ÀÖÓ㣨Leyu£©ÌåÓý¹ÙÍø

ÀÖÓ㣨Leyu£©ÌåÓý¹ÙÍø Regulatory Insights

Regulatory attentions on small businesses at both the federal and state levels put forth “consumer protection-like� requirements/expectations. The release of the long-anticipated Dodd-Frank-required �1071 data� collection rule serves to reinforce the focus on small businesses in addition to the significant data collection, data quality, and regulatory reporting requirements and associated analytics (similar to mortgage lending reporting under the Home Mortgage Disclosure Act (HMDA)).  This final rule will subject small business lending to additional supervision under other historically “consumer� laws and regulations. Heightened risk and compliance areas requiring business and risk management include: data (accuracy, privacy, security); fair lending; community development; UDAAP; KYC/AML; operational procedures/training, disclosures; models; and technology (systems upgrades, constraints, reporting). 

______________________________________________________________________________________________________________________________________________

April 2023 **Updated June 2024**

The Consumer Financial Protection Bureau (CFPB) has issued its , which amends Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) made by Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the rule requires covered financial institutions to collect and report to CFPB data on applications for credit for small businesses, including those that are owned by women or minorities.

The final rule is substantially similar to the proposal (see ÀÖÓ㣨Leyu£©ÌåÓý¹ÙÍø Regulatory Alert, ), with some modifications including:

• An increase to the qualifying origination threshold for “covered financial institutionsâ€� from 25 to 100 “covered credit transactions.â€�
• Adoption of a phased implementation schedule, with compliance for the largest covered financial institutions to begin October 2024.
• A requirement that applicant’s “protected demographic informationâ€� is to be provided by the applicant; the proposed requirement for loan officers was not adopted.
• Exclusion of loans reportable under HMDA from the data collection and reporting requirements.

The final rule will become effective ninety (90) days after publication in the Federal Register.

**Update: The CFPB issues an , effective August 2, 2024, to extend the compliance dates in the original final rule. (See updated compliance schedule below.)

Highlights from the final rule are outlined below.

Definitions

• â€�Covered financial institutionsâ€� means any financial institution (“partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activityâ€�) that originated at least one hundred (100) “covered credit transactionsâ€� for small businesses within each of the preceding two years (up from the twenty-five (25) transactions in the proposed rule).
• â€�Covered credit transactionsâ€� means a transaction that meets the definition of business credit under Regulation B, such as loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural purposes and those that are also covered by HMDA). Certain exclusions apply to:
  • Trade credit, public utilities credit, securities credit, and certain incidental credit. 
  • HMDA-reportable transactions.
  • Insurance premium financing.
• â€�Small businessâ€� means businesses with annual gross revenues of $5 million or less in the previous fiscal year. (Note: the final rule applies to women-owned and minority-owned businesses that meet this definition of a small business; CFPB states that non-profit organizations and governmental entities are not small businesses as they do not satisfy the Small Business Administration’s (SBA) definition of “small business concern.â€�) The final rule anticipates updates to this size standard not more than every five years.
• â€�Covered applicationâ€� means an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. It does not include either reevaluation, extension, or renewal requests on an existing business credit account, or inquiries or prequalification requests.

Data Collection

The final rule identifies numerous data points that are required to be collected and reported, including:

• Information generated by the financial institution, including unique identifier, application date, application method, application recipient, action taken, action date, amount approved, denial reason (if applicable), and pricing information (interest rate, total origination charges, broker fees, initial annual charges, prepayment penalties).
• Information provided by the applicant or that the financial institution can determine from information provided by the applicant, including information about the:
  • Credit being applied for (credit type, credit purpose, and amount requested).
  • Applicant’s business (census tract, gross annual revenue, NAICS code, number of workers, time in business, number of principal owners).
• Information about the demographics of the applicant’s principal owners, including minority-owned business status, women-owned business status, and LGBTQI+-owned business status (a new data point that expands from SBA), and the ethnicity, race, and sex of the applicant’s principal owners (collectively, “protected demographic informationâ€�). In addition:
  • The final rule includes a sample data collection form, which collects principal ownersâ€� ethnicity and race using aggregate categories and disaggregated subcategories and enables principal owners to self-describe their sex and other demographic information. Note, the final rule did not adopt the proposed requirement to collect this information via visual observation or surname if an in-person applicant did not provide the information for any principal owners.
• Covered financial institutions must not discourage applicants from responding to requests for applicant-provided data and must maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response. At a minimum, these provisions should seek to ensure that:
  • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application.
  • The request for applicant-provided data is prominently displayed and presented.
  • Applicants are not discouraged from responding to such requests.
  • Applicants can easily respond to such requests.
• Covered financial institutions are permitted to rely on information provided by an applicant or appropriate third-party source but are required to report verified information if choosing to verify applicant-provided information.
• The final rule generally permits the reuse of certain previously collected applicant-provided data to satisfy the requirement to collect and report certain data points, only if:
  • The data was collected within thirty-six (36) months of the current covered application.
  • The financial institution has no reason to believe the data are inaccurate.

