Client Alert

CFPB Issues Small Business Data Collection Proposed Rule

09 Sep 2021

On September 1, 2021, the Consumer Financial Protection Bureau (CFPB or “Bureau”) issued its long-awaited small business lending data collection proposed rule (“Proposed Rule” or “Proposal”). The Proposed Rule would implement Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act (ECOA) to direct the CFPB to require financial institutions to collect and report loan data on women-owned, minority-owned, and small businesses (collectively, “Small Businesses”) in connection with applications for credit. Under the Proposed Rule, covered financial institutions would be required to disclose application data from Small Businesses and demographic information about credit applicants.

Federal consumer financial protection laws typically do not apply to business-purpose credit; the ECOA, though, generally applies to both consumer-purpose and business-purpose credit transactions. The Bureau began examining ECOA compliance of small business programs in 2015. The Proposal represents the latest step in a process that has lasted more than 10 years. That process included the Bureau agreeing to settle a complaint, filed by a group of community organizations, related to delays in commencing the Section 1071 rulemaking proceeding. The settlement agreement set forth specific milestones for the Section 1071 rulemaking process, including milestones for this Proposal.

Dodd-Frank Act Section 1071

The purpose of Section 1071 is to “facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities for women-owned, minority-owned and small businesses.” Section 1071 covers “financial institutions,” defined as any partnership, company, corporation, association, trust, estate, cooperative organization, or other entity that engages in any financial activity.

Section 1071 also covers small businesses, defined as a “small business concern,” meaning “one which is independently owned and operated and which is not dominant in its field of operation,” as defined in Section 3 of the Small Business Act.

Section 1071 requires financial institutions to collect and maintain certain data for Small Business applicants while restricting access to certain information. As part of the data collection, financial institutions must limit, or “firewall,” access to the race, ethnicity, and sex data by employees in a position to make credit decisions about those applications. Financial institutions must submit this data to the Bureau annually; thereafter, the Bureau must make the data available to the public.

The Proposal

Regulation B implements the ECOA, and the Bureau is proposing to add Subpart B to Regulation B to implement Section 1071. The following is a summary of the Proposal, including key defined terms.

Key Terms

A covered financial institution would be defined as a “financial institution” that meets an origination threshold of at least 25 “covered credit transactions” to “small businesses” in each of the two preceding calendar years. Under the Proposal, “financial institution” would mean “any partnership, company, corporation, association . . . , trust, estate, cooperative organization, or other entity that engages in any financial activity[.]” Under this proposed definition, coverage would not be limited to depository institutions, but also would cover, for example, fintechs, online lenders, platform lenders, lenders involved in equipment and vehicle financing, and commercial finance companies. Coverage under the Proposal would not include certain other entities, such as motor vehicle dealers.

A covered credit transaction would be a transaction that meets the definition of business credit under Regulation B, including loans, lines of credit, credit cards, and merchant cash advances. These are the financial products covered under the rule. However, a covered credit transaction would not include trade credit, public utilities credit, securities credit, incidental credit, factoring, leases, consumer-designated credit used for business purposes, and credit secured by certain investment properties.

A small business would be defined by reference to the definitions of “business concern” and “small business concern” in the Small Business Act, as included in Section 1071; however, the proposed definition does not include the Small Business Administration’s size metrics for defining a small business concern. Instead, a small business would be defined as a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

The definition of covered application closely follows the Regulation B definition of application as an oral or written request for a covered credit transaction made in accordance with procedures used by a financial institution for the type of credit requested. The Bureau proposes to exclude from “covered application” the following activity: (1) reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; or (2) inquiries and prequalification requests.

Data Collection

Under the Proposed Rule, covered financial institutions would be required to collect and maintain the following data points for each covered credit transaction: an assigned unique identifier (for identification and retrieval of files); the application date; the application method; the application recipient; credit types, including the credit product, guarantees obtained, and loan term; credit purpose; the application amount; the amount approved or originated; the action taken on the application; the date of the action taken; pricing information, including interest rate, total origination charges, broker fees, initial annual charges, the additional cost for merchant cash advances or other sales-based financing, and prepayment penalties; and the census tract.

For each applicant, covered financial institutions would be required to collect: gross annual revenue; NAICS code; number of workers; length of time in business; minority-owned business status; women-owned business status; ethnicity, race, and sex of principal owners (i.e., a person who owns at least 25% of the business); and number of principal owners. Some of these data points, including those regarding the application method, application recipient, denial reasons, and number of principal owners, are included pursuant to the Bureau’s discretionary authority under Section 1071.


The Proposal would implement the Section 1071 “firewall” requirement that financial institutions limit the access of certain employees and officers to certain collected data. The “firewall” provisions would prohibit an employee or officer of a covered financial institution or an affiliate who is involved in making any determination concerning the applicant’s covered application from accessing an applicant’s responses to inquiries made by the covered financial institution pursuant to Section 1071 regarding whether the applicant is a minority-owned business or a women-owned business and regarding the ethnicity, race, and sex of the applicant’s principal owners.

This prohibition would not apply if (1) the covered financial institution determines that it is not feasible to limit the access of that employee or officer; and (2) the covered financial institution provides a notice to the applicant regarding that access. The Proposal includes sample language that a covered financial institution can use to satisfy the notice requirement.

Data Reporting

Under the Proposed Rule, covered financial institutions would be required to submit Section 1071 data to the CFPB on a 12‑calendar-month basis, with data due June 1 of the following year. Covered financial institutions also would have to provide information about themselves as part of the submission to the Bureau. Covered financial institutions would be required to retain evidence of compliance for at least three years. Bureau publication of data satisfies the covered financial institutions’ statutory obligation to make data available to the public upon request. The CFPB plans to publish Section 1071 data on its website, and proposes to employ a “balancing test” to determine whether and how the agency will modify or delete data prior to publication. After receiving one full year of Section 1071 data, the Bureau plans to issue a policy statement setting forth intended modifications and deletions.


Comments on the Proposed Rule are due 90 days after publication in the Federal Register, after which the Bureau will consider comments and finalize the rule. Compliance with the final rule will not be required until approximately 18 months after publication of the final rule in the Federal Register. All covered financial institutions will have to build out new capabilities to comply with the Section 1071 data reporting requirements; however, the burden of building out the systems necessary to support new reporting requirements may be felt more acutely by small financial institutions. There also are privacy concerns that arise from the collection of data, including security of data collected, privacy of small business applicants, and re-identification risk.


