Skip to Content

CFPB Publishes Final Small Business Lending Data Collection Rule

Publications - Client Alert | April 13, 2023



In 2010, pursuant to Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the Consumer Financial Protection Bureau (the “CFPB”) amended Regulation B to implement changes to the Equal Credit Opportunity Act (the “ECOA”). Such changes included requiring covered financial institutions to collect and report to the CFPB data on applications for credit for small businesses. The effectiveness of Section 1071 was suspended until the adoption of the final implementing rule, which was initially published in September 2021. On April 30, 2023, the CFPB published its 888 page-final rule implementing Section 1071. The final rule and related information and materials can be found on the CFPB website.

Effective Date of the Small Business Lending Data Collection Rule

90 days after date of publication in the Federal Register, which has not yet occurred as of the date of this publication.

Compliance Dates

Covered financial institutions must comply with the final rule beginning October 1, 2024, April 1, 2025, or January 1, 2026 (depending on the number of covered transactions originated by the financial institution).

Summary of Final Small Business Lending Data Collection Rule

Section 1071 of the Dodd-Frank Act amended the ECOA to require financial institutions to collect and report to the CFPB certain data regarding applications for credit for small businesses. Section 1071 specifies a number of data points that financial institutions are required to collect and report, and also contains a number of other requirements, including those that address recordkeeping, restricting the access of underwriters to certain collected data, and the publication of the collected data by the CFPB. 

Covered Financial Institutions 
A “financial institution” is defined to include any partnership, company, corporation, association, trust, estate, cooperative organization or other entity that engages in any financial activity. The rule thus applies to a variety of entities that engage in small business lending, including depository institutions (i.e., banks, savings associations and credit unions), online lenders, platform lenders, community development financial institutions (both depository and non-depository institutions), Farm Credit System lenders, lenders involved in equipment and vehicle financing (both captive and independent financing companies), commercial finance companies, governmental lending entities and nonprofit non-depository lenders. The rule uses the term “covered financial institution” to refer to those financial institutions that are required to comply with its data collection and reporting requirements. A covered financial institution is defined as a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.

Covered Credit Transactions
Covered financial institutions are required to collect and report data regarding covered applications from small businesses for covered credit transactions.  A “covered credit transaction” is one that meets the definition of business credit under existing Regulation B, with certain exceptions. Transactions within the scope of the rule include loans, lines of credit, credit cards, merchant cash advances and credit products used for agricultural purposes. The CFPB excluded, among other things, trade credit, factoring, true leases, consumer-designated credit that is used for business or agricultural purposes, and to motor vehicle dealers that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles or both. In addition, the CFPB has added exclusions for transactions that are reportable under the Home Mortgage Disclosure Act of 1975 (HMDA) and insurance premium financing.  Purchases of originated covered credit transactions are not reportable.

Covered Applications
A “covered application” – which triggers data collection, reporting and related requirements when submitted by a small business – is defined as an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. Certain applications are not covered applications for purposes of the rule, including (1) reevaluation, extension or renewal requests on existing business credit accounts, unless the request seeks additional credit amounts, or (2) inquiries and prequalification requests.

Small Business Definition
A covered financial institution is required to collect and report data on a covered application from a “small business,” which is defined as a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

Data To Be Collected And Reported
The rule addresses the data points that must be collected and reported by covered financial institutions for covered applications from small businesses. There are nearly 30 pieces of data for each covered credit application that must be gathered and reported (e.g., whether the business is minority-, women- or LGBTQI+-owned; the principal owners’ ethnicity, race and sex; whether the application was approved or denied (including the reasons for denial); and a host of detailed pricing and fee related information). Certain of the data points must or could be collected from the applicant; other data points are based on information within the financial institution’s control. Covered financial institutions must not discourage an applicant from responding to requests for applicant-provided data and must otherwise maintain procedures to collect such data at a time and in a manner that are “reasonably designed” to obtain a response. When collecting data directly from the applicant, the rule identifies certain minimum provisions that must be included within financial institutions’ procedures in order for them to be considered “reasonably designed.” The rule also addresses what financial institutions should do if, despite having such procedures in place, they are unable to obtain certain data from an applicant. Furthermore, the rule makes clear that a financial institution may rely on information from the applicant, or appropriate third-party sources, when compiling data. If the financial institution verifies particular information, however, it must report that verified information. Financial institutions are permitted to reuse previously collected data in certain circumstances, rather than having to request it from the applicant for each covered application.

