CFPB Finalizes Landmark Small-Business Lending Data Collection Rule

By the Lawyers at Debevoise & Plimpton

CFPB Finalizes Landmark Small-Business Lending Data Collection Rule

CFPB Finalizes Landmark Small-Business Lending Data Collection Rule

By the Lawyers at Debevoise & Plimpton

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) published its long-anticipated final rule1 (the “Final Rule”) implementing the small business lending data collection requirements set forth in § 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.2 Section 1071 amended the Equal Credit Opportunity Act3 (ECOA) to require financial institutions to collect and report certain data relating to business credit applications, notably from those made by women-owned and minority-owned small businesses.4 Under the Final Rule, covered financial institutions (as defined below) are required to collect and report application data for a range of credit transactions to fulfill § 1071’s dual statutory purposes of (1) facilitating enforcement of fair lending laws and (2) enabling the identification of business and community development needs and opportunities. The Final Rule will, according to the CFPB, result in the creation of the “first comprehensive public database” on small business financing practices.5

The Final Rule is effective 90 days after its publication in the Federal Register, but it contains a tiered compliance schedule, with the earliest compliance date set for October 1, 2024, for financial institutions that originated at least 2,500 covered originations (defined below) in both 2022 and 2023. Later compliance dates are assigned for covered financial institutions with lower origination volumes.

In this article, we describe the Final Rule’s key provisions, describe some of the notable changes from the proposed rule,6 and examine the implications of the Final Rule’s data collection and reporting requirements for covered financial institutions.

I. Key Definitions from the Final Rule

  • Covered financial institutions. A “covered financial institution” is broadly defined to include any entity that had at least 100 covered originations of covered credit transactions (rather than 25, as proposed) to small businesses in each of the two preceding calendar years.7 Thus, the term extends beyond depository institutions such as banks, savings associations and credit unions to also include online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, farm credit system lenders, commercial finance companies, merchant cash advance providers, governmental lending entities and nonprofit lenders, that engage in the threshold levels of covered originations.
  • Covered credit transactions. A “covered credit transaction” is an extension of “business credit,” as such term is defined under Subpart A of Regulation B and includes loans, lines of credit, credit cards, merchant cash advances and credit products used for agricultural purposes.8 However, certain transactions are expressly excluded from the definition of “covered credit transactions” in a variety of ways, including within the Final Rule itself, by virtue of the cross-reference to the existing ECOA regulation,9 and perhaps most notably, in the Official Interpretations to the Final Rule. Specifically, the following types of transactions are excluded from the definition of covered credit transaction:

• Trade credit;

• Reportable transactions under the Home MortgageDisclosure Act (HMDA);

• Insurance premium financing

• Public utilities credit as defined in Regulation B, 12 CFR 1002.3(a)(1);

• Securities credit as defined in Regulation B, 12 CFR 1002.3(b)(1);

• Incidental credit as defined in Regulation B, 12 CFR 1002.3(c)(1), but without regard to whether the credit is consumer credit;

• Factoring;

• Leases; and

• Consumer-designated credit used for business or agricultural purposes.

However, as discussed below, not all covered credit transactions with small businesses will necessarily count towards a particular financial institution’s covered originations.

  • Covered originations.10 A “covered origination” is used as a metric for determining institutional coverage (i.e., whether a financial institution is a covered financial institution) and the financial institution’s applicable compliance date. Under the Final Rule a “covered origination” includes covered credit transactions that the financial institution originated to or refinanced with a small business. However, notwithstanding the regulatory definition of “covered credit transaction,” requests for additional credit amounts on an existing account, as well as other transactions that extend, renew, or otherwise amend a transaction, do not count as “originations.”11
  • Small business. The Final Rule applies to covered credit transactions (and applications therefore) involving certain small businesses. For the purposes of the Final Rule, a business is a “small business” if it satisfies two criteria: (1) the business meets the Small Business Administration’s (SBA) definition of “small business concern” based on the size standards for the business’s applicable industry, as set forth in the SBA’s regulations; and (2) the business has gross annual revenue for its preceding fiscal year of $5 million or less.12 Note that non-profit organizations and governmental entities are not small businesses pursuant to the Final Rule because they do not satisfy the SBA’s definition of small business concern. Thus, extensions of credit made to such entities would not count towards a financial institution’s covered originations, nor would covered financial institutions be required to report data regarding such applications.
  • Covered applications. A “covered application” is defined as an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.13 Receipt of a covered application from a small business triggers data collection, reporting and related requirements for covered financial institutions. The definition closely tracks the existing Regulation B definition of “application,” but the following circumstances do not constitute covered applications under the Final Rule:
  • Reevaluation requests, extension requests or renewal requests on an existing business credit account, unless the request seeks additional credit amounts or a line increase;
  • Inquiries and prequalification requests; and
  • Solicitations, firm offers of credit and other evaluations initiated by the financial institution, unless the financial institution invites the business to apply for the credit, and the small business indeed applies.14

