CFPB’s Small Business Lending Data Collection Rule Increases Operational Burdens and Regulatory Risk for Lending to Small Businesses
On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued the long-awaited final version of its rules on Small Business Lending under the Equal Credit Opportunity Act. The new rule imposes significant burdens and risks on lenders, and will likely result in significant amounts of loan-related data being made public, as discussed below. The lenders and loans/applications covered include:
- Any financial institution that made over 100 covered loans in each of the previous two calendar years has data collection and reporting requirements in regard to covered small business loans.
- Covered small business loans are business or commercial loans to any company that earned $5 million or less in its previous fiscal year.
Thus the rule has a broad application, covering a wide scope of lenders and loans. The full text of the CFPB’s Small Business Lending Data Collection Rule can be found here.
The rule will implement the small business lending data collection requirements created by Section 1071 of the Dodd-Frank Act by amending Regulation B of the Equal Credit Opportunity Act (ECOA). The CFPB derives its rulemaking authority from both Section 1071 and the ECOA, and has indicated that the primary purposes of this rule are to facilitate the enforcement of fair lending laws created by the Dodd-Frank Act, and to create a database available to the public that can be used to more effectively identify business and community development needs and serve women-owned, minority-owned, LGBTQ+-owned and small businesses.
Likely Issues for Lenders
Regardless of its intended purposes, the rule creates significant and potentially costly issues for lenders, such as:
- The need to develop a complex operational process to gather, store and report data on loans to small businesses;
- Significant compliance and risk oversight;
- The need to ask applicants and borrowers for detailed ownership information;
- Heightened regulatory fair lending scrutiny with regard to lending to small businesses;
- Increased exposure to fair lending claims from private applicants and borrowers, and regulators.
Compliance Deadline Dates
The deadline for compliance with this rule depends on the number of covered small business loans the lender made in each of 2022 and 2023:
- 2,500 loans or more – comply by October 1, 2024.
- 500 to 2,499 business loans – comply by April 1, 2025.
- 100 to 499 small business loans – comply by January 1, 2026.
A financial institution that did not originate at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 but subsequently originates at least 100 such transactions in two consecutive calendar years must comply no earlier than January 1, 2026.
Lenders and Loans Covered by the Rule
The lenders and lending activity covered by this rule are broad. The rule applies to covered financial institutions that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years. Each phrase in that coverage definition must be considered:
- Covered Financial Institution: A “covered financial institution” is any financial institution that has originated at least 100 covered credit transactions for small businesses in each of the preceding two calendar years. A “financial institution” is any partnership, company, corporation, association, trust, estate or other entity that engages in financial activity. This definition covers a wide variety of lenders, including depository institutions, online lenders, platform lenders, and commercial finance companies.
- Small business: Essentially, a small business is one with $5 million or less in gross annual revenue during its preceding fiscal year. The definition actually refers to the definitions of “business concern” and “small business concern” in the Small Business Act (SBA), but CFPB diverges from these definitions by imposing the $5 million revenue limit.
- Covered credit transaction: A credit transaction covered by the rule is an extension of credit primarily for business or commercial purposes. This would cover loans, lines of credit, and merchant cash advances, but would not include factoring transactions, leases, and credit secured by certain investment properties.
- Single Family Residential Loans Not Covered - Home Mortgage Disclosure Act (HMDA) Overlap: If a loan meets the definition of a “covered loan” under HMDA, it is not covered by this new rule and does not need to be reported as a small business loan. This is because the new small business lending data collection rule specifically excludes all loans defined as “covered loans” in HMDA Regulation C.
Data Collected and Reported
The data collection and reporting requirements are detailed and stringent. Lenders who already do residential lending data collection and reporting under the rules implementing the HMDA will be familiar with many of the types of data and the methods for collecting and reporting the data. They may find it somewhat easier to implement these small business lending requirements. However, for other lenders not already doing HMDA reporting, there are likely to be steep learning curves and difficult operational implementation processes.
If a financial institution does fall within the purview of the rule, it is required to collect data on all loan applications it receives and loans it provides. The scope of the data required is wide ranging.  The data falls into two basic categories:
- Information about the application and the loan, such as
  - application date
  - application method
  - credit type
  - amount applied for and borrowed
  - action taken with regard to the application
- Information about the applicant/borrower and the owners of the applicant/borrower, such as
  - applicant’s gross annual revenue
  - number of workers for the applicant
  - whether the applicant is a women-owned, minority-owned, and/or LGBTQ+-owned business
  - the ethnicity, race and sex of any individual who owns 25% or more of the applicant
Gathering this scope of information will require the buildout of operational processes and significant training for personnel.
Data for the previous calendar year must be collected and reported on June 1st of the following year, and can be reported individually or through the parent of a financial institution.
Publication of Data
The CFPB will publish the data it collects on its website, with such modifications and deletions as it determines are appropriate. In conjunction with this publication, each financial institution covered by the Rule will be required to publish a statement on its website informing its visitors that the data it has reported is available on the CFPB’s website. 
