(Editor’s Note: On March 30, SFNet alerted members that the Consumer Financial Protection Bureau had released its final regulations on Section 1071 of Dodd-Frank, which dictate data lenders must collect about small business loan recipients’ race, ethnicity, gender, and other information. Over the last few years, SFNet has worked to minimize or eliminate the impact on our members. In response to our efforts, in addition to factors being carved out, ABLs that originate less than 100 covered transactions per year are also not subject to the regulations. SFNet will host a webinar focused on the rules and what they mean to our members in early May.)

After more than ten years and extended litigation to compel rulemaking, on March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued the final rule which implements the small business lending data collection requirements set forth in section 1071 of the Dodd-Frank Act (Section 1071).  The final rule, together with the comments, is just under nine hundred pages.[1]  Broadly presented, the final rule can be broken down into a series of questions to be answered.  First, are the lender, the borrower and the transaction covered by the rule?  Second, what information must be collected and reported?  Third, how is the information reported?  Fourth, when does the rule take effect?

Covered Financial Institutions, Borrowers and Transactions

Under Section 1071, financial institutions are required to compile, maintain and submit data on the type and purpose of any application for “credit”, the census tract for the applicant’s principal place of business, as well as the race, sex and ethnicity of the principal owners of the business, along with a number of other data points.  As with most regulations, the rule begins by broadly sweeping both the regulated parties and regulated transactions under the ambit of the rule.

Broadly stated, the rule requires all “Covered Financial Institutions” to collect and report data on “Covered Credit Transactions” with “Small Business(es)”.  Each term can be separately analyzed for the purpose of compliance with Section 1071.

Covered Financial Institutions are expansively defined as “any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity and that originated at least 100 “covered originations” in each of the two preceding calendar years.[2]  Under this definition, virtually all manner of enterprises engaged in small business lending fall within the coverage of the rule, subject only to the trailing two-year transaction threshold.

In defining Small Business under Section 1071, the CFPB chose to adopt a portion of the Small Business Administration’s (SBA) definition of “small business concern.”  Specifically, the final rule sets an annual gross revenue threshold of $5,000,000[3] or less as the test for whether a business is covered by the rule and subject to reporting.  Notably, non-profit organizations and governmental entities are excluded from the definition of Small Business, and accordingly, transactions and applications relating to such entities are not subject to reporting under Section 1071.  As with the demographic data and information required to be collected, the financial institution is entitled to rely on the credit applicant’s representation regarding its gross annual revenue and need not attempt to verify.  However, to the extent any information is actually verified by the subject financial institution, the verified information is required to control.

Covered Transactions

With the expansive definition of Covered Financial Institution and a bright line test for Small Business, credit providers will need to focus on the definition of Covered Credit Transactions and the various exemptions from the broad underlying definition.  As a baseline, the regulation relies on the definition of Business Credit under Regulation B which covers extensions of credit primarily for business or commercial (including agricultural) purposes, but excluding extensions of credit of the types described in Sections 1002.3 (a)-(d)[4] of Regulation B.  With this broad definition, most forms of lending are swept up within the regulatory scheme.  However, in enacting the rules, the Consumer Financial Protection Bureau (CFPB) appears to have focused on transactions that typically would rely on underwriting the credit risk of the borrower directly (or which are already heavily regulated or subject to disclosure), and accordingly, the rule exempts a significant number of transactions that otherwise would fall under the Regulation B definition.

Among the exemptions from the rule, are trade credit, Home Mortgage Disclosure Act reportable transactions, insurance premium financing, factoring, leases, consumer designated credit used for business or agricultural purposes, as well as capital markets transactions in business credit.

In deciding to exclude factoring from the rule, the CFPB’s analysis focused on the distinction between the absolute sale of an account receivable to a factor rather than the extension of credit based on the promise of future payment directly or indirectly upon collection of the subject account receivable at a later date.  The CFPB relied, in part, on the regulations under the Equal Credit Opportunity Act (ECOA) which expressly exclude factoring from the definition of credit.  Under this analysis, traditional asset-based lending as well as merchant cash advances fall squarely within covered credit transactions, although the covered borrower and institution rules limit the number of ABLs subject to compliance.

