MVA White Collar Defense, Investigations, and Regulatory Advice Blog

Executive Summary

The Consumer Financial Protection Bureau (the “CFPB”) has published a final rule implementing the requirements of Section 1071 of the Dodd-Frank Act (the “Final Rule”), which mandated data collection on certain credit applications to facilitate enforcement of fair lending laws and the identification of business and community development needs and opportunities for women-owned, minority-owned, and Small Businesses. Section 1071 directed the CFPB to implement rules necessary to carry out, enforce, and compile these data collection requirements. The Final Rule requires reporting of detailed credit application data by a Financial Institution for a calendar year when it originated at least 100 Covered Credit Transactions to Small Businesses during each of the prior two calendar years. As discussed below, the Final Rule establishes a delayed effective compliance date, with the earliest compliance date set at October 1, 2024.

Key Takeaways

Covered Companies: The rule covers any Financial Institution that originates at least 100 Covered Credit Transactions for Small Businesses in each of the prior two calendar years.

• “Financial Institution” is defined broadly to include any form of legal entity that engages in a financial activity.
• “Covered Credit Transactions” include any form of business credit (as defined in 12 C.F.R. §1002.2(g)), unless specifically excluded by the rule.
• “Small Business” means any small business concern (as defined under the Small Business Act, 15 U.S.C. § 632(a) and its implementing regulations) if its gross revenue for the prior fiscal year is $5 million or less (subject to an inflation adjustment).

Compliance Deadline: The compliance deadlines have been both delayed and staggered based on the Financial Institution’s number of originated Covered Credit Transactions to Small Businesses in both 2022 and 2023. The complete compliance calendar is set out below. Reporting is required to be filed by June 1 following any year a Financial Institution has originated at least 100 Covered Credit Transactions during each of the prior two calendar years.

Originates at least 100 Covered Credit Transactions in both 2022 and 2023	Compliance Date	First reporting deadline
- at least 2,500	October 1, 2024	By June 1, 2025, for data collected between October 1, 2024 and December 31, 2024
- at least 500, but less than 2,500	April 1, 2025	By June 1, 2026, for data collected between April 1, 2025 and December 31, 2025
- at least 100, but less than 500	January 1, 2026	By June 1, 2027, for data collected between January 1, 2026 to December 31, 2026
Subsequently originates at least 100 Covered Credit Transactions in any two consecutive calendar years	No earlier than January 1, 2026	By June 1 of the year following a compliance year

Data Collection & Reporting Requirements: The Final Rule requires collection and reporting of detailed data fields on Covered Applications, which include both oral and written requests by applicants for Covered Credit Transactions. The data fields that must be collected and reported are set out below and include information on the applicant, the lender, credit decisioning, the nature of the credit product, pricing terms, and fees and charges.

Covered Financial Institutions must have procedures for collecting and reporting data and related obligations for both oral or written requests for Covered Credit Transactions. The collection procedures must be reasonably designed as to time and manner to obtain a response to the information requests. The institution must also have compliance procedures for identifying and responding to indicia that applicants are being discouraged from responding to requests and for avoiding data collection errors.

Privacy Considerations: Reflecting concerns with the potentially sensitive nature of the data elements required to be gathered and reported, the Final Rule mandates specific data collection, notice and disclosure, and information firewall requirements.

Enforcement and Safe Harbors: The Final Rule provides for both administrative sanctions and civil liability, which means applicants can pursue Covered Financial Institutions for actual damages. The rule does provide for several safe harbors that are set out below.

Overview of Final Rule

The below provides a preliminary overview of the Final Rule. We will provide additional analysis as we continue with our review of the rule and supporting materials.

1.  What changed from the Proposed Rule?

Small Business Definition

Section 2 below outlines in more detail the definition of a “Small Business,” but the definition generally did not change from the proposed rule. The Final Rule, however, does include a requirement providing for the adjustment of the gross annual revenue threshold for inflation or deflation using the Consumer Price Index for all Urban Consumers. Adjustments to the threshold will be made every five years beginning after January 1, 2025. Meaning the first adjustment could occur in 2030 and would become effective on January 1, 2031.

