The rule requires that lenders collect and report extensive applicant data to the CFPB, intended to deter discrimination and promote economic growth.

By Parag Patel, Victor Razon, and Deric Behar

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) finalized a regulation implementing Section 1071 of the 2010 Dodd-Frank Act. The regulation requires lenders, including fintech lenders, to collect and report certain demographic and financial data to the CFPB for credit applications received from small businesses. The purpose of the regulation is to promote economic development, increase transparency and accountability, and address unlawful discrimination in small business lending. The CFPB intends to establish a comprehensive and publicly accessible database containing the small business credit application data collected in connection with this regulation.

Lenders in Scope

The regulation applies to both traditional and alternative small business lenders. A “covered financial institution” includes but is not limited to banks, credit unions, and fintech lenders that originated more than 100 covered loans in each of the two preceding calendar years to businesses that generated up to US$5 million in gross annual revenue for their preceding fiscal year. Covered credit transactions include but are not limited to closed-end loans, lines of credit, online credit products, and merchant cash advances.

Data Requirements

Subject to certain exclusions, a covered financial institution must collect and report the following data elements in connection with an application (i.e., an oral or written request for a covered credit transaction) from a small business:

  • A unique identifier
  • The application date
  • The application method (i.e., the means by which the small business submitted its application)
  • The application recipient (indicating whether the application was received directly or indirectly via an unaffiliated third party)
  • The action taken by the covered financial institution on the application
  • The reason for any denial of credit, if applicable
  • The date of the action taken
  • Credit type
  • Credit purpose
  • The amount applied for
  • A census tract based on an address or location
  • Gross annual revenue for the preceding fiscal year
  • A three-digit North American Industry Classification System (NAICS) code
  • The number of people employed
  • The total length of business operation
  • The number of principal owners
  • The minority-owned business status, women-owned business status, and, LGBTQI+-owned business status
  • The principal owners’ ethnicity, race, and sex

Importantly, the Equal Credit Opportunity Act protects the final two data points on the list. This demographic data may therefore not be accessed by officers and employees of a covered financial institution or its affiliates if they are involved in making any determination concerning an application for credit.

Given the expected complexity of implementing compliant processes, policies, and procedures, annual reporting requirements are phased in depending on the institution’s volume of lending. Generally, a covered financial institution must begin to collect required data starting:

  1. October 1, 2024, if it originates at least 2,500 covered credit transactions to small businesses annually
  2. April 1, 2025, if it originates at least 500 covered credit transactions to small businesses annually
  3. January 1, 2026, if it originates at least 100 covered credit transactions to small businesses annually

Although covered institutions must ask applicants for the data points noted above, they cannot require applicants to provide the information. The CFPB, however, stated in non-binding policy guidance issued at the same time as the final rule that it would investigate and enforce any potential “indicia of discouragement,” including low response rates and irregularities in a particular response. Such irregularities “may indicate steering, improper interference, or other potential discouragement or obstruction of applicants’ preferred responses.”

Practical Implications for Firms

Since the federal rule imposes new and extensive data collection and reporting requirements on commercial lenders, in-scope firms should review their operations and compliance programs in order to plan for additional resources and program enhancements. The CFPB stated, however, that it will provide a one-year grace period on enforcement for institutions attempting to comply in good faith.

This rule reflects a growing trend to regulate commercial lending. In fact, certain states — notably New York, California, Utah, and Virginia — have recently enacted laws subjecting commercial lenders to disclosure requirements.

The rule will become effective 90 days after its publication in the Federal Register.

Divergent Views on the Final Rule

On May 15, 2023, Congresswomen Maxine Waters and Nydia Velázquez, the respective ranking members of the House Financial Services Committee and House Small Business Committee, sent a letter to the CFPB commending the implementation of the final rule. Specifically, the letter applauds the CFPB for implementing a regulation intended to improve credit access for underserved communities and combat lending discrimination. The letter asks the CFPB to provide a briefing to Democratic members of the House in the near future regarding the final rule.

In contrast, and despite the CFPB’s intention to “foster transparency and accountability” and “create a level playing field” with the rulemaking, Patrick McHenry, Chairman of the House Financial Services Committee, sharply criticized the final rule. He said that it “impos[es] overly burdensome reporting requirements on smaller lenders,” and vowed to “explore all options—including the Congressional Review Act—to ensure it does not take effect.”

Latham & Watkins will continue to monitor developments in this area.