InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB issues guide on collecting small-biz data
The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.
Texas bankers seek to invalidate CFPB’s small business lending rule
On April 26, plaintiffs, including a Texas banking association, sued the CFPB, challenging the agency’s final rule on the collection of small business lending data. As previously covered by InfoBytes, last month, the Bureau released its final rule implementing Section 1071 of the Dodd-Frank Act, which requires financial institutions to collect and provide to the Bureau data on lending to small businesses with gross revenue under $5 million in their last fiscal year. According to the Bureau, the final rule is intended to foster transparency and accountability by requiring financial institutions—both traditional banks and credit unions, as well as non-banks—to collect and disclose data about small business loan recipients’ race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing.
The plaintiffs’ goal of invalidating the final rule is premised on the argument that it will drive from the market smaller lenders who are not able to effectively comply with the final rule’s “burdensome and overreaching reporting requirements” and decrease the availability of products to customers, including minority and women-owned small businesses. Plaintiffs argued that the Bureau “took the original three pages of legislation and the 13 reporting data points required by [Dodd-Frank] and turned them into almost 900 pages of rulemaking—a new [f]inal [r]ule that requires banks to develop and implement new software and compliance mechanisms to comply with over 80 reporting requirements that have been exponentially grown by the CFPB since the Act requiring this [r]ule was passed.”
The plaintiffs further pointed to a decision issued by the U.S. Court of Appeals for the Fifth Circuit in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the court found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here), as justification for why the final rule should be set aside. The plaintiffs also pointed out certain aspects of the final rule that allegedly violate various requirements of the Administrative Procedure Act, and claimed that a recent data breach involving sensitive information on numerous financial institutions and consumers indicates that the agency is unprepared “to adequately assess the security and privacy impacts of its massive § 1071 data collection on small businesses.” The complaint seeks a court order finding the final rule to have been premised on the same unconstitutional grounds as found in CFSA, preliminary and permanent injunctions to set aside the final rule, and attorney fees and costs.
CFPB finalizes Section 1071 rule on small business lending data
On March 30, the CFPB released its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year, which the Bureau will ultimately publish. (See also an executive summary here.)
As explained in a corresponding fact sheet, the final rule is intended to foster transparency and accountability by requiring financial institutions—both traditional banks and credit unions, as well as non-banks—to collect and disclose data about small business loan recipients’ race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing. The credit application information will be compiled in a comprehensive, publicly available database to help policymakers, borrowers, and lenders better address economic development needs and adapt to future challenges. The final rule also contains a sample data collection form that lenders can, but are not required to, use to collect applicants’ demographic data, and while small businesses are given the option not to provide this information, lenders must not discourage applicants from supplying this data (as explained in more detail in an accompanying policy statement). The Bureau also released a report detailing user testing research used to learn about lenders’ likely experience in filling out the sample data collection form, as well as a report describing the agency’s methodology for estimating how many lenders will be required to report under the final rule and for producing cost estimates associated with implementing the final rule.
The final rule contains important changes from the proposed rule issued in September 2021 (covered by a Special Alert here). Explaining that these changes are designed to make the final rule more effective and easier to follow, the Bureau stated that larger lenders will be required to collect and report data earlier than small lenders. The reporting requirements begin once a lender originates at least 100 covered small business loans in each of the two prior calendar years—a threshold that “accounts for more than 95 percent of small-business loans by banks and credit unions,” the Bureau said in its press release, noting that it was raised from the originally proposed 25-loans-per-year threshold.
While the final rule is effective 90 days after publication in the Federal Register, lenders will follow a tiered compliance date structure:
- Lenders that originate at least 2,500 covered small business loans in both 2022 and 2023, must begin collecting data on October 1, 2024.
- Lenders that originate at least 500 covered small business loans in both 2022 and 2023, must begin collecting data on April 1, 2025.
- Lenders that originate at least 100 covered small business loans in both 2022 and 2023 must begin collecting data on January 1, 2026.
- Lenders that did not originate at least 100 covered small business loans in both 2022 and 2023, but subsequently originated at least 100 transactions in two consecutive calendar years may begin collecting data no earlier than January 1, 2026.
- Lenders that originate between 100 and 500 small business loans in both 2024 and 2025, must begin collecting data on January 1, 2026.
Other changes from the proposal include allowing applicants to self-identify demographic information, including race and ethnicity, rather than requiring loan officers to make the determination. The final rule also now includes an exclusion for mortgage loans that must be reported under HMDA, and suggests that under the federal regulators’ forthcoming Community Reinvestment Act (CRA) reporting requirements, data submitted under the Bureau’s final rule will satisfy relevant CRA requirements. Additionally, financial institutions and other third parties will be allowed to develop services and technologies to assist lenders with collecting and reporting data. The Bureau noted that it is working on a supplementary proposal that would, if finalized, give more compliance time for small lenders that are already successful in meeting the needs of the local communities they serve.