Compliance Date

The Final Rule changed the compliance timeline in the proposed rule from approximately 18 months after publication in the Federal Register to a delayed and staggered approach, set forth above, based on the volume of Covered Credit Transactions originated by the institution in calendar years 2022 and 2023.

Non-Statutory Data Points

Some commentators to the proposed rule advocated that the CFPB only collect those data points specifically enumerated in Section 1071. The CFPB, however, cited express authority from Congress allowing it to collect “any additional data that the Bureau determines would aid in fulfilling the purposes” of Section 1071. The CFPB confirmed its decision to include a new data field requirement capturing whether the applicant is an LGBTQI+-owned business. To be considered an LGBTQI+-owned business one or more LGBTQI+ individuals must both (i) own or control more than 50 percent of the business, and (ii) accrue 50 percent or more of the net profits or losses of the business. These standards also apply to the definition of a minority-owned business and a women-owned business.

Use of Visual Observation and/or Surname

If an applicant to a Covered Application refused to provide the race or ethnicity of the applicant’s principal owner, the proposed rule required the institution to make the determination based on visual observation and/or surname. The Final Rule removed this requirement.

Compliance Procedures for Indicia of Reporting Discouragement

The Final Rule includes provisions requiring an institution to have compliance procedures to identify and respond to indicators that applicants are being discouraged from providing data and indicates that low response rates may be an indicator of potential discouragement.

2.  Who is required to report?

The Final Rule requires any entity that is a “Covered Financial Institution” to comply with its collecting and reporting requirements. The definition of Covered Financial Institution includes any Financial Institution that originated at least 100 Covered Credit Transactions for Small Businesses in each of the two preceding calendar years. As a result of this definition, the need to comply with the Final Rule is assessed on an annual basis.

What is the definition of a “Financial Institution”?

A “Financial Institution” under the Final Rule includes any entity that engages in any financial activity. The CFPB highlighted in its commentary the breadth of the definition, which applies to more than just depository institutions, but also includes, but is not limited to, online and platform lenders, community development financial institutions, commercial and equipment finance companies, and government and nonprofit lending entities. If an entity engages in lending and is otherwise originating 100 Covered Credit Transactions for Small Businesses in each of the two preceding calendar years, the entity will likely meet the definition of a “Covered Financial Institution.”

What are Covered Credit Transactions and how are they counted?

Section 3 below outlines the types of credit transactions that are covered by the data collection rule. In terms of counting the number of originated Covered Credit Transactions, whether an institution is required to report data for a particular calendar year depends on the number of originated transactions, at least 100, in each of the preceding two calendar years. 

For purposes of calculating the number of Covered Credit Transactions originated in calendar years 2022 and 2023, an institution is permitted to use any reasonable method to estimate its originations for these two years if it is otherwise unable to determine the exact number. The official interpretations provide a non-exclusive list of methods the CFPB has deemed reasonable.

If multiple Financial Institutions are involved in originating the transaction, only the last institution with authority to set the material terms of the credit transaction is required to count the transaction against the origination threshold.

What is a Small Business?

The definition of “Small Business” did not generally change from the proposed rule and has the same meaning as “business concern or concern” and “small business concern” under the Small Business Act (“SBA”) if its gross annual revenue for its preceding fiscal year is $5 million or less. This excludes non-profits because under the SBA’s definition of business concern, the business entity must be organized to make a profit. The business entity must also “operate primarily within the United States or makes a significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor.” As noted above, the gross annual revenue threshold is subject to periodic adjustment for inflation.

3.  What types of applications need to be reported?

“Covered Applications” by Small Businesses for “Covered Credit Transactions” must be reported, whether those Covered Applications are approved or denied.

What is a Covered Application?

Covered Applications are any oral or written request for a Covered Credit Transaction made in accordance with procedures used by a Financial Institution for the type of credit requested. This does not include a reevaluation, extension, or renewal on an existing account (although applications involving additional credit amount requests or for a refinancing are Covered Applications), or inquiries or prequalification requests. Solicitations and firm offers of credit do not qualify as “Covered Applications.”

