April 17, 2023

Key Aspects of the CFPB's Finalized Small Business Data Collection Rule


The US Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) published its final rule implementing Section 1071 of the Dodd-Frank Act on March 30, 2023.1 The rule requires lenders to collect and report data about their small business lending activities, with the purpose of facilitating enforcement of fair lending laws with respect to women-owned, minority-owned, and small businesses. The 888-page rulemaking has been long-awaited by industry participants and advocacy groups. Indeed, the CFPB issued the rule just one day before its court-mandated deadline for finalization, and over 12 years after Congress passed the Dodd-Frank Act and directed the CFPB to implement small business data collection rules.

The final rule’s requirements are extensive, and implementation may present a number of operational challenges. Covered institutions that are experienced with the Home Mortgage Disclosure Act’s (“HMDA”) reporting requirements for mortgage loans may be better positioned to implement the small business data collection rule’s requirements, although implementation likely will be a complicated, lengthy process for all covered institutions. The CFPB seems to recognize that implementing business processes, policies, and procedures to comply with the data collection rules will require significant time and resources, and the final rule sets forth a tiered implementation schedule based on the number of small business loans a lender originates. Lenders will be required to start collecting the required data on various dates between October 24, 2024 and January 1, 2026.

Below, we discuss the background of the final rule and spotlight some of the new rule’s key requirements, including which institutions are covered, the data points institutions will be required to collect and report, and significant changes made to the final rule from the CFPB’s 2021 proposed version of the rule.


The origin of the small business data collection rule traces back to 2010 and the passage of the Dodd-Frank Act. Section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act (“ECOA”) to require creditors to collect, and report to the CFPB, certain information designed to effectuate federal fair lending laws with respect to women-owned, minority-owned, and small businesses. It was not clear at the time whether the Section 1071 data collection obligations were self-executing or if the CFPB was required to promulgate implementing regulations prior to the data collection requirements becoming effective. On April 11, 2011, the CFPB’s general counsel issued the Bureau’s first piece of industry guidance, indicating that obligations under Section 1071 would not take effect until the Bureau issued implementing regulations, which he indicated it would do “expeditiously.” Despite this statement, however, the small business data collection rulemaking appeared only sporadically on the Bureau’s regulatory agenda throughout the ensuing decade, each time without a proposed rule ever materializing.

The CFPB’s delay in beginning the rulemaking process to implement Section 1071 did not go unnoticed by consumer advocacy groups. In 2019, two community groups and two individuals filed suit to compel the agency to carry out the required rulemaking. This suit culminated in a February 2020 settlement, under which the CFPB committed to a timeline for the 1071 rulemaking. In September 2021, the Bureau issued a proposed rule to implement Section 1071 of the Dodd-Frank Act. Approximately 2,100 comments were submitted in response to the proposed rule. And on March 30, 2023, the CFPB issued the final rule. Certain key aspects of the final rule are highlighted below.

Key Terms and Definitions

What types of credit transactions and applications are covered?

A covered credit transaction under the final rule generally aligns with the existing definitions of “credit” and “business credit” under ECOA and its implementing regulation, Regulation B. Under ECOA and Regulation B, “credit” is defined as “the right granted by a creditor to an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor.”2 Under the final rule, covered business credit transactions include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes. There are a number of excluded transaction types, including, but not limited to, trade credit, HMDA-reportable transactions, insurance premium financing, incidental credit, factoring, true leases, purchases of a credit transaction, purchases of an interest in a pool of credit transactions, and purchases of a partial interest in a credit transaction, such as a participation interest. Some of these exclusions—such as incidental and trade credit—mirror exclusions already found in Regulation B, while other exclusions are unique to the new rule.

One nuanced aspect of the final rule is that it treats true leases differently from finance leases that create a security interest. Finance leases that create a security interest are treated as covered credit transactions, while true leases are excluded transactions. For purposes of the final rule, an excluded lease is defined as a transfer from one business to another of the right to possession and use of goods for a term, and for primarily business or commercial (including agricultural) purposes, in return for consideration. In contrast, a sale on approval or a sale or return, or a transaction resulting in the retention or creation of a security interest that otherwise meets Regulation B’s definition of credit, is a covered credit transaction.

