The Consumer Financial Protection Bureau (CFPB) issued a final rule to require certain financial institutions to collect, and report to the CFPB, data on small business credit applications. The rule amends the CFPB's Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) required by Section 1071 of the Dodd-Frank Act.
Industry-driven solutions to data collection so that groups of financial institutions and third parties, including industry associations, can develop technologies to assist in lenders' collection and reporting of data.
The fact sheet notes that the final rule is intended to foster transparency and accountability by requiring financial institutions to collect and disclose data about small business loan recipients' race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing.
The information to be provided to the CFPB will be compiled in a comprehensive, publicly available database to help policymakers, borrowers, and lenders better address economic development needs and adapt to future challenges.
Covered Financial Institutions
The final rule applies Section 1071's requirements to any covered financial institution that both:
Engages in any financial activity.
In each of the two preceding calendar years originates to small businesses (see Small Businesses Under the Final Rule) at least 100 credit transactions that are covered by the final rule (see Covered Credit Transactions) (origination threshold). The origination threshold represents an increase from the 25 credit transactions in the proposed rule.
Depository and non-depository community development financial institutions.
Lenders involved in equipment and vehicle financing.
Farm credit system lenders.
Commercial finance companies.
Merchant cash advance providers.
Governmental lending entities.
The final rule applies to both traditional banks and credit unions, as well as non-banks.
Small Businesses Under the Final Rule
Under the final rule, a small business is a small business concern as defined in 15 U.S.C. § 632(a), as implemented by regulations issued by the US Small Business Administration (SBA) in 13 C.F.R. §§ 121.101 to 121.107. However instead of using the SBA's size standards, the final rule defines a business as small if it had $5 million or less in gross annual revenue for its preceding fiscal year. Every five years after January 1, 2025, the CFPB will adjust the gross annual revenue threshold based on changes to the Consumer Price Index for all Urban Customers, rounded to the nearest multiple of $500,000.
Under the final rule, a covered financial institution may rely on an applicant's representations regarding its gross annual revenue to determine if it is a small business. However, if the covered financial institution verifies, or receives updated information regarding, an applicant's gross annual revenue, the covered financial institution must use the verified or updated information when determining small business status.
Covered Credit Transactions
The final rule requires a covered financial institution to collect and report data and satisfy other requirements for any oral or written requests (covered applications) for business credit (as defined in Regulation B) for small businesses (covered credit transaction), including those businesses owned by:
Minorities. The final rule defines minorities as individuals who are:
American Indian or Alaska Native;
Black or African American;
Native Hawaiian or Other Pacific Islander; or
Hispanic or Latino.
Individuals who identify as lesbian, gay, bisexual, transsexual, queer, or intersex (LGBTQI+).
A business is owned by women, minorities, or LGBTQI+ individuals if they hold more than 50% of the business's ownership or control and more than 50% of the business's net profits or losses accrue to them.
Under the final rule:
A covered application excludes:
any revaluation, extension, or renewal request on an existing business credit unless the request seeks additional credit;
inquiries and prequalification requests; and
solicitations, firm offers of credit, and other evaluations initiated by a financial institution unless the financial institution invites a business to apply for, and the business applies for, credit.
However, a small business's request for a refinancing is a covered application if it is for a covered credit transaction, whether the small business asks for additional credit amounts or a line increase.
Covered credit transactions include loans, lines of credit, credit cards, and merchant cash advances (including credit transactions for agricultural purposes). However, covered credit transactions exclude:
insurance premium financing (that is, a financing arrangement under which a business agrees to repay a financial institution the proceeds advanced to an insurer to pay the premium on the business's insurance contract and the business assigns certain rights, obligations, or considerations in the insurance contract to the financial institution as security for repayment of the advanced proceeds);
consumer-designated credit used for business or agricultural purposes; and
purchases of an interest in a pool of credit transactions and of partial interests in a credit transaction (for example, through a loan participation agreement).
Data to Be Collected and Reported
For each covered application from a small business, the final rule requires a covered financial institution to collect and report data that:
A financial institution generates or provides, including:
a unique identifier for the covered application or covered credit transaction;
the application date;
how the small business submitted the covered application;
whether the covered application was received directly or indirectly through an unaffiliated third party;
the action taken by the covered financial institution;
the action taken date;
for a denied covered application, the denial reasons; and
for an originated or approved covered application that was not accepted by the small business, the amount approved and the pricing information (including the interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties).
A small business could provide, or a covered financial institution could determine by reviewing information provided by the small business or a third party, including information related to the credit being applied for and to the small business.
The final rule requires the following information relating to the credit being applied for:
the credit type (including the credit product, types of guarantees, and loan term);
the credit purpose; and
the amount applied for.
The final rule requires the following information relating to the small business:
a census tract based on an address or location provided by the small business;
the small business's gross annual revenue for its preceding fiscal year;
the number of the small business's non-owner workers;
the small business's time in business; and
the number of principal owners of the small business. A principal owner is an individual who directly owns at least 25% of the small business's equity.
Based solely on information collected from the small business, address the demographics of the small business and its principal owners (demographic information), including:
the small business's minority-owned, women-owned, or LGBTQI+-owned business status; and
the principal owners' ethnicity, race, and sex. Financial institutions must collect the information on a principal owner's ethnicity and race using aggregated categories and disaggregated subcategories. For information about a principal owner's sex, a financial institution must use the term "sex/gender" when requesting this information and must allow small businesses to describe a principal owner's sex through free-form text or verbal self-description when collecting this information.
