On March 30, after years of rulemaking efforts, the Consumer Financial Protection Bureau (CFPB) issued a final rule implementing Section 1071 of the Dodd-Frank Act. Small business lenders, if they haven’t already, must put in place rigorous data collection techniques, implement security firewalls, and update employee training by their listed compliance date.
Overview
The final rule requires lenders to collect and report data on small business loan applications, including applications from minority-owned, women-owned, and LGBTQI+-owned small businesses. The CFPB’s rule creates the first comprehensive database of small business credit applications in the United States. With Section 1071, the CFPB intends to enable governmental entities, communities, and creditors to identify business and community development needs and opportunities for minority-owned, women-owned, and LGBTQI+-owned small businesses and, perhaps most important here, to facilitate enforcement of federal and state fair-lending laws.
Significant changes appear in the final rule, including the exemption of HMDA/Regulation C-reportable transactions, detailed compliance guidance, increases to the minimum threshold of covered credit transactions, the addition of reporting on LGBTQI+-owned businesses, and clarity surrounding timing and implementation of the data collection and reporting requirements.
Scope
The rule applies to “covered financial institutions,” a term defined to include any financial institution (FI) that originated at least 100 (previously 25) “covered credit transactions” to “small businesses” in each of the two preceding calendar years. The term “covered credit transactions” includes all business credit, including “loans, lines of credit, credit cards, and merchant cash advances” except as explicitly excluded. Factoring, leases, consumer-designated credit transactions, trade credits, or the purchase of an originated credit transaction are not considered covered credit transactions.
Under those definitions, the rule’s requirements apply to a variety of entities that engage in small business lending if they satisfy the origination threshold, including depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, commercial finance companies, governmental lending entities, and nonprofit lenders.
Compliance Implementation Phases
The rule is effective 90 days after it’s published in the Federal Register and adopts a tiered approach to compliance dates, determined by the number of covered credit transactions (CCTs) for small businesses. The compliance date is the date when the FI must begin to collect data, comply with the firewall requirement, and begin to maintain records as detailed below:
| No. of Covered Credit Transactions | Compliance Date | Reporting Date |
| --- | --- | --- |
| ≥ 2,500 CCTs in 2022-2023 | October 1, 2024 | June 1, 2025 (reporting data collected Oct.-Dec. 2024) |
| ≥ 500 CCTs in 2022-2023 | April 1, 2025 | June 1, 2026 (reporting data collected Apr.-Dec. 2025) |
| ≥ 100 CCTs in 2022-2023 | January 1, 2026 | June 1, 2027 (reporting data collected calendar year 2026) |
Requirements
The nearly 900-page final rule requires covered FIs to collect and report data regarding any “covered application” from any “small business.” The term “covered application” is defined to include any oral or written request for a covered credit transaction, but does not include any inquiries or prequalification requests, solicitations, or requests for reevaluation, extension, or renewal, unless the request seeks additional credit amounts. The term “small business” is defined to include any business whose gross annual revenue for the preceding fiscal year was $5 million or less, but the CFPB reserves the right to adjust this definition for inflation every 5 years.
Data Generated by the FI. Covered FIs are required to generate and collect data, including certain information that they already generate pursuant to Regulation C. For instance, they must generate a unique identifier for each covered application or covered credit transaction and provide information about the application method (i.e., the means by which the applicant submitted its application), the application submitter (i.e., whether the application was submitted directly by the applicant or indirectly via an unaffiliated third party), the action taken on the application (i.e., granted or denied), and the date the action was taken. In addition, covered FIs must now provide additional information about denied applications (i.e., the reason for the denial) and about granted applications (i.e., the amount approved or originated and pricing information, including the interest rate, total origination charges, broker fees, initial annual charges, additional cost for MCAs or other sales-based financing, and prepayment penalties).
Data Collected About the Applicant. Covered FIs are also required to collect data from applicants, including information about the type, intended use, and amount of the credit sought as well as geographic data and information about the applicant’s status as a minority-owned, women-owned, or LGBTQI+-owned small business and about the demographics (i.e., ethnicity, race, and sex) of the applicant’s principal owners. Notably, the CFPB removed the proposed requirement that the FI report on the applicant’s race and ethnicity, if not self-reported by the applicant, via visual observation and surname analysis.
Reporting. Covered FIs are required to collect the required data on a calendar-year basis and report to the CFPB by June 1 of the following year. The CFPB plans to make the submitted data available to the public annually, with some modifications or deletions to protect privacy, which will be addressed after one year of data collection. Additionally, the FI is required to post a statement on its public-facing website that its small business lending application registry is available on the CFPB’s website. Relatedly, the CFPB stated its intention to consider good faith efforts to comply with the rule and will not generally assess penalties for errors in data reporting. Along those lines, the CFPB also published a Filing Instructions Guide, an executive summary, and other resources to help financial institutions understand and comply with the final rule.
Firewall. Covered FIs must create a firewall, intended to limit certain employees’ and officers’ access to certain data. In a nutshell, and subject to a limited exception, employees or officers who are involved in making any determination concerning covered applications are prohibited from accessing information about the applicant’s status as a minority-owned, women-owned, or LGBTQI+-owned small business or about the demographics (i.e., ethnicity, race, and sex) of the applicant’s principal owners.
Recordkeeping. Covered FIs are required to retain evidence of their compliance with the rule for at least three years, and must maintain an applicant’s responses to the Section 1071 inquiry separate from other information related to the applicant’s application.
Key Takeaways
The CFPB’s final rule implementing Section 1071 of the Dodd-Frank Act creates significant new compliance obligations and requires lenders to make substantial operational changes, to the extent they have not already done so. Moreover, the rule requires lenders to make data publicly available that regulators and class-action plaintiffs’ attorneys might then use to initiate investigations, bring real (or frivolous) lawsuits alleging federal or state fair-lending law violations, and bring third-party challenges to regulatory approval for proposed mergers and acquisitions. Large lenders have 18 months to put the tools and systems in place to comply with the CFPB’s final rule and to adapt and mitigate any gaps in their fair lending programs. Those financial institutions not presently analyzing small business lending data for fair lending purposes should consider proactive assessments of the risks should they enter the small business lending space.