II. Data Collection Requirements

As noted above, under the Final Rule, a covered financial institution is required to collect and report data on covered applications from small businesses.15 The data points that are required to be collected and reported fall into three broad categories: (1) data points generated by the financial institution; (2) data points based on information collected from the applicant or an appropriate third-party source; and (3) data points based solely on the demographic information collected from an applicant. Each of these is discussed in more detail below.

1. Data points generated by the financial institution. Covered financial institutions must collect and maintain data points: (i) required to be reported for all applications; (ii) required only for applications that are denied and (iii) required only for applications that are approved. They include the following:16

• For all covered applications:

  • A unique identifier;
  • The application date;
  • The application method (i.e., the means by which the applicant submitted its application);
  • The application recipient (indicating whether the application was received directly, or indirectly via an unaffiliated third party);
  • The action taken by the covered financial institution on the application; and
  • The date the financial institution took action on the application.
  • For applications that are denied:
  • the reason for denial.
  • For applications that are approved by the financial institution but not accepted by the applicant or that result in an origination:
  • The amount approved or originated; and
  • Pricing information, including, as applicable, information regarding the interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing and prepayment penalties.

2. Data points based on information collected from the applicant or an appropriate third-party source. These data points include information specifically related to the credit being applied for and information related to the applicant’s business. Specifically, these data points are:17

  • Credit type;
  • Credit purpose;
  • The amount applied for;
  • A census tract based on an address or location provided by the applicant;
  • Gross annual revenue for the applicant’s preceding fiscal year;
  • A three-digit North American Industry Classification System (NAICS) code18 for the applicant;
  • The number of people working for the applicant;
  • The applicant’s time in business; and
  • The number of the applicant’s principal owners.

3. Data points based solely on the demographic information collected from an applicant. Covered financial institutions are also required to report the following data points based solely on demographic information:19

  • The applicant’s minority-owned business status, women-owned business status and LGBTQI+-owned business status; and
  • The applicant’s principal owners’ ethnicity, race and sex.

III. Collecting Demographic Information

  • Requesting demographic information from applicants.
  • A covered financial institution is required to ask an applicant to provide this demographic information and to report such information to the CFPB based solely on the responses that the applicant provides. But a covered financial institution may not require an applicant or other person to provide demographic information.
  • Applicant’s failure to provide information. If the applicant fails or declines to provide the information necessary to report a demographic data point, the financial institution should report the failure or refusal to provide the information, as financial institutions are not permitted to infer demographic data through visual observation or surname, in contrast to the proposed rule.
  • Prohibition on discouraging applicants from responding to requests. Covered financial institutions may not discourage applicants from responding to requests for demographic information and must maintain procedures to collect such data at a time and in a manner reasonably designed to obtain a response. These procedures must, at a minimum, have provisions to ensure that:
  • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application;
  • The request for applicant-provided data is prominently displayed and presented;
  • Applicants are not discouraged from responding; and
  • Applicants can easily respond to such requests.
  • Low response rates. Covered financial institutions are required to maintain procedures to identify and respond to signs of potential discouragement, including low response rates for applicant-provided data. The Final Rule provides that low response rates may indicate discouragement or another failure by a covered financial institution to maintain procedures to collect applicant-provided data at a time and in a manner reasonably designed to obtain a response.
  • Providing required notices to applicants. A covered financial institution is required to inform an applicant that the financial institution is not permitted to discriminate on the basis of an applicant’s responses about its minority-owned, women-owned, or LGBTQI+-owned business status, on the basis of responses about any principal owner’s ethnicity, race or sex, or on the basis of whether the applicant provides demographic information. Additionally, the covered financial institution must inform applicants that they are not required to answer the financial institution’s inquiries regarding such information.

The Final Rule includes as Appendix E a sample data collection form that covered financial institutions may use to collect this demographic information from applicants and to provide these required notices. The form reflects certain legal requirements that financial institutions must follow, but use of the sample form is not required under the Final Rule.