What is a Covered Credit Transaction?

The CFPB broadly defines Covered Credit Transaction as “an extension of business credit”, unless otherwise excluded. The Final Rule excludes: (1) trade credit, (2) Home Mortgage Disclosure Act reportable transactions, (3) insurance premium financing, (4) public utilities credit, (5) securities credit, and (6) incidental credit. The CFPB relies on the definition of “credit” under 15 USC 1691a(d), which states credit is “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” As such, the extension of credit must be “primarily for business or commercial (including agricultural) purposes.” Factoring, leases, consumer-designated credit that is used for business or agricultural purposes, or credit transaction purchases, purchases of originated Covered Credit Transactions, purchases of an interest in a pool of credit transactions, and purchases of a partial interest in a credit transaction do not constitute a “Covered Credit Transaction.”

What if there are multiple Covered Credit Transactions requested at one time?

If an applicant makes a request for two or more Covered Credit Transactions (a term loan and a line of credit, for instance) on the same application, the Financial Institution reports each request as a separate Covered Application. If the applicant requests multiple lines of credit on a single account, then whether one or multiple credit applications must be reported depends on the procedures used by the institution for that type of credit account (one credit application would be reported if the procedures treat each requested line of credit as a subcomponent of a single account while multiple credit applications would result if the institution’s procedures consider each credit line a separate account).

If an applicant makes a single request for credit that does not specify the type of credit product required, then it should be reported as a single application. If after making a request for one Covered Credit Transaction, the customer subsequently adds requests for additional Covered Credit Transactions, the institution must report a Covered Application for each Covered Credit Transaction.

Who reports if there are multiple lenders to one transaction?

If more than one Financial Institution was involved in the origination of the Covered Credit Transaction, then only the last Covered Financial Institution with the authority to set the material terms of the transaction is required to report the application.

4.  When does a Covered Financial Institution begin collecting information?

The Final Rule will be effective 90 days after being published in the Federal Register. However, a Covered Financial Institution will have until its applicable compliance date to begin collecting and reporting data.  

Financial Institutions that expect to be Covered Financial Institutions under the Final Rule are permitted, but are not required, to collect and report information regarding whether an applicant for a Covered Credit Transaction is a minority-owned business, a women-owned business, and/or an LGBTQI+ owned business under §1002.107(a)(18), and the ethnicity, race, and sex of the applicant’s principal owners under §1002.107(a)(19) beginning 12 months prior to the compliance date, but if they do so, must comply with all requirements in §1002.107(18) & (19), §1002.108, and §1002.111(b) & (c) for the information collected.

If a Financial Institution initially collects data regarding whether an applicant for a Covered Credit Transaction is a minority-owned business, a women-owned business, or an LGBTQI+-owned business, and the ethnicity, race, and sex of the applicant’s principal owners pursuant to §1002.107(a)(18) and (19), but later concludes that it should not have collected such data, the institution does not violate the SBA or the Final Rule if, at the time it collected the data, it had a reasonable basis to believe the applicant was a Small Business and otherwise complied with §§ 1002.107, 1002.108, and 1002.111 with respect to the data.

5.  What data needs to be collected for reporting?

The table below shows what data will need to be reported by Covered Financial Institutions. Institutions should also review the “Sample data collection form” in Appendix E to Part 1002.

