As recently discussed on our podcast here, section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended the Equal Credit Opportunity Act (ECOA) to require lenders to collect information about small business credit applications they receive, including geographic and demographic data concerning the principal owners, lending decisions, and the price of credit. The Consumer Financial Protection Bureau (CFPB or Bureau) issued its massive, highly technical, and complicated Final Rule on March 30, 2023. In this second in a multi-post blog series (the first post is available here), we will take a closer look at the data collection and reporting requirements of the Final Rule.
The Final Rule requires covered financial institutions to collect and report three types of data concerning small business loan applications: 1) data points that the financial institution itself generates, such as the unique application identifier number and the action taken on the application by the institution, as well as reasons for denial (for declined applications); 2) data points that are based on information that could be collected either from the applicant or through a third-party source, such as information related to the applicant’s business, credit type, credit purpose, and the amount the applicant applied for; and 3) demographic information requested and collected from the applicant, such as the applicant’s status as a minority-owned, women-owned, or LGBTQI+-owned business, and the race, sex, and ethnicity of the applicant’s principal owners.
What about repeat customers?
If an applicant is a repeat customer of the financial institution and has previously provided these data points, the financial institution may reuse the data collected within 36 months (3 years) of the date of the application being assessed. So, if an applicant submitted an application in 2021 and later submitted an application in 2023, the financial institution would be permitted to reuse the data from the 2021 application. However, for any previously collected data that a financial institution relies upon, the financial institution must ensure that it has no reason to believe the data is inaccurate.
There are also a few limitations to the three-year look-back period. First, for the “gross annual revenue” data point, financial institutions are only allowed to reuse this data if it was collected in the same calendar year as the applicant’s current application submission. Second, a financial institution may only reuse previously collected demographic information (for example, minority-owned business status, race, or sex) if the data was previously collected pursuant to the Final Rule.
Is an applicant required to provide the demographic information requested?
No, whether an applicant chooses to provide the demographic data points is completely up to the applicant, and the applicant may refuse to do so. In fact, the Final Rule requires financial institutions to inform applicants that they are not required to submit these demographic data points with their applications. If the applicant fails or declines to provide this information, however, the financial institution must report the applicant’s failure or refusal.
What are the procedural requirements for collecting demographic data?
Financial institutions must maintain procedures to collect demographic data points at a time and in a manner that are reasonably designed to obtain a response.
- Timing: Financial institutions must seek to collect applicant-provided data, at the latest, before notifying the applicant of final action taken on the application. The Bureau has expressed that seeking to collect the demographic information earlier in the application process is generally better.
- Manner of collection: Financial institutions must present requests for these demographic data points in a manner that ensures an applicant actually sees or hears the request. Requests cannot be obscured or presented in a way that applicants are likely to overlook.
- Easy Response Process: Financial institutions must ensure that applicants can easily respond to these data requests. The demographic information form, for example, cannot be more difficult or burdensome to fill out and provide than the remainder of the loan application.
- Monitoring: Financial institutions must monitor their collection of applicant data to identify any signs of potential discouragement. We’ll be writing separately about this very important aspect of the Final Rule.
How does a financial institution report these data points to the Bureau?
The Final Rule directs financial institutions to the Bureau’s Filing Instruction Guide (FIG), which sets forth the technical instructions for the submission of data to the Bureau. Financial institutions are required to report data to the Bureau by June 1 of the year following the calendar year in which the financial institution collected the data. For example, data collected for 2024 must be reported by June 1, 2025.
As for when the financial institutions must start reporting, the Bureau adopted a tiered approach that requires later reporting dates for smaller lenders:
- For financial institutions that originated at least 2,500 covered credit transactions in 2022 and 2023, the compliance date is October 1, 2024.
- For financial institutions that originated at least 200 covered credit transactions in 2022 and 2023, the compliance date is April 1, 2025.
- For financial institutions that originated at least 100 covered credit transactions in 2022 and 2023, the compliance date is January 1, 2026.
- For financial institutions that did not originate at least 100 covered credit transactions but subsequently originate at least 100 covered credit transactions in two consecutive calendar years, the compliance date is no earlier than January 1, 2026.