By Heather MacKinnon, WBA VP-Legal
As expected, the Bureau of Consumer Financial Protection (CFPB) hit its end-of-March target date with the release of its final small business loan data collection and reporting rule. The final rule revises Regulation B, which implements the Equal Credit Opportunity Act (ECOA), to require the collection and reporting to CFPB of certain data on applications for credit by small businesses.
Compliance officers, originators, and loan processors are now shifting their efforts to more fully understand the requirements of the new rule and to creating implementation and training plans. To assist with beginning to understand the scope and general concepts of the final rule, below is a summary of the final rule.
Who Must Comply with the Rule
Covered Financial Institutions
Coverage of the rule is based upon the level of certain loan origination activity, not upon the asset size of a financial institution. The final rule applies to “covered financial institutions.” A covered financial institution is one that originated at least 100 “covered credit transactions” for small businesses in each of the two preceding calendar years.
Covered Credit Transactions
Generally, a covered credit transaction is one that meets the definition of business credit under existing Regulation B section 1002.2(g), unless the credit is specifically excluded by the final rule. Business credit includes loans, lines of credit, credit cards, merchant cash advances, and agricultural-purpose credit.
The final rule excluded from the definition of covered credit transactions:
- Trade Credit
- HMDA-Reportable Transactions
- Insurance Premium Financing
- Public Utilities Credit
- Securities Credit
- Incidental Credit
The final rule also excludes factoring, leases, and consumer-purpose credit. A transaction qualifies as consumer-purpose credit if the financial institution offers or extends the credit primarily for personal, family, or household purposes. For example, an open-end credit account used for both personal and business/agricultural purposes is not business credit under Section 1071 unless the financial institution designated or intended for the primary purpose of the account to be business/agricultural-related.
For purposes of counting originations to determine whether the bank is a covered financial institution, transactions that extend, renew, or otherwise amend an existing transaction are not counted as originations even if they increase the credit line or credit amount of the existing transaction. A refinancing can be a counted as a covered origination. A refinancing occurs when an existing obligation is satisfied and replaced by a new obligation undertaken by the same borrower. For example, if a financial institution originates 50 term loans and 30 lines of credit for small businesses in each of the preceding two calendar years, along with 25 line increases for small businesses in each of those years, the financial institution is not a covered financial institution because it has not originated at least 100 covered credit transactions in each of the two preceding calendar years.
Originated vs Application
For purposes of determining coverage of the final rule, Section 1071 focuses on counting the number of covered credit transactions originated. A financial institution qualifies as a covered financial institution based on total covered credit transactions originated for small businesses, rather than covered applications received from small businesses. For example, if in both 2024 and 2025, a financial institution that received 105 covered applications from small businesses and originated 95 covered credit transactions for small businesses, then for 2026, the financial institution is not a covered financial institution.
Preceding Calendar Years
Also, the definition of a covered financial institution refers to preceding calendar years. For example, in 2029, the two preceding calendar years are 2027 and 2028. Accordingly, in 2029, a financial institution does not meet the loan-volume threshold if it did not originate at least 100 covered credit transactions for small businesses both during 2027 and during 2028.
Small Business
The final Section 1071 defines “small business” to mean a business with gross annual revenue of $5 million or less for its preceding fiscal year.
When to Collect Section 1071 Data
Once a financial institution determines it is a covered financial institution under Section 1071, the institution will need to collect and report data related to any “covered application” from a small business. The data collected and reported applies to covered applications approved and denied; not just for those covered applications approved.
Covered Application
A covered application is an oral or written request for business credit covered by the rule (covered credit transaction) that is made in accordance with procedures used by the financial institution for the type of credit requested. The final rule gives some latitude to financial institutions to establish their own application procedures, including designating the type and amount of information it will require from an applicant.
The term “procedures” refers to the actual practice followed by the financial institution as well as its stated application procedures. For example, if a financial institution’s stated policy is to require all applications to be in writing on the financial institution’s application form, but the financial institution also makes credit decisions based on oral requests, the financial institution’s procedures are to accept both oral and written applications.
