A new rule that recently went into effect will, in the near future, impact the way banks, fintechs and other financial institutions who lend to small businesses are required to collect customer information.
Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) amended the Equal Credit Opportunity Act (ECOA) to require financial institutions that serve small businesses to collect certain demographic data on applications for credit from women-owned, minority-owned and small businesses.
On March 30, 2023 the Consumer Finance Protection Bureau (CFPB) issued a final rule to implement section 1071. While the rule is now in effect, the first covered businesses will not be required to comply until 2024 and to report by June 1, 2025.
The 1071 rule has two main purposes. The first is to create oversight to ensure that lenders are not discriminating against businesses based on the fact that they are woman-owned, minority-owned, LGBTQI+-owned or their status as a small business. A small business as defined by the CFPB is a business with $5 million or less in gross annual revenue for its preceding fiscal year.
The second purpose is to collect and publish aggregate data about the above business types. This will allow regulators to discern patterns in lending and advocacy groups and nonprofits to use this data in order to further their goals. For example, the National Community Reinvestment Coalition (NCRC) works with lenders to identify “credit gaps” and rectify them. They currently use data from the Home Mortgage Disclosure Act (HMDA), but state that this new reporting requirement will allow them to perform similar advocacy when it comes to business lending.
The three main laws Rule 1071 builds on are:
The Dodd-Frank Wall Street Reform and Consumer Protection Act - A financial reform law passed in 2010 designed to curtail risky financial behaviors such as those that led to the 2007-2008 financial crisis. Aspects of the act took years to implement, which is why we’re still seeing its far-reaching effects.
The Equal Credit Opportunity Act (ECOA) - Enacted in 1974, this federal civil rights law prohibits lenders from discriminating against borrowers on any basis aside from their ability to repay.
The Home Mortgage Disclosure Act (HMDA) - Historically, practices such as redlining in the mortgage lending space, have been used to deny credit to qualified applicants. Passed in 1975, this rule requires that lenders provide anonymized sex, race and income data for borrowers applying for home mortgages. Governments and advocates use the data to ensure fair mortgage lending practices.
The 1071 final rule applies to “covered financial institutions.” The CFPB defines a covered institution as any bank, financial institution or other lender who “originated at least 100 covered originations” in each of the two preceding calendar years.
According to the CFPB, this includes but is not limited to:
In other words, if your bank, financial institution, fintech or other entity made at least 100 loans or sold another qualifying financial product (such as equipment financing) to one of the minority-owned or small business types covered by the 1071 rule in the past two calendar years, then your business is required to comply.
The new 1071 rule has both data collection and reporting requirements. The data collection requirements will affect your business’s onboarding, and covered financial institutions must collect the following information:
The financial institution must also ask for the following demographic information:
As part of the application process, you must allow applicants to decline to provide their demographic info. However, the rule clearly states that the questions asking for this info must be “prominently displayed,” asked before a lending decision is made, and that lenders must not do anything to discourage borrowers from answering these questions.
As part of compliance, lenders must also create procedures to identify and respond to low-responses to this data. If lenders notice that many applicants are not filling out this demographic data, the CFPB encourages lenders to update their onboarding processes to encourage self-reporting.
Further, the rule permits institutions to use “appropriate 3rd party sources'' like Middesk to collect this information. For example, the financial institution could use a business income tax filing made within the past calendar year to confirm the borrower’s gross income. Or the lender could use demographic data (such as woman, minority or LGBQTI+ status) if already collected within the past 36 months.
Last but not least, the CFPB requires a “firewall” between demographic data and other data used in decision-making. The rule already states that self-reported demographic data can’t be used as a data point to decide whether or not to lend to a business. But this also means that analysts making credit decisions should not have access to this demographic data.
This CFPB details reporting requirements in their 1071 rule executive summary. In general, financial institutions must report by June 1 of the year following the compliance year.
The new rule introduces a tiered compliance system, with the banks, fintechs and FI’s who originate more than 2500 covered loans have the earliest compliance obligations. They have to start collecting this information as of Oct 1, 2024 and then report in June of 2025 (this means that only the final 3 months of 2024 are included in that first filing.)
Banks, fintechs with and FIs with less than 2500 covered loans but 500 or more must collect this new information as of April 1 2025 and report as of June 1, 2026.
The lowest tier includes institutions that originate at least 100 but fewer than 500 covered loans. They must begin collecting in 2025 and report June 1, 2027.
Aside from the financial and demographic information already listed above, institutions must also report:
Institutions are also required to keep copies of small business lending applications for three years. The demographic information (race, sex, LGBTQI+ status, etc.) is required to be kept separately from the rest of the application and accompanying information.
This new rule is complex, and we recommend reading the CFPB’s 1071 Rule Executive Summary for even more detailed information about compliance and reporting requirements.