CFPB Finalizes Rule on Small Business Lending Data CollectionApril 11, 2023
The Consumer Financial Protection Bureau (“CFPB”) has issued the long-awaited Small Business Lending Rule (“Final Rule”), which implements the small business lending data collection requirements set forth in section 1071 of the Dodd-Frank Act. Under the Final Rule, covered financial institutions are required to collect and report information about the small business credit applications they receive, including geographic and demographic data, lending decisions, and the price of credit.
A summary of the Final Rule is set forth below, including when compliance is required. The applicable compliance date will depend on the number of covered originations that a covered financial institution originated in 2022 and 2023.
I. Key Definitions
Covered Financial Institution
The Final Rule applies to “covered financial institutions.” As defined in Section 1002.105(a), a “financial institution” is any entity that engages in financial activity and includes both depository institutions and non-depository institutions such as online lenders, platform lenders, lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), and commercial finance companies. A “covered financial institution” is defined in Section 1002.105(b) as a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.
Section 1002.106(b) defines a “small business” as having the same meaning as a “small business concern” in the Small Business Act (“SBA”) and that had gross annual revenue in the prior calendar year of $5 million or less. The gross revenues threshold is to be adjusted for inflation every five years. Additionally, non-profit organizations and governmental entities are not small businesses pursuant to the Final Rule because they do not satisfy the SBA’s definition of small business concern. Therefore, covered financial institutions are not required to report data regarding applications from such businesses and entities.
A “covered application” is an oral or written request for a covered credit transaction that is made in accordance with procedures used by the financial institution for the type of credit requested. Excluded from that definition pursuant to Section 1002.103(b) are (1) reevaluation, extension, or renewal requests on an existing business account, unless the request seeks additional credit, and (2) inquiries and prequalification requests.
Covered Credit Transaction
Generally, a “covered credit transaction” is an extension of business credit under Regulation B. Section 1002.104 defines a “covered credit transaction” as an extension of credit primarily for business or commercial (including agricultural) purposes, but excluding (1) trade credit, (2) transactions reportable under the Home Mortgage Disclosure Act (“HMDA”), (3) insurance premium financing, (4) public utilities credit, (5) securities credit, and (6) incidental credit.
A “covered origination” is a covered credit transaction that the financial institution originated to a small business. The term “covered origination” is used to determine institutional coverage (i.e., whether a financial institution is a covered financial institution) and the applicable compliance date (discussed below).
II. Requirements to Collect and Report Data
Pursuant to the Final Rule, a covered financial institution is required to collect and report certain data regarding reportable applications (i.e., covered applications from small businesses).
First, the Final Rule requires a covered financial institution to report data points that the financial institution generates. For all reportable applications, these data points include:
- A unique identifier;
- The application date;
- The application method (i.e., the means by which the applicant submitted its application);
- The application recipient (indicating whether the application was received directly, or indirectly via an unaffiliated third party);
- The action taken by the covered financial institution on the application; and
- The action taken date.
Please note that for reportable applications that are denied, there is an additional data point for denial reasons. As for reportable applications that are approved but not accepted or that result in an origination, there are additional data points for the amount approved or originated and for pricing information.
Second, the Final Rule requires a covered financial institution to report data points based on information that could be collected from the applicant or an appropriate third-party source (e.g., business information products). These data points include information specifically related to the credit being applied for and information related to the applicant’s business. These data points include:
- Credit type;
- Credit purpose;
- The amount applied for;
- A census tract based on an address or location provided by the applicant;
- Gross annual revenue for the applicant’s preceding fiscal year;
- A three-digit North American Industry Classification System (“NAICS”) code for the applicant;
- The number of people working for the applicant;
- The applicant’s time in business; and
- The number of the applicant’s principal owners.
Third, the Final Rule requires a covered financial institution to report certain data points based solely on the demographic information collected from an applicant. These data points are:
- The applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status; and
- The applicant’s principal owners’ ethnicity, race, and sex.
Please note that a covered financial institution is required to ask an applicant to provide this demographic information, and to report the demographic information solely based on the responses that the applicant provides for purposes of the Final Rule. However, a covered financial institution cannot require an applicant or other person to provide this demographic information. Covered financial institutions are not required or permitted to report these data points based on visual observation, surname, or any other basis (including demographic information provided for other purposes).
