On 21 July 2010, Congress passed the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act (ECOA) and requires that financial institutions collect and report to the Consumer Financial Protection Bureau (CFPB) certain data regarding applications for credit by women-owned, minority-owned, and small businesses.
The statutory purpose of section 1071 of the Dodd-Frank Act is to facilitate the enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities for women-owned, minority-owned, and small businesses.
On 30 March 2023, the CFPB issued implementing regulations for section 1071 of the Dodd-Frank Act (final rule). The final rule requires the covered financial institutions to collect and report to the CFPB data on applications for credit from women-owned, minority-owned, and small businesses.
The final rule also addresses the CFPB's approach to privacy interests and data publication, prohibiting discrimination against those who provide this data to covered financial institutions and shielding certain demographic information from underwriters and others. The final rule became effective on 29 August 2023; however, the compliance dates may vary for different covered financial institutions based on the number of covered transactions, as explained later.
The final rule applies to “covered financial institutions.” A covered financial institution is a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.
Let us examine what a financial institution, small business, and covered financial transaction mean to fully understand the final rule's scope.
A “financial institution” includes any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity.
The rule thus applies to a variety of entities that engage in small business lending, including depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions (both depository and nondepository institutions), Farm Credit System lenders, lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), commercial finance companies, governmental lending entities, and nonprofit non-depository lenders.
Pursuant to the final rule, a business is a “small business” if its gross annual revenue for the preceding fiscal year is $5 million or less. Thus, if a business had more than $5 million in gross annual revenue for its preceding fiscal year, it is not a small business pursuant to the final rule. Additionally, non-profit organizations and governmental entities are not small businesses pursuant to the final rule.
A covered credit transaction, also referred to as origination, is an extension of business credit under Regulation B. Thus, covered credit transactions can include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes.
However, the following transactions are exempted from coverage even if they satisfy Regulation B’s definition of business credit:
For purposes of determining institutional coverage (i.e., whether a financial institution is a covered financial institution) and compliance date tier, financial institutions count covered originations.
A covered origination is a covered credit transaction that the financial institution originated with a small business. Refinancings can be covered originations. However, extensions, renewals, and other amendments of existing transactions are not considered covered originations, even if they increase the existing transaction's credit line or credit amount.
Following are some primary obligations of the covered financial institutions under the final rule:
The final rule requires a covered financial institution to report data points based on information that could be collected from the applicant or an appropriate third-party source. These data points include:
The covered financial institutions are also required to collect and maintain the following data points which specifically relate to the credit being applied for and information related to the applicant’s business:
As per the final rule, employees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application.
If a covered financial institution determines that an employee or officer should have access to an applicant's responses to its inquiries regarding the applicant's protected demographic information, it must provide a notice to the applicant regarding that access. Notice must be provided to each applicant whose information will be accessed or, alternatively, the financial institution could provide the notice to all applicants.
In addition, the final rule prohibits a covered financial institution or third party from disclosing this demographic information (i.e., minority-owned, women-owned, and LGBTQI+-owned business statuses and ethnicity, race, and sex information collected pursuant to the final rule) to other parties, except in limited circumstances (i.e., compliance with ECOA or Regulation B or as required by law).
A third party that obtains protected demographic information for the purpose of furthering compliance with ECOA and Regulation B is prohibited from any further disclosure of such information, except to further compliance with ECOA and Regulation B or as required by law.
The final rule has recordkeeping requirements, including a requirement for covered financial institutions to retain copies of small business lending application registers and other evidence of compliance for at least three years.
The final rule also includes a requirement to maintain an applicant’s responses to the final rule’s required inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding principal owners’ ethnicity, race, and sex separate from the rest of the application and accompanying information.
The final rule is effective 90 days after its publication in the Federal Register. However, compliance with the final rule is not required at that time. To determine when it must begin complying with the final rule, a financial institution must determine which compliance date tier applies to it.
Generally, covered financial institutions must report data to the CFPB by June 1 of the year following the calendar year in which the financial institution collected the data (e.g., data collected for 2024 must be reported by June 1, 2025).
Taken together, these two provisions in the final rule mean that:
The final rule also includes a transitional provision that financial institutions may use to determine the number of covered originations they originated in 2022 and 2023. A financial institution may rely on the transitional provision to determine the number of its covered originations for 2022 and/or 2023 if it did not collect sufficient information to determine if some or all borrowers were small businesses pursuant to the final rule or if such information is not readily accessible.