The Consumer Financial Protection Bureau’s Proposed Rules on Small Business Data Collection: Nine Things To Know

by David Stein, Eric MogilnickiJeremy NewellMichael Nonaka, and Andrew Smith 

On Wednesday, September 1, 2021, the Consumer Financial Protection Bureau (“Bureau”) issued a notice of proposed rulemaking for proposed rules that would require creditors to collect and report data about lending to small businesses, focusing on minority-owned and women-owned small businesses (the “Proposed Rules”). The Bureau issued the Proposed Rules to implement Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2011. Section 1071 amended the Equal Credit Opportunity Act (“ECOA”) to create a mandatory data collection and reporting requirement for business lending to promote the ECOA’s fair lending objectives. In July 2021, the Bureau committed to issuing the Proposed Rules no later than September 30, 2021, as part of a settlement agreement reached in a lawsuit brought by consumer advocates in 2019 regarding the delayed issuance of rules to implement Section 1071. Comments on the Proposed Rules are due 90 days after publication in the Federal Register.

I. The Proposed Rules apply to a broad range of “covered financial institutions” that originated at least 25 “covered credit transactions” for “small businesses” in each of the two preceding calendar years.

Under the Proposed Rules, covered financial institutions include depository institutions and a variety of non-depository institution lenders, such as online lenders, platform lenders, equipment and vehicle finance companies, and commercial finance companies.

II. The Proposed Rules define “small business” by reference to the definitions of “business concern” and “small business concern” in the Small Business Act and Small Business Administration (“SBA”) regulations along with a proposal to adopt a simplified size standard.

The Bureau proposes a simplified size standard for a small business of $5 million or less in gross annual revenue for the preceding fiscal year, rather than applying the SBA’s industry-specific size standards. The SBA would need to approve this alternate small business size standard under the Small Business Act, 15 U.S.C. § 631 et seq.

III. The Proposed Rules would require data collection and reporting on “covered applications” for “covered credit transactions.”

“Covered credit transactions” broadly encompass any extension of business credit that qualifies as business credit under the Equal Credit Opportunity Act (“ECOA”) and Regulation B, subject to express exclusions for trade credit, public utilities credit, securities credit, and incidental credit. In addition, the Bureau indicated that factoring transactions, leases, consumer-designated credit used for business purposes, and credit secured by certain investment properties would not be considered covered credit transactions.

A “covered application” is an oral or written request for a covered credit transaction made in accordance with the procedures used by the financial institution for the type of credit requested. A “covered application” does not include inquiries, prequalification requests, or reevaluation, extension, or renewal requests on an existing business credit account unless the request is for an additional amount of credit.

IV. The Proposed Rules would require covered financial institutions to compile, maintain, and report to the Bureau 21 data points regarding covered applications from small business, even though the statute, on its face, requires data collection about minority-owned and women-owned businesses that are not small businesses.

The 21 data points are:

  1. A unique alphanumeric identifier for the covered application;
  2. Application date;
  3. Application method (direct or indirect);
  4. Application recipient (direct to the financial institution or an affiliate, or indirect via a third party);
  5. The type of credit applied for or originated, including the credit product, types of guarantees obtained or required, and loan term, if applicable;
  6. Credit purpose;
  7. Amount applied for;
  8. Amount approved or originated, as applicable;
  9. Action taken (originated, approved but not accepted, denied, withdrawn, or incomplete);
  10. Action taken date;
  11. For denied applications, the principal reasons for denial;
  12. For originated or approved applications, pricing information, including interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties;
  13. Census tract;
  14. Gross annual revenue of the applicant;
  15. Six digit North American Industry Classification system (“NAICS”) code for the applicant;
  16. Number of non-owner workers;
  17. Time in business;
  18. Whether the applicant is a minority-owned business and whether the status is based on previously collected information;
  19. Whether the applicant is a women-owned business and whether the status is based on previously collected information;
  20. The ethnicity, race, and sex of the applicant’s principal owners, whether such data are reported based on previously collected data, and whether reporting is based on visual observation or surname; and
  21. The number of principal owners.

These 21 data elements go well beyond the 12 data elements mandated for collection and reporting by Section 1071(b)(1). The 12 statutory data elements are: (1) whether the applicant is a women-owned, minority-owned, and/or small business; (2) application/loan number; (3) application date; (4) loan/credit type; (5) loan/credit purpose; (6) credit amount/limit applied for; (7) credit amount/limit approved; (8) type of action taken; (9) action taken date; (10) census tract (principal place of business); (11) gross annual revenue; and (12) race, sex, and ethnicity of principal owner(s).

Covered financial institutions must maintain procedures to collect the required data elements at a time and in a manner reasonably designed to obtain a response and may rely on and reuse data previously collected within the same calendar year.

V. The Bureau provides detailed guidance on data collection and reporting in appendices to the Proposed Rule and generally relies on applicant self-reporting without financial institution verification with one exception.

Appendix E of the Proposed Rules provides a sample form for collecting data on small business applicants. Appendices F and G of the Proposed Rules, respectively, provide detailed instructions for the collection and reporting of small business applicants’ minority-owned and women-owned business status and the ethnicity, race, and sex of small business applicants’ principal owners.

The exception to reliance on self-reported data is that covered financial institutions must collect at least one principal owner’s race and ethnicity via visual observation and/or surname if the institution meets in person with any principal owners, including via electronic media, and the applicant does not voluntarily provide such data for at least one principal owner.

VI. The Proposed Rules create a firewall to prohibit the employees or officers of a covered financial institution who are involved in underwriting from accessing an applicant’s responses to minority-owned business status, women-owned business status, and principal owner race, ethnicity, or sex.

The Proposed Rules contain an exception to the firewall where the financial institution determines that it is not feasible to limit such access and the institution provides a notice to each applicant whose responses may be accessed by underwriting personnel.

VII. The Proposed Rules would require annual reporting of the data collected from or about small business applicants on or before June 1 following the calendar year when the data are collected and record retention for at least three years after the date on which the data are submitted to the Bureau.

Data submissions must be submitted in a format prescribed by the Bureau and in accordance with procedures that will be outlined in a forthcoming Filing Instructions Guide. Certain information about the financial institution must accompany each submission. Where multiple financial institutions are involved in a covered credit transaction, only one covered financial institution (i.e., the institution that makes the credit decision) reports the transaction.

Records of submissions must be retained for at least three years from the date of submission for compliance purposes. Applicant responses must be kept separate from the rest of the application.

VIII. The Proposed Rules indicate that the Bureau generally will make the reported data publicly available, subject to any deletions or modifications that the Bureau determines, in its discretion, would advance a privacy interest.

The Bureau proposes to use a “balancing test” to assess the risks and benefits of public disclosure and anticipates issuing a policy statement setting forth its proposed modifications and deletions after it receives one full year of reported data. The Bureau also may, in its discretion, compile and aggregate the data submitted by financial institutions and make such compilations or aggregations public.

IX. The Proposed Rules provide for a mandatory compliance date of 18 months after publication of the final rule in the Federal Register.

David Stein is of counsel, and Eric MogilnickiJeremy NewellMichael Nonaka, and Andrew Smith are partners at Covington & Burling LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.