The final rule excludes reevaluations, extensions, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts. The final rule also excludes inquiries and prequalification requests from the definition of covered application. However, an applicant’s request to refinance and to request additional credit amounts on an existing account both constitute covered applications.
The term “covered application” does not include solicitations, firm offers of credit, or other evaluations initiated by the financial institution because in these situations the business has not made a request for credit. For example, if a financial institution sends a firm offer of credit to a business for a $10,000 line of credit, and the business does not respond, it is not a covered application because the business never made a request for credit. However, using the same example, if the business seeks to obtain the credit offered, assuming the requirements of a covered application are otherwise met, the business’ request constitutes a covered application.
Timing and Manner of Collection
As a general standard, a covered financial institution must not discourage an applicant from responding to requests for applicant-provided data and must otherwise maintain procedures to collect such data at a time and in a manner that are reasonably designed to obtain a response. A financial institution is given flexibility to establish procedures that work best for its particular lending model and product offerings, provided the procedures are reasonably designed to collect the applicant-provided data.
The final rule provides considerations to include in a financial institution’s procedures in order for the collection of applicant-provided data to be consider “reasonably designed”:
- The initial request for applicant-provided data occurs prior to notifying an applicant of final action taken on a covered application.
- The request for applicant-provided data is prominently displayed or presented.
- The collection does not have the effect of discouraging an applicant from responding to a request for applicant-provided data.
- Applicants can easily respond to a request for applicant-provided data.
While financial institutions may have flexibility concerning when applicant-provided data is collected, commentary in the final rule provides that under no circumstance may the initial request for applicant-provided data occur simultaneous with or after notifying an applicant of final action taken on a covered application. Generally, the earlier in the application process the financial institution initially seeks to collect applicant-provided data, the more likely the timing of collection is reasonably designed to obtain a response. The final rule does allow for some previously collected data to be reused, and sets forth when previously collected data must be updated.
In collecting data from its small business customers, financial institutions are permitted to rely upon information provided by the applicant, or appropriate third-party sources. Institutions are not required to verify the data. However, if the financial institution does verify applicant statements or information for its own business purposes, such as statements relating to gross annual revenue or time in business, the financial institution must report the verified information.
What Data is to be Collected
Covered financial institutions are to collect data regarding covered applications from small business loan applications. The collected data will later be reported to CFPB and made public in accordance with the reporting and publication components of the final rule.
The following is a list of the data points to be collected, a brief description, and Regulation B references. The final rule sets forth specific filing instructions for codes to be used for particular data fields. The specific filing instructions are not included in the summary chart below but may be pulled from resources provided at the end of the article.
| Data Point | Description | Regulation B Reference |
|---|---|---|
| Unique Identifier | An alphanumeric application or unique loan identifier | §1002.107(a)(1), comments 107(a)(1)-1 and -2 |
| Application Date | Date application was received | § 1002.107(a)(2), comments 107(a)(2)-1 through -4 |
| Application Method | Means by which application was submitted | §1002.107(a)(3), comment 107(a)(3)-1 |
| Application Recipient | Whether application was submitted directly or indirectly to bank | §1002.107(a)(4), comment 107(a)(4)-1 |
| Credit Type: Credit Product | Credit product applied for or originated | §1002.107(a)(5)(i), comments 107(a)(5)-1 through -6 |
| Credit Type: Guarantee Type | Type(s) of guarantees for credit product | §1002.107(a)(5)(ii), comment 107(a)(5)-7 |
| Credit Type: Loan Term | Number of months after which legal obligation mature or terminate, measured from date of origination. Special measure date rule for transactions involving real property | §1002.107(a)(5)(iii), comment 107(a)(5)-8 |
