Almost thirteen years after the Dodd-Frank Act (DFA) was signed into law, the Consumer Financial Protection Bureau (CFPB) on March 30, 2023, finalized a new rule “to create a new data set on small business lending in America.” The new regulation, known in the industry as “1071” as it is mandated by Section 1071 of the DFA, was named the Small Business Lending Data Collection Rule (“new rule”) by the CFPB. This new rule creates a new subpart to Regulation B, which implements the Equal Credit Opportunity Act (ECOA). According to the bureau, the rule will “increase transparency in small business lending, promote economic development, and combat unlawful discrimination.” The new regulation imposes significant data collection and reporting requirements on institutions that accept credit applications from small businesses.

The rule applies to “covered financial institutions,” which are defined as “any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity, and that originated at least 100 covered originations in each of the two preceding calendar years.” Thus, banks that originate small business loans are covered by the rule (assuming they meet the origination threshold, which must be determined annually due to the “two preceding calendar years” requirement).

The rule’s structure and requirements resemble those of the Home Mortgage Disclosure Act (HMDA) in many ways, and banks will find that many of their existing policies, procedures, and technology can be utilized when implementing the new rule. However, it is crucial to recognize and account for several significant differences between HMDA and the new rule. The bureau has staggered the initial compliance date into three “tiers” based on lenders’ origination volume. Larger volume lenders have roughly 18 months before they must begin collecting, with medium and smaller volume lenders having about two years and three years, respectively, before they must begin collecting. In the compliance world, time flies; 18 months, and even a year or two passes in the blink of an eye, and compliance may be required sooner than anticipated. Now that we know the specific requirements of the rule, including detailed data field requirements, banks should be assembling stakeholder groups and committees (and calling their automation providers) in order to figure out when and what they have to do to be ready when the time comes.

Here we’ll discuss the practical aspects of getting ready, and provide a listing of important issues banks should consider, with recommendations on what needs to happen between now and Day One of data collection. Included are implementing new policies and procedures, getting system requirements and automation in order, and (which has been under-emphasized) critical cultural aspects of imposing new processes into the small business lending process. There’s a lot to do and a short time to do it. But the first question is simultaneously the simplest to ask and most complicated to answer: When do we have to comply?

1. Figure out when (or whether) the bank has to start doing something.

Determine how many “covered originations” the bank had in 2022 and how many it will have in 2023. Will it be 100 or more in each of those years? 500 or more? 2,500 or more? This will determine the future date the bank must begin collecting small business lending data.

The proposed version of the rule requested comment on various approaches to how implementation of the rule should be rolled out. The CFPB in the final rule fortunately responded to concerns expressed by the industry with a phased approach (in three phases, or “tiers”) to required compliance. The date a bank must begin to collect small business lending data depends on how many “covered originations” it had in both of two calendar years, as follows:

Tier 1: If the bank had at least 2,500 “covered originations” in both 2022 and 2023, it must begin collecting small business lending data on October 1, 2024, and report data to the CFPB on June 1, 2025. This means the bank will report data covering only the fourth quarter of 2024 this first time only.

Tier 2: If the bank had at least 500 (but not more than 2,500) “covered originations” in both 2022 and 2023, it must begin collecting small business lending data on April 1, 2025, and report data to the CFPB on June 1, 2026. This means the bank will report data covering only the final three quarters of 2025 this first time only.

Tier 3: If the bank had at least 100 (but not more than 500) “covered originations” in both 2022 and 2023, it must begin collecting small business lending data on January 1, 2026, and report data to the CFPB on June 1, 2027. Similarly, if the bank had between 100 and 500 “covered originations” in both 2023 and 2024, or 2024 and 2025, must begin collecting data on January 1, 2026. For these banks, full-year datasets will be reported.

Thereafter, if a bank originates at least 100 transactions in two consecutive calendar years, it must collect data beginning January 1st of the following calendar year and report the previous calendar year’s data by June 1st of the following calendar year.

If the bank did not have at least 100 covered originations in each of the prior two calendar years, it need not collect and report small business lending data for the present calendar year. This yearly determination means a bank could be required to collect and report data for some years, but if covered originations later fall below the threshold for a particular calendar year, it would have at least a two-year respite from collection and reporting (and it may become a reporting bank again in the future depending on what happens later). But what exactly is counted to get to these 100, 500, or 2,500 thresholds? What is a “covered origination”?

To figure out how many “covered originations” the bank had, figure out how many “covered credit transactions” the bank had.