CFPB Director Rohit Chopra commented that the final rule’s impact “will be in the comprehensive data that it produces, which can be used by lenders, borrowers, and the broader public to achieve better credit outcomes for small businesses and communities across the country.”
CFPB releases regulatory agenda
Recently, the Office of Information and Regulatory Affairs released the CFPB’s fall 2022 regulatory agenda. Key rulemaking initiatives that the agency expects to initiate or continue include:
- Overdraft and NSF fees. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation Z with respect to special rules for determining whether overdraft fees are considered finance charges. According to the Bureau, the rules, which were created when Regulation Z was adopted in 1969, have remained largely unchanged despite the fact that the nature of overdraft services has significantly changed over the years. The Bureau is also considering whether to engage in pre-rulemaking activity in November regarding non-sufficient fund (NSF) fees. The Bureau commented that while NSF fees have been a significant source of fee revenue for depository institutions, recently some institutions have voluntarily stopped charging such fees.
- FCRA rulemaking. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation V, which implements the FCRA. As previously covered by InfoBytes, on January 3, the Bureau issued its annual report covering information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). CFPB Director Rohit Chopra noted that the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.”
- Section 1033 rulemaking. Section 1033 of Dodd-Frank provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA). The outline presents items under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” (Covered by InfoBytes here.) The Bureau anticipates issuing a SBREFA report in February.
- Amendments to FIRREA concerning automated valuation models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by Dodd-Frank to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline and report in February and May 2022 respectively (covered by InfoBytes here), and estimates that the agencies will issue a notice of proposed rulemaking (NPRM) in March.
- Property Assessed Clean Energy (PACE) financing. The Bureau issued an advance notice of proposed rulemaking (ANPRM) in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions. (Covered by InfoBytes here.) The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act Section 307 in April.
- Nonbank registration. The Bureau issued an NPRM in December to enhance market monitoring and risk-based supervision efforts by including all final public written orders and judgments (including any consent and stipulated orders and judgments) obtained or issued by any federal, state, or local government agency for violation of certain consumer protection laws related to unfair, deceptive, or abusive acts or practices in a database of enforcement actions taken against certain nonbank covered entities. (Covered by InfoBytes here.) In a separate agenda item, the Bureau states that the NPRM would also require supervised nonbanks to register with the Bureau and provide information about their use of certain terms and conditions in standard-form contracts. The Bureau proposes “to collect information on standard terms used in contracts that are not subject to negotiating or that are not prominently advertised in marketing.”
- Credit card penalty fees. The Bureau issued an ANPRM last June to solicit information from credit card issuers, consumer groups, and the public regarding credit card late fees and late payments, and card issuers’ revenue and expenses. (Covered by InfoBytes here.) Under the CARD Act rules inherited by the Bureau from the Fed, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. Calling the current credit card late fees “excessive,” the Bureau stated it intends to review the “immunity provision” to understand how banks that rely on this safe harbor set their fees and to examine whether banks are escaping enforcement scrutiny “if they set fees at a particular level, even if the fees were not necessary to deter a late payment and generated excess profits.” The Bureau is considering comments received on the ANPRM as it develops an NPRM that may be released this month.
- Small business rulemaking. Section 1071 of Dodd-Frank amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. An NPRM was issued in August 2021 (covered by InfoBytes here). The Bureau anticipates issuing a final rule later this month.
CFPB “on track” to issue Section 1071 rulemaking by March 31
On August 22, the CFPB filed its tenth status report in the U.S. District Court for the Northern District of California, as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition, related to the collection of small business lending data. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The current status report states that the Bureau is on track to issue the Section 1071 final rule by March 31, 2023—a deadline established by court order in July (covered by InfoBytes here).
Find continuing Section 1071 coverage here.
CFPB announces meetings for small business lending data reporting
On August 8, the CFPB announced that it is hosting two events to discuss the technical implementation required to prepare for the Bureau’s Small Business Lending Data Collection Rulemaking, which is a requirement under Section 1071 of the Dodd-Frank Act. According to the Bureau, the meetings will be geared toward in-house bank technologists or providers that provide compliance software to banks. Among other things, the meetings will: (i) share how the Bureau builds regulatory compliance technology systems; (ii) discuss possible approaches to authentication and application programming interfaces; and (iii) review technical data submission standards, edits and validations. The Bureau stated that the meetings “will not discuss or seek input on the merits or potential outcome of any ongoing rulemakings or take questions pertaining to the substance of such rulemakings.” According to the CFPB’s spring rulemaking agenda that was released earlier this summer, a final rule is expected in March 2023 (covered by InfoBytes here).
