CFPB’s New Small Business Data Collection Rule: Considerations for Lenders

5 Min Read By: Marisa A. Sotomayor, Jamie Dycus, George K. Komnenos

A new rule (12 CFR Part 1002, the “Rule”) issued in final form by the Consumer Financial Protection Bureau (the “CFPB”) earlier this year, though subject to legal challenges and delay, will impose a host of data collection and reporting obligations on lenders to small businesses. This article provides a high-level overview of key considerations for lenders in light of such enhanced future obligations.

A. Statutory Background:

The Rule, issued on March 30, 2023, implements Section 1071 (“Section 1071”) of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 1071, which amended the Equal Credit Opportunity Act, requires lenders who receive applications for small business loans to obtain, maintain, and periodically report to the CFPB certain information about applicants. Further, Section 1071 contemplates that the CFPB will make public the information it receives.

B. The Rule:

Application: The Rule’s reporting requirements apply to any financial institution with at least one hundred “covered originations” in each of the two previous calendar years. “Financial institution” is defined broadly to cover a range of entities engaging in “any financial activity”— i.e., this definition, and by extension, the Rule, could apply to both “traditional” bank lenders and alternative or direct lenders or private credit funds. Covered originations are certain types of credit extensions to “small businesses” (defined as businesses with gross revenues of no more than $5 million in the fiscal year preceding the time of determination).

Requirements: Lenders must report to the CFPB three types of data in connection with each consumer request (importantly, whether written or oral) for a covered credit transaction, including any refinancing of existing debt:

  • data generated by lenders (e.g., method of credit application and actions taken regarding such application);
  • data collected from applicants or third parties (e.g., credit purpose, amount requested, and details about the applicants’ business); and
  • demographic data collected from applicants, including minority-owned business status and information about principal owners.

Additionally, lenders must maintain certain policies and procedures, including:

  • Procedures reasonably designed to obtain a response to each request for applicant-provided demographic and other data.
  • Methods to recognize and address “indicia of potential discouragement”—i.e., practices that might cause applicants to decline to provide requested information. Note the CFPB issued a statement that it will “use its enforcement and supervisory authorities to focus on covered lenders’ compliance with” this requirement.
  • A “firewall” so that, with certain exceptions, persons making credit and other relevant determinations regarding a covered application by a small business do not have access to sensitive information provided by applicants pursuant to the Rule.

Unintentional errors occurring despite maintenance of appropriate procedures will not result in violations of the Rule. There is a presumption that unintentional errors below a numerical threshold are bona fide in nature. Safe harbors for certain types of inaccuracies in reported data also apply.

C. Compliance Considerations:

Smaller lenders will have more time to prepare for compliance than larger lenders. Compliance requirements will be phased in, starting in October 2024 for lenders with at least 2,500 covered originations in the aggregate for both 2022 and 2023. This timing may be affected by litigation for some lenders as described below.

Among other things, lenders must:

  • Analyze potentially covered credit transactions to determine whether the Rule applies and, if so, collect and provide accurate required data. In addition to developing effective routines to ensure careful and timely reporting, this process involves accurately identifying relevant data for each covered transaction, such as:
    • the purpose and type of credit;
    • the application method for such credit;
    • the reportable amounts (applied for and approved amounts);
    • pricing information; and
    • as applicable, reasons for approval or denial of such credit.
  • Collect and accurately analyze information about applicants, including by identifying relevant demographic and other characteristics.
  • Maintain procedures to “identify and respond to indicia of potential discouragement” in the credit and lending process.
  • Develop practices to ensure proper maintenance of the above-mentioned “firewall.” This would involve accurately identifying which persons are (or are not) involved in determining whether to extend credit to a given applicant.

D. Concluding Observations:

The Bureau’s Rule implementing Section 1071 has been the subject of considerable controversy. The rulemaking followed a lawsuit filed by community groups seeking to compel the Bureau to promulgate the Rule, and the process generated voluminous comments, many critical of the new burdens the Rule will impose on lenders. Currently, litigation is pending in federal district court in Texas in which the American Bankers Association and the Texas Bankers Association contend the Rule must be set aside. On July 31, 2023, the court in that case preliminarily enjoined the Bureau from enforcing the Rule against ABA and TBA members pending a decision in CFPB v. Community Financial Services Association, in which the Supreme Court will review the decision of the Fifth Circuit that the CFPB’s funding structure is unconstitutional. Since then, multiple other trade groups representing community banks, credit unions, and others have intervened in the Texas case and requested that implementation of the Rule be enjoined as to their members as well. The Kentucky Bankers Association has also filed a new separate lawsuit together with a group of Kentucky-based lenders similarly contending the Rule must be set aside.

As a practical matter, however, small business lenders would be wise to ensure they can meet future compliance obligations under the Rule. As sketched above, the Rule imposes substantial new administrative burdens, and compliance could prove costly and challenging, especially for community and local institutions. The Rule also seems likely to present challenges for larger institutions, whose existing frameworks for collecting demographic and other consumer information (for example, as required by federal fair lending laws) may not map easily onto the Rule’s distinct requirements. Notably, the Rule is part of a growing trend towards greater regulatory scrutiny over commercial lending, with a particular emphasis on small business transactions—in recent years, state regulators in jurisdictions such as California, Utah, New York, and Virginia have enacted laws mandating broad disclosures by commercial lenders. Considering the Rule’s broad applicability, the numerous new requirements it imposes, and the Bureau’s stated intention to make the Rule’s provisions concerning “discouragement” an enforcement priority, industry participants that engage in small business lending should work with counsel to prepare for compliance.


Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.