On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) published a long-awaited final rule to implement the provisions of section 1071 of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 1071 requires that financial institutions collect and report specific data concerning applications for small business loans to the CFPB. Like the Home Mortgage Disclosure Act (HMDA) reporting requirements, data collected under section 1071 will be used in the enforcement of existing fair lending laws, including the Equal Credit Opportunity Act (ECOA), the Community Reinvestment Act (CRA), and the Fair Housing Act. A second purpose of the reporting requirements is to allow for better identification of business and community development needs and opportunities of small businesses, including women-owned and minority-owned businesses. The March 30, 2023, final rule (“the rule”) amends Regulation B to implement the provisions of section 1071.
While a review of the 80 plus data fields required to be reported under the rule may invite comparison with the existing HMDA and CRA data reporting requirements, the small business application reporting requirements are not “HMDA for small business loans” or even an expansion of small business loan reporting requirements under the CRA. It cannot be denied that like the existing HMDA and CRA reporting requirements, the rule provides prescriptive instructions for reporting a defined set of data fields. One may even see familiarity in some of the data fields (e.g. action taken date). Notwithstanding any similarities with existing reporting requirements, a successful implementation will involve much more than the addition of new data fields into existing reporting frameworks. Without a doubt, accurate reporting of the various data fields will be a key component in complying with the rule; however, lenders should be aware of the other key considerations that should be taken into account when preparing for proper implementation.
Does the Rule Apply to My Institution?
Under the rule, a covered financial institution is required to compile small business application data onto a small business lending application register (SBLAR) on or before June 1 following the calendar year for which the data is collected. As such, an institution required to report data for applications received in 2025 would be required to file the SBLAR by June 1, 2026. The rule broadly defines the term “financial institution” to include any entity that engages in financial activity, including but not limited to banks, credit unions, online lenders, community development financial institutions, captive financing companies, commercial finance companies, and tax-exempt organizations. The single exclusion identified in the rule is motor vehicle dealers.
Once an entity determines that it meets the financial institution definition, it must then determine whether it is a covered financial institution. Under the rule, a “covered financial institution” is an entity that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years. Unlike HMDA and CRA data reporting requirements, there is no de minimis asset size exception to the new requirements. Only the volume of covered transactions originated for small businesses drives whether an institution is required to file the SBLAR.
In determining whether the definition of covered financial institution is met, it is necessary to evaluate the institution’s volume of covered credit transactions originated for small businesses. Only businesses with gross revenues of $5 million or less in their preceding fiscal year are considered small businesses for the purposes of the rule. Not all extensions of credit to small businesses are considered covered credit transactions. The rule excludes specific categories of credit from the definition, including HMDA reportable transactions, trade credit, insurance premium financing, public utilities credit, securities credit, and incidental credit.
When is My Institution Required to Begin Collecting and Reporting Data?
When an institution is required to begin collecting and reporting data is based on the volume of covered credit transactions originated for small businesses in 2022 and 2023. The rule identifies three distinct tiers based on origination volume.
| Tier | Origination Threshold | Compliance Date | First SBLAR to be Filed |
| Tier 1 | 2,500 or more covered credit transactions for small businesses originated in both calendar year 2022 and calendar year 2023 | October 1, 2024 | June 1, 2025 |
| Tier 2 | 500 or more, but less than 2,500 covered credit transactions for small businesses originated in both calendar year 2022 and calendar year 2023 | April 1, 2025 | June 1, 2026 |
| Tier 3 | 100 or more, but less than 500 covered credit transactions for small businesses originated in both calendar year 2022 and calendar year 2023 | January 1, 2026 | June 1, 2027 |
An institution that does not fall into any of the above tiers due to originating fewer than 100 covered credit transactions for small businesses in 2022 and/or 2023 is required to begin assessing its origination volume in the two preceding calendar years beginning on January 1, 2026, and every year thereafter. For example, if an institution does not fall into the above tiers, it must determine if it originated 100 or more covered credit transactions for small businesses in both calendar years 2024 and 2025 to determine if it is required to begin complying with the requirements on January 1, 2026. The following year, institutions must determine whether they originated 100 more covered credit transactions for small businesses in both 2025 and 2026 to determine if they must begin complying with the requirements on January 1, 2027.
Determining Origination Volume
Now that we know that the compliance dates are determined based on the volume of covered credit transactions originated for small businesses, we should consider how an institution is going to calculate its origination volume. It is certainly possible that some institutions will not have data readily available concerning the origination of covered credit transactions to small businesses. For example, an institution may not have data regarding which of its business loans originated to businesses $5 million or less in gross revenues in their preceding fiscal year.
Fortunately, the rule does recognize the potential difficulty associated with determining origination volume under the rule’s definitions. If an institution is unable to determine the number of covered credit transactions for small businesses that originated in 2022 and 2023 or does not have readily accessible information concerning originations, the institution is allowed to use any reasonable method to estimate its originations to small businesses during these years. The rule provides several methods that can be used to estimate originations for 2022 and 2023. For example, an institution may assume that all covered credit transactions originated for business customers in 2022 and 2023 were originated for small businesses.