In analyzing leases and leasing, the CFPB has opted not to make any distinction between “true leases” or finance (or capital) leases.”  In adopting the rule, the CFPB opted to rely on the UCC Article 2A definition of a lease.  The CFPB cited the near uniformity of adoption of Article 2A and the difficulty of parsing on a transaction-by-transaction basis the distinction between types of lease.  The CFPB acknowledged that many leases may operate or appear in many respects like loans, however, it believes that on balance that leases do not involve the type of credit extension 1071 was seeking to regulate and that it has ample ability to oversee and regulate abuses in the small business credit market without including leases.

Information to be Collected

Assuming the criteria for reporting coverage under the final rule is met, the Covered Financial Institution is required to collect (or in certain cases attempt to collect) the following data points:

For applications that are denied, there is an additional data point for denial reasons. If a transaction is approved, but not accepted, or which actually proceeds, the amount approved or originated and pricing information also are reportable.  The pricing information includes, as applicable, information regarding the interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

In addition to the above points, Covered Financial Institutions must request:

• The applicant’s minority-owned business status,
• women-owned business status,
• and LGBTQI+-owned business status (this inquiry must permit a free form text answer),[5] and
• the applicant’s principal owners’ ethnicity, race, and sex.

Of critical importance, the applicant must be informed that they need not provide this information. The Covered Financial Institution may rely entirely on the information provided by the applicant without investigation and may not make its own assessment if the information is not so provided.  The Covered Financial Institution must inform the applicant that none of the demographic information can be used to discriminate on the basis of any information provided.  Helpfully, the final rule includes a standardized form with the required inquiries and notices.^[6]

Covered Financial Institutions must report transaction data by June 1 of each year for the transactions during the preceding year.  The CFPB has provided a Filing Instructions Guide, which contains additional information regarding the submission of data.^[7]  The final rule provides that a Covered Financial Institution is required to make available to the public on its website, or otherwise upon request, a statement that the covered financial institution’s small business lending application register, as modified by the CFPB, is or will be available from the CFPB.  The CFPB will be reviewing the data collected and determining whether privacy concerns dictate limiting disclosure after it has collected the first full year of data.

The final rule requires the Covered Financial Institution to firewall access to certain data.  Employees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the final rule’s required inquiries regarding minority-owned, women-owned, and LGBTQI+-owned business statuses if that employee or officer is involved in making any determination concerning the subject application.  This prohibition does not apply to an employee or officer if the covered financial institution determines that the employee or officer should have access to one or more applicants’ responses to these inquiries, and the covered financial institution provides a notice to the applicants whose responses will be accessed.  As an alternative, a covered financial institution can provide the notice to a broader group of applicants, up to and including all applicants.  An applicant’s responses to the final rule’s required inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding principal owners’ ethnicity, race, and sex must be separated stored apart from the rest of the application.

Phase In and Compliance Schedule

The CFPB has adopted a phased compliance schedule for Covered Financial Institutions based on transaction volume with the earliest compliance date being October 1, 2024.  The initial compliance date is based on transaction volume for Covered Financial Institutions during calendar years 2022 and 2023.

A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024 if it originated at least 2,500 covered originations in both 2022 and 2023.

A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025 if it: (i) originated at least 500 covered originations in both 2022 and 2023; (ii) did not originate 2,500 or more covered originations in both 2022 and 2023; and (iii) originated at least 100 covered originations in 2024.

A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026 if it originated at least 100 covered originations in both 2024 and 2025.

Moving Forward

In adopting the final rule, the CFPB has indicated that it continues and will continue to evaluate the implementation of the rule and can be expected to adjust some of the requirements and timelines. Financial institutions and industry professionals will need to continue to monitor the rollout of the finale rule and should begin preparing to comply with the rule by the applicable compliance date.