As recently discussed on our podcast here, section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended the Equal Credit Opportunity Act (ECOA) to require lenders to collect information about small business credit applications they receive, including geographic and demographic data concerning the principal owners, lending decisions, and the price of credit. In September 2021, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule with more than 900 pages of supplementary material. The Bureau also issued a summary of the proposed rule and a chart of the data points that the rule would require creditors to collect, and it accepted approximately 2,100 comments on the proposal in January 2022. The Bureau then issued the Final Rule on March 30, 2023, with a host of supplementary materials. In this third in a multi-post blog series (first post available here, second here), we will take a closer look at what changed between the proposed rule and the Final Rule.
Did the Bureau remove any requirements from the Final Rule?
Yes, the CFPB did, based on public comments. Key changes include the following:
- The CFPB increased the number of required covered credit transactions a financial institution must originate per year to be covered under the Final Rule from 25 to 100, which was a favorable change for the industry.
- In the preamble to the Final Rule, the Bureau stated it made this change based on public feedback and because, even with the increase, 95% of all small business loans by banks and credit unions will be covered.
- The Bureau changed the required compliance date from 18 months across the board to a phased implementation based on origination volume.
- For financial institutions that originated at least 2,500 covered credit transactions in 2022 and 2023, the compliance date is October 1, 2024.
- For financial institutions that originated at least 200 covered credit transactions in 2022 and 2023, the compliance date is April 1, 2025.
- For financial institutions that originated at least 100 covered credit transactions in 2022 and 2023, the compliance date is January 1, 2026.
- For financial institutions that did not originate at least 100 covered credit transactions but subsequently originate at least 100 covered credit transactions in two consecutive calendar years, the compliance date is no earlier than January 1, 2026.
- The CFPB removed the visual observation requirements that related to the collection of demographic information about the principal owners.
- Under the proposed rule, if in-person applicants refuse to provide demographic information, lenders would have been required to make a “guess” as to race/ethnicity based on visual appearance and last name.
- Unsurprisingly, this provision of the proposed rule garnered so much negative feedback that it was eliminated from the Final Rule.
- The CFPB changed the timeframe for which data collected can be reused.
- The proposed rule would have only allowed data to be reused for a year, whereas the Final Rule allows most data to be reused for 36 months.
- Notably, gross annual income data is still only allowed to be reused within the same calendar year.
- In all instances, the financial institution can only reuse data if it has no reason to believe the data is inaccurate.
- The CFPB reduced the number of NAICS code digits that need to be collected from six to three.
- The CFPB removed data collection and reporting requirements for transactions that are reportable under the Home Mortgage Disclosure Act of 1975 (HMDA) and insurance premium financing.
Did the Bureau add anything to the Final Rule?
Yes, mostly involving demographic information.
- The CFPB added a requirement to collect LGBTQI+ information on business owner’s status, which was not in the proposed rule.
- The CFPB also made it mandatory to provide a disclosure informing the applicant that federal law requires the lender to ask for the applicant’s minority owned, women owned, LGBTQI+ plus owned business status.
- This was in the proposed rule, but it wasn’t mandatory.
- Importantly, the CFPB added discouragement requirements through policy guidance published on the same day as the Final Rule. This is a critical change because the Bureau will begin examining for compliance with the anti-discouragement provisions immediately — there is no grace period. We will discuss this in depth in a future post.
Other notable changes to the Final Rule:
- Principal owners’ sex and gender information must be collected from applicants using a free-form field without predefined response categories.
- Financial institutions are not required to report if data is reused.