On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued its final rule governing small business lending data collection and reporting (Final Rule). The Final Rule implements section 1071 of the Dodd-Frank Act to amend the Equal Credit Opportunity Act (ECOA) and Regulation B. The Final Rule was due to take effect on August 29, 2023, with rolling mandatory compliance dates depending on providers' volume. However, it was stayed nationwide on October 26 when the US District Court for the Southern District of Texas entered a preliminary injunction, enjoining the CFPB from implementing and enforcing the rule pending the US Supreme Court's reversal of the Fifth Circuit's decision in Community Financial Services Association of America, Limited v. CFPB(CFSA v. CFPB). The District Court also ordered the CFPB to extend the Final Rule's compliance deadlines to compensate for the period stayed in the event of such a reversal.
On May 16, the US Supreme Court reversed the Fifth Circuit's decision in CFSA v. CFPB, upholding the CFPB's funding structure. This ruling directly implicates the grounds for the preliminary injunction ruling and has left the industry wondering whether – and when – the stay will be lifted. Below is a detailed discussion of the Final Rule and its implications for small business lending and alternative financing operations.
Background and Key Requirements of the Final Rule
The Final Rule requires a "covered financial institution" to collect, report, and make public certain data on small business applications for "covered credit transactions." The scope of the Final Rule is broad and covers not only conventional loans, lines of credit and credit cards, but also alternative financing products such as merchant cash advances (which, if structured properly, are traditionally considered to be a non-loan product).
The primary objectives of the rule are to enhance transparency in small business lending and facilitate enforcement of fair lending practices. Essential data points that must be collected include:
- Business and personal demographic information
- Amount and type of credit applied for
- Purpose of the credit
- Pricing of the credit transaction
- Geographic location of the borrower
These requirements are detailed in 12 C.F.R. Part 1002 and aim to facilitate the identification of discriminatory lending patterns and encourage equitable treatment across all borrower demographics.
Immediate Implications of the Supreme Court's Ruling
The CFPB took immediate action in the wake of the Supreme Court's ruling by issuing informal guidance regarding extension of the Final Rule's compliance deadlines:
- For Tier 1 institutions, the compliance date is extended from October 1, 2024, to July 18, 2025, with the initial filing required by June 1, 2026.
- For Tier 2 institutions,the compliance date is extended from April 1, 2025, to January 16, 2026, with the initial filing required by June 1, 2027.
- For Tier 3 institutions,the compliance date is extended from January 1, 2026, to October 18, 2026, with the initial filing required by June 1, 2027.
The CFPB announced that these compliance deadline extensions will be memorialized in an interim final rule.
Implications of the Final Rule for Financing Providers
Financing providers including banks, online lenders, and merchant cash advance or revenue share companies should reassess their operational and compliance strategies to prepare for and fully implement the data collection and reporting requirements mandated by the Final Rule. Key considerations include:
- Understanding Coverage and Obligations
- Eligibility for Coverage: Entities must determine if they are "covered financial institutions" annually based on their prior two years' originations. Specifically, those that originated at least 100 "covered originations" to small businesses in each of the two preceding calendar years are covered.
- Definition of Covered Originations: "Covered originations" generally include all new credit transactions to small businesses except for those that renew, extend, or amend existing transactions without additional credit being extended.
- Data Collection Requirements
- Reportable Data Points: Collect extensive data on credit applications from small businesses including business and applicant demographics, loan amount and type, purpose, action taken, pricing information, and more.
- Compiling and Reporting: Accurate compilation and timely reporting of this data are mandatory. Covered entities are required to report annually, with the specifics dictated by the volume of their credit extensions.
- Compliance Dates and Tiers
- Staged Compliance Dates: Compliance requirements may vary by the volume of transactions, with phased implementation dates. Entities should confirm their specific compliance dates, which will be adjusted based on new guidelines following the Supreme Court ruling.
- Procedural Adherence
- Application Procedures: Establish clear procedures for receiving and processing credit applications to ensure compliance. This includes determining what constitutes a covered application and handling prequalification and inquiries correctly.
- Safe Harbor Provisions: Utilize safe harbor provisions for collecting demographic information to avoid non-compliance penalties. Ensure all demographic data collection is justifiable under current rules.
- Recordkeeping and Privacy
- Maintaining Records: Keep detailed records of all credit applications and the related compliance data for a prescribed period.
- Firewall Requirements: Implement robust data protection measures to safeguard applicant data, separating it from other business processes, as required by the firewall provisions of the rule.
Financing providers should rigorously train their staff on these requirements to ensure that all team members understand the criteria for covered transactions, the data collection needs, and the implications of non-compliance. Regular audits and updates to compliance protocols will be essential to adapt to any regulatory updates or changes in business operations. Finally, if not already doing so, financing providers should consider pro-active periodic testing of reportable outputs to determine whether they raise any issues under ECOA and Regulation B.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.