The Consumer Financial Protection Bureau (CFPB or Bureau) is amending Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) made by section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). Consistent with section 1071, covered financial institutions are required to collect and report to the CFPB data on applications for credit for small businesses, including those that are owned by women or minorities. The final rule also addresses the CFPB's approach to privacy interests and the publication of data; shielding certain demographic data from underwriters and other persons; recordkeeping requirements; enforcement provisions; and the rule's effective and compliance dates. This final rule is effective August 29, 2023.
In 2010, Congress passed the Dodd-Frank Act. Section 1071 of that Act amended ECOA to require that financial institutions collect and report to the CFPB certain data regarding applications for credit for women-owned, minority-owned, and small businesses. Section 1071's statutory purposes are to (1) facilitate enforcement of fair lending laws, and (2) enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.
Section 1071 specifies a number of data points that financial institutions are required to collect and report, and also provides authority for the CFPB to require any additional data that it determines would aid in fulfilling section 1071's statutory purposes. Section 1071 also contains a number of other requirements, including those that address restricting the access of underwriters and other persons to certain data; recordkeeping; publication of small business lending data; and modifications or deletions of data prior to publication in order to advance a privacy interest.
Section 1071 directs the CFPB to prescribe such rules and issue such guidance as may be necessary to carry out, enforce, and compile data pursuant to section 1071, and permits it to adopt exceptions to any requirement or to exempt financial institutions from the requirements of section 1071 as it deems necessary or appropriate to carry out the purposes of section 1071. The CFPB is adding a new subpart B to Regulation B to implement the requirements of section 1071.
As envisioned by Congress, the small business lending rule will create our nation's first consistent, comprehensive database regarding lending to small businesses, including small farms. This will fulfill section 1071's statutory purposes by allowing Federal, State, and local enforcement agencies to assess potential areas for fair lending enforcement and by enabling a range of stakeholders to better identify business and community development needs and opportunities for small businesses, including women-owned and minority-owned small businesses. The database, again as dictated by Congress, will not reveal privacy-protected information about any particular small business applicant, and small businesses will retain control over how much of their demographic information they choose to divulge. In addition, the CFPB believes that its final rule will help to sharpen competition in credit supply by creating greater transparency around small business lending. . . .
Data to be collected and reported: The rule addresses the data points that must be collected and reported by covered financial institutions for covered applications from small businesses. Congress specifically enumerated many of these data points in ECOA section 704B(e)(2); for the others, the Congress granted the CFPB express authority in 704B(e)(2)(H) to require financial institutions to compile and maintain, along with enumerated data points, a record of “any additional data that the Bureau determines would aid in fulfilling the purposes” of section 1071. Certain of these data points are or could be collected from the applicant; other data points are based on information within the financial institution's control. Covered financial institutions must not discourage an applicant from responding to requests for applicant-provided data and must otherwise maintain procedures to collect such data at a time and in a manner that are reasonably designed to obtain a response; when collecting data directly from the applicant, the rule identifies certain minimum provisions that must be included within financial institutions' procedures in order for them to be considered “reasonably designed.” . . .
As noted above, the rule includes data points that are, or could be, provided by the applicant. Some data points specifically relate to the credit being applied for: the credit type (which includes information on the credit product, types of guarantees, and loan term); the credit purpose; and the amount applied for. There are also data points that relate to the applicant's business: census tract based on an address or location provided by the applicant; gross annual revenue for the applicant's preceding full fiscal year; the 3-digit North American Industry Classification System (NAICS) code for the applicant; the number of workers that the applicant has; the applicant's time in business; and the number of principal owners the applicant has.
There are also applicant-provided data points on the demographics of the applicant's ownership: first, whether the applicant is a minority-owned business or a women-owned business, along with a new data field capturing whether the applicant is an LGBTQI+-owned business; and second, the ethnicity, race, and sex of the applicant's principal owners. The CFPB refers to these data points collectively as an applicant's “protected demographic information.” Principal owners' ethnicity and race will be collected from applicants using aggregate categories as well as disaggregated subcategories. Principal owners' sex/gender will be collected from applicants without using pre-defined response categories.