A covered financial institution is required to collect and report data on applications for covered credit transactions from small businesses. A “covered application” is defined as an oral or written request for a covered credit transaction that is made in accordance with procedures used by the financial institution for the type of credit requested. Although this definition is generally consistent with the general definition of “application” under Regulation B, certain circumstances that are considered “applications” under Regulation B are not considered applications for purposes of the small business data collection rule. Specifically, covered applications under the final rule do not include:

  • Requests for reevaluation, extension, or renewal on an existing business credit account, unless the request seeks additional credit amounts or a line increase;
  • Inquiries and prequalification requests; and
  • Solicitations, firm offers of credit, and other evaluations that the covered financial institution initiates, unless the covered financial institution invites the business to apply for the credit and the small business actually does so.

Who must collect and report data?

“Covered financial institutions” are required to collect and report data to the CFPB under the final rule. A “covered financial institution” is any partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity, and that originated at least 100 covered originations in each of the two preceding calendar years. Covered financial institutions include depository institutions, online lenders, platform lenders, community development financial institutions, lenders involved in equipment and vehicle financing, farm credit system lenders, commercial finance companies, merchant cash advance providers, governmental lending entities, and nonprofit lenders. In fact, there are limited exclusions based on lender type—so long as a lender originates the requisite number of qualifying small business loans, then it generally will be required to collect and report data under the final rule.

Loan brokers and correspondents that are not covered financial institutions themselves are permitted to collect data on behalf of a covered financial institution. The Official Staff Commentary to the final rule clarifies that third parties such as loan brokers and correspondents do not violate ECOA or Regulation B if they collect information for the purpose of providing it to a covered financial institution under the terms of the final rule, HMDA, or another statute or regulation requiring data collection, even if the broker or correspondent would otherwise be prohibited from collecting the information on its own behalf.

What entities are “small businesses”?

The rule requires covered financial institutions to collect and report certain data regarding their lending activities to covered small businesses. Generally, the final rule defines a small business by reference to the definition of “small business concern” under the Small Business Act. However, the Bureau’s definition of small business sets a separate financial threshold. In order for a business to be considered a “small business” under the final rule, it must have $5 million or less in gross annual revenue for the preceding fiscal year. This threshold will be adjusted for inflation every five years. Not-for-profit organizations and governmental entities are not small businesses pursuant to the final rule because they do not satisfy the definition of “small business concern.” As a result, covered financial institutions are not required to report data regarding applications from such businesses and entities.

The small business gross annual revenue threshold was a hotly debated topic during the rulemaking process. In the preamble to the final rule, the CFPB clarifies that it adopted the $5 million threshold from the proposed rule because the Bureau believes it strikes the right balance in terms of covering the small business credit market to fulfill Section 1071’s statutory purposes, while meeting the Small Business Administration’s (“SBA”) criteria for an alternative size standard. According to the CFPB, while cut-offs vary by financial institution, a common demarcation for small business customers are those with less than $5 million in gross annual revenue. Further, the CFPB found during the rulemaking process that small entity representatives generally preferred a simple small business standard over the complexity of the SBA’s North American Industry Classification System standards.

The final rule provides that a financial institution is permitted to rely on an applicant’s representations regarding gross annual revenue for purposes of determining small business status. However, if the applicant provides updated gross annual revenue information, or if the financial institution verifies the gross annual revenue information, the financial institution must use the updated or verified information in evaluating small business status.

Data Points for Collection and Reporting

The data points financial institutions must collect and report about covered small business credit transactions include certain information about the transaction, the small business, and the principal owners of the business, with “principal owner” being defined as an individual who directly owns 25 percent or more of the equity interests of a business. Examples of the types of data covered financial institutions must collect and report include:

  • The application date;
  • The application method;
  • The application recipient (i.e., whether the application was received directly, or indirectly via an unaffiliated third party);
  • The action taken by the covered financial institution on the application;
  • The reason the application was denied, if applicable;
  • The credit type;
  • The credit purpose;
  • The amount applied for;
  • A census tract based on an address or location provided by the applicant;
  • Gross annual revenue for the applicant’s preceding fiscal year;
  • The number of people working for the applicant;
  • The applicant’s time in business;
  • The number of the applicant’s principal owners;
  • The applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status; and
  • The applicant’s principal owners’ ethnicity, race, and sex.