A “covered origination” is “a covered credit transaction that the financial institution originated to a small business.” An origination involves a new credit obligation, meaning a new promissory note or similar legal agreement. Thus, refinancings (where an existing obligation is satisfied and replaced by a new obligation by the same borrower) can be originations, whereas modifications (in the form of extensions, renewals, amendments, addendums, etc., of existing obligations) are not originations since there is no new credit obligation. Modifications are not counted when considering whether (and when) the bank must begin reporting, and applications for modifications are not included in a bank’s annual reporting. This is true even if the bank made a credit decision when determining whether to grant a borrower’s request for a modification, or if the credit amount is increased. This is the same standard used under HMDA, as well as the Truth in Lending Act (TILA) and Regulation Z, so it is a standard that banks are used to applying.

But to fully understand a “covered origination,” we have to understand the definition of “covered credit transaction.” Generally speaking, this is an extension of business credit under Regulation B. This is broadly defined and includes loans, lines of credit, credit cards, merchant cash advances, and notably, agricultural credit (this is noteworthy since loans and lines of credit primarily for agricultural purposes are covered under this new rule, but are exempt from HMDA reportability. This has implications for data collection requirements, which will be discussed later).

But the new rule exempts several types of credit from the definition of “covered credit transactions,” including:

  • Trade credit;
  • Insurance premium financing;
  • Public utilities credit;
  • Securities credit;
  • Factoring;
  • Certain leases; and
  • Purchases of a credit transaction, an interest in a pool of credit transactions, and purchases of a partial interest in a credit transaction (such as through a loan participation agreement).

Each of these exempt credit types is defined in the rule, which is helpful in determining whether a particular deal is covered under the definition or not. There are a few additional noteworthy exemptions:

Incidental credit. These are extensions of credit that are not made pursuant to the terms of a credit card account, are not subject to a finance charge (as defined in Regulation Z), and are not payable by agreement in more than four installments. Even though these requirements come from Regulation Z, this exemption applies regardless of whether or not the credit is consumer credit. An example of incidental credit is when a service provider such as a hospital, doctor, lawyer, or merchant allows a small business client to defer payment of a bill.

Consumer-designated credit used for business or agricultural purposes. These are loan or lines of credit that are used for mixed purposes, but are primarily for personal, family, or household purposes. Even though there may also be a business or agricultural purpose, since the primary purpose is not business, they are excluded. Fortunately, again banks can use the standard in Regulation Z to determine whether the loan or line of credit is primarily for consumer or business purposes. If the transaction is covered by Regulation Z, then it is not covered under the new rule.

HMDA-reportable transactions. Fortunately, banks need not report HMDA-reportable small business applications also under this new rule. Thus, small business loans and lines of credit secured by dwellings that are used for home purchase, home improvement, or refinancing purposes are exempt from the new rule. While this lack of duplicative reporting is good news, it sets up a challenge for banks when it comes to proper data collection and reporting, as discussed later.

To figure out how many “covered credit transactions” the bank had, figure out how many loans and lines of credit the bank made to “small businesses.”

Defining a “small business” under this new rule has a bit of a tortured history. The final rule states that a business is “a small business if its gross annual revenue…for its preceding fiscal year is $5 million or less.” To determine a business’s gross annual revenue (which may or may not include affiliate revenue), the bank may rely on representations from the business, but if the bank verifies this information (or receives updated information), that verified and/or updated information must be used when reporting.

The definition is based on the Small Business Association’s (SBA) definition of “small business concern,” which excludes nonprofit organizations and government entities. Banks need not count loans to them in the threshold calculation or report applications from them later. A startup business would be a “small business” since its gross annual revenue would initially be zero.

Use the “transitional provision” if the bank doesn’t have gross annual revenue information.

What happens if the bank doesn’t have sufficient data to determine whether a particular loan or line of credit was made to a “small business,” meaning it doesn’t know for sure whether the borrower’s gross annual revenue was $5 million or less? Maybe the precise data wasn’t collected initially, or retained later. In cases such as these, a bank may use “any reasonable method to estimate its covered originations.” The rule presents two non-exclusive examples to help it determine how many covered originations it had in 2022 and/or 2023:

Option 1: The bank may “count covered originations for the last quarter of calendar year 2023 (October 1 through December 31), and then annualize the number of its covered originations based on this information. The financial institution could use this annualized number to determine its covered originations for 2022, 2023, or both years.” Under this option the bank would determine the number of covered originations it has in the fourth quarter or 2023, then multiply this number by four to extrapolate a total for 2022 and/or 2023.

Option 2: The bank may “assume that all covered credit transactions originated during a calendar year were made to a small business for purposes of determining institutional coverage and compliance date tier pursuant to the final rule.” This may be easier, since the bank would assume that all business loans and lines of credit lacking precise gross annual revenue information are made to “small businesses.” (However, this could potentially lead to over-counting and accelerate the bank’s need to collect and report data.)

