On September 1, 2021, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPRM) requesting public comment on its proposed rule to implement Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The publication of the NPRM in the Federal Register on October 8, 2021, commences the 90-day comment period – and comments on the proposed rule must be received on or before January 6, 2022.
Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act to require that certain financial institutions collect and report to the CFPB certain data regarding applications for credit made by small businesses, including women-owned businesses and minority-owned businesses1, among other requirements. Section 1071 has two stated purposes: “to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority-owned, and small businesses.” As proposed, the rule would not require financial institutions to collect and report women-owned business status and minority-owned business status for businesses that are not small.
In the NPRM, the CFPB recognizes the ongoing transformation of the small business lending landscape, including the increasing role that fintech companies, among others, are playing in providing financing to small businesses. If finalized, the proposed rule would amend Regulation B to implement Section 1071’s requirements. The proposed rule would apply to a range of entities that engage in small business lending and create the first comprehensive database of small business credit applications in the US.
Financial institutions and transactions covered by proposed rule
The proposed rule would impose requirements on a “covered financial institution” to collect and report certain data regarding “covered applications” from “small businesses” for “covered credit transactions.”
What’s a ‘covered financial institution’?
The CFPB proposes to define a “covered financial institution” as a “financial institution that originated at least 25 covered credit transactions to small businesses in each of the two preceding separate calendar years.” A “financial institution” would include “any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity.” According to the CFPB, the definition of a covered financial institution would capture a range of entities that engage in small business lending, “including depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions (both depository and nondepository institutions), lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), commercial finance companies, governmental lending entities, and nonprofit nondepository lenders.”2 The proposed rule would not include an asset-based exemption for depository institutions or other general exemptions for financial institutions.
What’s a ‘covered application’?
The proposed rule would define a “covered application” as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.” The CFPB would exempt from the definition of a covered application: “(1) reevaluation, extension or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; and (2) inquiries and prequalification requests.”
What’s a ‘covered credit transaction’?
The CFPB proposes to define a “covered credit transaction” as a transaction that meets the “business credit” definition of Regulation B, which would include, among other things, loans, lines of credit, credit cards and merchant cash advances. A “covered credit transaction” would exempt trade credit, public utilities credit, securities credit and incidental credit, as well as factoring, leases, consumer-designated credit used for business purposes and credit secured by certain business properties.
What’s a ‘small business’?
The proposed rule would define a “small business” by reference to the definition of “small business concern” in the Small Business Act and the implementing regulations of the Small Business Administration (SBA). However, the proposed definition would not apply the SBA’s size standards for defining a small business concern; rather, it would look to whether the business had $5 million or less in gross annual revenue in its preceding fiscal year.
Data to be collected and reported, and publication of reported data
The CFPB would require a covered financial institution to collect and report more than 20 data points regarding covered applications from small businesses for covered credit transactions. (For a summary of the data points that the proposed rule would require covered financial institutions to collect and report, refer to the CFPB’s “Proposed data points for small business lending data collection”). These data points generally fall within three categories:
- Data points that are generated or supplied by the financial institution.
- Data points that are or could be provided by the applicant (or otherwise determined based on information provided or authorized by the applicant).
- Data points that address the demographics of the applicant’s principal owners or ownership status.
Of particular note, the data points include whether a small business applicant is women-owned or minority-owned, and the ethnicity, race and sex of the small business applicant’s “principal owners” (the CFPB refers to such data collectively as “protected demographic information”).3 However, the proposed rule would not require applicants to respond to a financial institution’s requests for protected demographic information. Consistent with the requirements of Section 1071, the proposed rule would require covered financial institutions to, unless it is not feasible, limit certain employees’ and officers’ access to application responses containing protected demographic information by creating a “firewall.”
The proposed rule would require covered financial institutions to collect data on a calendar-year basis and report the data to the CFPB by June 1 of the following year. A covered financial institution would also be required to provide certain information about itself as part of its annual submission. One of these data points is the type of covered financial institution, and the CFPB is proposing inclusion of a “fintech” category.
The CFPB also proposes making data submitted by covered financial institutions available to the public annually on the CFPB’s website. However, the CFPB would first employ a “balancing test” to determine whether to modify or delete certain data in the interest of privacy.
Next steps and outlook
Financial institutions have time to prepare for the anticipated requirements. If implemented, the final rule would become effective 90 days after its publication in the Federal Register, and it would not require compliance until approximately 18 months later. The CFPB is also proposing transitional provisions that would ease implementation of the rule by covered financial institutions.
The CFPB’s anticipated publication of data collected and reported by covered financial institutions pursuant to Section 1071 and the CFPB’s implementing rule is likely to elevate fair lending issues with respect to small business lending, which may become subject to the levels of regulatory and public scrutiny observed with home mortgage lending.
- A business would be considered a “women-owned business” or “minority-owned business” if (a) more than half of its ownership or control is held by one or more women or “minority individuals,” respectively, and (b) more than half of its net profits or losses accrue to one or more women or minority individuals, respectively. A “minority individual” would mean “a natural person who is American Indian or Alaska Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, and/or Hispanic or Latino.”
- The requirements do not extend to motor vehicle dealers.
- “Principal owner” would be defined as “a natural person who directly owns 25 percent or more of the equity interests of a business.”