, and must maintain procedures to collect the information in a manner reasonably designed to obtain a response.
The rule requires reporting of information on or before June 1 for the previous calendar year’s data, and an authorized representative of the financial institution must certify to the accuracy and completeness of the data.
4. Demographic Information - Final Rule Adds LGBTQI+ Data
Significantly, as I discuss below, the final rule was expanded from the proposal to require collection and reporting of data on the LGBTQI+ status of the business and principal owners. The final rule utilizes sample data collection forms for the demographic information that were also modified from the proposal in a few ways.
With respect to the ownership status of the small business, of note is that the proposed rule only required collection of information on the minority and women-owned status of the business. The final rule expands that requirement to include “LGBTQI+-owned” business status. The final rule defines “LGBTQI+ individual” as an “individual who identifies as lesbian, gay, bisexual, transgender, queer, or intersex.” Whether a business counts as minority, women, or LGBTQI+-owned is defined as when more than 50 percent of the ownership or control is held by one or more such individuals, and more than 50 percent of its net profits or losses accrue to one or more such individuals. The CFPB stated that it expanded the rule to cover LGBTQI+-owned business status because “the Bureau believes that LGBTQI+-owned businesses may experience particular challenges accessing small business credit.” At the same, however, the CFPB “acknowledges commenters’ concerns that requesting information as to whether applicants are LGBTQI+-owned businesses could be offensive, be considered an invasion of privacy by applicants, or damage bank-customer relationships.” But the CFPB pointed to the language in its sample data collection form for this information as mitigating that reaction.
With respect to race and ethnicity data requirements, there is some similarity to the aggregate and disaggregated categories in the current HMDA rule. But there are some differences, and some new decisions by the CFPB in this final rule regarding race and ethnicity categories. There is discussion in the preamble about the CFPB’s decisions on which specific aggregate and disaggregated categories to include in the final rule, especially those that are different from the HMDA rule. For example, the CFPB had sought comment in the proposal on whether it should add an additional category for Middle Eastern or North African, but decided not to collect data on “Middle Eastern or North African populations at this point in time, whether as an aggregate ethnicity or race category, a disaggregated ethnicity or race subcategory, or through some other inquiry, due to uncertainty about how a Middle Eastern or North African category should be defined.” But the CFPB did add disaggregated categories to the Black or African American aggregate category that do not appear in the HMDA rule, as it has proposed. The CFPB stated that, “the Bureau believes it is important to collect information about principal owners that identify with subgroups within the Black or African American community, particularly as the Black or African American community in the United States diversifies.” The disaggregated categories are African American, Ethiopian, Haitian, Jamaican, Nigerian, Somali, and Other (with examples of “Barbadian, Ghanaian, South African, and so on”). Also of note, the CFPB did not include a requirement for financial institutions to report ethnicity or race based on visual observation or surname.
With respect to the sex data requirements, the proposed sample data collection form was modified to account for LGBTQI+ reporting. The proposed sample data collection form asked for principal owners’ “sex,” and had the categories: Male, Female, and “the applicant prefers to self-describe their sex” with a free-form text field. The final rule’s sample data collection has a couple changes from the proposal. First, the final sample data collection form asks for the owners’ “sex/gender” instead of only the “sex.” Second, the form eschews the “Male” and “Female” categories used in the proposal and only contains one free-form text field. The CFPB stated that it “interprets ECOA’s and Regulation B’s prohibitions against discrimination on the basis of ‘sex’ to include discrimination based on sexual orientation and gender identity.” Regarding this change, the CFPB stated that it, “believes that an approach that allows principal owners to designate their sex/gender with the ability to write-in or provide additional information (such as in a free-form field on a paper or electronic form) will encourage applicant self-identification using terminology that may change over time.” Regarding concerns about free-form text field leading to data analysis issues, the CFPB stated that, “some commenters expressed concerns that collecting data via write-in text fields may lead to data analysis issues. The Bureau anticipates that its review of responses to the sex/gender inquiry will result in data that could be used by the Bureau and other regulators and, once grouped into categories, publicly released subject to any necessary modifications or deletions for privacy purposes.”
Note that the commentary and filing guide contain detailed requirements regarding how the race, ethnicity, and sex/gender information must be collected.
5. Some Thoughts
The implementation of this rule will be a huge undertaking for small business lenders. For entities that may become subject to the rule’s requirements next year, the time to begin analyzing and understand the rule is now. Also, the devil is in the details. The commentary and the filing guide will be important to carefully review.
In addition, the rule will be used by the government and the public for fair lending enforcement purposes. It will also be prudent for small business lenders to analyze their fair lending risks and understand what their data may show before the government gets its hands on it. We believe it is likely that the government, including the CFPB, will use this dataset to support redlining claims against small business lenders. Lenders should also note this rule’s expansion to address specifically LGBTQI+ issues, which could indicate that this is a priority area for the CFPB.
It will also be important which data the CFPB will make public from the dataset, which is not specified in this rule (although the CFPB did incude a preliminary assessment of privacy risks from some data points is in the preamble, which states the CFPB’s intention to include the demographic information, including the free-form sex data in some form, in the public data). The CFPB stated that it will determine what, if any, modifications and deletions to the public data are appropriate for privacy concerns after it obtains a full year of data. I hope to cover this issue in a future blog post.
Finally, it will be interesting to see if this rule will be challenged. As we’ve written about before here, the Supreme Court will hear a case next term on whether the CFPB’s funding structure is unconstitutional. This could provide a legal mechanism to challenge this rule.
There are other parts of the rule that we have not addressed in this blog post. You can find the final rule here. Please contact me at rich@garrishorn.com to discuss any of the issues in this post, other parts of the final rule, or other fair lending matters.