Borrower Information	Covered Financial Institution	Credit Information	Pricing Information
Type of address	Unique identifier for the Covered Application (must begin with Covered Financial Institution’s Legal Entity Identifier)	Application date	Interest rate type
Census tract number	Name of the Covered Financial Institution	Application method	Initial rate period
Census tract	Headquarters Address	Application Recipient	Fixed rate: interest rate
Gross annual revenue	Name and business contact information of a person to receive questions on Section 1071 data submission	Credit type	Variable rate transactions: margin
NAICS code	Federal prudential regulator, if applicable	Type of Guarantee	Variable rate transaction: index name
Number of workers	Federal TIN	Credit product	Variable rate transaction: index value
Time in business	Legal Entity Identifier (“LEI”)	Loan term	Total origination charges
Business ownership status (e.g. Minority-owned, women-owned, LGBTQI+-owned)	RSSD ID number, if applicable	Credit Purpose	Broker fees
Number of Principal Owners	Type of Financial Institution (from list provided)	Amount applied for	Initial annual charges
Ethnicity of principal owners	Whether voluntarily reporting Covered Applications for Covered Credit Transactions.	Amount approved or originated	Additional cost for merchant cash advances or other sales-based financing
		Action taken	Prepayment penalties could be imposed
		Action taken date	Prepayment penalty exists
		Denial reasons

Certain of the data elements above have predetermined responses in the Final Rule. For example, “Action Taken” is limited to the following responses (1) originated, (2) approved but not accepted, (3) denied, (4) withdrawn by the applicant, or (5) incomplete. For a more detailed review of the specific fields and expected or predetermined form responses, please review the CFPB’s 2024 Filing Guide.

Collecting the data

Prior to notifying an applicant of the action taken on a covered credit application, Covered Financial Institutions must collect the data either by written responses (in-person, online or mail) or orally (telephone, video, or in-person). The Final Rule provides sample data collection worksheets. The Final Rule also explicitly prohibits Covered Financial Institutions from discouraging an applicant from responding to inquiries for information. Covered Financial Institutions are required to maintain procedures to monitor compliance with the Final Rule and respond to any indicia of potential discouragement. Under the Final Rule, low response rates are considered a potential indicator of discouragement. The rule also establishes instances in which previously collected data can continue to be used by the institution.

 “Protected demographic information”

The CFPB’s commentary to the Final Rule uses the term “protected demographic information” to refer to information concerning whether the applicant is a minority-owned business, women-owned business, or an LGBTQI+ business and the ethnicity, race, and sex of the principal owners. The Final Rule requires a principal owner’s ethnicity and race to be collected from applicants using pre-defined aggregate categories and disaggregated subcategories. Applicants must be provided with free-form text fields to respond to a request for the principal owner’s sex/gender and to disaggregated subcategories for race and for Hispanic or Latino ethnicity. Applicants must also be permitted to select as many disaggregated subcategories as they chose for the ethnicity and race of the principal owner(s).

Reliance on data

Financial Institutions may generally rely on information provided from the applicant (and so are under no obligation to independently verify the information). If, however, the Financial Institution seeks to verify applicant-provided information, then it must report the verified data. This does not apply, however, with respect to a response by an applicant as to protected demographic information or a response that the applicant does not wish to provide such information or otherwise failed to respond. In this case, and even if the institution verifies or otherwise obtains the information for other purposes, the institution must report the substantive response provided by the applicant, which includes a failure to respond or a response indicating that the applicant does not wish to respond to the question.

If there is a conflict in information provided by the applicant regarding protected demographic information (for instance, providing the principal’s owners ethnicity but also responding that the applicant does not wish to provide the information), then the institution should report the substantive response provided (the principal owner’s indicated ethnicity) rather than reporting that the applicant declined to provide information.

Financial Institutions are permitted to use autocorrect and predictive text when requesting an applicant’s data, so long as the technology does not restrict the applicant’s ability to write in its own response.

Information Firewall

To protect information collected from applicants, the Final Rule requires Covered Financial Institutions to prohibit access to information concerning protected demographic information from any employee or officer participating in any decision regarding the evaluation of a Covered Application or the creditworthiness of the applicant. The firewall applies to any underwriter, or any other employee or officer involved in reviewing or decisioning a specific Covered Application or the creditworthiness of a specific applicant. Employees or officers that only perform ministerial functions or develop policies, procedures, or market credit products are not considered to be part of the credit determination process and therefore not subject to the firewall.

