10 minute read | April.07.2023
On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) released its final rule implementing Section 1071 of the Dodd-Frank Act, which will require financial institutions to collect and provide to the bureau data on lending to small businesses. The bureau issued the rule just one day prior to the deadline in a July 2022 court order that settled litigation brought by several groups, including the California Reinvestment Coalition, seeking to compel the bureau to issue a final rule (covered by InfoBytes here and here). The CFPB said the rule will result in the creation of the “first comprehensive public database” on small business financing practices.
The final rule reflects a number of departures from the CFPB’s September 2021 proposal that are intended to address public comment.
The final rule imposes data collection requirements on “covered financial institutions,” which it defines as essentially any entity that meets both of the following requirements:
The 100-transaction threshold for applicability is substantially higher than the 25-transaction threshold included in the proposed rule. However, consistent with the proposal, the CFPB did not include in the final rule any exemptions based on the size (e.g., asset value) of a financial institution.
Covered financial institutions must collect and report data from businesses with $5 million or less in gross annual revenue for the preceding fiscal year.
The rule requires covered financial institutions to collect and report data from “covered applications” (defined below) from small businesses for “covered credit transactions,” meaning transactions meeting the definition of “business credit” under existing Regulation B, which implements the Equal Credit Opportunity Act, unless an express exemption applies. Transactions subject to the final rule include business and agricultural purposes:
Transactions exempt from the rule include:
The final rule makes clear the CFPB’s position that most merchant cash advances constitute “credit” subject to ECOA/Regulation B. Excluding factoring products is consistent with existing Regulation B interpretations that a true purchase of accounts receivable is not “credit” subject to ECOA/Regulation B. In commentary to the final rule, the bureau took care to distinguish merchant cash advances from factoring transactions on a number of bases, with the key distinction being that in a merchant cash advance the recipient of the financing has no existing rights to payment that are transferred at the moment the financing is provided, such that the transaction constitutes only a promise to transfer funds at a later date. Using this logic, the bureau has taken the position that merchant cash advances create an effective right to defer payment, and as a result, constitute credit as defined within ECOA.
In a departure from the proposed rule, the CFPB exempted all HMDA-reportable transactions, but business-purpose credit transactions secured by real property that are not subject to HMDA are not exempt. This category of covered transactions could include business financing secured by other-than a dwelling, business financing secured by a primary residence or residential investment property as collateral for inventory financing or working capital, and agricultural-purpose financing secured by a dwelling.
In commentary to the final rule, the bureau confirmed that the rule generally does not apply to motor vehicle dealers, consistent with the carveout for dealers within the Dodd-Frank Act. However, the bureau addressed applicability of the final rule when multiple creditors play a role in a single transaction, including in the indirect auto-finance context, noting that the last financial institution with the authority to set the material terms of the covered credit transaction would be the institution responsible for reporting under the rule. The bureau noted that where a motor vehicle dealer is the last financial institution, the application and transaction will not be subject to reporting under the rule.
Notably, purchases of covered credit transactions (that were reportable at origination) are also not covered transactions subject to the final rule.
The term “covered application” is defined more narrowly in the final rule than in the existing Regulation B. Specifically, a “covered application” constitutes an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. However, for purposes of the final rule, the term excludes the following:
Notably, requests for refinancing (with or without an additional credit amount) constitute “covered applications” subject to the final rule.
The data points that must be collected fall into three broad categories:
The bureau in an appendix to the rule issued a sample form that financing institutions may choose to use for purposes of collecting the Category 3 data.
In a departure from the precedent set in HMDA, the final rule does not require financial institutions to obtain any demographic data through visual observation. Instead, Category 3 data points must be based solely on information provided by the applicant.
Consistent with ECOA, the final rule includes a firewall requirement providing that officers and employees of a financial institution or its affiliates involved in making any determination concerning an application for credit not have access to the applicant’s protected demographic data (Category 3 data points). When an exception applies, they must disclose it. Commentary to the final rule provides guidance as to what constitutes being “involved in making any determination concerning a covered application.”
Data pursuant to the new rule will be annually collected and published by the bureau, subject to modifications and deletions for privacy purposes, and will occur after the bureau has obtained a full year of reported data. In a departure from the proposed rule, the bureau is no longer committing to issue modification and deletion decisions through a policy statement.
Specifically, the CFPB intends to publish:
Notably, the CFPB does not intend to establish a separate program by which researchers may have access to unmodified data. Instead, only a singular published data set will be available to all users, with the exception of state or federal regulators, to whom the bureau may provide additional data access (e.g., to facilitate ECOA enforcement).
CFPB’s privacy analysis will focus on reducing re-identification risk for applicants. Its current view is that the privacy assessment need not consider financial institution privacy interests, except to the extent that it identifies a compelling risk to them.
The rule is effective 90 days after its publication in the Federal Register, with compliance required beginning October 1, 2024, at the earliest; institutions that originate a moderate or low volume of covered transactions have until April 1, 2025, or January 1, 2026. To facilitate the transition, covered financial institutions are permitted to begin collecting applicants’ protected demographic data one year prior to their applicable compliance date.
The CFPB will provide a 12-month enforcement grace period for institutions attempting to comply in good faith. For covered financial institutions required to comply beginning on October 1, 2024, and for any financial institutions that make a voluntary submission for the first time for data collected in 2024, the grace period will cover the first three months of data collected in 2024 (October 1 through December 31), as well as the first nine months of data collected in 2025 (from January 1 through September 30). Similarly, structured grace periods shall apply to financial institutions subject to later compliance dates.
During this grace period, the CFPB said the following policies apply:
In tandem with the final rule, the CFPB issued policy guidance addressing enforcement and supervisory practices relating to the final rule. The CFPB will focus on ensuring that covered financial institutions comply with the rule’s prohibition on discouraging applicants from providing responsive information, in particular by designing data collection procedures that:
The bureau indicated it will compare a financial institution’s response rates to those of other financial institutions of a similar size, type, and geographic reach to guide enforcement activities.
The CFPB has issued a substantial body of documentation to assist financial institutions in understanding and implementing the final rule. Resources released to date include: