January 25, 2023

Small Business Lenders: CFPB's Anticipated Section 1071 Rule Would Impose New Data Collection, Reporting Obligations

Go-To Guide:

  • In a July 2022 stipulated order, the CFPB agreed to issue a final rule implementing Section 1071 of the Dodd-Frank Act by March 31, 2023. But in its 2022 Fall Rulemaking Agenda, the CFPB indicated that it may issue its final rule in January 2023.
  • The CFPB's anticipated rule would require covered financial institutions to collect and report data on small business loan applications, including applications from minority-owned and women-owned small businesses.
  • The CFPB's anticipated rule would be effective 90 days after publication in the Federal Register, and covered financial institutions would be required to comply with the CFPB's final rule 18 months after it is published in the Federal Register, with the first required reports probably due on June 1, 2025.
  • The CFPB's anticipated rule would create significant new compliance obligations and require lenders to make substantial operational changes, and it would also create risks by making data publicly available that regulators and class-action plaintiffs' attorneys may then use to bring suits alleging fair-lending violations.

After years of rulemaking efforts, the Consumer Financial Protection Bureau (CFPB) may issue a final rule later this month that would require lenders to collect and report data on small business loan applications, including applications from minority-owned and women-owned small businesses. According to the CFPB, when it is implemented, the rule will create the first comprehensive database of small business credit applications in the United States.

The anticipated rule would implement Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act (ECOA) to mandate this data collection and reporting. Section 1071 and the CFPB's anticipated implementing rule are intended to enable governmental entities, communities, and creditors to identify business and community development needs and opportunities for minority-owned and women-owned small businesses and, perhaps most important here, to facilitate enforcement of federal and state fair-lending laws.

According to the CFPB's October 2021 Notice of Proposed Rulemaking (NPRM), the "collection and subsequent publication of more robust and granular data regarding credit applications for small businesses, including those that are women- and minority-owned, will provide much-needed transparency to the small business lending market." The agency noted that the need for that transparency has been highlighted by recent events, including the COVID-19 pandemic, and by a shift away from traditional bank lenders to fintechs and providers of merchant cash advances (MCAs).

"Small businesses are the primary job creators and wealth builders in communities across the country," said then-CFPB Acting Director Dave Uejio in a statement issued when the proposed rule was initially announced. "Yet too often, small business development is starved for want of access to responsible, fairly priced credit. Today, we are proposing a rule that would help us all learn how small enterprises fare when trying to access financing, and what barriers are holding them back from further prosperity."

That said, current CFPB Director Rohit Chopra has acknowledged concerns that the rule's compliance effect on smaller financial institutions could affect the supply of credit to the nation's small businesses.


As proposed, the rule would apply to "covered financial institutions," a term defined to include any financial institution (FI) that originated at least 25 "covered credit transactions" to "small businesses" in each of the two preceding calendar years. The term "covered credit transactions" is defined, in turn, to mean "any extension of business credit" that is not trade credit, public utilities credit, securities credit, or incidental credit. Factoring, leasing, and consumer-designated credit transactions or transactions involving credit secured by investment properties would not be covered credit transactions. But loans, lines of credit, credit cards, and MCAs would be covered credit transactions.

Under those definitions, the rule's requirements would apply to a variety of entities that engage in small business lending as long as they satisfy the origination threshold, including depository institutions (i.e., banks, savings associations, and credit unions), online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, commercial finance companies, governmental lending entities, and nonprofit lenders.


The rule would require covered FIs to collect and report data regarding any "covered application" from any "small business." The term "covered application" is defined to include any oral or written request for a covered credit transaction, but does not include any inquiries or prequalification requests or requests for reevaluation, extension or renewal, unless the request seeks additional credit amounts. The term "small business" is defined to include any business whose gross annual revenue for the preceding fiscal year was $5 million or less.

Data Generated by the FI. Covered FIs would be required to generate new data and collect data that they probably already generate. For instance, they would be required to generate a unique identifier for each covered application or covered credit transaction and provide information about each application or transaction that they probably already generate, including information about the application method (i.e., the means by which the applicant submitted its application), the application submitter (i.e., whether the application was submitted directly by the applicant or indirectly via an unaffiliated third party), the action taken on the application (i.e., granted or denied), and the date the action was taken. In addition, covered FIs would have to provide additional information about denied applications (i.e., the reason for the denial) and about granted applications (i.e., the amount approved or originated and pricing information, including the interest rate, total origination charges, broker fees, initial annual charges, additional cost for MCAs or other sales-based financing, and prepayment penalties).

Data Collected from the Applicant. Covered FIs would also be required to collect data from applicants, including information about the type, intended use, and amount of the credit sought as well as geographic data and information about the applicant's status as a minority-owned or women-owned small business and about the demographics (i.e., ethnicity, race, and sex) of the applicant's principal owners.

Reporting. Covered FIs would be required to collect the required data on a calendar-year basis and report to the CFPB by June 1 of the following year. The CFPB plans to make the submitted data available to the public annually, with some modifications or deletions to protect privacy. Additionally, the FI would be required to post a statement on its public-facing website that its small business lending application registry is available on the CFPB's website.

Firewall. Covered FIs would be required to create a firewall, intended to limit certain employees' and officers' access to certain data. In a nutshell, and subject to a limited exception, employees or officers who are involved in making any determination concerning a covered application would be prohibited from accessing information about the applicant's status as a minority-owned or women-owned small business and about the demographics (i.e., ethnicity, race, and sex) of the applicant's principal owners.

Recordkeeping. Covered FIs would be required to retain evidence of their compliance with the proposed rule for at least three years, and would be required to maintain an applicant's responses to the Section 1071 inquiry separate from other information related to the applicant's application.

Key Takeaways

The CFPB's anticipated rule implementing Section 1071 of the Dodd-Frank Act would create significant new compliance obligations and require lenders to make substantial operational changes, to the extent they have not already done so. Moreover, the anticipated rule would require lenders to make data publicly available that regulators and class-action plaintiffs' attorneys might then use to initiate investigations, bring real (or frivolous) lawsuits alleging federal or state fair-lending law violations, and bring third-party challenges to regulatory approval for proposed mergers and acquisitions. In short, lenders should consider beginning work now to develop the tools they need to comply with the CFPB's anticipated rule and to understand and address any gaps in their fair lending programs. Financial institutions that are not presently analyzing small business lending data for fair lending purposes should consider a proactive assessment of their risks.

Special thanks to Tessa Cierny* for her valuable contributions to this GT Alert.

* Not admitted to the practice of law.
