On March 30, 2023, the Consumer Financial Protection Bureau (“CFPB”) (finally) issued its Final Rule on Section 1071 — only one day ahead of the court-ordered deadline to do so . This means that covered financial institutions (“FIs”), including non-bank commercial lenders, are on the clock to start preparing policies to enable them to collect and report data regarding their small business lending activities.
As you may remember, back in September 2021, the CFPB issued a notice of proposed rulemaking to implement Section 1071 of the Dodd-Frank Act (“The Rule”). The Rule amends existing Regulation B, the implementing regulation associated with the Equal Credit Opportunity Act (“ECOA”), to require lenders to collect and report certain data in connection with small business credit applications, including women- and minority-owned businesses, and report that data to the CFPB.
In order to achieve the CFPB’s above-mentioned goals, The Rule requires lenders making more than 100 small business loans per year to collect and report certain data about the applications they receive, whether accepted or denied. The data required to be collected and reported, includes, among other information: demographic and geographic data; price of credit; and lending decisions. FIs are required to report data to the CFPB on or before June 1 following the calendar year for which data is collected.
The Rule will work in concert with the Community Reinvestment Act to increase transparency in small business lending, promote economic development, and combat unlawful discrimination. There are several important definitions in The Rule, including the definition of a “small business.” The Rule also covers issues involving privacy concerns, recordkeeping and enforcement amount others.
The Rule will become effective 90 days after it is published on the Federal Register, which has not yet occurred as of the date of this alert. The effective date, however, is far less important than the mandatory compliance dates in The Rule. The mandatory compliance dates are staggered depending on the volume of lending a FI does, and FIs will be expected begin collecting data in compliance The Rule as early as October 2024. This means data reporting to the CFPB will begin as early as June 2025.
FIs affected by The Rule as defined in the statute are:
- Savings associations
- Credit unions
- Non-depository financial institutions (such as venture capitalists, insurance firms, and currency exchanges)
The Rule sets forth requirements based upon the size of the FI, and it provides the applicable reporting requirements ranging from FIs originating at least 2,500 to less than 100 small business loans. The types of lending covered under The Rule include: lines of credit; closed-end loans; business credit cards; online credit products; and merchant cash advances. An equally important provision of The Rule excludes loans that are already reportable under the Home Mortgage Disclosure Act (HMDA).
The Rule also excludes some transactions from coverage, such as factoring, leases, consumer-designated credit and credit transaction purchases, purchases of an interest in a pool of credit transactions, and purchases of a partial interest in a credit transaction.
Finally, a unique provision of The Rule provides for a Firewall to be established as to who can have access to certain data once collected. The Rule requires FIs — “where feasible” — to shield an applicant’s demographic information from any employee or officer involved in the credit-making decision. The obvious intent of this provision is to prevent discrimination, but it will be difficult for smaller FIs, with smaller staffs, to create and maintain this firewall. The CFPB built in an exception of sorts for institutions that cannot feasibly firewall this information, but, in a calculated response to the comments received in response to its Notice of Proposed Rulemaking in September 2021, the CFPB declined to develop or define the term “feasible.”
Instead, the CFPB explained that the “feasibility” analysis should not occur on a macro level but, rather, should occur on a more granular, employee-by-employee level. In other words, a FI’s determination that a particular employee or officer should have access to demographic information collected from applicants means that it is not feasible to maintain a firewall as to that particular employee or officer — not the entire FI.
 Back in 2010, Congress enacted requirements for lenders to make data available to the public on their small business lending activities. The CFPB did not issue rules to implement this requirement immediately, however. The California Reinvestment Coalition sued the CFPB in 2019, which resulted in a court order requiring the CFPB to finalize The Rule by March 31, 2023.