Another permissible method to determine volume is to ask applicants to self-report whether their gross annual revenues in the preceding fiscal year were $5 million or less from October 1, 2023, to December 31, 2023. The results may then be annualized to estimate origination volume. As an example, if 20 applicants during the period indicate a gross annual revenue of $5 million or less in the preceding fiscal year, the number may be quadrupled to annualize the originations. In this example, an institution could assume that 80 covered credit transactions were originated for small businesses in both calendar year 2022 and calendar year 2023. The rule also provides additional methodologies that may be used to estimate origination volume in 2022 and 2023.
It is crucial that institutions begin to determine whether they have the necessary data readily available, and if not, to begin considering how they will estimate origination volume. Although the compliance date will be determined by 2022 and 2023 data, it is not necessary to wait until the end of 2023 to begin this assessment. As a best practice, institutions should begin examining what data is available for 2022. If the data available is inadequate, it is likely that this will be the case with at least a portion of the 2023 data.
After examining the data, the institution can then consider the methodology that it will employ to estimate origination volume in 2022 and 2023. Institutions are permitted to use any reasonable method to estimate volume and are not limited to those methods detailed in the rule. Regardless of the method chosen, institutions should document how they determined that data was not readily available, and that the methodology used to estimate the data is reasonable. Additionally, written procedures should detail the methodology that will be used and provide sufficient detail for employees to understand the methodology.
If an institution chooses to ask applicants to self-report whether their gross annual revenues in the preceding fiscal year are $5 million or less, the processes concerning the self-reporting should be detailed within the written procedures. The documented procedures need to include who will be responsible for collecting the information, when in the application process it will be collected, and where it will be documented. Furthermore, adequate training should be provided to all employees who will be involved in the process.
Applicant-Provided Data
While filing the SBLAR will require the reporting of 80 plus data fields, particular consideration should be given to the process for collecting certain information from applicants when an application for a covered loan to a small business is submitted. For example, institutions will be required to ask whether the applicant is a minority-owned, women-owned, or LGBTQIA+-owned business as well as the number of the applicant’s principal owners and the ethnicity, race, and sex of the principal owners.
While on the surface, the above data collection requirements may seem similar to the HMDA demographic information requirements, some distinct differences should be noted. The rule contains an explicit prohibition from discouraging an applicant’s response to requests for applicant-provided data. Additionally, institutions must maintain procedures to collect this data at a time and manner that are reasonably designed to obtain a response. To be considered to meet these criteria, the institution’s procedures must provide for the following:
- The initial request for applicant-provided data occurs prior to notifying the applicant of the final action taken on the covered application.
- The initial request for applicant-provided data is prominently displayed or presented.
- The collection does not have the effect of discouraging an applicant from responding to a request for applicant-provided data.
- Applicants can easily respond to a request for applicant-provided data.
Each institution should consider the procedures it will implement to comply with the above provisions well ahead of its mandatory compliance date. As an example, the rule allows institutions the flexibility to make the initial request for applicant-provided data at any time prior to notifying the applicant of the final application. Notwithstanding that flexibility, the rule does note that in general, the earlier in the application process an institution makes the initial request for data, the more likely the timing of the collection is reasonably designed to obtain a response. Each institution will not only have to determine when this initial request will be made, but also how the request will be made, who will make the request, and where the information will be documented. It should be noted that under the recordkeeping provisions of the rule, the information must be maintained separately from the application and accompanying information.
The rule contains a sample data collection form that can be used to capture applicant details such as:
is
- Minority-owned, women-owned, or LGBTQI+-owned business information (business ownership status)
- The number of principal owners
- The race, sex, and ethnicity (demographic information) of the principal owners
The sample form also contains certain disclosures that must be provided to applicants. A consideration for each institution is how the data collection form and required disclosures will be furnished to applicants. For example, if an institution chooses to collect the data at the time an application is submitted online, how will the form and disclosures be incorporated into the online application? The way data is collected needs to ensure that the request for information is prominently displayed or presented, that the applicant is not discouraged from responding to the request, and that the applicant can easily respond to the request.
Unlike HMDA demographic information collection, the rule does not require or permit that business ownership status, or the demographic information of the principal owners, be collected based on visual observation or surname, including when the information request is made in person. Consequently, the prohibition on discouraging applicants from providing the requested information becomes more critical. The rule explicitly requires that institutions maintain procedures to detect and address indications of potential discouragement, including low response rates for applicant-provided data.
The rule specifically states that a low response rate may be indicative of discouragement or a failure to maintain reasonably designed procedures. Moreover, an institution’s response rate may be compared to the response rate of comparable financial institutions based on factors such as size, type, and geography. Adequate procedures should be implemented to monitor for low response rates, including response rates by division, location, loan officer, or other factors to identify potential discouragement. Additionally, the procedures require adequate training is given to employees responsible for collecting the data as well as the investigation of indications of discouragement and the implementation of corrective action if discouragement is identified.
