CFPB Small Business Lending Data (Section 1071)

Definitions

• “Covered financial institutions” means any financial institution (“partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity”) that originated at least one hundred (100) “covered credit transactions” for small businesses within each of the preceding two years (up from the twenty-five (25) transactions in the proposed rule).
• “Covered credit transactions” means a transaction that meets the definition of business credit under Regulation B, such as loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural purposes and those that are also covered by HMDA). Certain exclusions apply to:
  • Trade credit, public utilities credit, securities credit, and certain incidental credit 
  • HMDA-reportable transactions
  • Insurance premium financing
• “Small business” means businesses with annual gross revenues of $5 million or less in the previous fiscal year. (Note: the final rule applies to women-owned and minority-owned businesses that meet this definition of a small business; CFPB states that non-profit organizations and governmental entities are not small businesses as they do not satisfy the Small Business Administration’s (SBA) definition of “small business concern.”) The final rule anticipates updates to this size standard not more than every five years.
• “Covered application” means an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. It does not include either reevaluation, extension, or renewal requests on an existing business credit account, or inquiries or prequalification requests.

Data Collection

The final rule identifies numerous data points that are required to be collected and reported, including:

• Information generated by the financial institution, including unique identifier, application date, application method, application recipient, action taken, action date, amount approved, denial reason (if applicable), and pricing information (interest rate, total origination charges, broker fees, initial annual charges, prepayment penalties).
• Information provided by the applicant or that the financial institution can determine from information provided by the applicant, including information about the:
  • Credit being applied for (credit type, credit purpose, and amount requested)
  • Applicant’s business (census tract, gross annual revenue, NAICS code, number of workers, time in business, number of principal owners.)
• Information about the demographics of the applicant’s principal owners, including minority-owned business status, women-owned business status, and LGBTQI+-owned business status (a new data point that expands from SBA), and the ethnicity, race, and sex of the applicant’s principal owners (collectively, “protected demographic information”). In addition:
  • The final rule includes a sample data collection form, which collects principal owners’ ethnicity and race using aggregate categories and disaggregated subcategories and enables principal owners to self-describe their sex and other demographic information. Note, the final rule did not adopt the proposed requirement to collect this information via visual observation or surname if an in-person applicant did not provide the information for any principal owners.
• Covered financial institutions must not discourage applicants from responding to requests for applicant-provided data and must maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response. At a minimum, these provisions should seek to ensure that:
  • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application.
  • The request for applicant-provided data is prominently displayed and presented.
  • Applicants are not discouraged from responding to such requests.
  • Applicants can easily respond to such requests.
• Covered financial institutions are permitted to rely on information provided by an applicant or appropriate third-party source but are required to report verified information if choosing to verify applicant-provided information.
• The final rule generally permits the reuse of certain previously collected applicant-provided data to satisfy the requirement to collect and report certain data points, only if:
  • The data was collected within thirty-six (36) months of the current covered application.
  • The financial institution has no reason to believe the data are inaccurate.

Reporting, Publication, Data Access, and Recordkeeping

• Calendar year data collection is required with reporting to CFPB by June 1 of the following year. CFPB has provided a Filing Instructions Guides on its website, here.
• Data provided to the CFPB will be made publicly available through the CFPB’s website, subject to certain modifications or deletions as determined by the CFPB to “balance” the privacy risks to applicants/borrowers and the disclosure benefits (to include facilitating enforcement of fair lending laws and enabling the identification of business and community development needs and opportunities for small businesses). CFPB states that it “will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data.”
• The final rule requires limiting access to applicants’ data, particularly the applicant’s “protected demographic information” (minority-owned, women-owned, and LGBTQI+-owned business statuses and principal owners’ ethnicity, race, and sex), and prohibits employees and officers of a covered financial institution or its affiliate from accessing the information if that employee or officer is involved in making any determination concerning the applicant’s covered application (referred to generally as a “firewall”). Likewise, employees and officers are prohibited from disclosing applicants’ data to other parties, except in limited circumstances.
• The final rule requires:
  • Retention of copies of small business lending application registers and other evidence of compliance for at least three (3) years after the application register is required to be submitted to the CFPB.
  • Maintenance of applicants’ responses regarding “protected demographic information” separate from the rest of the application and accompanying information.

Effective Date and Compliance Date Tiers

• The final rule is effective ninety (90) days after publication in the Federal Register. However, compliance with the final rule is not required at that time. Below are summaries of when different compliance date tiers become effective for various companies:
  • “Tier 1” - A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024, if it originated ≥ 2,500 covered credit transactions in both calendar years 2022 and 2023.
  • “Tier 2” - A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025, if it meets all of the following:
    • Originated ≥ 500 covered credit transactions in both 2022 and 2023.
    • Did not originate 2,500 or more covered credit transactions in both 2022 and 2023.
    • Originated ≥ 100 covered credit transactions in 2024.
  • “Tier 3” - A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026, if it originated ≥ 100 covered credit transactions in both 2024 and 2025.
• Note: The initial data submissions from Tier 1 and Tier 2 financial institutions to CFPB will only cover data collection from their respective compliance dates through the end of the relevant calendar years.
• Note: CFPB intends to provide a 12-month grace period from these compliance dates in which it will generally not require data resubmission or assess penalties with respect to errors in the data submissions covering the first 12 months of data collected (for example, for Tier 1 institutions, the grace period will cover the 3 months of data collected in 2024 and 9 months of data collected in 2025). Any examinations of these initial data submissions will consider the good faith efforts of the financial institutions to comply with the data collection and reporting requirements and will assists financial institutions in diagnosing compliance weaknesses.