CFPB Finalizes Small Business Lending Data Collection Rule

10 minute read | April.07.2023

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) released its final rule implementing Section 1071 of the Dodd-Frank Act, which will require financial institutions to collect and provide to the bureau data on lending to small businesses. The bureau issued the rule just one day prior to the deadline in a July 2022 court order that settled litigation brought by several groups, including the California Reinvestment Coalition, seeking to compel the bureau to issue a final rule (covered by InfoBytes here and here). The CFPB said the rule will result in the creation of the “first comprehensive public database” on small business financing practices.

The final rule reflects a number of departures from the CFPB’s September 2021 proposal that are intended to address public comment. 

Covered Institutions

The final rule imposes data collection requirements on “covered financial institutions,” which it defines as essentially any entity that meets both of the following requirements:

  • The entity engages in any financial activity, which broadly construed includes depository institutions, online lenders, platform lenders, community development financial institutions, equipment and vehicle financers (excluding some motor vehicle dealers), farm credit system lenders, general commercial finance companies, providers of merchant cash advances, governmental lending entities and nonprofit lenders
  • The entity originated at least 100 “covered transactions” (defined below) in each of the two preceding calendar years

The 100-transaction threshold for applicability is substantially higher than the 25-transaction threshold included in the proposed rule. However, consistent with the proposal, the CFPB did not include in the final rule any exemptions based on the size (e.g., asset value) of a financial institution.

Covered financial institutions must collect and report data from businesses with $5 million or less in gross annual revenue for the preceding fiscal year.

Covered Transactions

The rule requires covered financial institutions to collect and report data from “covered applications” (defined below) from small businesses for “covered credit transactions,” meaning transactions meeting the definition of “business credit” under existing Regulation B, which implements the Equal Credit Opportunity Act, unless an express exemption applies. Transactions subject to the final rule include business and agricultural purposes:

  • Loans (including non-HMDA-reportable real-property loans)
  • Lines of credit
  • Credit cards
  • Merchant cash advances

Transactions exempt from the rule include:

  • Trade credit
  • Public utilities credit
  • Securities credit
  • Incidental credit
  • Transactions reportable under HMDA
  • Insurance premium financing
  • Factoring
  • Leases
  • Consumer-designated credit (even if used for business or agricultural purposes)

The final rule makes clear the CFPB’s position that most merchant cash advances constitute “credit” subject to ECOA/Regulation B. Excluding factoring products is consistent with existing Regulation B interpretations that a true purchase of accounts receivable is not “credit” subject to ECOA/Regulation B. In commentary to the final rule, the bureau took care to distinguish merchant cash advances from factoring transactions on a number of bases, with the key distinction being that in a merchant cash advance the recipient of the financing has no existing rights to payment that are transferred at the moment the financing is provided, such that the transaction constitutes only a promise to transfer funds at a later date. Using this logic, the bureau has taken the position that merchant cash advances create an effective right to defer payment, and as a result, constitute credit as defined within ECOA.

In a departure from the proposed rule, the CFPB exempted all HMDA-reportable transactions, but business-purpose credit transactions secured by real property that are not subject to HMDA are not exempt. This category of covered transactions could include business financing secured by other-than a dwelling, business financing secured by a primary residence or residential investment property as collateral for inventory financing or working capital, and agricultural-purpose financing secured by a dwelling.

In commentary to the final rule, the bureau confirmed that the rule generally does not apply to motor vehicle dealers, consistent with the carveout for dealers within the Dodd-Frank Act. However, the bureau addressed applicability of the final rule when multiple creditors play a role in a single transaction, including in the indirect auto-finance context, noting that the last financial institution with the authority to set the material terms of the covered credit transaction would be the institution responsible for reporting under the rule. The bureau noted that where a motor vehicle dealer is the last financial institution, the application and transaction will not be subject to reporting under the rule.

Notably, purchases of covered credit transactions (that were reportable at origination) are also not covered transactions subject to the final rule.  

Covered Applications

The term “covered application” is defined more narrowly in the final rule than in the existing Regulation B. Specifically, a “covered application” constitutes an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. However, for purposes of the final rule, the term excludes the following:

  • Applications for a reevaluation, extension, or renewal on an existing business credit account unless an additional amount of credit is requested
  • Inquiries
  • Prequalification requests
  • Solicitations, offers of credit, or evaluations for additional credit amounts that the financial institution initiates (though, in the event a small business ultimately applies for the relevant credit, such application would itself be covered under the final rule)

Notably, requests for refinancing (with or without an additional credit amount) constitute “covered applications” subject to the final rule.