The CFPB is not finalizing its proposed requirement to have financial institutions collect race and ethnicity via visual observation or surname if an in-person applicant does not provide any ethnicity, race, or sex information for any principal owners; instead, the final rule requires that these data be reported based only on information provided by the applicant.
The CFPB is providing lenders with a sample data collection form, in both digital and paper form, to assist them in collecting protected demographic data from applicants. Although the contents of the sample form reflect certain legal requirements that financial institutions must follow, their use of the sample form is not itself required under the final rule. Rather, it is an available resource to financial institutions.
In addition, the rule includes data points that will be generated or supplied solely by the financial institution. These data points include, for all applications: a unique identifier for each application for or extension of credit; the application date; the application method (that is, the means by which the applicant submitted the application); the application recipient (that is, whether the financial institution or its affiliate received the application directly, or whether it was received by the financial institution via a third party); the action taken by the financial institution on the application; and the action taken date. For denied applications, there is also a data point for denial reasons. For applications that are originated or approved but not accepted, there is a data point for the amount originated or approved, and a data point for pricing information (which includes, as applicable, interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties). . . .
Reporting data to the CFPB; publication of data by the CFPB and other disclosures; and privacy considerations: Financial institutions must collect small business lending data on a calendar year basis and report it to the CFPB on or before June 1 of the following year. Financial institutions reporting data to the CFPB are required to provide certain identifying information about themselves as part of their submission. The CFPB is releasing, concurrently with this final rule, technical instructions for the submission of small business lending data in a Filing Instructions Guide.
The CFPB will make available to the public, on an annual basis, the application-level data submitted to it by financial institutions, subject to modifications or deletions made by the CFPB, to advance privacy interests. To ease burden on covered entities, CFPB publication of application-level data will satisfy financial institutions' statutory obligation to make data available to the public upon request. At this time, the CFPB is not making a final decision on the best way to protect privacy interests through pre-publication modification and deletion of reported data. Assessing the many comments it received in this area, the CFPB is preliminarily of the view that its privacy assessment will focus primarily on whether (and, if so, how) small business lending data, individually or in combination with other data, pose re-identification risk for small businesses and, as a result, for their owners. The CFPB also anticipates taking account of compelling risks to financial institution privacy interests. The CFPB does not anticipate that it can carry out the necessary analysis of pre-publication modifications and deletions without at least one full year of application-level data. The CFPB intends to further engage with stakeholders on the issue of data publication before it resolves on a particular approach to protecting privacy interests through modifications and deletions. Finally, the CFPB anticipates publishing select aggregate data—i.e., data that does not include application-level information—before it publishes application-level data.
In addition, the final rule prohibits a financial institution or third party from disclosing protected demographic information, except in limited circumstances. . . .
The final rule broadly permits financial institutions to work with third parties, including industry consortia, to develop services and technologies to aid in collecting and reporting data. So long as they meet the obligations stated in the rule, including collecting data in a manner that does not discourage small businesses from providing it, financial institutions are free to work with third parties to assist them with their compliance obligations, whether that is with respect to data collection, maintenance or reporting. The CFPB plans to work with consortia or other entities seeking to assist financial institutions to deploy industry-identified solutions. For example, the CFPB plans to provide Application Programming Interfaces in an open-source environment to assist financial institutions' technology partners to develop accurate and efficient data reporting tools.
Small business lending rulemaking--Section 1071:
https://www.consumerfinance.gov/1071-rule/
Regulation B compliance materials:
https://www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-resources/small-business-lending-collection-and-reporting-requirements
Regulation B technical assistance:
https://www.consumerfinance.gov/data-research/small-business-lending-data/
Regulation B policy guidance:
https://www.federalregister.gov/d/2023-07231
Regulation B final rule FRN:
https://www.federalregister.gov/d/2023-07230 [422 pages]
