CFPB Proposes Enforcement of Small Business Fair Lending Through Increased Data Collection and Reporting

On September 1, 2021, the Consumer Financial Protection Bureau (CFPB) issued its anticipated Notice of Proposed Rulemaking (NPRM) under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The proposed rule will impact financial institutions of all types and sizes (e.g., depository institutions, nonbank lenders, and fintechs) and is shaping up to be similar to the Home Mortgage Disclosure Act (HMDA)—but for small business lending. The CFPB is releasing this guidance with the objectives of identifying development opportunities and risks for small businesses, including those that are women-owned and minority-owned, as well as enforcing fair lending practices.

In this client alert, Guidehouse summarizes the NPRM and offers considerations on how financial institutions can start to prepare for the finalized rule. The CFPB has indicated the comment window for the NPRM is 90 days from when the proposed rule is published in the Federal Register. For more background on the CFPB’s Section 1071 rollout and small business fair lending initiatives, please visit our previous client alert CFPB Expands Enforcement View to Include Small Business Lending.

In the NPRM, the CFPB has laid out:

• Definitions for terms such as a covered financial institution, covered credit transaction, covered application, and small business. 
• Data collecting and reporting requirements (including defined data points required to be collected and reported) on small business lending. 
• Requirements for notifications that impacted financial institutions would be required to provide to applicants.
• Requirements for impacted financial institutions to have policies and procedures around data collection and reporting.
• Requirements around access limitations to certain data (e.g., segregating those making decisions on credit applications from those with access to certain data points).¹

What is a “Covered Financial Institution”?

When defining terms such as “covered financial institution” in its proposed ruling, the CFPB appears to be addressing feedback provided by the panel convened pursuant to the Small Business Regulatory Enforcement Fairness Act (SBREFA) in December 2020.²

The CFPB has adopted the definition of a “financial institution” as “any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity.”³

To be subject to Section 1071 reporting requirements, the covered financial institution definition denotes that the covered financial institution originates at least 25 covered credit transactions for small businesses in each of the two preceding calendar years. Those institutions that do not meet the loan origination minimum threshold of 25 would be exempt from Section 1071 collection and reporting.

What is a “Covered Credit Transaction”?

Per the proposed rule, a “covered transaction” would be any oral or written application for a credit transaction with a small business, including, “among other things, loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural-purposes and those that are also covered by the Home Mortgage Disclosure Act of 1975 (HMDA)).”⁴

However, the CFPB provides the distinction that the credit transactions below would not be covered:

1. Financing arrangements wherein a business acquires goods or services from another business without making immediate payment to the business providing the goods or services (i.e., trade credit).
2. Public utilities credit as defined in Regulation B, 12 CFR 1002.3(a)(1).
3. Securities credit as defined in Regulation B, 12 CFR 1002(b)(1) 
4. Incidental credit as defined in Regulation B, 12 CFR 1002.3(c)(1), but without regard to whether the credit is consumer credit, is extended by a creditor, or is extended to a consumer.
5. In addition to the transactions above, factoring, leases, consumer-designated credit used for business purposes, and credit secured by certain investment properties would not be covered credit transactions.⁵

By including HMDA-reportable transactions in Section 1071 covered credit transactions, the CFPB may ease some compliance burdens on financial institutions by mitigating potential process changes that may have needed to occur if HMDA and Section 1071 data needed to be segregated from one another. Conversely, including merchant cash advances and credit transactions for agricultural purposes speaks to the wide scope of Section 1071 and its intended impact to non-depository credit institutions, as well as banks.

What is a “Covered Application”?

The proposed rule would require covered financial institutions to collect and report data on “covered applications” from small businesses.

A “covered application” is currently defined as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.”⁶

While similar to the definition of application within the existing Regulation B, the CFPB’s definition of “covered application” excludes re-evaluation requests, extension requests, or renewal requests on existing business credit accounts unless the request seeks additional credit amounts, and excludes inquiries and prequalification requests. 

What is considered a “Small Business”?

The CFPB’s definition for “small business” was inspired by the Small Business Act and Small Business Administration (SBA) definitions of “business concern” and “small business concern.”  However, the CFPB based its definition on gross annual revenue rather than SBA size standards.

The proposed definition for “small business” looks to “whether the business had $5 million or less in gross annual revenue for its preceding fiscal year.”⁷

What Data will be Collected and Reported? 

