After years of rulemaking efforts, the Consumer Financial Protection Bureau (CFPB) may issue a final rule later this month that would require lenders to collect and report data on small business loan applications, including applications from minority-owned and women-owned small businesses. According to the CFPB, when it is implemented, the rule will create the first comprehensive database of small business credit applications in the United States.
The anticipated rule would implement Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act (ECOA) to mandate this data collection and reporting. Section 1071 and the CFPB’s anticipated implementing rule are intended to enable governmental entities, communities, and creditors to identify business and community development needs and opportunities for minority-owned and women-owned small business and, perhaps most important here, to facilitate enforcement of federal and state fair-lending laws.
According to the CFPB’s October 2021 Notice of Proposed Rulemaking (NPRM), the “collection and subsequent publication of more robust and granular data regarding credit applications for small businesses, including those that are women- and minority-owned, will provide much-needed transparency to the small business lending market.” The agency noted that the need for that transparency has been highlighted by recent events, including the COVID-19 pandemic, and by a shift away from traditional bank lenders to fintechs and providers of merchant cash advances (MCAs).
“Small businesses are the primary job creators and wealth builders in communities across the country,” said then-CFPB Acting Director Dave Uejio in a statement issued when the proposed rule was initially announced. “Yet too often, small business development is starved for want of access to responsible, fairly priced credit. Today, we are proposing a rule that would help us all learn how small enterprises fare when trying to access financing, and what barriers are holding them back from further prosperity.”
That said, current CFPB Director Rohit Chopra has acknowledged concerns about how the effect of complying with the rule on smaller financial institutions could affect the supply of credit to the nation’s small businesses.
As proposed, the rule would apply to “covered financial institutions,” a term defined to include any financial institution (FI) that originated at least 25 “covered credit transactions” to “small businesses” in each of the two preceding calendar years. The term “covered credit transactions” is defined, in turn, to mean “any extension of business credit” that is not trade credit, public utilities credit, securities credit, or incidental credit. Factoring, leasing, and consumer-designated credit transactions or transactions involving credit secured by investment properties would not be covered credit transactions. But loans, lines of credit, credit cards, and MCAs would be covered credit transactions.
Under those definitions, the rule’s requirements would apply to a variety of entities that engage in small business lending as long as they satisfy the origination threshold, including depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, commercial finance companies, governmental lending entities, and nonprofit lenders.
The rule would require covered FIs to collect and report data regarding any “covered application” from any “small business.” The term “covered application” is defined to include any oral or written request for a covered credit transaction, but does not include any inquiries or prequalification requests or requests for reevaluation, extension or renewal, unless the request seeks additional credit amounts. The term “small business” is defined to include any business whose gross annual revenue for the preceding fiscal year was $5 million or less.
Data Generated by the FI. Covered FIs would be required to generate new data and collect data that they probably already generate. For instance, they would be required to generate a unique identifier for each covered application or covered credit transaction and provide information about each application or transaction that they probably already generate, including information about the application method (i.e., the means by which the applicant submitted its application), the application submitter (i.e., whether the application was submitted directly by the applicant or indirectly via an unaffiliated third party), the action taken on the application (i.e., granted or denied), and the date the action was taken. In addition, covered FIs would have to provide additional information about denied applications (i.e., the reason for the denial) and about granted applications (i.e., the amount approved or originated and pricing information, including the interest rate, total origination charges, broker fees, initial annual charges, additional cost for MCAs or other sales-based financing, and prepayment penalties).
Data Collected from the Applicant. Covered FIs would also be required to collect data from applicants, including information about the type, intended use, and amount of the credit sought as well as geographic data and information about the applicant’s status as a minority-owned or women-owned small business and about the demographics (i.e., ethnicity, race, and sex) of the applicant’s principal owners.
Reporting. Covered FIs would be required to collect the required data on a calendar-year basis and report to the CFPB by June 1 of the following year. The CFPB plans to make the submitted data available to the public annually, with some modifications or deletions to protect privacy. Additionally, the FI would be required to post a statement on its public-facing website that its small business lending application registry is available on the CFPB’s website.
Firewall. Covered FIs would be required to create a firewall, intended to limit certain employees’ and officers’ access to certain data. In a nutshell, and subject to a limited exception, employees or officers who are involved in making any determination concerning a covered applications would be prohibited from accessing information about the applicant’s status as a minority-owned or women-owned small business and about the demographics (i.e., ethnicity, race, and sex) of the applicant’s principal owners.
Recordkeeping. Covered FIs would be required to retain evidence of their compliance with the proposed rule for at least three years, and would be required maintain an applicant’s responses to the Section 1071 inquiry separate from other information related to the applicant’s application.
The CFPB’s anticipated rule implementing Section 1071 of the Dodd-Frank Act would create significant new compliance obligations and require lenders to make substantial operational changes, to the extent they have not already done so. Moreover, the anticipated rule would require lenders to make data publicly available that regulators and class-action plaintiffs’ attorneys might then use to initiate investigations, bring real (or frivolous) lawsuits alleging federal or state fair-lending law violations, and bring third-party challenges to regulatory approval for proposed mergers and acquisitions. All to say, lenders should consider beginning work now to develop the tools they need to comply with the CFPB’s anticipated rule and to understand and address any gaps in their fair lending programs. Those financial institutions not presently analyzing small business lending data for fair lending purposes should consider pro-active assessment to risks.
* Special thanks to Tessa Cierny ˘ for her valuable contributions to this GT Alert.
˘ Not admitted to the practice of law.