On March 31, the Consumer Financial Protection Bureau (CFPB) issued its final rule amending Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) under section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Now is the time for covered financial institutions to start planning and implementing processes and systems for reporting small business lending data.

The table of “basics” below provides a good starting point. Then, after reviewing the final rule and accompanying documents, lenders should initiate a project and assign a project manager. Next, identify impacted stakeholders with roles and responsibilities. Kick off the project and begin a project plan with workstreams, milestones, and tasks.

Decisions Involved in Implementing 1071

Several decisions need to be made before developing a 1071 implementation plan. It is important to document all decisions throughout the project. Without adequate documentation, it is not easy to remember two years from now why certain decisions were made. Here’s a breakdown of decision types:

  • Compliance tier: For some, it may be easy to determine the compliance tier into which they fall, depending on loan volume, in order to pinpoint the initial dates on which they are required to gather and report data. For others, especially those with disparate systems or no system, it will be more difficult. The CFPB anticipated that some institutions may not be able to determine their compliance tier with existing data. It therefore provided that reasonable alternative means could be used to determine the compliance tier. These include:
    • Gathering the necessary data for applications October 1, 2023 through December 31, 2023 and annualizing the number for 2022 and 2023;
    • Assuming all covered credit transactions originated in 2022 and 2023 were to small businesses; and
    • Any other methodology that is reasonable and documented in writing.
    A decision is needed about whether data gathering will begin earlier than the required date. The CFPB permits institutions to gather data one year before its requirement.
  • Technology: Technology plays an important role in preparing for 1071 reporting. It is important to identify each system used to originate the covered credit transactions. Transactions within the scope of the rule include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes. The CFPB is excluding trade credit, public utilities credit, securities credit, and incidental credit as initially proposed in its draft of the rule. In addition, the bureau has added exclusions for transactions that are reportable under the Home Mortgage Disclosure Act (HMDA) and insurance premium financing. Consistent with the CFPB’s initial proposal, factoring, leases, and consumer-designated credit that is used for business or agricultural purposes are also excluded. In addition, the bureau has made clear that purchases of originated covered credit transactions are not reportable.
    Decisions may be needed to consolidate systems or implement new ones—for example, for transactions that are not currently supported by any systems.
  • Processes: If applications are taken through separate business lines, a decision will be needed regarding whether the institution should centralize the process. If there is no formal application process for some transactions, the decision at hand is whether processes need to be developed.
  • Customer impact: Some institutions, especially regional lenders, may have deep and repetitive lending relationships with their small business customers. Institutions should determine whether they want to prepare their customers for a more formal application process that includes more data, including demographic data. How that socialization will occur may be a completely separate workstream itself.
  • Third parties: Not only must an institution determine how it will work with its third parties, including loan origination systems and reporting and analysis vendors, but it must also determine whether it has third-party originators to consider. While the CFPB explicitly states that purchases are not covered, transactions should be evaluated to determine whether third parties are used in the application process.
  • Interim plan: Will an interim plan be required? This should be considered if transformative work will be needed such as implementing new systems or revamping processes.

Project Plan for Implementing 1071

Once the final rule and its accompanying documents have been reviewed, the first step is to launch a project and designate a project manager. Afterwards, it’s important to identify all stakeholders who will be impacted, along with their respective roles and responsibilities. From there, the project can be initiated, and a comprehensive project plan can be developed, including workstreams, milestones, and tasks.

Project plans should be robust and constantly evolving. Consider a collaborative tool so that all workstreams can monitor and update tasks. A good project manager should drive progress and support the teams.

