On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued the long-awaited final version of its rules on Small Business Lending under the Equal Credit Opportunity Act.³ The new rule imposes significant burdens and risks on lenders and will likely result in significant amounts of loan-related data being made public, as discussed below. The lenders and loans/applications covered include:

• Any financial institution that made over 100 covered loans in each of the previous two calendar years has data collection and reporting requirements in regard to covered small business loans. Covered small business loans are business or commercial loans to any company that grossed $5 million or less in revenue in its previous fiscal year.

Thus, the rule has a broad application, covering a wide scope of lenders and loans. The full text of the CFPB’s Small Business Lending Data Collection Rule can be found by clicking the link below.

https://www.consumerfinance.gov/rules-policy/final-rules/small-business-lending-under-the-equal-credit-opportunity-act-regulation-b/

The rule will implement the small business lending data collection requirements created by Section 1071 of the Dodd-Frank Act by amending Regulation B⁴ of the Equal Credit Opportunity Act (ECOA).⁵ The CFPB derives its rulemaking authority from both Section 1071 and the ECOA.⁶ The CFPB has indicated that the primary purposes of this rule are to facilitate the enforcement of fair lending laws created by the Dodd-Frank Act and to create a database available to the public that can be used to more effectively identify business and community development needs and serve women-owned, minority-owned and LGBTQ+-owned small businesses.

Likely Issues for Lenders

Regardless of its intended purposes, the rule creates significant and potentially costly issues for lenders, such as:

• The need to develop a complex operational process to gather, store and report data on loans to small businesses;
• Significant compliance and risk oversight;
• The need to inquire from applicants and borrowers about detailed ownership information.
• Heightened regulatory fair lending scrutiny in regard to lending to small businesses; and
• Increased exposure to fair lending claims from private applicants and borrowers, and regulators.

Compliance Deadline Dates

The deadline for compliance with this rule depends on the number of covered small business loans the lender made in each of 2022 and 2023:

• 2,500 business loans or more —
  comply by October 1, 2024
• 500 to 2,499 business loans —
  comply by April 1, 2025
• 100 to 499 small business loans —
  comply by January 1, 2026

A financial institution that did not originate at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 but subsequently originates at least 100 such transactions in two consecutive calendar years must comply no earlier than January 1, 2026.

Lenders and Loans Covered by the Rule

The lenders and lending activity covered by this rule are broad. The rule applies to covered financial institutions that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.⁷ Each phrase in that coverage definition must be considered:

• Covered Financial Institution: A “covered financial institution” is any financial institution that has originated at least 100 covered credit transactions for small businesses in each of the preceding two calendar years.⁸ A “financial institution” is any partnership, company, corporation, association, trust, estate or other entity that engages in financial activity. This definition covers a wide variety of lenders, including depository institutions, online lenders, platform lenders, and commercial finance companies.⁹
• Small business: Essentially, a small business is one with $5 million or less in gross annual revenue during its preceding fiscal year. The definition actually refers to the definitions of “business concern” and “small business concern” in the Small Business Act (SBA), but CFPB diverges from these definitions by imposing the $5 million gross revenue limit.¹⁰
• Covered credit transaction: A credit transaction covered by the rule is an extension of credit primarily for business or commercial purposes.¹¹ This would cover loans, lines of credit, and merchant cash advances, but would not include factoring transactions, leases, and credit secured by certain investment properties.¹²
• Single Family Residential Loans Not Covered — Home Mortgage Disclosure Act (HDMA)¹³ Overlap: If a loan meets the definition of a “covered loan” under HMDA, those loans are not covered by this new rule, and do not need to be reported as small business lending loans. This is because the new small business lending data collection rule specifically excludes all loans defined as “covered loans” in HDMA Regulation C.¹⁴

Data Collected and Reported

The data collection and reporting requirements are detailed and stringent. Lenders who already do residential lending data collection and reporting under the rules implementing the HMDA will be familiar with the many types of data and the methods for collecting and reporting the data. They may find it somewhat easier to implement these small business lending requirements. However, for other lenders not already doing HMDA reporting, there are likely to be steep learning curves and difficult operational implantation processes.