The CFPB’s commentary provides some insights into the various required data points, including how to categorize certain data, that is not fully covered in the text of the rule. For example, the final rule requires covered financial institutions to collect and report data on whether the application method was in-person, telephone, online, or mail. The commentary clarifies that an “in-person” application is one submitted to the financial institution, or to another party acting on the financial institution’s behalf, in person, including, for instance, applications submitted at a branch office, at the applicant’s place of business, or via electronic media with a video component. The application method is considered “online” if the applicant submitted the application to the financial institution, or another party acting on the financial institution’s behalf, through a website, mobile application, fax transmission, electronic mail, text message, or some other form of text-based electronic communication. However, the final rule and commentary cannot cover all possible scenarios that may arise in connection with small business financing, so there likely will be numerous grey areas that institutions will need to navigate in preparing to implement new data collection processes.

The final rule also requires covered financial institutions to maintain procedures to collect applicant-provided data at a time and in a manner that are “reasonably designed” to obtain a response. These procedures must, at a minimum, have provisions to ensure that:

  • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application;
  • The request for applicant-provided data is prominently displayed and presented;
  • Applicants are not discouraged from responding to such requests; and
  • Applicants can easily respond to such requests.

Under the final rule, covered financial institutions are required to report the collected data in a small business lending application register (“LAR”), which will be in a CFPB-prescribed format. This approach is similar to reporting home mortgage loan data under HMDA. Covered financial institutions will be required to submit data from the prior calendar year by June 1 each year (compared to the annual March 1 filing deadline for HMDA LARs).


Although the final rule primarily focuses on the data collection and reporting requirements, the final rule also implements the statutory requirement under Section 1071 to limit certain persons’ access to certain data, termed the “firewall.” This provision has been the subject of industry concerns about the operational challenges in implementing such a firewall. Pursuant to the final rule, employees and officers of a covered financial institution (or its affiliate) that are involved in making any determination concerning the applicant’s covered application are prohibited from accessing an applicant’s responses to questions regarding demographic information (i.e., the applicant’s minority-owned, women-owned, and LGBTQI+-owned business status and regarding its principal owners’ ethnicity, race, and sex).

This prohibition does not apply to an employee or officer if the covered financial institution determines that the employee or officer should have access to one or more applicants’ responses to these inquiries, and the covered financial institution provides a notice to the applicants whose responses will be accessed. Alternatively, a covered financial institution can provide the notice to a broader group of applicants, up to and including all applicants, in order to comply with this notice provision. In addition, the final rule prohibits a covered financial institution or third party from disclosing this demographic information to other parties, except in limited circumstances.

Key Changes from the Proposed Rule

For those in the industry who have been closely following the Section 1071 rulemaking, the final rule contains some key changes from the proposal issued in September 2021. The changes reflect the CFPB’s consideration of more than 2,100 public comments on the
proposal, as well as extensive public input predating the proposal. Some of the most significant changes from the proposed rule are:

  • No visual observation. A widely criticized component of the proposed rule was a proposed requirement for lenders to use visual observation to collect and report on the applicant’s principal owners’ ethnicity, race, and sex if the applicant declined to provide that information. In response to those comments, the CFPB has eliminated any such requirement, and the final rule prohibits covered financial institutions from collecting or reporting on those data points based on visual observation, surname, or any basis other than the applicant’s own response.
  • Addition of LGBTQI+ to reporting categories. As to demographic information regarding an applicant and its principal owners, the proposed rule required covered financial institutions to ask an applicant about its status as minority-owned or women-owned business. The final rule adds status as an LGBTQI+-owned business to this list.
  • Exclusion of HMDA-reportable loans. Another highly controversial aspect of the proposed rule was the lack of a wholesale exclusion of HMDA-reportable loans as covered credit transactions. In a welcome departure from the proposed rule, HMDA-reportable mortgage loans that are already required to be reported under HMDA will not need to be separately reported under the small business lending rule. The rule will also work in concert with forthcoming rules under the Community Reinvestment Act’s reporting requirements. Under the regulators’ Community Reinvestment Act proposal, data submitted under the CFPB’s Section 1071 rule will satisfy the relevant Community Reinvestment Act requirements.
  • Discouragement. As described in greater detail below, in policy guidance issued on the same day as the final rule, the CFPB highlighted its concerns over discouragement of the reporting of demographic information. The Bureau also stated that it plans to focus its supervisory and enforcement efforts in connection with the small business rule on potential discouragement, using institutions’ self-reported demographic information. The final rule includes a requirement for financial institutions to maintain procedures to identify and respond to signs of potential discouragement, including low response rates related to applicant-provided data. The final rule states that low response rates may indicate discouragement or another failure by an institution to maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response.