Workstream examples include:

  • Current state lending process: It will be necessary for each financial institution to identify which covered transactions apply to its business. Then, the importance of documenting the current state process of the applicable covered transactions cannot be overstated. Each covered transaction may have different processes. Understanding how customers interact with the business line to complete a transaction is critical, in part because this interaction is a dependency for other workstreams such as communications and technology. Identify systems and controls within the processes.
  • Data: A data workstream will focus on which data is currently gathered, how it is saved, and where it is saved. If possible, a fair lending analysis should be done to determine whether there are issues with data or needs that should be addressed prior to implementing the new rule. The workstream will also begin mapping the conversion of data to the required format.
  • Future state design: Based on some of the decisions made upfront, new processes may be needed to meet reporting requirements. Consolidation and centralization may be key to establishing a holistic and sustainable reporting process. Be sure to include reviews, testing, and scrubbing in thoughts about future state. Ensure that the process clearly establishes that underwriters and other persons involved in making credit determinations are unable to access demographic data.
  • Staffing: Determine whether additional staff is needed for implementation or post-implementation processes. Do not forget quality control, quality assurance, data scrubbing, and fair lending in staffing plans. Begin identifying resources and timelines.
  • Technology: Systems and technology are needed to implement reporting, hand-in-hand with the future state design. Tasks may be applicable to existing systems or new systems. Partnering with vendors in their implementation plans may reside in this workstream or require a separate workstream. Ensure that the required firewall for access to demographic data is considered.
  • Communications: It is critical for the workstreams to communicate regularly throughout implementation. Additionally, the communications workstream may include designing communications with customers and across the organization, as well as training.
  • Policies and procedures: As systems are changed/implemented and processes are designed/updated, policies and procedures must be created and/or updated.
  • Other: Other workstreams to consider include testing, governance, fair lending, and reporting.

Fair Lending Implications

While the final rule is aimed at improving transparency and fair lending practices, it also presents emerging fair lending risks. These risks reside in requirements to report certain data points based solely on demographic information collected from an applicant.

Collecting this data raises the potential for unconscious bias to affect underwriting decisions and pricing—or for the data to be used to unfairly target or exclude certain demographic groups. Therefore, it is crucial that covered financial institutions closely monitor their lending practices and conduct regular fair lending risk assessments to ensure compliance with the rule and to prevent unintended consequences.

Specifically, required demographic information includes the applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status, as well as the applicant’s principal owners’ ethnicity, race, and sex. This data can be used to analyze disparities in minority vs. non-minority lending in both pricing and underwriting. Examples include:

  • Underwriting disparities: Data analysis of the newly available information could also reveal disparities in underwriting decisions based on the ethnicity, race, and sex of the applicant’s principal owners.
  • Pricing disparities: Statistical analysis of the data collected from small business applications could show disparities in interest rates, origination charges, and other pricing information between minority-owned and non-minority-owned businesses.
  • Peer comparisons: Similar to the changes in 2018 with HMDA, the demographic data collected could be utilized for peer comparisons if the data is offered in aggregate. This could pose a significant challenge to identifying peer lenders with a similar product and service offering or strategy that would make them accurate comparators for peer analysis.

As previously mentioned, the data workstream applies to implementation of the rule but also has a bearing on the quality and accuracy of any fair lending analytics that are performed on that data. This imposes a very high standard on the business units responsible for the data collection and quality control measures adopted by an institution.

The final rule includes a sample data collection form that covered financial institutions can use to collect this demographic information from applicants and provide the required notices. The form requires covered financial institutions to collect principal owners’ ethnicity and race using aggregate categories and disaggregated subcategories. Covered financial institutions must allow applicants autonomy to describe a principal owner’s sex through free-form text or a verbal self-description.

The Takeaway

In conclusion, while the final rule for data collection of small business application data presents emerging fair lending risks, it is an important step toward greater transparency and fair lending practices in the financial industry. By carefully monitoring lending practices and conducting regular fair lending risk assessments, covered financial institutions can help ensure compliance with the rule and promote equitable access to credit and financial services for all small businesses, regardless of ownership.


Daniel Johnson Sr.

Daniel Johnson is a Managing Director at Treliant. He is an experienced regulatory compliance and data science professional with comprehensive financial services experience in regulatory compliance, risk management, internal audit, fair lending, statistical analysis, operations management, enterprise program administration, and compliance training.