Prohibition on Access to Certain Information (Firewall)
The rule implements a statutory provision of the Dodd-Frank Act that prohibits access by employees or officers involved in making a decision on the application to two pieces of information collected from applications: Whether the applicant is a minority-owned, women-owned, or LGBTQIA+-owned business and the ethnicity, race, and sex of the applicant’s principal owners. An employee or officer is considered to be involved in the decision-making process if they participate in a decision regarding the evaluation of the application or the creditworthiness of the applicant. The prohibition applies to both employees and officers of the institution as well as those of the institution’s affiliates.
The rule provides an exception from the prohibition if the institution determines that it is not feasible to limit the access of an employee or an officer. This means the institution determines an employee or officer involved in the determination should have access to the information for one or more applicants. For example, if based on an institution’s processes, loan officers will be responsible for both collecting the information from the applicants and for making a decision concerning the application. In this situation, an institution may determine that loan officers should have access to the information. The rule permits institutions to consider factors such as their size, application volume, staffing, and internal procedures when deciding which employees should have access to the information. Additionally, the rule states that institutions are not required to take actions such as upgrading systems, hiring additional employees, or changing lending processes solely for the purpose of limiting who should have access to the information.
Institutions should consider how they will comply with the firewall requirements well in advance of their mandatory compliance date. Furthermore, institutions should identify which employees, based on their own internal procedures, are involved in making determinations concerning covered applications. The next consideration should be for which employees it will not be feasible to limit access to the information. These reviews should be documented to demonstrate how the institution determined that certain employees, if any, should have access to the information. Once it is determined which employees involved in making a determination on applications will have access, the institution should then consider how it will restrict access to the information for other employees.
Unless no employees involved in the application decision will have access to the information, institutions are required to provide a notice to applicants that information will be available to one or more employees involved in the application decision. The sample data collection form contained in the rule contains example language for the notice. The specific language can be removed from the form if no employees involved in the determination will have access to the information.
Identifying Covered Applications
Covered applications are required to be reported on the SBLAR. The definition of this term is “an oral or written request for a covered credit transaction that is made in accordance with the procedures used by a financial institution for the type of credit requested.” Aside from the term “covered credit transaction,” which is defined above, this definition is generally consistent with the definition found in the existing Regulation B. For purposes of the SBLAR, however, both inquiries and prequalification requests are excluded from reporting as are requests to reevaluate, extend, or renew existing credit unless additional credit amounts are requested. It should be noted that an application does not have to become a completed application in order to be a covered application.
A question that may be posed is what an institution should do if it initially appears that an application is a covered application, but the institution subsequently determines that this is not the case. For example, an applicant may initially indicate that its gross revenues were $5 million or less in the preceding fiscal year. During the underwriting process, however, the institution may determine that gross revenues were greater than $5 million, and consequently, the application is not a covered application. The rule provides that institutions may rely on unverified information provided by the applicant in determining whether an application is covered. Yet, if the institution subsequently verifies the information, it must use the verified information to determine whether the application is a covered application.
Although having robust written procedures identifying what constitutes an application is necessary to comply with existing Regulation B provisions, these procedures become crucial in identifying covered applications for reporting on the SBLAR. An example of this type of written procedure is timely notification of credit decisions. In addition to having strong written procedures, employees should be provided with comprehensive training on not only the regulatory requirements for identifying covered applications and collecting necessary data, but also the institution’s internal processes on what is considered an application and when an inquiry is determined to become an application.
Supervisory Expectations
The rule includes a policy statement from the CFPB regarding a “grace period” covering the first 12 months of data submitted on the SBLAR. During the grace period, the CFPB does not intend to assess penalties for initial data submission errors or require resubmissions absent of material data errors. Rather, examinations will consider institutions’ “good faith” efforts in complying with the requirements. However, the policy statement clearly outlines that attempts to discourage data reporting by applicants and other errors that are not the result of good faith compliance errors are subject to penalties.
How to Best Prepare for Implementation
As we have stated, a successful implementation will demand much more than preparing to report the various SBLAR data fields. Without question, gaining a solid understanding of each data field is imperative, and our team at Wolf & Company will address data field reporting in future publications.
Beyond the data fields though, institutions must thoroughly consider the other requirements of the rule. Calculating origination volume to determine mandatory compliance dates, considering how applicant-provided data will be collected, determining how firewall provisions will be implemented, and developing a mechanism for identifying covered applications will be equally important components of a successful implementation. Developing processes and controls to comply with the requirements, having necessary conversations with software vendors, implementing robust written procedures, and providing comprehensive training to employees on an ongoing basis will be essential.
Regardless of when your institution’s mandatory compliance date is, beginning to have internal discussions around these topics as early as possible will serve your institution well in preparing for a successful implementation. If you need assistance with your regulatory compliance needs, reach out to our team at Wolf & Co. today.