IV. Firewall—Requirements to Limit Access to Certain Data

The Final Rule implements a firewall requirement in
§ 1071 that certain data collected from applicants be shielded from underwriters and certain other persons.20 Pursuant to the Final Rule, employees and officers of a covered financial institution or its affiliates involved in making any determination concerning a covered application are prohibited from accessing the applicant’s responses to the inquiries about protected demographic information made by the financial institution. If a covered financial institution determines that an employee or officer should have access to one or more applicants’ responses to these inquiries and grants the employee or officer such access, the covered financial institution must provide notice to the applicants whose responses will be accessed. Additionally, the Final Rule prohibits a covered financial institution or third party from disclosing this applicant-provided data to other parties, except to further compliance with ECOA or Regulation B or as required by law.

V. Recordkeeping Requirements21

The Final Rule requires covered financial institutions to retain copies of small business lending application registers22 and other evidence of compliance for at least three years after its small business lending application register is submitted to the CFPB. It also includes a requirement to maintain, separately from the rest of an application for credit and accompanying information, an applicant’s responses to a financial institution’s inquiries regarding the applicant’s protected demographic information. Note that a financial institution (including one that does not necessarily satisfy the definition of “covered financial institution” but voluntarily compiles, maintains and reports small business lending data) may not include within its small business lending application register or in the separately maintained protected demographic information any personally identifiable information concerning any individual who is, or is connected with, an applicant.

VI. Compliance Date Tiers for Data Collection and Reporting

Covered financial institutions must collect the required data on a calendar year basis and submit the data to the CFPB by June 1 of the following year.23 Additionally, in contrast to the proposed rule, which would have required compliance approximately 18 months after publication of the final rule in the Federal Register, under the Final Rule, a covered financial institution must begin complying according to its applicable compliance date. The applicable compliance date for a covered financial institution depends on its number of covered originations.24 The tiered deadlines are as follows:

Tier Number of Covered
Originations in Each of
Calendar Years 2022 and 2023
Compliance Date
First Reporting
Tier 1 At least 2,5001 October 1, 2024 June 1, 2025
Tier 2 At least 5002 April 1, 2025 June 1, 2026
Tier 3 At least 1003 January 1, 2026 June 1, 2027

The Final Rule provides a 12-month enforcement grace period for financial institutions’ first year of data submission, in which the CFPB will not assess penalties for errors in data reporting and will conduct examinations only to assist institutions in diagnosing compliance weaknesses, provided the financial institution engages in good faith compliance efforts. Specifically, for Tier 1 financial institutions, as well as any financial institutions that make a voluntary submission for the first time for data collected in 2024, the CFPB provides a grace period covering the 3 months of data collected in 2024 as well as the first nine months of data collected in 2025. Similarly structured grace periods are likewise provided to Tier 2 and Tier 3 financial institutions.

Additionally, the data reported by financial institutions will be made available to the public on an annual basis, but the CFPB will not reveal any privacy-protected information about any particular small business applicant. While the CFPB has not yet determined precisely how it will protect applicant privacy, the Final Rule notes that the CFPB will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data and that any publication of aggregate data will be dependent on multiple factors, including privacy considerations, the volume of data received and trends in the data.

VII. Supervisory and Enforcement Priorities

Concurrent with the publication of the Final Rule, the CFPB issued policy guidance addressing its enforcement and supervisory priorities relating to the Final Rule (the “Policy Guidance”).25 The Policy Guidance states that the CFPB will focus its enforcement and supervisory work on ensuring that covered financial institutions comply with the Final Rule’s prohibition on discouraging small business loan applicants from providing responsive data. The Policy Guidance also notes that lenders covered by the Final Rule violate ECOA if they fail to observe the regulatory requirements outlined therein.

VIII. Key Takeaways

  • To comply with the Final Rule, covered financial institutions should consider designing data collection procedures such that requests for data are prominent to applicants, applicants can easily respond to such requests, that such requests initially be made prior to notifying an applicant of the lender’s decision on the application and that the time and manner of a lender’s collection procedures otherwise serve to obtain responsive information.
  • In designing such data collection procedures, covered financial institutions should pay close attention to substantive requirements of the Final Rule that, as demonstrated above, are contained in the Official Interpretations but are not necessarily made clear from a stand-alone reading of the regulations.
  • Covered financial institutions should also work to identify and address potential indicia of discouragement in their practices, policies and procedures, including low response rates from applicants. Indeed, the CFPB stated in the Policy Statement its expectation that covered financial institutions will conduct ongoing monitoring and investigation of low response rates by “division, location, loan officer, or other factors to ensure that no discouragement or improper conduct is occurring” within the financial institution. To further compliance with the requirements relating to the Final Rule’s prohibition on discouraging applicants from submitting responsive information and to guide its enforcement priorities, the CFPB also stated that it will closely monitor covered financial institutions’ response rates and compare them to financial institutions of similar size, type, geographic research or other relevant factors.

