CFPB Proposes Rule for Small Business Data Collection
On Wednesday, September 1, 2021, the CFPB published a long-awaited proposed rule that implements Section 1071 of the Dodd-Frank Act. This part of the Act amended the Equal Credit Opportunity Act (ECOA) and directed the bureau to establish a framework for collecting data about certain small business loans, data that is somewhat like what is collected under the Home Mortgage Disclosure Act (HMDA) and its implementing Regulation C. The proposal is over 900 pages long, but the rule text, sample forms and commentary amount to about 140 pages. The rule will be housed in Regulation B once finalized. Since the rule is long, so this blog runs a bit long too. Here are a few highlights to note, and NAFCU will seek member feedback in the coming weeks to formulate comments on this proposal.
Scope and Key Definitions
For most regulations, the definitions of key terms help determine the scope of the rule and this proposal is no exception. Much like HMDA, the rule has a specific definition of “financial institution” that would determine which credit unions must follow the rule. However, the definition used in the proposal is much broader than the HMDA definition, with the only carve out for those under a minimal transactional threshold. A “covered financial institution” is one “that originated at least 25 covered credit transactions for small businesses in each of the two preceding calendar years.” Note that unlike HMDA, there is no carve out for a credit union under a certain asset threshold (currently set at $48 million or less) or for those not operating in a Metropolitan Statistical Area. So as proposed, credit unions that are currently exempt from HMDA reporting could be subject to this rule if they are above the transactional threshold and offer the kinds of products to the kinds of entities covered by the rule.
Most business credit is included in the proposal’s definition of “covered credit transaction,” such as credit cards, lines of credit and term loans. There are some exclusions for some specific categories of credit like trade credit, where a business acquires goods or services without making immediate payment to the entity providing the goods or services. Definitions in current Regulation B exceptions are also incorporated as exclusions like “incidental credit” which is narrowly defined as credit that is not part of a credit card account, not subject to a finance charge and not payable in more than four installments.
So what is a “business” and a “small business”? Both the Dodd-Frank Act and the proposed rule rely on the statute and rules for small business sizing for certain Small Business Administration (SBA) programs. Specifically, the proposed rule cross-references 13 CFR 121.101 through 121.107 and existing SBA interpretations would be utilized to make determinations. The proposal’s definition of business cross-references 13 CFR 121.105, which is the SBA’s definition for “business concern or concern.” This is, in part, “a business entity organized for profit, with a place of business located in the United States, and which operates primarily within the United States or which makes a significant contribution to the U.S. economy through payment of taxes or use of American products, materials or labor.” The definition goes on to note that the business concern could take multiple legal forms and fall within rules. Examples include but are not limited to: an individual proprietorship, partnership, limited liability company, and corporations. However, a business must have gross annual revenue of $5 million or less for its preceding fiscal year for the proposed rule to apply.
The SBA’s size and affiliation standards are also cross-referenced for determining if an entity is a small business. These rules are rather technical but include sizing standards adopted by the North American Industry Classification System (NAICS) and provisions for how affiliates are considered as part of the sizing process.
Proposed Data Collection
There are 23 data points in the proposal, some mandated by the statute and a few adopted under the bureau’s discretion. Many data points are the same or similar to HMDA such as: a unique identifier for each application that includes the credit union’s legal entity identifier, the application date, the type of credit, credit purpose, loan amount applied for, loan amount approved, action taken on the application, action taken date, denial reasons, and pricing information. Some data points are more unique to businesses, such as the gross annual revenue, number of principal owners, number of workers, time in business and the entity’s NAICS code.
The proposal would also require gathering data on whether the business is minority-owned and/or woman-owned as well as race and ethnicity data about the principal owners of the business. These are defined terms, with “minority individual” meaning someone who is “American Indian or Alaska Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, and/or Hispanic or Latino.” “Minority-owned business” would be one for which more than 50% of ownership control is held by one or more minority individuals, and more than 50% of net profits or losses accrue to such individuals. The same ownership and net profits/losses metrics apply to determine if a business is “woman-owned” under the proposal.
The proposed staff commentary and model form show the categories and disaggregated subcategories of race and ethnicity options that would need to be presented to the applicant. This includes “free form” boxes where borrowers can write in their own selection that is not represented in the form. The proposal would also require allowing applicants to make multiple selections. Of note, borrowers would not be required to provide this information, and there is a box to check on the model form where the borrower can note this. But much like HMDA, under the proposal if credit union staff meet with any of the principal owners in the process, they would be required to collect race and ethnicity data “on the basis of visual observation and/or surname.” Here is the second page of the model form:
Firewall
Some data points that would be collected indicate that a business owner is a member of a protected class, such as their race and ethnicity. The proposal would also require credit unions to create a “firewall” so that staff involved in decision-making regarding the loan application, such as underwriters, do not have access to this data. There is a narrow exception to this requirement if it is not “feasible” to limit staff’s access to the information. In these situations, a notice would need to be provided to the borrower.
Annual Reporting Deadline, Effective Date, and Compliance Deadline
Data would need to be reported annually, by June 1 of the following calendar year. An authorized representative of the credit union would be required to certify the accuracy of the data. Much like with HMDA, the CFPB would publish a Filing Instructions Guide with technical requirements for how to submit the data. Also, under the proposal, the bureau would make the data available publicly on an annual basis and, at its discretion, publish aggregate data.
The bureau is proposing that these rules, when finalized, would become effective 90 days after publication in the Federal Register with a mandatory compliance deadline 18 months after such publication. Early compliance would be permitted. However, 18 months proved not enough time back when the HMDA rules were overhauled, in part due to challenges with vendors. The implementation timeline may prove challenging, especially if the Filing Instruction Guide and other guidance are not ready at the time a final rule is published. This would hinder the ability to start working on implementation as those technical specifications are important.
The bureau created several resources along with the proposal that may be helpful to review, which can be found on this webpage. In addition to the proposed rule, there is also a summary of the proposal, a chart of proposed data points and the reports partially relied upon in forming the proposal.
NAFCU will publish a Regulatory Alert on the proposal in the coming weeks and seek feedback from our members. We encourage credit unions to share insights and potential challenges this rulemaking presents to aid in formulating our comments to the CFPB.
About the Author
Brandy Bruyere, NCCO, Vice President of Regulatory Compliance/Senior Counsel, NAFCU
Brandy Bruyere, NCCO was named vice president of regulatory compliance in February 2017. In her role, Bruyere oversees NAFCU's regulatory compliance team who help credit unions with a variety of compliance issues.