Implementation Timeline

As noted above, the CFPB has decided on a complicated, muti-tier implementation timeline, depending on the number of covered loans an institution originates, as well as other factors. The deadlines to begin collecting data and otherwise comply with the final rule are as follows:

  • October 1, 2024 for a covered financial institution if it originated at least 2,500 covered originations in both 2022 and 2023;
  • April 1, 2025 for a covered financial institution if it:
    • originated at least 500 covered originations in both 2022 and 2023;
    • did not originate 2,500 or more covered originations in both 2022 and 2023; and
    • originates at least 100 covered originations in 2024; and
  • January 1, 2026 for a covered financial institution if it originates at least 100 covered originations in both 2024 and 2025.

In addition, the CFPB has indicated that it intends to issue a supplementary proposal to provide additional implementation time for small lenders that have strong records of performance under the Community Reinvestment Act and similar state laws.

Anticipated Enforcement

In policy guidance issued concurrently with the final rule, the CFPB warned covered financial institutions that it intends to focus its supervisory and enforcement activities on ensuring financial institutions do not discourage applicants from providing responsive data.3 The statement notes that the final rule requires covered financial institutions to design their small business data collection methods in way that will not discourage applicants from submitting responsive information, including by ensuring that requests for data are prominent, applicants can easily respond and requests for information are made prior to notifying the applicant of the lending decision. As described above, the final rule also requires covered financial institutions to work to identify and respond to potential indicia of discouragement in their practices, policies, and procedures—including low response rates. The CFPB stated that covered institutions should promptly investigate any indicia of potential discouragement, promptly remediate any improper conduct, monitor for low response rates and significant irregularities (including monitoring rates by division, location, loan officer, or other factors), and provide adequate training to persons involved in data collection.

In the policy guidance, the CFPB highlights that it intends to pay particular attention to covered financial institutions’ response rates for data requested from applicants. The CFPB plans to compare the response rates of institutions of a similar size, type, and geographic reach. In addition, the CFPB will consider irregularities related to a particular response, such as high rates of a particular lender’s applicants refusing to provide the requested information compared to similar lenders. The CFPB suggests that such irregularities may indicate steering, improper interference, or other potential discouragement or obstruction of applicants’ ability to provide their preferred responses.

*          *          *          *

Implementing processes, policies, and procedures to comply with the new small business data collection rule is likely to require significant effort and resources. Accordingly, small business lenders should start considering how they will comply with the rule’s requirements and build out processes to collect and report the required information. Mayer Brown is available to assist in navigating the complexities of the small business data collection rule as it applies to your business.



1 CFPB, Small Business Lending under the Equal Credit Opportunity Act (Regulation B) (Mar. 30, 2023), https://files.consumerfinance.gov/f/documents/cfpb_1071-final-rule.pdf. See also our prior blog post that briefly summarizes the new rule: https://www.cfsreview.com/2023/04/cfpb-finalizes-long-awaited-small-business-data-collection-rule/.

2 15 U.S.C. 1691a(d); 12 C.F.R. § 1002.2(j).

3 CFPB, Statement on Enforcement and Supervisory Practices Relating to the Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B (Mar. 30, 2023), https://files.consumerfinance.gov/f/documents/cfpb_1071-enforcement-policy-statement.pdf.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.