The Consumer Financial Protection Bureau ("CFPB" or "Bureau") recently published a Small Entity Compliance Guide (the "Guide") regarding Section 1071 of the Dodd-Frank Act, which amended ECOA to require that financial institutions compile certain data regarding small business lending and report it to the CFPB.

As we previously detailed, the CFPB released a Final Rule (the "Rule") aimed at improving the transparency of and access to credit for small businesses on March 30, 2023. The Guide details the requirements of the Rule and provides further exemplars that are not provided in the Rule itself to assist small entities in complying with the Rule.

This article focuses on the Guide's discussion of the Rule's coverage, the reportable data points, and firewall provisions to assist covered financial institutions in understanding the Rule when they are starting to think about setting up systems to achieve compliance. This is especially important for those covered financial institutions that originated at least 2,500 covered originations in calendar years 2022 and 2023, as compliance for those covered financial institutions currently begins October 1, 2024.

The Rule's Coverage

The Rule applies to "covered financial institutions," which includes financial institutions that originated at least 100 covered originations in each of the two preceding calendar years. Financial institutions include, but are not limited to, banks, credit unions, online lenders, and equipment and vehicle financial lenders, whether they are organized as a partnership, company, association, trust, or other entity type. However, as the Guide notes, motor vehicle dealers that are persons, as defined by the Dodd-Frank Act, are excluded from coverage under the Rule. Where multiple financial institutions are involved in the origination of a covered origination, only the last financial institution with authority to set the material terms of the transaction is required to count the origination for reporting purposes.

What Is a Covered Credit Transaction?

A covered credit transaction is an extension of business credit that is not otherwise excluded under the Rule. The Guide notes that the definition of a covered credit transaction is important to the Rule, since for an application to be reportable, among other things, it must involve a covered credit transaction. The definition of business credit under the Rule means an extension of credit primarily for business, commercial, or agricultural purposes, unless otherwise excluded. Therefore, loans, lines of credit, credit cards, merchant cash advances, and any other credit product used primarily for agricultural, business, or commercial purposes are included in the Rule's coverage. However, the Guide notes the following either do not meet the definition of "business credit" or are excluded from the Rule's coverage:

• Factoring transactions, such as accounts receivable purchase transactions
• Lease transactions
• Consumer designated credit
• Trade credit, such as a financing arrangement wherein one business acquires goods or services from another business without making immediate repayment
• Home Mortgage Disclosure Act reportable transactions
• Insurance premium financing
• Public utilities credit
• Securities credit
• Incidental credit

What Is a Covered Application?

Covered financial institutions must collect and report data regarding covered applications from small businesses. A covered application is an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. Covered financial institutions have latitude to establish their own application procedures; however, the Guide reminds covered financial institutions that "procedures" include both the stated application procedures as well as the financial institution's actual practices. The Rule excludes the following from the definition of "covered application":

• Reevaluation, extension, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts. However, a refinancing is considered a covered application, provided it otherwise satisfies as the definition of covered application and is a covered credit transaction, as the prior obligation is satisfied and replaced by a new obligation.
• Inquiries and prequalification requests, such as a preliminary determination of whether the prospective application would likely qualify for credit.
• Reviews or evaluations initiated by the covered financial institution.
• Solicitations and firm offers of credit.

What Is a Covered Origination?

A covered origination is a covered credit transaction that a financial institution actually makes to a small business, except when the credit transaction extends, renews, or otherwise amends an existing transaction, unless additional credit amounts are extended. A small business's request to change one or more terms of an existing account does not constitute a reportable transaction.

Reportable Data Points

As set out in the Rule and Guide, a covered financial institution is required to compile, report, and maintain data on the following for reportable applications:

• Unique Identifier – A unique alphanumeric identifier must be compiled and reported. Among other requirements, it must not include any directly identifying information about the applicant or persons associated with the application. This number may be assigned at any time prior to the reporting of the application.
• Application Date – The date the application was received, or the date shown on a paper or electronic application, must be reported. If the application was received by the financial institution or affiliate, the covered institution reports the date it or its affiliate receives the application; however, if the application was received from a third party, the covered institution can report (i) the date it was received by the first party, (ii) the date it was received by the covered institution, or (iii) the date shown on the application form.
• Application Method – One of the following must be reported for the application method:
  • In-person, which includes in-person applications, hand-delivered applications, and applications taken over electronic media without a video component.
  • Telephone, which includes applications submitted to the financial institution, or to another party acting on the financial institution's behalf, by telephone call or via audio-based electronic media without a video component.
  • Online, which includes applications through a website, mobile application, fax transmission, electronic mail, text message, or some other form of text-based communication.
  • Mail, which includes applications through the U.S. mail, a courier or an overnight service, or an overnight drop box.
• Application Receipt – Whether the application was submitted directly to the financial institution or its affiliate(s), or whether the application was submitted through a third party, must be reported.
• Credit Type – The type of credit product applied for or originated, which consists of information about the credit product, guarantees, and loan term, must be reported.
• Credit Purpose – The purpose or purposes of the credit applied for or originated must be reported. In cases where credit may have multiple purposes, covered institutions must report all such purposes, up to a maximum of three.
• Amount Applied For – The initial amount of credit or the initial credit limit that the small business requested.
• Amount Approved or Originated – Covered financial institutions must, for every reportable application, report the amount approved or originated, as specified in the Rule.
• Action Taken – Covered financial institutions must report the final action taken on a reportable application.
• Action Taken Date – A covered financial institution must report the date it acted on a reportable application.
• Denial Reasons – Up to four principal reasons that the financial institution denied the application must be reported.
• Pricing Information – Covered financial institutions must, for each reportable application that resulted in origination or that was approved but not accepted, report the following information: (i) interest rate, (ii) total origination charges, (iii) broker fees, (iv) initial annual charges, (v) additional cost for merchant cash advances or other sales-based financing, and (vi) prepayment penalties.
• Census Tract – Covered financial institutions must report the census tract for one of the following locations as applicable:
  • The address or location where proceeds of the covered credit transaction will be or would have been principally applied, if known.
  • If the address or location where proceeds will be or would have been applied is not known, then the address or location of the applicant's main office or headquarters, if known.
  • If the address or location of where the proceeds are to be principally applied and the main office or headquarters address are not known, another address or location associated with the applicant may be used.
• Gross Annual Revenue – The gross annual revenue for the applicant's preceding fiscal year when data is collected must be reported. Covered financial institutions may rely on the applicant's reporting of its own revenue, but if the covered financial institution takes steps to verify the applicant's revenue, then that information must be reported. Covered financial institutions are permitted to include affiliate revenue in the gross annual revenue calculations, but are not required to do so.
• NAICS Code – The 3-digit NAICS code must be reported. If a NAICS code is unable to be collected or is otherwise not determined, covered financial institutions are permitted to report that the NAICS code is "not provided by applicant and otherwise undetermined."
• Number of Workers – The number of non-owners who work for the applicant must be reported, which includes full-time, part-time, and seasonal employees, as well as contractors.
• Time in Business – The number of years an applicant has been in business, reported in years, rounding down to the nearest whole year, must be reported.
• Minority-Owned, Women-Owned, or LGBTQI+-Owned Business Status – For each reportable application, information concerning whether the business is minority-owned, women-owned, or LGBTQI+-owned must be collected and reported. Applicants must be permitted to refuse to answer questions concerning whether the business is minority-owned, women-owned, or LGBTQI+-owned.
• Principal Owners' Ethnicity, Race, and Sex and Number of Principal Owners – For each reportable application, information concerning the principal owners' ethnicity, race, and sex must be collected and reported, as well as the number of principal owners. Applicants must be permitted to refuse to answer questions concerning principal owner's ethnicity, race, and sex.

Firewall

The Rule prohibits certain employees and officers of a covered financial institution or its affiliates from accessing certain demographic information obtained from small business applications. The prohibition applies to an employee or officer of a covered financial institution or one or more of its affiliates if the employee or officer is "involved in making any determination" concerning a reportable application.

The Guide discusses the Rule's commentary concerning what does and does not constitute being involved in making a determination concerning a reportable application. For example, developing policies and procedures; discussing credit products, loan terms, or loan requirements with a small business prior to an application; gathering information (including reportable demographic information); and forwarding that information to other individuals or entities are all not considered "making a determination" concerning a reportable application. However, making or participating in a decision to approve or deny a specific reportable application, making or participating in a decision that a guarantor or collateral is required to approve an application, or making or participating in a decision regarding a counteroffer made to a specific applicant are all examples of "making a determination" concerning a reportable application.

Although the Rule generally prohibits certain employees and officers from accessing certain demographic information, the Rule provides an exception if the financial institution determines that the particular employee(s) or officer(s) should have access to demographic information collected pursuant to the Rule, and the covered financial institution provides notice to applicants that an employee or officer with decision-making authority has access to the demographic information provided. Under those circumstances, that employee or officer is not prohibited from accessing the information.

Takeaways

The Guide provides small business entities with guidance concerning the scope and coverage of the Rule, the Rule's reportable data points, and the Rule's firewall provisions. Although the first- tiered compliance date under the Rule does not start until October 1, 2024 for those covered financial institutions that originated at least 2,500 covered originations in calendar years 2022 and 2023, that does not mean there is nothing to be done now.

Understanding the Rule's coverage, what data points must be reported, and the firewall provisions now means that entities can start drafting policies and procedures to maintain compliance, drafting questionnaires to start collecting reportable information, and ensuring that systems will be ready once compliance is necessary. Covered institutions should also actively monitor the American Bankers Association's challenge to the Rule. On May 14, the American Bankers Association joined a lawsuit filed by the Texas Bankers Association and Rio Bank, challenging the Rule as a violation of the APA and invalid, and arguing that the CFPB is unconstitutional. While the litigation is still in its initial phase, if the court decides to invalidate the Rule, it will affect covered institutions' compliance deadlines. Keeping abreast of the litigation and any changes to the Rule's effective date will be crucial in assessing compliance obligations.