A little over a year ago, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPRM) to require financial institutions to collect and report data on small business credit applications, to facilitate enforcement of fair lending laws and help identify the needs of small businesses, including those owned by women and minorities. Recently, a status report filed in court indicates the CFPB is on track to issue its final rule no later than March 31, 2023. Given this timeline, lenders should begin preparing now to ensure adequate procedures designed to accurately collect and report small business loan data.
Notice of Proposed Rulemaking
Section 1071 of the Dodd-Frank Act (DFA) called for financial institutions to collect and report data on small business credit applications. In implementing the law, the CFPB’s NPRM details the groups that would be covered, for which transactions, and the data required to be reported.
Financial institutions covered: These would be “any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity” and that originated at least 25 covered credit transactions to small businesses in each of the two preceding calendar years.
Transactions included: Under the NPRM, covered credit transactions would include loans, lines of credit, credit cards, and merchant cash advances, including covered credit transactions for agricultural purposes and any covered credit transactions reportable under the Home Mortgage Disclosure Act. The CFPB proposes to exclude trade credit, factoring, leases, public utilities credit, securities credit, incidental credit, and consumer credit used for business purposes from the scope of covered credit transactions. Nor would inquiries or prequalification requests be covered. The NPRM would also exclude requests for extensions, renewals, or reevaluations of existing business credit accounts, unless the applicant requests additional credit.
Small business definition: DFA Section 1071 references the Small Business Act definition of “small business concern.” In the NPRM, the CFPB proposes defining a small business as an entity with $5 million or less in gross annual revenue for its preceding fiscal year. This definition, however, would require approval as an alternate small business size standard by the Small Business Administration.
Data points required: For covered transactions, the CFPB proposes collecting approximately two dozen data points, although some of those have component parts, and others would only apply to certain actions taken. For all covered transactions, the data points include a legal entity identifier, a unique application identifier, application date, application method, application recipient, action taken, action taken date, credit type (including credit product, guarantee, and loan term), loan purpose, loan amounts requested and approved, census tract of principal place of business, gross annual revenue, six-digit NAICS code, number of workers, time in business, number of principal owners, and demographic data on the applicant. Denial reasons would be required for denied applications. Originated loans or applications that were approved but not accepted would require pricing information, including interest rate, origination charges, broker fees, annual fees, prepayment penalties, and any additional costs for merchant cash advances or other sales-based financing.
Demographic data: In the NPRM, demographic data would include whether the applicant is a minority- or woman-owned business and the race, ethnicity, and sex of the applicant’s principal owners. The NPRM also includes a requirement for a firewall, if feasible, to prohibit access to demographic information by employees involved in the credit decision. If it is not feasible to implement and maintain a firewall, the lender must notify applicants.
Preparing to Comply
Although covered financial institutions cannot complete preparations until a final rule for Section 1071 data collection is released, there are steps lenders can take today to begin preparing for the unique challenges of collecting data on small commercial loans.
Top-line assessment: First, assess your institution’s lending. Assuming the final rule is consistent with the NPRM, would your institution be a covered financial institution? What types and volumes of covered credit products do you offer?
Process review: Next, review your processes for originating each covered small business credit product. Does your institution have formal applications for small business loans? If not, creating a standardized application or set of application data points will facilitate compliance with the final rule. Are there manual processes that may be error-prone or inefficient? If so, this may be an opportunity to streamline or automate processes.
Data review: If standardized applications or data requirements already exist, review the data points collected to see which of the non-demographic data points in the NPRM are currently being collected. If your institution does not currently have a standard application, review credit packages or other underwriting requirements. To the extent currently permitted by Regulation B, does your institution currently collect the proposed required data fields? As you review your institution’s application and origination processes, identify proposed data points that are not currently collected or retained in a manner that permits electronic reporting.
Data quality review: Proposed Appendix H to Part 1002 includes expected sample sizes and error tolerance thresholds for data collected under the rule. Would your institution’s current data conform with these error tolerance thresholds? Are there any data points that pose particular difficulty? For example, some lenders may struggle with accurate collection of six-digit NAICS codes, especially when business activities are spread across multiple NAICS codes. To prepare for regulatory data quality expectations, it may be useful to test current data accuracy by comparing electronic data to credit memos or other source materials. Excessive data errors would indicate areas for improvement before required data collection begins.
Third-party risk assessment: Institutions will also need to assess third-party risks associated with the NPRM. Technology, such as loan origination systems (LOS), will be critical. Ensure affected LOS vendors are aware of the pending Section 1071 requirements and will be able to capture the necessary data by the time the rule takes effect. Pay close attention to the firewall requirements, and whether your LOS vendor will provide the ability to segregate the demographic data. In addition, if you plan to conduct regulatory submissions outside of your LOS, ensure any vendors used in the submission process are also on track for meeting regulatory submission requirements. Institutions that originate covered loans through third parties, such as originating through FinTech partnerships, should also ensure their lending partners are prepared to implement the final rule in a timely fashion.
Fair lending review: This is also a good time to evaluate your current fair lending monitoring, testing, analysis, and reporting. If your institution’s fair lending compliance management system does not currently include small business loans, begin incorporating business credit in your fair lending analyses. Take this time to educate the lines of business as to the risks associated with discretion and general pricing and credit policies. Do business units have appropriate quality control functions around data accuracy and adverse action notices for small business credit applications? Can lending staff exercise discretion in underwriting or pricing small business loans? Are you currently conducting redlining analyses of small business and small farm lending? Have you included small business lending in your fair lending underwriting and pricing regressions? Do you conduct comparative file reviews of business underwriting and pricing decisions?
Implementing the Final Rule
Once the final rule is released, there will be a sprint to complete implementation. Given the importance of accurate data and the potentially significant impact on business operations and compliance staff, institutions may wish to establish one or more working groups to develop an implementation program if you have not already done so. Compliance will require updates to many policies, procedures, and processes that cannot be completed until the final rule is released. Steps include:
Technology: One of the highest priorities should be ensuring your technology is on track to comply in a timely fashion. Check in with any of your vendors of systems used in taking and decisioning applications, originating and pricing loans, or reporting required data points to the CFPB. Along with system updates, make sure you’ve incorporated the required firewall access controls, if feasible.
Policies and procedures: Covered institutions will also need to update policies and procedures to conform with the final rule. Make sure the updates include application forms, disclosures, and job aids used in small business loan origination processes.
Training: Once policies and procedures are updated, develop training curricula and materials, identify learner audiences, create training timelines, and monitor completion. Don’t forget to include appropriate training for executive leadership and the board of directors.
Monitoring and testing: Once the rule is implemented and data collection begins, conduct ongoing quality assurance testing of data accuracy and completeness with a particular focus on new data points or those that have not previously been subjected to data quality reviews. Incorporate the new data into your fair lending monitoring and testing. Report to senior management and the board the results of both implementation testing and fair lending monitoring to prepare for examinations.