| Credit Purpose | Purpose credit was applied for or originated | §1002.107(a)(6), comments 107(a)(6)-1 through -8 |
| Amount Applied For | Initial amount of credit or credit limit requested by applicant | §1002.107(a)(7), comments 107(a)(7)-1 through -5 |
| Amount Approved or Originated | Credit amount or credit limit approved or originated | §1002.107(a)(8), comments 107(a)(8)-1 through -6 |
| Action Taken | Action bank took on application | §1002.107(a)(9), comments 107(a)(9)-1 through -5 |
| Action Taken Date | Date bank took action on application | §1002.107(a)(10), comments 107(a)(10)-1 through -5 |
| Denial Reasons | Principal reason(s) for denial | §1002.107(a)(11), comment 107(a)(11)-1 and -2 |
| Pricing Information: Interest Rate Type | Type of interest rate that applies | 1002.107(a)(12)(i), comments 107(a)(12)-1 through-3 |
| Pricing Information: Initial Rate Period | Term of any initial rate period | §1002.107(a)(12)(i), comment 107(a)(12)-1, and comments 107(a)(12)(i)-2 |
| Pricing Information: Fixed Interest Rate Value | If fixed interest rate, the rate | §1002.107(a)(12)(1)(A), comments 107(a)(12)-1, and comments 107(a)(12)(i)-1 through -3 |
| Pricing Information: Variable Index Rate | If variable or adjustable rate, the index value | §1002.107(a)(12)(i)(B), comment 107(a)(12)-1, and comments 107(a)(12)(i)-1 through -3, and -5 |
| Pricing Information: Variable Interest Rate Margin Value | If variable rate product has margin, the margin | §1002.107(a)(12)(i)(B), comment 107(a)(12)-1 and comments 107(a)(12)(i)-1 through -3 |
| Pricing Information: Variable Interest Rate Index Name | Name of variable rate product’s index | §1002.107(a)(12)(i)(B), comment 107(a)(12)-1, and comment 107(a)(12)(i)-4 |
| Pricing Information: Total Origination Charges | Total amount of origination charges | §1002.107(a)(12)(ii), comment 107(a)(12)-1, and comments 107(a)(12)(ii)-1 though -6 |
| Pricing Information: Total Broker Fees | Total amount of broker fees charged at origination | §1002.107(a)(12)(iii), comment 107(a)(12)-1, and comments 107(a)(12)(iii)-1 and -2 |
| Pricing Information: Initial Annual Charges | Total amount of non-interest charges scheduled to be imposed first annual period | §1002.107(a)(12)(iv), comment 107(a)(12)-1, and comments 107(a)(12)(iv)-1 through -6 |
| Pricing Information: MCA/Sales Based Financing Costs | Amount applicant required to pay to receive merchant cash advance or other sales-based financing transaction | §1002.107(a)(12)(v), comment 107(a)(12)-1, and comment 107(a)(12)(v)-1 |
| Pricing Information: Prepayment Penalty Availability | Whether bank may charge prepayment penalty | §1002.107(a)(12)(vi)(A), comment 107(a)(12)-1, comments 107(a)(12)(vi)-1 and -2 |
| Pricing Information: Prepayment Penalty Included | Whether terms of contract include prepayment penalty | §1002.107(a)(12)(vi)(B), comment 107(a)(12)-1, comments 107(a)(12)(vi)-1 and -2 |
| Census Tract: Address Type | Address type used to determine census tract | §1002.107(a)(13), comments 107(a)(13)-1 through -4 |
| Census Tract: Tract Number | Census tract number | §1002.107(a)(13), comments 107(a)(13)-1 through -4 |
| Gross Annual Revenue | Gross annual revenue for applicant in preceding FY | §1002.107(a)(14), comments 107(a)(14)-1 through -4 |
| NAICS Code | Industry type of applicant’s business | §1002.107(a)(15), comments 107(a)(15)-1 through -3 |
| Number of Workers | Range of non-owner workers working for applicant | §1002.107(a)(16), comments 107(a)(16)-1 through -3 |
| Time in Business | Number of years applicant’s time in business | §1002.107(a)(17), comments 107(a)(17)-1 through -3 |
| Business Ownership Status | Whether applicant is minority-owned, women-owned, or LGBTQI+-owned | §1002.107(a)(18), 1002.102(m), 1002.102(s), 1002,102(f), and comments 107(a)(18)-1 through -9, Appendix E |
| Number of Principal Owners | Total number of owners that have at least a 25% direct ownership interest | §1002.107(a)(20), 1002.102(o), comments 107(a)(20)-1 through -3 |
| Ethnicity of Principal Owners 1,2,3 and 4 | Principal owner(s) ethnicity | §1002.107(a)(19), comments 107(a)(19)-1 through -13, and -16, Appendix E |
| Race of Principal Owners 1,2,3 and 4 | Principal owner(s) race | §1002.107(a)(19), comments 107(a)(19)-1 through -12, -14, and -16, Appendix E |
| Sex/Gender of Principal Owners 1,2,3 and 4 | Principal owner(s) sex/gender | §1002.107(a)(19), comments 107(a)(19)-1 through -12, and -15, Appendix E |
Firewall
As a general requirement of the final rule, an employee or officer involved in making any determination concerning an applicant’s covered application must not have access to an applicant’s responses to inquiries regarding whether the applicant is a minority-owned business, a women-owned business, or an LGBTQI+-owned business, or regarding the ethnicity, race, and sex of the applicant’s principal owners. “Have access” means that the employee or officer may need to collect, see, consider, refer to, or otherwise use the information to perform that person’s assigned job duties.