2. Once it is known that the bank must comply (and when), determine what must be collected and reported.

Understand what a reportable application is under the new rule.

The rule requires banks to collect and report data (as well as meet other requirements) for “reportable applications.” This term seems obvious, but it is different in several material ways from the existing definition of “application” in Regulation B (aside from the obvious requirement that the application be for a covered type of credit from a small business).

Under Regulation B, “Application means an oral or written request for an extension of credit that is made in accordance with procedures used by a creditor for the type of credit requested.” This definition is interpreted broadly so that applicants can be notified as to the lender’s decision within a reasonable period of time. However, under the new rule, certain types of requests are excluded from the definition of a “reportable application”:

  • Reevaluation requests, unless new credit is requested;
  • Extension requests, unless new credit is requested;
  • Renewal requests on an existing business credit account (unless the request seeks additional credit amounts);
  • Inquiries; and
  • Prequalification requests.

Banks must carefully differentiate between the broader set of events that would require notification to the applicant of the bank’s decision on the request, and those that rise to the level of data collection and reporting under the new rule.

Determine how the bank will define its application procedures, including whether the bank should standardize its small business application process, and whether to use a written form.

The commercial loan application process can be notoriously unstructured. Sometimes an “application” is nothing more than a casual request to the banker, although many banks have a much more standardized process for small business applications. In any case, there is a long list of data elements that must be collected and reported under the new rule, and it may be the case that the bank doesn’t normally collect all the information that is part of the new reporting requirement. Information such as application date, method, action taken date, the number of non-owners working for the applicant business, applicant’s time in business, and number of principal owners (among others) are prime examples of information that may not be collected for every single small business loan application. And lenders do not collect demographic information on business owners, unless they are offering special purpose credit programs. But these, along with many others, are required data elements for reportable applications, and there are no exceptions in the final rule for banks that don’t normally collect them.

So that all data elements are collected in every instance, it may be worthwhile to standardize the application process, or at least amend existing processes to ensure that all required information is requested and captured. One way to do this is to implement a written application. The final rule contains a Sample Data Collection Form for the demographic information requirements. This form could be incorporated into the bank’s written small business loan/line of credit application. There is no requirement in the rule that there be a written application form (or that the sample form be used), but it is one way to ensure all the necessary information is collected and retained, which will help with data validity later.

Assemble a data dictionary.

The best way to ensure all necessary data elements are collected for each reportable application is to develop and utilize a data dictionary, which is a listing of all the information within an application, how and where it is collected, and where it is maintained. This assists in later data integrity regulatory examinations, since there will be a clear and defined path from the source of the information, where it is housed (the database of record), to the ultimate submission file to the CFPB. It makes it much easier to determine that the correct information was ultimately reported.

The bureau published a Small Business Lending Rule: Data Points Chart that can be used for this purpose. This chart, which is similar to those published for HMDA data, is a comprehensive listing of each data point with regulatory references, descriptions, and filing instructions (including when to report “Not Applicable” and other reporting notes). This chart can be used as the go-to resource for the bank to assemble its data dictionary.

It also allows the bank to determine which data points it does not presently collect, so it can use the time between now and when it must begin collecting data to figure out what procedures must be formulated or amended so that it can obtain the additional information. Again, there are no allowances in the new rule allowing banks to forgo reporting data points they don’t consider important within their application processes. If it’s a covered application under the new rule, all data must be requested, collected and reported. Only in narrow circumstances may a bank report that a data point was not provided by the applicant.

Differentiate demographic information reporting requirements between commercial HMDA-reportable applications and Small Business Lending Data Collection applications.

While it is good news that banks need not report both data required by HMDA and data required by this new rule for the same application, there are procedural differences that must be addressed. See Demographic Reporting in Commercial Lending on page 10, for a more detailed explanation.

3. Prepare the submission and data integrity process.

Prepare for the data submission process.

This again will operate much like the HMDA submission process: the bank will prepare its submission file, and will report it to the CFPB by June 1st of the successive calendar year. The 1071 data submission will be required three months after HMDA and CRA data are submitted. This will relieve some of the stress in the first two months of the year, which are intense enough for HMDA- and/or CRA-reporting banks without the additional burden of another submission due the same day.

Like HMDA, data submitted by the bank under this new rule will be made available to the public after it is scrubbed to protect privacy interests. However, at this point, the CFPB has not decided what data will be redacted from the public data set. The “CFPB will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data,” which will be announced at a later date. Aggregate data as well as application-level data will both eventually be released.

The rule is also similar to HMDA in that an authorized representative of the bank “with knowledge of the data” must certify to its accuracy and completeness. Each reporting bank must figure out who that person will be.