The data to be collected and reported falls into three categories: 

1. Data generated or provided by the financial institution. 
2. Data provided by the applicant at the time of application. 
3. Data regarding demographics of the applicant’s principal owners.  

This data will either be gathered by the financial institution from the applicant as part of the application or generated by the financial institution based on the information provided as part of the credit decision process. The table below details the 23 data fields being proposed and the origin of the data provided by the financial institution or applicant.

Table 1: CFPB Proposed Data Points for Small Business Lending Data Collection

Covered financial institutions currently would be permitted to leverage previously collected data if:

“(1) The data were collected within the same calendar year as the current covered application.
 (2) The financial institution has no reason to believe the data are inaccurate.”⁹

For additional detail on the NPRM data points to be collected, refer to the CFPB’s Proposed Data Points for Small Business Lending Data Collection, which provides further description of each data field.

Required Notices

As part of the NPRM, the CFPB has outlined notices that covered financial institutions will be required to provide to applicants as part of the application process. The below lists these required notices.

• The “non-discrimination notice” that financial institutions must provide to applicants, which indicates that that financial institution is not permitted to discriminate on the basis of an applicant’s minority-owned business status, woman-owned business status, or on any principal owner’s ethnicity, race, or sex.  
• A notice that informs an applicant that “it is not required to provide a response to the financial institution’s inquiries regarding minority-owned business status, women-owned business status, and the principal owners’ ethnicity, race, and sex.”
• A statement made available to the public on the covered financial institution’s website or otherwise on request that details that its small business lending application register, as modified by the CFPB, will be available on the CFPB’s website.
• For instances where covered financial institutions cannot limit the access of an employee or officer involved in decisioning a covered application to an applicant’s response to Section 1071 inquiries regarding whether the applicant is a minority-owned business or women-owned business, or regarding the ethnicity, race, or sex of the applicant’s primary owners, the covered financial institution must provide a notice to each applicant whose information will be accessed. Alternatively, the covered financial institution is permitted to provide the notice to a broad group of applicants.¹⁰

What is the Timeline for Rulemaking and Implementation?

The CFPB has proposed that its final rule to implement Section 1071 would become effective 90 days after the final rule’s publication in the Federal Register. Currently, the CFPB is proposing an 18-month implementation period for covered financial institutions from publication in the Federal Register. The NPRM is requesting comment on alternative approaches to the compliance deadline, including an approach that provides all covered financial institutions two years from the publication date for compliance and another that varies the compliance deadline based on the size of the financial institution.

The CFPB is also proposing a transitional ruling that would allow covered financial institutions to begin collecting certain demographic data ahead of the compliance date to allow covered institutions to essentially test current systems, processes, and procedures ahead of a compliance deadline.

Once in effect, the CFPB is proposing that covered financial institutions be required to collect data each calendar year, and report this data to the CFPB by June 1 of the following year.  

The graphic below details the implementation timeline for the CFPB’s ruling. 

Graphic 1: Currently Proposed Implementation Timeline for Section 1071 Reporting

Considerations for Financial Institutions

The impacts of Section 1071 are going to be felt across the financial services industry as the regulation impacts organizations of all types and sizes—both smaller financial institutions and larger. For organizations that already provide HMDA data for loans secured by a dwelling, they might be one step ahead; however, Guidehouse foresees the efforts that will need to be undertaken to implement and comply will be vast—given current application and origination processes and procedures, the complexity of data collection, as well as ongoing maintenance. Financial institutions should start their evaluations now to get ahead of the curve.  Key areas to consider are:

Governance & Oversight:

• Updating and maintaining policies, procedures, and training that take fair lending regulations in consideration
  
• Third-party oversight over partners responsible for origination data collection
  

Data Management:

• Ability to coordinate and consolidate information across organizations and business lines to ensure compliance with data collection requirements
• Updating origination systems and applications to ensure required data can be captured
• Ensuring data quality controls are in place to validate the accuracy and integrity of applicant data that is captured during the credit application process
• Warehousing data and maintaining data securely with appropriate access restrictions to applicant data to meet required privacy and access requirements
• Maintaining appropriate data record retention as mandated
• Confirming data reporting controls are implemented and performing effectively to validate the accuracy and completeness of data to be reported.