On 21 July 2010, Congress passed the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act (ECOA) and requires that financial institutions collect and report to the Consumer Financial Protection Bureau (CFPB) certain data regarding applications for credit by women-owned, minority-owned, and small businesses.
The statutory purpose of section 1071 of the Dodd-Frank Act is to facilitate the enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities for women-owned, minority-owned, and small businesses.
What is the Final Rule?
On 30 March 2023, the CFPB issued implementing regulations for section 1071 of the Dodd-Frank Act (final rule). The final rule requires the covered financial institutions to collect and report to the CFPB data on applications for credit from women-owned, minority-owned, and small businesses.
The final rule also addresses the CFPB's approach to privacy interests and data publication, prohibiting discrimination against those who provide this data to covered financial institutions and shielding certain demographic information from underwriters and others. The final rule became effective on 29 August 2023; however, the compliance dates may vary for different covered financial institutions based on the number of covered transactions, as explained later.
To Whom Does the Final Rule Apply?
The final rule applies to “covered financial institutions.” A covered financial institution is a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.
Let us examine what a financial institution, small business, and covered financial transaction mean to fully understand the final rule's scope.
What is a Financial Institution?
A “financial institution” includes any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity.
The rule thus applies to a variety of entities that engage in small business lending, including depository institutions ( i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions (both depository and nondepository institutions), Farm Credit System lenders, lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), commercial finance companies, governmental lending entities, and nonprofit non-depository lenders.
What is a Small Business?
Pursuant to the final rule, a business is a “small business” if its gross annual revenue for the preceding fiscal year is $5 million or less. Thus, if a business had more than $5 million in gross annual revenue for its preceding fiscal year, it is not a small business pursuant to the final rule. Additionally, non-profit organizations and governmental entities are not small businesses pursuant to the final rule.
What is a Covered Credit Transaction?
A covered credit transaction, also referred to as origination, is an extension of business credit under Regulation B. Thus, covered credit transactions can include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes.
However, the following transactions are exempted from coverage even if they satisfy Regulation B’s definition of business credit:
- Trade credit;
- HMDA-reportable transactions;
- Insurance premium financing;
- Public utilities credit;
- Securities credit; and
- Incidental credit.
Why are ‘Originations’ Important?
For purposes of determining institutional coverage (i.e., whether a financial institution is a covered financial institution) and compliance date tier, financial institutions count covered originations.
A covered origination is a covered credit transaction that the financial institution originated with a small business. Refinancings can be covered originations. However, extensions, renewals, and other amendments of existing transactions are not considered covered originations, even if they increase the existing transaction's credit line or credit amount.
Obligations of Covered Financial Institutions
Following are some primary obligations of the covered financial institutions under the final rule:
Compilation of Reportable Data
The final rule requires a covered financial institution to report data points based on information that could be collected from the applicant or an appropriate third-party source. These data points include:
- A unique identifier;
- The application date;
- The application method;
- The application recipient (indicating whether the application was received directly, or indirectly via an unaffiliated third party);
- The action taken by the covered financial institution on the application; and
- The action taken date.
The covered financial institutions are also required to collect and maintain the following data points which specifically relate to the credit being applied for and information related to the applicant’s business:
- Credit type;
- Credit purpose;
- The amount applied for;
- A census tract based on an address or location provided by the applicant;
- Gross annual revenue for the applicant’s preceding fiscal year;
- A three-digit North American Industry Classification System (NAICS) code for the applicant;
- The number of people working for the applicant;
- The applicant’s time in business;
- The number of the applicant’s principal owners;
- Demographic information collected from an applicant, such as the applicant’s minority-owned business status, women-owned business status, and LGBTQI+ owned business status; and
- The applicant’s principal owners’ ethnicity, race, and sex.
Privacy Obligations
Internal Access Restrictions
As per the final rule, employees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application.
Notice Requirement
If a covered financial institution determines that an employee or officer should have access to an applicant's responses to its inquiries regarding the applicant's protected demographic information, it must provide a notice to the applicant regarding that access. Notice must be provided to each applicant whose information will be accessed or, alternatively, the financial institution could provide the notice to all applicants.
Disclosure to Third Parties Not Allowed
In addition, the final rule prohibits a covered financial institution or third party from disclosing this demographic information (i.e., minority-owned, women-owned, and LGBTQI+- owned business statuses and ethnicity, race, and sex information collected pursuant to the final rule) to other parties, except in limited circumstances (i.e compliance with ECOA or Regulation B or as required by law.)
Onward Disclosure by Third Parties Not Allowed
A third party that obtains protected demographic information for the purpose of furthering compliance with ECOA and Regulation B from any further disclosure of such information, except to further compliance with ECOA and Regulation B or as required by law.
Record-Keeping Obligations
Data Retention Requirements
The final rule has recordkeeping requirements, including a requirement for covered financial institutions to retain copies of small business lending application registers and other evidence of compliance for at least three years.
Separated Data
The final rule also includes a requirement to maintain an applicant’s responses to the final rule’s required inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding principal owners’ ethnicity, race, and sex separate from the rest of the application and accompanying information.
Deadline to Comply
The final rule is effective 90 days after its publication in the Federal Register. However, compliance with the final rule is not required at that time. To determine when it must begin complying with the final rule, a financial institution must determine which compliance date tier applies to it.
Generally, covered financial institutions must report data to the CFPB by June 1 of the year following the calendar year in which the financial institution collected the data (e.g., data collected for 2024 must be reported by June 1, 2025).
Taken together, these two provisions in the final rule mean that:
- A financial institution must begin collecting data and otherwise comply with the final rule on October 1, 2024, if it originated at least 2,500 covered originations in 2022 and 2023.
- A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025, if it:
- Originated at least 500 covered originations in both 2022 and 2023;
- Did not originate 2,500 or more covered originations in both 2022 and 2023; and
- Originated at least 100 covered originations in 2024.
- A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026, if it originated at least 100 covered originations in both 2024 and 2025
- but did not originate at least 500 covered originations in both 2022 and 2023.
The final rule also includes a transitional provision that financial institutions may use to determine the number of covered originations they originated in 2022 and 2023. A financial institution may rely on the transitional provision to determine the number of its covered originations for 2022 and/or 2023 if it did not collect sufficient information to determine if some or all borrowers were small businesses pursuant to the final rule or if such information is not readily accessible.
