CFPB publishes proposed rule on small business data collection | Morrison & Foerster LLP


On September 1, 2021, the Consumer Financial Protection Bureau (CFPB or “Bureau”) released its long-awaited small business loan data collection. proposed rule (“Proposed rule” or “Proposal”). The proposed rule would implement Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act (ECOA) to require the CFPB to require financial institutions to collect and report data on loans to women, minorities and small businesses. (collectively, “Small Businesses”) in connection with credit applications. Under the proposed rule, affected financial institutions would be required to disclose small business application data and demographic information on credit applicants.

Federal consumer financial protection laws generally do not apply to credit for business purposes; the ECOA, however, generally applies to consumer and business credit transactions. The Bureau began reviewing the compliance of small business programs with CEAA in 2015. The proposal represents the final step in a more than 10-year process in which the Bureau agreed to resolve a complaint, filed by a group of community organizations, regarding delays in the rule-making process of Section 1071, with the settlement agreement setting specific milestones, including milestones in this proposal, for the rule-making process rules of article 1071.

Dodd-Frank Act, section 1071

The objective of Article 1071 is to “facilitate the application of equitable lending laws and enable communities, government entities and creditors to identify business and community development needs and opportunities for women, minorities and small businesses ”. Section 1071 covers “financial institutions”, defined as any partnership, corporation, partnership, association, trust, estate, cooperative organization or other entity that engages in financial activity.

Article 1071 also covers small businesses, defined as a “small business”, that is to say “a business owned and operated independently and which is not dominant in its field of activity”, as as defined in section 3 of the Small Business Act.

Under Section 1071, financial institutions are required to collect and retain certain data for small business applicants, while restricting access to certain information. As part of data collection, financial institutions must limit or “firewalls” access to data on the race, ethnicity and gender of employees able to make credit decisions regarding these applications. Financial institutions must submit this data to the Bureau annually; thereafter, the Bureau must make the data accessible to the public.


Regulation B implements the ECOA, and the Bureau proposes to add Subpart B to Regulation B to implement Article 1071. The following is a summary of the proposal, including the main defined terms. .

Key words

A covered financial institution would be defined as a “financial institution” that achieves an origination threshold of at least 25 “covered credit transactions” to “small businesses” in each of the previous two calendar years. Under the proposal, “financial institution” would mean “any partnership, company, corporation, association. . . , trust, estate, cooperative organization or other entity that engages in financial activity[.]According to this proposed definition, coverage would not be limited to deposit-taking institutions, but would also cover, for example, fintechs, online lenders, platform lenders, lenders involved in equipment and vehicle financing and financial institutions. trade finance companies. Coverage under the proposal would not include certain other entities, such as motor vehicle dealers.

A covered credit transaction would be a transaction that meets the definition of business credit under Regulation B, including loans, lines of credit, credit cards and cash advances to merchants. These are the financial products covered by the rule. However, a covered credit transaction would not include trade credit, utility credit, securities credit, collateral credit, factoring, leases, consumer credit used for business purposes, and credit. guaranteed by certain investment properties.

A small business would be defined by reference to the definitions of “commercial enterprise” and “small commercial enterprise” in the Small Business Act, as included in section 1071; however, the proposed definition does not include the size measurements of the Small Business Administration to define a small business. Instead, a small business would be defined as a business that had $ 5 million or less in gross annual revenue for its previous fiscal year.

The definition of covered application Closely follows the definition in Regulation B of the request as an oral or written request for a covered credit transaction carried out in accordance with the procedures used by a financial institution for the type of credit requested. The Bureau proposes to exclude from the “covered request” the following activity: (1) requests for reassessment, requests for extension or requests for renewal on an existing business credit account, unless the request is aimed at additional credit amounts; or (2) inquiries and screening requests.

Data gathering

Under the proposed rule, covered financial institutions would be required to collect and maintain the following data points for each covered credit transaction: an assigned unique identifier (for identification and retrieval of files); the date of the request; the method of application; the recipient of the request; types of credit, including loan product, collateral obtained and loan term; purpose of credit; the amount of the claim; the amount approved or issued; the follow-up given to the request; the date of the action taken; pricing information, including interest rate, total setup fees, brokerage fees, upfront annual fees, additional cost of cash advances to merchants or other sales-based financing, and early repayment penalties; and the census tract.

For each applicant, the covered financial institutions would be required to collect: gross annual income; NAICS code; number of workers; duration of the activity; minority-owned enterprise status; status of a business owned by women; ethnicity, race and gender of primary owners (ie, a person who owns at least 25% of the business); and the number of primary owners. Some of these data points, including those regarding method of request, recipient of the request, reasons for denial, and number of primary owners, are included in accordance with the discretion of the Bureau under Section 1071.


The proposal would implement the Section 1071 “firewall” requirement that financial institutions restrict the access of certain employees and officers to certain data collected. The “firewall” provisions would prohibit an employee or officer of a covered financial institution or an affiliate who is involved in making a decision regarding the applicant’s covered claim from accessing the responses of a claimant. applicant to inquiries made by the covered financial institution pursuant to section 1071 regarding whether the applicant is a minority-owned business or a women-owned business and regarding ethnicity, race and status sex of the principal owners of the applicant.

This prohibition would not apply if (1) the covered financial institution determines that it is not possible to restrict the access of that employee or officer; and (2) the covered financial institution provides notice to the requester regarding this access. The proposal includes sample language that a covered financial institution can use to meet the notice requirement.

Data report

Under the proposed rule, affected financial institutions would be required to submit Section 1071 data to the CFPB on a 12 calendar month basis, with the data to be provided by June 1 of the following year. Targeted financial institutions should also provide information about themselves as part of the submission to the Bureau. Covered financial institutions would be required to retain proof of compliance for at least three years. The publication of the data by the Bureau satisfies the legal obligation of the financial institutions concerned to make the data available to the public upon request. The CFPB plans to publish the Section 1071 data on its website and proposes to use a “balancing test” to determine whether and how the agency will modify or remove the data before it is published. After receiving a full year of Section 1071 data, the Bureau plans to issue a policy statement outlining planned changes and deletions.


Comments on the draft rule are due 90 days after posting in the Federal Register, after which the Bureau will review the comments and finalize the rule. Compliance with the final rule will not be required until approximately 18 months after the publication of the final rule in the Federal Register. All Covered Financial Institutions will need to develop new capabilities to comply with Section 1071 data reporting requirements; however, the burden of putting in place the systems necessary to support the new reporting requirements may be felt more severely by smaller financial institutions. There are also privacy concerns that arise from data collection, including the security of the data collected, the privacy of small business applicants, and the risk of re-identification.

[View source.]


Comments are closed.