The firewall requirement does not apply if the institution determines that it is not feasible to limit the employee’s or officer’s access because of such person should have access to the information. The institution, however, must provide notice to each applicant whose protected demographic information will be accessed, informing the applicant that one or more employees or officers involved in making determinations concerning the application may have access to the applicant’s protective demographic information. This notice, if in writing, must be provided together with, but sequentially before, the non-discrimination notice provided about collecting the applicant’s protected demographic information. If notice is provided orally, it must come before the applicant is asked about their protected demographic information or business status. The Final Rule provides sample language for a notice.

6.  When do Covered Financial Institutions report?

A Covered Financial Institution must submit its small business lending application register on or before June 1 following the calendar year for which data is required to be collected and reported. Therefore, an institution required to comply with the Final Rule by October 1, 2024 would report the data it collected from October 1, 2024 through December 31, 2024 no later than June 1, 2025. If the last day for submission falls on a date that is not a business day, then the submission will be timely if it’s submitted no later than the next business day.

Importantly, an authorized representative from the Covered Financial Institution with knowledge of the data must certify to the accuracy and completeness of the data reported. Institutions are required to post a disclosure on their website that its small business lending application register, as modified by the CFPB pursuant to Section 1002.110(c), is or will be available on the CFPB’s website.

Subsidiaries

A Covered Financial Institution that is a subsidiary of another Covered Financial Institution must complete a separate small business lending application register, but that subsidiary may submit its small business lending application register either directly or through its parent to the CFPB.

7.  What data will the CFPB publish?

The Final Rule states the CFPB will publish annually on their website the data Covered Financial Institutions’ report, subject to any deletions or modifications the CFPB determines would advance privacy interests. The CFPB may also elect to make any compilations and aggregations of the data publicly available.

8.  What are the recordkeeping requirements?

Record Retention

Covered Financial Institutions must maintain evidence of compliance with §1002 (“this subpart”) (including a copy of its small business lending application register) for at least three years after the register is required to be submitted to the CFPB.

Separating Certain Information

Financial Institutions must maintain, separate from the application and accompanying information, an applicant’s responses to the Financial Institution’s inquiries as to:

• whether an applicant for a Covered Credit Transaction is a minority-owned business, women-owned, and LGBTQI+-owned under §1002.107(18); and
• the ethnicity, race, and sex of principal owners under §1002.107(19).

Additionally, when compiling the data or when reporting the data, a Financial Institution must not include any name, specific address, telephone number, email address, or any personally identifiable information concerning any individual who is, or is connected with, an applicant, other than as required by §1002.107 or §1002.111(b).

9.  How will the rule be enforced?

Violations of the Final Rule are subject to both administrative sanctions and civil liability. The Final Rule provides certain safe harbors, outlined below, and establishes threshold numbers for bona fide errors that will not result in violations. Bona fide errors are unintentional and occur despite the institution utilizing reasonably designed procedures to avoid errors. If the CFPB identifies data errors during random sampling, the institution will be presumed to have used reasonable procedures for accuracy (the errors will be deemed bona fide errors) if the number of errors falls beneath tolerance thresholds that have been set by the CFPB based on the number of covered transactions originated by the institution. See Table 1 in Appendix F to the Final Rule for the CFPB’s tolerance thresholds.

Safe Harbors

The Final Rule provides four safe harbors for incorrect entry of certain data points under certain conditions as outlined below.

Data Point	Safe Harbor Requirement
Incorrect application date entry	Safe harbor provided if the application date entered is within three business days of the actual application date.
Census tract	Safe harbor provided for an incorrect census tract entry if the institution correctly used a geocoding tool provided by the FFIEC or the CFPB.
NAICS code	Safe harbor provided for an incorrect NAICS code if the first three digits of the NAICS code were provided by the applicant or a third-party source or identified by the institution under reasonably designed procedures.
Incorrect determination of Small Business status	Safe harbor provided if an institution had a reasonable basis for believing an applicant was a Small Business at the time the data was collected but it is later determined that the applicant was not a Small Business, provided the institution complies with §1002.107, §1002.108, and §1002.111.