A covered financial institution must ask the small business to provide demographic information and must report it based solely on the small business's responses. In a change from the proposed rule, if the small business does not provide demographic information, the covered financial institutions cannot permit or require the reporting of demographic information based on visual observation, surname, or any other basis.
When it requests a small business to provide demographic information, a covered financial institution must inform an applicant that:
the financial institution may not discriminate based on the small business's responses; and
the small business is not required to answer the financial institution's inquiry for demographic information.
The final rule includes a sample data collection form that a financial institution can (but is not required to) use to collect the demographic information and to provide the required notices.
The final rule:
Requires covered financial institutions to maintain procedures to collect data to be provided by a small business at a time and in a manner that is reasonably designed to obtain a response, including:
making the initial request for the information before notifying a small business of the final action on its application;
displaying and presenting the request prominently;
not discouraging responses to the request; and
allowing a small business to easily respond to the request.
It also addresses how covered financial institutions should report data they cannot obtain from a small business despite these procedures.
Prohibits covered financial institutions from discouraging a small business from responding to a request for information to be provided by it. A covered financial institution must maintain procedures to identify and respond to signs of possible discouragement, such as a low response rate to a request for information. The enforcement policy statement:
explains how a covered financial institution can identify and respond to possible indications of discouragement; and
indicates the CFPB's intention to focus its enforcement and supervisory work on covered financial institutions' compliance with this prohibition.
Permits covered financial institutions to rely on written or oral statements and on information provided by a small business. However, if a covered financial chooses to verify the information institution, it must report the verified information.
Permits a covered financial institution to reuse previously collected information provided by a small business if:
it collected the information within 36 months of the small business's current application (or, for annual gross revenue information, in the same calendar year as the application); and
the covered financial institution has no reason to believe the information is inaccurate.
If a financial institution reuses previously collected information about a small business's:
time in business, it must update this information to reflect the passage of time since it collected this information; or
demographic information, it must have collected this information under the final rule.
Reporting of Collected Data
The final rule requires a covered financial institution to:
Collect data on a calendar-year basis and report it to the CFPB by June 1 of the following calendar year.
Make available to the public on its website, or otherwise on request, a statement that the covered financial institution's collected small business data, as modified by the CFPB to protect privacy interests, is or will be available on the CFPB's website. The final rule includes a sample of such a statement.
Under regulators' Community Reinvestment Act proposal, reporting under the final rule will satisfy Community Reinvestment Act reporting requirements.
The CFPB will make the reported data publicly available on an annual basis. The CFPB's publication of this data will satisfy a covered financial institution's obligation to make this data publicly available on request.
Limited Access to Certain Data
The final rule prohibits an employee or officer of a covered financial institution from accessing a small business's responses to inquiries for its demographic information if the person is involved in making any determination regarding the small business's covered application. However, such a person may access these responses if the covered financial institution both:
Determines that the employee or officer must have access to the demographic information.
Provides the small business with a notice about the access.
The final rule also prohibits a covered financial institution's or third party's disclosure of demographic information to other parties, except in limited circumstances.
Covered financial institutions must:
Retain evidence of compliance, including a copy of small business lending application registers, for at least three years.
Segregate a small business's responses to inquiries for its demographic information from the rest of the small business's application and accompanying information.
Final Rule Safe Harbors
The final rule includes safe harbors for:
Incorrect entries of census tracts, NAICS codes, and application dates.
Incorrect determinations of small business status.
The CFPB notes that if a covered financial institution initially determines an applicant for a covered credit transaction is a small business but later concludes it is not a small business, the covered financial institution would not violate ECOA or the final rule if, when it collected the small business's demographic information, it had a reasonable belief that a small business submitted the application. Although the covered financial institution does not need to report this demographic information, it must comply with other provisions of the final rule.
In addition, covered financial institutions will have a 12-month grace period during which the CFPB will not assess penalties for errors in data reporting, and the CFPB will conduct examinations only to assist institutions in diagnosing compliance weaknesses, to the extent that these institutions engaged in good faith compliance efforts.
Final Rule Effective Date and Compliance Dates
The final rule will be effective August 29, 2023. However, the final rule contains a variety of "compliance date tiers" that differ depending on the number of covered credit transactions to small businesses (covered originations) a financial institution originated in 2022 and 2023. As set out in the final rule, a covered financial institution must begin collecting data and otherwise complying with the final rule on:
October 1, 2024, if it originated at least 2,500 covered originations in both 2022 and 2023.
April 1, 2025, if it:
originated at least 500 covered originations in both 2022 and 2023;
did not originate 2,500 or more covered originations in both 2022 and 2023; and
originated at least 100 covered originations in 2024.
January 1, 2026, if it originated at least 100 covered originations in both 2024 and 2025.
Lenders with less than 100 covered originations must comply with fair lending laws.
The final rule also contains a transitional provision that a financial institution can use to determine how many covered originations it originated in 2022 or 2023 if it did not collect sufficient information to determine if some or all borrowers were small businesses under the final rule or if such information is not readily accessible. Under this transitional provision, a covered financial institution may count the number of its covered originations during the last quarter of 2023 and then annualize this number to come up with its covered originations for 2022 and 2023.
In addition, covered financial institutions may assume that all covered credit transactions originated in a calendar year were made to small businesses to determine its compliance date tier.
A financial institution may begin collecting demographic information before the compliance date.
The CFPB intends to issue a supplementary proposal that would, if finalized, provide additional implementation time for small lenders that have demonstrated high levels of success in serving their local communities, as measured by their performance under relevant frameworks like the Community Reinvestment Act and similar state laws.