Required Data Points

The data points that must be collected fall into three broad categories:

  • Category 1. Data points generated by the financial institution. This category includes (i) data points required to be reported for all applications; (ii) data points required only for applications that are denied; and (iii) data points required only for applications that are approved. They include:

    • For All Covered Applications:

      • Unique identifier
      • Application date
      • Application method
      • Whether the application was received directly or by way of an unaffiliated third party
      • Action taken by the covered financial institution
      • Date of action taken

    • For Denied Applications:

      • Denial reason

    • For Approved Applications:

      • Amount approved or originated
      • Pricing information (as applicable):

        • Interest rate
        • Origination charges
        • Broker fees
        • Initial annual charges
        • Cost for MCA or sales-based financing
        • Prepayment penalties

  • Category 2. Data points based on information collected from the applicant or third parties:

    • Credit type
    • Credit purpose
    • The amount applied for
    • A census tract based on an address or location provided by the applicant
    • Gross annual revenue for the applicant’s preceding fiscal year
    • A three-digit North American Industry Classification System (NAICS) code for the applicant
    • The number of people working for the applicant
    • The applicant’s time in business
    • The number of the applicant’s principal owners

  • Category 3. Data points based on information collected solely from the applicant:

    • The applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status
    • The applicant’s principal owners’ ethnicity, race, and sex

The bureau in an appendix to the rule issued a sample form that financing institutions may choose to use for purposes of collecting the Category 3 data.  

In a departure from the precedent set in HMDA, the final rule does not require financial institutions to obtain any demographic data through visual observation. Instead, Category 3 data points must be based solely on information provided by the applicant. 

Firewall Requirement

Consistent with ECOA, the final rule includes a firewall requirement providing that officers and employees of a financial institution or its affiliates involved in making any determination concerning an application for credit not have access to the applicant’s protected demographic data (Category 3 data points). When an exception applies, they must disclose it. Commentary to the final rule provides guidance as to what constitutes being “involved in making any determination concerning a covered application.”

Use and Publication of Results

Data pursuant to the new rule will be annually collected and published by the bureau, subject to modifications and deletions for privacy purposes, and will occur after the bureau has obtained a full year of reported data. In a departure from the proposed rule, the bureau is no longer committing to issue modification and deletion decisions through a policy statement.

Specifically, the CFPB intends to publish:

  • Application-Level Data. Application-level data will be published for all data fields, subject to a full privacy analysis.
  • Aggregate Analyses. Aggregate analyses of 1071 data. The bureau anticipates publishing select aggregated data prior to publishing application-level data.

Notably, the CFPB does not intend to establish a separate program by which researchers may have access to unmodified data. Instead, only a singular published data set will be available to all users, with the exception of state or federal regulators, to whom the bureau may provide additional data access (e.g., to facilitate ECOA enforcement).

CFPB’s privacy analysis will focus on reducing re-identification risk for applicants. Its current view is that the privacy assessment need not consider financial institution privacy interests, except to the extent that it identifies a compelling risk to them.

Effective Date

The rule is effective 90 days after its publication in the Federal Register, with compliance required beginning October 1, 2024, at the earliest; institutions that originate a moderate or low volume of covered transactions have until April 1, 2025, or January 1, 2026. To facilitate the transition, covered financial institutions are permitted to begin collecting applicants’ protected demographic data one year prior to their applicable compliance date.

The CFPB will provide a 12-month enforcement grace period for institutions attempting to comply in good faith. For covered financial institutions required to comply beginning on October 1, 2024, and for any financial institutions that make a voluntary submission for the first time for data collected in 2024, the grace period will cover the first three months of data collected in 2024 (October 1 through December 31), as well as the first nine months of data collected in 2025 (from January 1 through September 30). Similarly, structured grace periods shall apply to financial institutions subject to later compliance dates.

During this grace period, the CFPB said the following policies apply:

  • Examinations of initial data submissions will be framed as diagnostic, and intended to help institutions identify gaps and make improvements for further years
  • The CFPB will not require data resubmission unless errors identified in the initial submission are material
  • Any errors or instances of non-compliance identified during the grace period will not result in penalties being assessed if good faith efforts were made to comply

Enforcement Approach

In tandem with the final rule, the CFPB issued policy guidance addressing enforcement and supervisory practices relating to the final rule. The CFPB will focus on ensuring that covered financial institutions comply with the rule’s prohibition on discouraging applicants from providing responsive information, in particular by designing data collection procedures that:

  • Ensure that requests for data are prominent to applicants
  • Ensure that applicants can easily respond to data requests
  • Ensure that data requests are initially made prior to notifying an applicant of the financing provider’s decision on the application
  • Monitor for low response rates and any other significant irregularities in responses that may indicate steering, interference, discouragement, or obstruction of applicant responses both holistically and by division, location, and individual
  • Provide adequate training to individuals involved in data collection from loan applicants
  • Ensure that prompt remedial action is taken if discouragement or related improper conduct is identified
  • Ensure that the time and manner of the financial institution’s collection procedures generally serve the end goal of obtaining responsive information, maximizing the collection of responses and minimizing missing or erroneous data.

The bureau indicated it will compare a financial institution’s response rates to those of other financial institutions of a similar size, type, and geographic reach to guide enforcement activities.


The CFPB has issued a substantial body of documentation to assist financial institutions in understanding and implementing the final rule. Resources released to date include:

For more information on the final rule, please contact Marshall Bell, John Coleman, Manley Williams or an Orrick attorney with whom you have worked in the past.