• Although the Final Rule is already the subject of a lawsuit seeking to block its implementation,26covered financial institutions should nevertheless consider preparing well in advance of the compliance deadlines to comply with the Final Rule’s significant data collection and reporting obligations and dedicate special attention to developing procedures for encouraging responses to demographic data requests from applicants.


1 CFPB, Small Business Lending under the Equal Credit Opportunity Act (Regulation B) Final Rule (March 30, 2023) [hereinafter, CFPB Small Business Lending Final Rule].

2 Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1071, 124 Stat. 2056, 2056 (2010).

3 The Equal Credit Opportunity Act (15 U.S.C. § 1691 et seq.) and its implementing Regulation B (12 CFR Part 1002) are intended to protect applicants from discrimination in any aspect of a credit transaction.

4 Note that the Final Rule does not require financial institutions to collect and report data regarding applications for women-owned and minority-owned businesses that are not small. However, 99 percent of women-owned and minority-owned businesses are small businesses, and thus covering small businesses necessarily means nearly all women-owned and minority-owned businesses will be covered. See CFPB Small Business Lending Final Rule, p. 2.

5 CFPB, Executive Summary of the Small Business Lending Rule (March 30, 2023).

6 86 Fed. Reg. 56356 (Oct. 8, 2021).

7 12 C.F.R. § 1002.105.

8 12 C.F.R. § 1002.104.

9 Subpart A of Regulation B defines “business credit” as “extensions of credit primarily for business or commercial (including agricultural) purposes” but excludes public utilities credit, securities credit, incidental credit, and government credit. 12 C.F.R. § 1002.2(g). “Extension of credit” means “the granting of credit in any form (including, but not limited to, credit granted in addition to any existing credit or credit limit; credit granted pursuant to an open-end credit plan; the refinancing or other renewal of credit, including the issuance of a new credit card in place of an expiring credit card or in substitution for an existing credit card; the consolidation of two or more obligations; or the continuance of existing credit without any special effort to collect at or after maturity).” Id. § 1002.2(q).

10 While this is not a defined term in the Final Rule, it has been used by the CFPB to refer to the types of originations that impact the determination of a Covered Financial Institution’s compliance date.

11 12 C.F.R. part 1002 Supp. I § 1002.105(b)-5; see also supra note 10.

12 Note that this $5 million threshold is subject to inflation adjustment every 5 years, starting January 1, 2025. See 12 C.F.R. § 1002.106(b)(2). Compare to the current Community Reinvestment Act regulations, which considers the level of banks’ loans to small businesses with gross annual revenues of $1 million or less. See, e.g., 12 C.F.R. § 345.22(b)(3)(ii).

13 12 C.F.R. § 1002.103.

14 12 C.F.R. part 1002 Supp. I § 1002.103(a)-4, .103(b)-(4).

15 12 C.F.R. § 1002.107.

16 12 C.F.R. § 1002.107(a)(1)-(4), (8)-(12).

17 12 C.F.R. § 1002.107(a)(5)-(7), (13)-(17), (20).

18 The NAICS is “the standard used by Federal statistical agencies in classifying business establishments for the purpose of collecting, analyzing, and publishing statistical data related to the U.S. business economy.” See The Small Business Act defines a small business using size standards that generally hinge on the average number of employees or average annual receipts of the business concern and are customized by industry across 1,012 six-digit NAICS codes. See Small Bus. Admin., Table of Small Business Size Standards Matched to North American Industry Classification System Codes (effective Mar. 17, 2023).

19 12 C.F.R. § 1002.107(a)(18)-(19).20

20 12 C.F.R. § 1002.108.

21 12 C.F.R. § 1002.111.

22 Small business lending application register or register means the data reported, or required to be reported, annually to the CFPB. 12 C.F.R. § 1002.102(q).

23 12 C.F.R. § 1002.109(a).

24 While this is not a defined term in the Final Rule, it has been used by the CFPB to refer to the types of originations that impact the determination of a Covered Financial Institution’s compliance date.

25 CFPB, Statement on Enforcement and Supervisory Practices Relating to the Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B (March 30, 2023), available here.

26 Texas Bankers Ass’n v. Consumer Financial Protection Bureau, 7:23-cv-00144, U.S. District Court for the Southern District of Texas.