Depending on the scope of the modifications and deletions to lenders’ data the CFPB chooses to make, it appears that individuals, as well as attorneys and interest groups, will have access to broad arrays of lenders’ data, including data related to fair lending issues. This will increase litigation risks for lenders, and along with regulatory reviews of the data, will require lender reviews of their own data as described below.
Enforcement, “Bona Fide Error” Exception and Safe Harbors
It is expected that the CFPB will aggressively monitor compliance with this rule, and any violation is subject to administrative sanctions and/or civil liability, as provided by Sections 704 and 706 of the ECOA.
In addition to administrative sanctions and civil liability for non-compliance, the rule will expose lenders to an increased likelihood of regulatory fair lending investigations and enforcement actions. The CFPB has stated that a key purpose of the rule is to examine small business lending from a fair lending perspective.
Bona Fide Error: A financial institution can escape sanction and liability if its non-compliance was a “bona fide error.” In other words, the institution must show that the error was unintentional and occurred despite maintenance of procedures reasonably adapted to avoid such errors. A financial institution is presumed to maintain procedures reasonably adapted to avoid error if, based on a random sample of applicants, the number of errors found in its data submission does not exceed a threshold that ranges from 6.4% for institutions processing 100 to 130 applications annually to 2.5% for institutions processing more than 100,000 applications annually. An error is not bona fide if, based on the circumstances, it is reasonable to believe that the institution intentionally committed the error or failed to maintain adequate procedures.
Limited Safe Harbors: The rule also creates certain limited safe harbors where errors associated with collecting and reporting data on an applicant’s census tract, NAICS code, small business status, and application would not constitute violations.
Consequences of the Rule – Economic Costs and Reputational Risks
Most, if not all, financial institutions will have to build out overlays to their loan application system that allow for the collection of data they are required to report to the CFPB. They will also have to engage in ongoing training on, and compliance and risk oversight of, these processes. They will have to develop methods for meaningful review of their data in order to identify possible issues and take remedial actions.
The CFPB estimates that, depending on the covered financial institution, costs associated with preparing and implementing this reporting system can rise to as much as $100,000, and require hundreds of hours spent by junior, mid-level and senior employees. Further, the CFPB estimates that the overall market impact of these costs to financial institutions could be as great as $160 million. Following implementation, the CFPB estimates that the ongoing cost of maintaining these systems and abiding by the rules could range from $8,300 to $243,000, depending on the institution. Even if one accepts the CFPB estimates, the costs of compliance with these rules will likely be significant for all institutions, and have the potential to affect how these institutions run their businesses.
As discussed above, in addition to the economic costs associated with these rules, financial institutions also face economic and reputational risks in relation to their lending practices. In making their credit decision process public information, financial institutions can be scrutinized for who they choose or choose not to lend to, running the risk of being labeled as a discriminatory lender. Even more, this data could be utilized by class action attorneys and advocacy groups to initiate investigations and litigation.
Need to Begin Implementation
The CFPB has signaled that these rules will not become mandatory for 18 months following their release. Given the dangers associated with failing to comply with these rules, and the difficulty and complexity of building out, testing and implementing similar data processes, it would be a best practice for all financial institutions covered by this rule to further study and begin implementing this rule as soon as possible. The CFPB has communicated that it will aggressively enforce these regulations, so failure to be prepared once collection and reporting become mandatory could result in serious consequences.
Buchalter is a leading nationally recognized financial services law firm, having served large, medium and small financial institutions for over 90 years. Our Financial Services Regulatory Industry Group provides counseling and analysis across the wide range of regulatory and compliance issues facing such institutions, and the Group’s seasoned attorneys are experienced in the corporate, compliance and risk management issues such as those raised by this holding. You can reach out to any members of the Financial Services Regulatory Industry Group for assistance.
 Small Business Lending under the Equal Credit Opportunity Act, Consumer Financial Protection Bureau (Docket No. CFPB-2021-0015) (March 30, 2023).
 12 CFR Part 1002.
 15 USC 1691 et seq.
 Small Business Lending under the Equal Credit Opportunity Act, at p. 55.
 Id. at 3.
 Id. at 2-3.
 Id. at 4.
 12 CFR 1002.2(g) (definition of “Business Credit” under Regulation B).
 Small Business Lending under the Equal Credit Opportunity Act, at p. 61.
 12 CFR Part 1003
 12 CFR Part 1003.2(e).
 For a full list of the data that will be collected, refer to 12 CFR 1002.107.
 Small Business Lending under the Equal Credit Opportunity Act, at p. 525.
 Although generally available to the public, the CFPB intends to create a firewall that will prevent the employees of a financial institution involved in credit decisions from accessing demographic information reported by applicants. This is unless a financial institution can demonstrate that an officer or employee should have access to the applicant’s responses to the institution’s inquiries about the applicant’s protected demographic information. If this is the case, these employees may access the data as long as the financial institution provides notice to the applicant of this access at the time the applicant provides the information. Id., at p. 62.
 Id. at p. 63-64.
 Id. at p. 38.
 Id., at p. 64, 881.
 Id., at p. 64, 813.
 Id., at p. 814.
 Id., at 882-883.
 Id. at p. 752-53.
 Id. at p. 756.
 Id. at p. 760.
This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.