Additionally, the Final Rule requires a covered financial institution to inform an applicant that the financial institution is not permitted to discriminate on the basis of an applicant’s responses about its minority-owned, women-owned, or LGBTQI+-owned business status, on the basis of responses about any principal owner’s ethnicity, race, or sex, or on the basis of whether the applicant provides this information. Covered financial institutions also must inform an applicant that the applicant is not required to answer the financial institution’s inquiry about the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses, or the inquiries about the principal owners’ ethnicity, race, or sex.
Lastly, covered financial institutions must maintain procedures to identify and respond to signs of potential discouragement, including low response rates for applicant-provided data.
III. Reporting Data to the CFPB
The data required to be collected under the Final Rule is to be reported by each covered financial institution to the CFPB annually. The data is due on or before June 1 following the calendar year for which data are compiled and maintained, and is to be submitted on a small business lending application register in the format prescribed by the CFPB. An authorized representative of the covered financial institution with knowledge of the data must certify to the accuracy and completeness of the data reported.
IV. Requirements to Limit Access to Certain Data
The Final Rule implements the statutory requirement to limit certain persons’ access to certain data (i.e., the firewall). Employees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application.
This prohibition does not apply to an employee or officer if the covered financial institution determines that the employee or officer should have access to one or more applicants’ responses to these inquiries, and the covered financial institution provides a notice to the applicants whose responses will be accessed.
V. Recordkeeping Requirements
The Final Rule has recordkeeping requirements, including a requirement to retain copies of small business lending application registers and other evidence of compliance for at least three years. It also includes a requirement to maintain an applicant’s responses to the Final Rule’s required inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding principal owners’ ethnicity, race, and sex separate from the rest of the application and accompanying information.
VI. Grace Period
The Final Rule includes a transitional provision that financial institutions may use to determine the number of covered originations they originated in 2022 and 2023. A financial institution may rely on the transitional provision to determine the number of its covered originations for 2022 and/or 2023 if the institution did not collect sufficient information to determine if some or all borrowers were small businesses pursuant to the Final Rule or if such information is not readily accessible.
VII. Safe Harbors and Other Provisions
The Final Rule also includes provisions regarding enforcement, bona fide errors, and safe harbors. It has safe harbors for certain incorrect entries of census tracts, NAICS codes, and application dates. It also has a safe harbor regarding incorrect determinations of small business status, covered credit transactions, and covered applications.
VIII. Compliance Dates
The dates by which a covered financial institution is initially required to comply with the requirements of the Final Rule are based on the number of covered credit transactions originated in 2022 and 2023. The breakdown is as follows:
- 114(b)(1). A covered financial institution that originated at least 2,500 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply with the requirements beginning October 1, 2024.
- 114(b)(2). A covered financial institution that is not subject to (b)(1) above and that originated at least 500 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply with the requirements beginning April 1, 2025.
- 114(b)(3). A covered financial institution that is not subject to (b)(1) or (2) above and that originated at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply with the requirements beginning January 1, 2026.
- 114(b)(4). A financial institution that did not originate at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 but subsequently originates at least 100 such transactions in two consecutive calendar years shall comply with the requirements, but in any case, no earlier than January 1, 2026.
The CFPB has stated that it intends to focus its supervisory and enforcement activities in connection with the Final Rule on ensuring that lenders do not discourage small business loan applicants from providing responsive data, including responses to the requests to provide demographic information about their ownership. Therefore, financial institutions covered by the Final Rule should further study and begin implementing this rule as soon as possible.
This advisory is a general overview of the Final Rule and is not intended as legal advice. The Final Rule is very detailed and must be reviewed in its totality.
If you have any questions about the Final Rule, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at firstname.lastname@example.org, Kevin Patterson at (516) 296-9196 or via email at email@example.com, Elizabeth A. Murphy at (516) 296-9154, or via email at firstname.lastname@example.org, or Gabriela Morales at (516) 357-3850 or via email at email@example.com.
 A “small-business concern” is generally a business deemed to be one which is independently owned and operated and which is not dominant in its field of operation. 15 U.S.C. 632.