The CFPB has provided a sample data collection form to assist in collecting protected demographic data from applicants. Although the contents of the sample form reflect certain legal requirements that financial institutions must follow, their use of the sample form is not itself required under the rule. Rather, it is an available resource to financial institutions.

The CFPB’s rule implements a requirement in the rule that certain data collected from applicants be shielded from underwriters and certain other persons (or, if a firewall is not feasible, a notice is given to the applicant).  Generally, an employee or officer of a financial institution or a financial institution’s affiliate that is involved in making any determination concerning a covered application is prohibited from accessing the applicant’s responses to the inquiries about protected demographic information that the financial institution makes pursuant to the rule. This prohibition does not apply to an employee or officer, however, if the financial institution determines that an employee or officer should have access to an applicant’s responses to its inquiries regarding the applicant’s protected demographic information and the financial institution provides a notice to the applicant disclosing that access. The notice must be provided to each applicant whose information will be accessed or, alternatively, the financial institution could provide the notice to all applicants. The final rule does not require specific language for that notice but does provide sample language that a covered financial institution may use. 

Reporting Data to the CFPB; Publication of Data by the CFPB
Financial institutions must collect small business lending data on a calendar year basis and report it to the CFPB on or before June 1 of the following year. The CFPB released, concurrently with the final rule, technical instructions for the submission of small business lending data in a Filing Instructions Guide.

The CFPB will make available to the public, on an annual basis, the application-level data submitted to it by financial institutions, subject to modifications or deletions made by the CFPB to advance privacy interests. The CFPB’s publication of application-level data will satisfy financial institutions’ statutory obligation to make data available to the public upon request.

The CFPB is finalizing provisions regarding treatment of bona fide errors under the rule in general, along with several safe harbors for particular kinds of errors. Relatedly, covered financial institutions will have a 12-month grace period during which the CFPB will not assess penalties for errors in data reporting, and will conduct examinations only to assist institutions in diagnosing compliance weaknesses, to the extent that those institutions engaged in good faith compliance efforts.

Effective and Compliance Dates; Transitional Provisions
The final rule will become effective 90 days after publication in the Federal Register. The CFPB adopted a tiered compliance date schedule, recognizing that smaller and mid-sized lenders would have particular difficulties complying within the single 18-month compliance period originally proposed. Compliance with the rule beginning October 1, 2024 is required for financial institutions that originated at least 2,500 covered transactions in each of 2022 and 2023; April 1, 2025 for financial institutions that originated at least 500, but less than 2,500, covered transactions in each of 2022 and 2023, and at least 100 covered transactions in 2024; and January 1, 2026 for financial institutions that originated at least 100 covered transactions in each of 2024 and 2025. Covered financial institutions may begin collecting applicants’ protected demographic information one year prior to their compliance date to help prepare for coming into compliance with the final rule. The CFPB is also adopting a new provision to permit financial institutions that do not have ready access to sufficient information to determine their compliance tier (or whether they are covered by the rule at all) to use reasonable methods to estimate their volume of originations to small businesses for this purpose.

Compliance and Technical Assistance
The CFPB is supporting small business lenders with a variety of compliance and technical tools to help them determine if they are covered by this new rule, and if so when their obligations arise. For covered lenders, the agency is also making available a range of resources to assist with effective implementation of the rule, including a small entity compliance guide. These materials are available here. The CFPB is also launching a dedicated regulatory and technical support program that can provide assistance in response to questions about collection and reporting obligations, and a range of technical resources to make it easier to report data to the CFPB. The support program and related materials are available here.

Use of Technology Partners and Industry Consortia for Data Collection and Reporting
The final rule broadly permits financial institutions to work with third parties, including industry consortia, to develop services and technologies to aid in collecting and reporting data. So long as they meet the obligations stated in the rule, including collecting data in a manner that does not discourage small businesses from providing it, financial institutions are free to work with third parties to assist them with their compliance obligations, whether that is with respect to data collection, maintenance or reporting. The CFPB plans to work with consortia and other entities seeking to assist financial institutions to deploy industry-identified solutions. For example, the CFPB plans to provide Application Programming Interfaces in an open-source environment to assist financial institutions’ technology partners to develop accurate and efficient data reporting tools.

Please reach out Mike Tobak, Emily McProud, Jeff Makovicka or Bryan Handlos with any questions or for additional assistance.

CFPB Publishes Final Small Business Lending Data Collection Rule