On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued the long-anticipated small business lending final rule, which implements small business data collection requirements from Section 1071 of the Dodd-Frank Act. This rule is intended to facilitate enforcement of fair lending laws and assist in identifying needs and opportunities in small businesses.
We have compiled a short summary of the executive summary, covering the must-know items in the final rule, for quick reference.
1. Covered Institutions, Transactions, & Businesses
The rule states that a covered financial institution is “any partnership, company, corporation, incorporated or unincorporated association, trust, estate, cooperative organization, or other entity that engages in financial activity, and that originated at least 100 covered originations (emphasis added) in each of the two preceding calendar years.”
According to the executive summary, a financial institution that is not covered may voluntarily collect data under certain circumstances, such as:
- Financial institution recently reported data as a covered financial institution,
- Financial institution is about to become a covered financial institution, or
- Financial institution is not covered but commits to report data it voluntarily collects.
Covered transactions include:
- loans (new or refinanced),
- lines of credit,
- credit cards,
- merchant cash advances, and
- credit products for agricultural purposes.
The rule does not include trade credit, Home Mortgage Disclosure Act-reportable transactions, insurance premium financing, public utilities credit, securities credit, incidental credit, factoring, leases, consumer-designated credit for business or agricultural purposes, purchases of a credit transaction, purchases of an interest in a pool of credit transactions, or purchases of originated covered credit transactions.
The rule covers small businesses, defined as those that had $5 million or less in gross annual revenue for the preceding fiscal year. A financial institution is permitted to rely on an applicant’s representation of gross annual revenue for purposes of determining small business status unless the financial institution verifies the applicant-provided information or the applicant provides updated information.
Entities not considered small businesses under the rule are nonprofit organizations and governmental entities.
2. Effective Date & Compliance Date
The rule is effective 90 days after its publication (June 28, 2023).
Reporting requirements are tiered as follows:
- October 1, 2024: more than 2,500 covered originations in 2022 and 2023
- April 1, 2025: between 500 and 2,500 covered originations in 2022 and 2023, and 100 covered originations in 2024
- January 1, 2026: more than 100 covered originations in 2024 and 2025
Data collection procedures should be in place by October 1, 2023, as the rule includes a provision requiring financial institutions to determine the number of covered originations for the fourth quarter of 2023. That figure can be annualized and used as the number of covered originations for 2022, 2023, or both years.
Financial institutions also are permitted to assume all covered credit transactions originated during 2022 and 2023 were made to small businesses for purposes of determining institutional coverage and compliance date.
Financial institutions will be required to report data to the CFPB by June 1 of the year following the calendar year in which the financial institution collected the data.
3. When You Report vs. What You Report
Covered Originations (When You Report)
It is important to note that extensions, renewals, and other amendments of existing transactions do constitute covered originations regardless of a change in the amount of a credit line or credit amount. The number of covered originations is used to determine an institution’s coverage under the rule.
Covered Applications (What You Report)
Covered applications are defined as “an oral or written request for a covered credit transaction made in accordance with procedures used by the financial institution for the type of credit requested.”
Under the rule, refinanced credits can be covered transactions; however, the following are not reported on the loan application register pursuant to the final rule:
- extensions, renewals, or other amendments of existing transactions (unless the request is for additional credit amounts or a line increase),
- re-evaluation requests, or
- inquiries and prequalification requests.
4. Data Collection & Reporting Requirements
All reportable loans must include 15 data points either generated by the financial institution or collected from the applicant or a third-party source. Denied applications also must include denial reasons. For reportable applications that are approved but not accepted or that result in an origination, there are five additional data points for the amount approved or originated and for pricing information.
Financial institutions also must collect demographic information from applicants, including minority-owned business status, women-owned business status, and LGBTQI+-owned status, as well as the principal owners’ ethnicity, race, and sex.
If the applicant fails or declines to provide demographic information, the financial institution is to report as such. Financial institutions are not permitted to report these points based on visual observation.
Previously collected data can be reused if the data was collected within 36 months of the current covered application and the financial institution has no reason to believe the data is inaccurate.
The data points guide is available online.
5. Collection Form & Filing Guide
The rule includes a sample data collection form, which will be included as Appendix E of Regulation B, that can be used to collect this information and disclose appropriately to the applicant.
The filing guide is available online.
6. Limiting Access to Data
The final rule does include a data “firewall” that prohibits employees from accessing responses to the demographic data inquiries if the employee is involved in making any determination concerning an applicant’s covered application, unless the financial institution determines the employee should have access to one or more data points and provides a notice to the applicants that the employee or officer will access the responses.
7. Record Retention & Disclosure Requirements
The rule does require the financial institution to inform applicants that the institution is not permitted to discriminate based on their responses to demographic information at the time of application.
Small business lending application registers and evidence of compliance must be retained for at least three years.
8. Fair Lending Impact
The rule indicates that financial institutions have processes in place to help ensure that the initial request for applicant-provided data occurs prior to notification of action, the request is prominently displayed, applicants are not discouraged from responding to requests, and applicants can easily respond to the requests.
Financial institutions also must maintain procedures to identify and respond to signs of potential discouragement, including low response rates for this data. The rule includes additional information regarding how low response rates may indicate discouragement or another failure to maintain procedures to collect data at a time “reasonably designed to obtain a response.”
If your bank is seeking additional assistance in preparing for compliance with this rule, experienced professionals at FORVIS can help. For more information, please reach out to one of our professionals.