If a financial institution does fall within the purview of the rule, it is required to collect data on all loan applications it receives and loans it provides. The scope of the data required is wide-ranging.15 The data falls into two basic categories:

• Information about the application and the loan, such as:
  • application date
  • application method
  • credit type
  • amount applied for and borrowed
  • action taken in regards to the application
• Information about the applicant/borrower and the owners of the applicant/borrower, such as:
  • applicant’s gross annual revenue
  • number of workers for the applicant
  • whether the applicant is a women-owned, minority-owned, and/or LGBTQ+‑owned business
  • the ethnicity, race and sex of any individual who owns 25% or more of the applicant

Gathering this scope of information will require the buildout of operational processes and significant training for personnel.

Data for the previous calendar year must be collected and reported on June 1 of the following year and can be reported individually or through the parent of a financial institution.

Publication of Data

The CFPB will publish the data it collects on its website with such modifications and deletions as it determines are appropriate. In conjunction with this publication, each financial institution covered by the rule will be required to publish a statement on its website informing its visitors that the data it has reported is available on the CFPB’s website.^{16 17}

Depending on the scope of the modifications and deletions to lenders’ data the CFPB chooses to make, it appears that individuals, as well as attorneys and interest groups, will have access to broad arrays of lenders’ data, including data related to fair lending issues. This will increase litigation risks for lenders, and along with regulatory reviews of the data, will require lender reviews of their own data.

Enforcement, “Bona Fide Error” Exception and Safe Harbors

It is expected that the CFPB will aggressively monitor compliance with this rule, and any violation is subject to administrative sanctions and/or civil liability, as provided by Sections 704 and 706 of the ECOA.¹⁸

In addition to administrative sanctions and civil liability for non-compliance, the rule will expose lenders to an increased likelihood of regulatory fair lending investigations and enforcement actions. The CFPB has stated that a key purpose of the rule is to examine small business lending from a fair lending perspective.¹⁹

Bona Fide Error: A financial institution can escape sanction and liability if its non-compliance was a “bona fide error.” In other words, the institution must show that the error was unintentional and occurred despite maintenance of procedures reasonably adapted to avoid such errors.²⁰ A financial institution is presumed to maintain procedures reasonably adapted to avoid error if, based on a random sample of applicants, the number of errors found in a financial institution’s data submission is no greater than 6.4% for institutions processing 100 to 130 applications annually to 2.5% for the institutions processing more than 100,000 applications annually.²¹ An error is not bona fide if, based on the circumstances, it is reasonable to believe that the institution intentionally committed the error or failed to maintain adequate procedures.²²

Limited Safe Harbors: The rule also creates certain limited safe harbors where errors associated with collecting and reporting data on an applicant’s census tract, NAICS code, small business status, and application would not constitute violations.²³

Consequences of the Rule — Economic Costs and Reputational Risks

Most, if not all, financial institutions will have to build out overlays to their loan application system that allow for the collection of data they are required to report to the CFPB. They will also have to engage in ongoing training on, and compliance and risk oversight of, these processes. They will have to develop methods for meaningful review of their data in order to identify possible issues and take remedial actions.

The CFPB estimates that, depending on the covered financial institution, costs associated with preparing and implementing this reporting system can rise to as much as $100,000, and require hundreds of hours spent by junior, mid-level and senior employees.²⁴ Further, the CFPB estimates that the overall market impact of these costs to financial institutions could be as great as $160 million dollars.²⁵ Following implementation the CFPB estimates that the ongoing cost of maintaining these systems and abiding by the rules could range from $8,300 to $243,000, depending on the institution.²⁶ Even if one accepts the CFPB estimates, the costs of compliance with these rules will likely be significant for all institutions and have the potential to affect how these institutions run their businesses.

As discussed above, in addition to the economic costs associated with these rules, financial institutions also face economic and reputational risks in relation to their lending practices. In making their credit decision process public information, financial institutions can be scrutinized for who they choose or choose not to lend to, running the risk of being labeled as a discriminatory lender. Even more, this data could be utilized by class action attorneys and advocacy groups to initiate investigations and litigation.

Need to Begin Implementation

Given the dangers associated with failing to comply with these rules, and the difficulty and complexity of building out, testing and implementing similar data processes, it would be a best practice for all financial institutions covered by this rule to further study and begin implementing this rule as soon as possible. The CFPB has communicated that they will aggressively enforce these regulations, so failure to be prepared once collection and reporting become mandatory could result in serious consequences.