“Involved in making any determination concerning a covered application from a small business” means participating in a decision regarding the evaluation of a covered application from a small business or the creditworthiness of a small business applicant for a covered credit transaction.
The “firewall” will not apply if the financial institution determines that it is not feasible to limit an employee’s or officer’s access to an applicant’s responses. It is not feasible to limit access if the financial institution determines that an employee or officer involved in making any determination concerning a covered application from a small business should have access to one or more applicants’ responses.
Notice
In order to satisfy the firewall exception, a financial institution must provide a notice to each applicant whose responses will be accessed. The notice is found in Appendix E to the final rule.
Reporting
On or before June 1 following the calendar year for which data are compiled and maintained, a covered financial institution must submit its small business lending application register in the format prescribed by CFPB. An authorized representative of the covered financial institution with knowledge of the data need certify to the accuracy and completeness of the data reported.
A covered financial institution is also to report:
- Its name.
- Its headquarters address.
- Name and business contact information of a person that CFPB or other regulators may contact about the financial institution’s submission.
- Its Federal prudential regulator, if applicable.
- Its Federal Taxpayer Identification Number (TIN).
- Its Legal Entity Identifier (LEI).
- Its Research, Statistics, Supervision, and Discount identification (RSSD ID) number, if applicable.
- Parent entity information, if applicable, including:
- The name of the immediate parent entity;
- The LEI of the immediate parent entity, if available;
- The RSSD ID number of the immediate parent entity, if available;
- The name of the top-holding parent entity;
- The LEI of the top-holding parent entity, if available; and
- The RSSD ID number of the top-holding parent entity, if available.
- The type of financial institution that it is, indicated by selecting the appropriate type or types of institution from the list provided.
- Whether the financial institution is voluntarily reporting covered applications from small businesses.
Covered financial institutions are to follow CFPB’s Filing Instructions Guide for the submission of data.
Publication of Reported Data
CFPB is required to make public data reported to it by financial institutions, subject to deletions or modifications made by CFPB if CFPB determines that the deletion or modification of data would advance a privacy interest. Data will be published on an annual basis. CFPB also has the authority to compile and aggregate data and may publish such data as it deems appropriate.
The final rule requires a covered financial institution to make available to the public on its website, or otherwise upon request, a statement that its small business lending application register is or will be available from CFPB.
The final rule also prohibits a covered financial institution from disclosing or providing to a third party information it collected regarding whether a small business is minority-owned, women-owned, or LGBTQI+-owned or information regarding the ethnicity, race, and sex of principal owners except as permitted by law.
Recordkeeping
A covered financial institution must retain evidence of compliance with Section 1071, which includes a copy of its small business lending application register, for at least three years after the register is required to be submitted to CFPB.
The financial institution is also required to maintain, separately from the rest of the application and accompanying information, an applicant’s response to the institution’s inquiries regarding whether the applicant is a small business, is minority-owned, women-owned, or LGBTQI+-owned, or information regarding the ethnicity, race, and sex of the applicant’s principal owners.
In reporting a small business lending application register, maintaining the register, and maintaining a separate record of information, a financial institution must not include any name, specific address, telephone number, email address, or any other personally identifiable information concerning any individual who is, or is connected with, an applicant.