District Court orders CFPB to issue Section 1071 rulemaking by March 31
On July 11, the U.S. District Court for the Northern District of California issued an order setting March 31, 2023 as the deadline for the CFPB to issue a notice of proposed rulemaking (NPRM) on small business lending data. As previously covered by InfoBytes, the Bureau is obligated to issue an NPRM for implementing Section 1071 of the Dodd-Frank Act, which requires the agency to collect and disclose data on lending to women and minority-owned small businesses. The requirement was established as part of a stipulated settlement reached in 2020 with a group of plaintiffs, including the California Reinvestment Coalition (CRC), who argued that the Bureau’s failure to implement Section 1071 violated two provisions of the Administrative Procedures Act, and harmed the CRC’s ability to advocate for access to credit, advise organizations working with women and minority-owned small businesses, and work with lenders to arrange investment in low-income and communities of color (covered by InfoBytes here).
Find continuing Section 1071 coverage here.
CFPB publishes rulemaking agenda
Recently, the Office of Information and Regulatory Affairs released the CFPB’s spring 2022 rulemaking agenda. According to the preamble, the information in the agenda is current as of April 1, 2022 and identifies regulatory matters that the Bureau “reasonably anticipates having under consideration during the period from June 1, 2022 to May 31, 2023.”
Key rulemaking initiatives include:
- Consumer Access to Financial Records. The Bureau notes that it is considering rulemaking to implement section 1033 of the Dodd-Frank Act to address the development and use of standardized formats for information made available to consumers. The Bureau will release materials in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA), in conjunction with the Office of Management and Budget and the Small Business Administration’s Chief Counsel for Advocacy.
- Amendments to FIRREA Concerning Automated Valuation Models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by the Dodd-Frank Act to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline in February 2022 and estimates in the agenda that the agencies will issue an NPRM in December 2022 (covered by InfoBytes here).
- Property Assessed Clean Energy Financing. The Bureau issued an ANPR in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions (covered by InfoBytes here). The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act section 307 in May 2023.
- Small Business Lending Data Collection Under the Equal Credit Opportunity Act. Section 1071 of the Dodd-Frank Act amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. The Bureau issued an NPRM in August 2021, and the comment period ended January 6 (covered by InfoBytes here). The agenda indicates that the Bureau estimates issuance of a final rule in March 2023.
- Adverse Information in Cases of Human Trafficking Under the Debt Bondage Repair Act. The National Defense Authorization Act amended the FCRA to prohibit consumer reporting agencies from providing reports containing any adverse items of information resulting from human trafficking. In June 2022, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking (covered by InfoBytes here).
CFPB reviewing 2,100 comments on small business data collection
On February 22, the CFPB filed its eighth status report in the U.S. District Court for the Northern District of California, as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition, related to the collection of small business lending data. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The current status report states that the Bureau has met the deadlines under the stipulated settlement, which included issuing its long-awaited proposed rule (NPRM) last September. As covered by a Buckley Special Alert, the NPRM would require a broad swath of lenders to collect small business loan data, including information about the loans themselves, borrower characteristics, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau and published by the Bureau on its website. The Bureau notes in its status report that the NPRM’s comment period ended on January 6. The Bureau is currently reviewing approximately 2,100 comments submitted via the public docket and will confer with plaintiffs regarding an appropriate deadline for issuing a final rule.
Find continuing Section 1071 coverage here.
CBA urges CFPB to supervise nonbank small business lenders
On February 9, the Consumer Bankers Association (CBA) sent CFPB Director Rohit Chopra a letter regarding the supervision of nonbank small business lenders. The letter noted that the landscape for business lending has recently altered “substantially,” specifically with the alternative banking options offered by financial technology companies having “significant market share.” The letter considered small businesses to be “vulnerable” because the activities of fintechs engaged in small business lending are not supervised by the Bureau. The letter urged the Bureau to “evaluate all possible avenues for supervising these nonbank small business lenders, including adding nonbank small business lending to the larger participant rule.” The letter also pointed out that the “lack of supervisory authority over nonbank small business lenders” undermines the CFPB’s other regulatory efforts, such as identifying and addressing fair lending concerns through a final rule covering small business lending data collection pursuant to Section 1071 of Dodd-Frank. The CBA argued that the absence of authority over nonbank lenders “will negatively impact the accuracy and utility of any data the Bureau receives under a Section 1071 final rule.” The CBA also advised the Bureau to utilize its ability under 12 U.S.C. Section 5514 to increase its authority over larger participants in the small business lending market.