Reporting, Publication, Data Access, and Recordkeeping

• Calendar year data collection is required with reporting to CFPB by June 1 of the following year. CFPB has provided a Filing Instructions Guides on its website, .
• Data provided to the CFPB will be made publicly available through the CFPB’s website, subject to certain modifications or deletions as determined by the CFPB to “balanceâ€� the privacy risks to applicants/borrowers and the disclosure benefits (to include facilitating enforcement of fair lending laws and enabling the identification of business and community development needs and opportunities for small businesses). CFPB states that it “will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data.â€�
• The final rule requires limiting access to applicantsâ€� data, particularly the applicant’s “protected demographic informationâ€� (minority-owned, women-owned, and LGBTQI+-owned business statuses and principal ownersâ€� ethnicity, race, and sex), and prohibits employees and officers of a covered financial institution or its affiliate from accessing the information if that employee or officer is involved in making any determination concerning the applicant’s covered application (referred to generally as a “firewallâ€�). Likewise, employees and officers are prohibited from disclosing applicantsâ€� data to other parties, except in limited circumstances.
• The final rule requires:
  • Retention of copies of small business lending application registers and other evidence of compliance for at least three (3) years after the application register is required to be submitted to the CFPB.
  • Maintenance of applicantsâ€� responses regarding “protected demographic informationâ€� separate from the rest of the application and accompanying information.

Effective Date and Compliance Date Tiers

• **Update: The final rule, which was to become effective August 29, 2023, was subject to a stay by a federal Texas court pending the outcome of the Supreme Court decision in CFPB v CFSA. The interim final rule extends the compliance dates of the final rule by 290 days, which is the time between the date the stay was imposed and the court’s decision. As such, pursuant to the CFPB interim final rule, compliance is required for covered financial institutions based on the following criteria:
  • “Tier 1â€� - A financial institution must begin collecting data and otherwise complying with the final rule on July 18, 2025, if it originated â‰� 2,500 covered credit transactions in both calendar years 2022 and 2023. The first filing deadline is June 1, 2026.
  • “Tier 2â€� - A financial institution must begin collecting data and otherwise complying with the final rule on January 16, 2026 (with a first filing deadline of June 1, 2027), if it meets all of the following:
    • Originated â‰� 500 covered credit transactions in both 2022 and 2023.
    • Did not originate 2,500 or more covered credit transactions in both 2022 and 2023.
    • Originated â‰� 100 covered credit transactions in 2024.
  • “Tier 3â€� - A financial institution must begin collecting data and otherwise complying with the final rule on October 18, 2026, if it originated â‰� 100 covered credit transactions in both 2024 and 2025. The first filing deadline is June 1, 2027.
• Note:
  • Financial institutions are permitted to begin collecting protected demographic information required by the rule beginning 12 months prior to their compliance date.
  • Financial institutions may, but are not required, to use their originations of covered credit transactions in calendar years 2023 and 2024 rather than 2022 and 2023 to determine their compliance date,
  • The initial data submissions from Tier 1 and Tier 2 financial institutions to CFPB will only cover data collection from their respective compliance dates through the end of the relevant calendar years.
  • CFPB intends to provide a 12-month grace period from these compliance dates in which it will generally not require data resubmission or assess penalties with respect to errors in the data submissions covering the first 12 months of data collected. Any examinations of these initial data submissions will consider the good faith efforts of the financial institutions to comply with the data collection and reporting requirements and will assists financial institutions in diagnosing compliance weaknesses.