Don’t forget data analysis!

What the new data will say about the state of small business lending in this country as a whole, as well as within individual lenders, is eagerly awaited by regulators, community groups and the press, among others. Don’t ignore the critical aspect of understanding what the bank’s data says about its performance. It may be several years away, but don’t get too caught up in implementing the rule, and collecting and reporting data, to forget to analyze it and be ready for any potential questions and comments.

4. Make it happen: implement policies and procedures.

Put the right policies and procedures in place to deal with the cultural aspects of the new rule.

One of the most important tasks in being ready to collect all this new data is to have the appropriate policies and procedures in place to ensure the right data is collected in the right instances. But don’t ignore the cultural impact—this will require small business lenders to undertake new procedures that they may see as adding little value to the lending process. Again, rely on what the bank already does for HMDA reporting (if it reports under that rule)—the need for standardization and clear processes is similar in many respects to collecting data under that regulation.

Procedures should include:

  • Processes “reasonably designed to obtain a response” from the applicant, for demographic information and other applicant-provided data points. The request for information must be prominently displayed and presented, and applicants should be able to easily respond to such requests. It should be clear that applicants are not discouraged from responding to the request.
  • Processes to identify and respond to signs of possible discouragement. This should include testing for low response rates, as the bureau warns that “low response rates may indicate discouragement or another failure by a covered financial institution to maintain procedures to collect applicant-provided data.” This is so critical that the bureau issued a policy statement on 1071 enforcement, where it announced it will “focus its supervisory and enforcement activities…on ensuring that lenders do not discourage small business loan applicants from providing responsive data.”
  • Provisions ensuring that if some reportable information is verified by the bank, that the verified information is reported rather than unverified information, along with a reminder that demographic information is not permitted to be verified.
  • Provisions allowing that some data provided by the applicant may be reused, but only if it was collected within 36 months of the current application (except for gross annual revenue for obvious reasons—it is a yearly figure), and only if that previous data was originally collected as part of an application covered by the new rule.

Keep an eye on the interplay between 1071 and the impending changes to the Community Reinvestment Act (CRA) rule.

There are two CRA-related aspects to the new rule. One is a statement by the bureau that pursuant to “the regulators’ Community Reinvestment Act proposal, data submitted under the CFPB’s rule would satisfy the relevant Community Reinvestment Act requirements.” This would avoid duplicative reporting but may have implications for CRA performance because the 1071 rule is not identical to current CRA data collection for loans to small businesses and small farms. Stay tuned, as we have yet to see what the new final CRA regulations will look like.

The other is a statement that the bureau may “provide additional implementation time for small lenders that have demonstrated high levels of success in serving their local communities, as measured by their performance under relevant frameworks like the Community Reinvestment Act and similar state laws.” This is an opportunity to consult with executive management and/or the Board and determine what the bank’s goals are for CRA performance. This seems to be an added incentive for having an outstanding CRA rating, for example. We don’t yet know how much additional time may be provided, what “small lenders” would be covered, and what it would take to qualify, but it is certainly bears watching to see what the bureau proposes.

5. Set up the firewall.

Make the firewall formal, train it, and test it.

By the term “firewall,” the rule refers to some sort of process that keeps demographic information out of the hands of those with lending authority. As the CFPB stated:

[E]mployees and officers of a covered financial institution or its affiliate are prohibited from accessing an applicant’s responses to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application.

How will this be accomplished? It can be as simple as physical separation in a loan file or access limitations in electronic systems. But it must be a formalized process to ensure that anyone who has approval authority, pricing authority, or influence over the terms and conditions of the potential loan not have visibility to the demographic information provided by the applicant.

The rule does provide for an exception to the firewall, if the bank determines the “employee or officer should have access to one or more applicant responses,” but don’t be tempted into considering this a free pass. However, there are times an “employee or officer is assigned one or more job duties that may require the employee or officer to collect, see, consider, refer to, or otherwise use information subject to the prohibition.” Banks should carefully consider whether this is always appropriate, as difficult as it might be in some cases. A solution may be specifying that anyone involved in the credit decision not be the one asking for or collecting the demographic information during the application process, if possible. But where the bank deems the employee or officer should have access, the bank must provide “a notice to the applicants whose responses will be accessed,” or a broader group of applicants, “up to and including all applicants.” This is also a procedural issue that must be implemented.

Put it all together.

The time that banks will have before they have to start collecting data will go by quickly. There is much to do, both operationally as well as technologically. Use the time to your advantage—figure out when you have to comply, make some calls now, and analyze what will have to change in the bank from a cultural perspective. Then implement the proper policies and procedures to make it happen.

As seen in ABA Risk and Compliance Magazine July / August 2023 issue