Enforcement
Violations of Section 1071 rules subjects a covered financial institution to administrative sanctions and civil liability.
Bona Fide Errors
The final rule provides that a bona fide error in compiling, maintaining, or reporting data with respect to a covered application is one that was unintentional and occurred despite the maintenance of procedures reasonably adapted to avoid such an error. A bona fide error is not a violation of Section 1071.
A financial institution is presumed to maintain procedures reasonably adapted to avoid such errors with respect to a given data field if the number of errors found in a random sample of the financial institution’s submission for the data field does not equal or exceed a threshold specified by CFPB for this purpose in Appendix F to the rule. However, an error is not a bona fide error if either there is a reasonable basis to believe the error was intentional or there is evidence that the financial institution does not or has not maintained procedures reasonably adapted to avoid such errors.
Safe Harbors
The final rule provides for a few safe harbors which are not violations of Section 1071:
- Incorrect entry for application date. It is not a violation if the date reported is within three business days of the actual application date.
- Incorrect entry for census tract. It is not a violation if the census tract reported was obtained correctly using a geocoding tool provided by FFIEC or CFPB.
- Incorrect entry for NAICS code. It is not a violation if the financial institution obtained the 3-digit NAICS code by either (a) relying on an applicant’s representations or on an appropriate third-party source, regarding the NAICS code; or (b) identifying the NAICS code itself, provided that the financial institution maintains procedures reasonably adapted to correctly identify a 3-digit NAICS code.
- Incorrect determination of small business status, covered credit transaction, or covered application. It is not a violation if the financial institution that initially collects data regarding whether an applicant for a covered credit transaction is a minority-owned business, a women-owned business, or an LGBTQI+-owned business, and the ethnicity, race, and sex of the applicant’s principal owners but later concludes that it should not have collected such data, if the financial institution, at the time it collected this data, had a reasonable basis for believing that the application was a covered application for a covered transaction from a small business.
Compliance Dates
The final rule provides for staggered implementation dates:
- A covered financial institution that originated at least 2,500 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply beginning October 1, 2024.
- A covered financial institution that originated less than 2,500 but at least 500 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply beginning April 1, 2025.
- A covered financial institution that originated less than 500 but at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 shall comply beginning January 1, 2026.
Covered financial institution is permitted, but not required, to collect information regarding whether an applicant for a covered credit transaction is a minority-owned business, a women-owned business, and/or an LGBTQI+-owned business, and the ethnicity, race, and sex of the applicant’s principal owners beginning 12 months prior to its applicable compliance date.
A financial institution that is unable to determine the number of covered credit transactions it originated for small businesses in each of calendar years 2022 and 2023 for purposes of determining its compliance, because for some or all of this period it does not have readily accessible the information needed to determine whether its covered credit transactions were originated for small businesses is permitted to use any reasonable method to estimate its originations to small businesses for either or both of the calendar years 2022 and 2023.
A financial institution that did not originate at least 100 covered credit transactions for small businesses in each of calendar years 2022 and 2023 but subsequently originates at least 100 such transactions in two consecutive calendar years shall comply with the requirements no earlier than January 1, 2026.
Summary and Resources
CFPB has released its final Section 1071 rule which revises Regulation B to require covered financial institutions to collect and report certain data on applications for credit by small businesses, retain records for compliance with the rule, and to create a firewall to keep some collected data away from certain employees and officers unless notice is given to applicants.
As compliance officers shift to more fully understand the requirements of the new rule and to creating implementation and training plans, the following resources have been created by CFPB regarding its rule.
Final Section 1071 Rule: https://files.consumerfinance.gov/f/documents/cfpb_1071-final-rule.pdf
CFPB has created a Section 1071 Implementation Webpage which hosts several helpful materials, including an executive summary of the rule, a data point chart, sample data collection forms, and CFPB’s Filing Instruction Guide.
The webpage may be viewed at: https://www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-resources/small-business-lending-collection-and-reporting-requirements/
CFPB also created a question portal for Section 1071-related questions. The portal may be found at: https://sblhelp.consumerfinance.gov/
FIPCO is working closely with legal counsel to obtain the necessary steps to ensure programming and form revisions are put in place to comply with the 1071 Rule.