
InfoBytes Blog

Financial Services Law Insights and Observations



  • Banking associations petition District Court for summary judgment against CFPB’s Final Rule on small business lending


    On March 1, several banking associations (plaintiffs) moved for summary judgment in a district court in an ongoing case against the CFPB’s Final Rule under §1071, claiming that the Final Rule goes beyond the scope of the CFPB’s rulemaking authority. (For the rule, see 88 Fed. Reg. 35150 from May 31, 2023.) As previously covered by InfoBytes, the court most recently issued an order granting motions for a preliminary injunction against the CFPB and its small business loan rule. The rule expanded to 81 the number of data points that certain lenders, including women-owned, minority-owned, and small businesses, would be required to disclose to covered financial institutions. The plaintiffs argued that the Final Rule would be a “fruitless attempt to capture the complexity of small business lending” given the number of extraneous data fields and would not fulfill the underlying purpose of the rule set forth by ECOA. That purpose would be to “facilitate enforcement of fair lending laws and enable communities, government entities, and creditors to identify business and community development needs and opportunities for credit for women-owned, minority-owned, and small businesses.”

    In their argument, the banking associations alleged that the CFPB had exceeded its statutory authority by requiring the extra data disclosures, that the data would not provide any tangible benefit, and that implementation of the rule is arbitrary and capricious as it ignores the significant costs that will be incurred by requiring lenders to provide such a large amount of extra information. The plaintiffs emphasized that while Congress granted the CFPB the power to add data points to information a lender might be expected to disclose, the CFPB exceeded its authority in adopting the Final Rule and that its only consequence “will be the imposition of a staggering compliance burden on lenders” and ultimately reduce opportunities for small businesses.

    Courts CFPB Small Business Section 1071 ECOA Congress

  • SBA unveils enhanced Lender Match tool to connect small businesses with lenders

    Federal Issues

    On March 4, the SBA announced the launch of an online tool for small businesses to connect to capital through the SBA’s network of nearly 1,000 approved banks and private lenders. This Lender Match tool was designed to provide users with a more effective and user-friendly interface, including a mobile-friendly interface that allows small business entrepreneurs and enterprises seeking to grow businesses to more easily identify and compare potential lenders. The tool also included fraud-screening measures to ensure a smoother process for both parties. Small businesses that are unable to find a match through the tool will be directed to the SBA’s local advisors for additional support in becoming “capital-ready.” The SBA hopes to facilitate more connections for entrepreneurs looking for various financing options through the enhanced Lender Match platform including microloans and growth capital with competitive terms.

    Federal Issues SBA Consumer Finance Small Business

  • FTC publishes letter to CFPB on its law enforcement and public outreach

    Federal Issues

    On November 16, the FTC released its letter to the CFPB providing its annual summary of activities in 2022. The CFPB used the findings in its annual report to Congress on the Fair Debt Collection Practices Act (FDCPA). In the letter, the FTC outlined several of its important procedural law enforcement activities, such as debt collection issues affecting small businesses, redressing consumers harmed by debt collection schemes, halting collection in consumer debt, and combating unauthorized charges to consumers. The second part of the letter outlines how the FTC enables public outreach and cross-agency coordination. For public outreach, the FTC proactively educates consumers about their rights under the FDCPA, and how debt collectors can comply with the law. The FTC also noted that it publishes material in both English and Spanish to broaden its outreach. In addition, the FTC added that it distributes print publications to libraries and businesses and logs more than 50 million views on its website pages. In its efforts to raise awareness about scams targeting the Latino community, the FTC highlighted its series of fotonovelas (graphic novels) in Spanish.

    Federal Issues FTC CFPB Congress FDCPA Small Business Debt Collection

  • Automotive management company settles with DOJ to resolve False Claims Act allegations

    Federal Issues

    On October 11, an automotive management company settled claims by the Department of Justice alleging that the company had violated the False Claims Act by knowingly providing false information in support of its Paycheck Protection Program (PPP) loan forgiveness application.

    According to the DOJ’s allegations, the automotive management company certified it was a small business with fewer than 500 employees when in fact it shared common operational control with dozens of automobile dealerships with more than 3,000 employees in total.

    Federal Issues DOJ False Claims Act / FIRREA Small Business Fees Consumer Finance PPP Settlement

  • CFPB issues guide on collecting small-biz data

    Agency Rule-Making & Guidance

    The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.

    Agency Rule-Making & Guidance Federal Issues CFPB Small Business Small Business Lending Section 1071 Dodd-Frank Compliance

  • FTC examines small business credit reporting

    Federal Issues

    On March 16, the FTC launched an inquiry into the small business credit reporting industry, seeking information from firms on how information is collected and processed for business credit reports, how these reports are marketed, and firms’ approaches for addressing factual errors contained in the reports. Firms are also asked to provide information on the types of services provided to businesses for monitoring or enhancing their own credit reports. The FTC noted that currently there is no federal law that specifically outlines credit reporting processes and protections for small businesses, unlike individual consumer credit reports, which are governed by the FCRA.

    Federal Issues FTC Small Business Credit Report FCRA Credit Reporting Agency

  • CFPB launches rulemaking on consumers’ rights to their data

    Agency Rule-Making & Guidance

    On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.

    Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:

    • Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
    • Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
    • Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not yet settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
    • Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
    • How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
    • Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
    • Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
    • Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.

    An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.

    The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”

    Agency Rule-Making & Guidance Federal Issues CFPB Section 1033 Small Business Dodd-Frank Consumer Finance Privacy, Cyber Risk & Data Security

  • Chopra previews Section 1033 rulemaking on consumers’ rights to data

    Federal Issues

    On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advance notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).

    Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”

    Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.

    Federal Issues Privacy, Cyber Risk & Data Security CFPB Section 1033 Agency Rule-Making & Guidance Small Business Dodd-Frank Consumer Finance

  • FTC proposes TSR amendments to extend robocall protections

    Agency Rule-Making & Guidance

    On April 28, the FTC proposed rulemakings to extend protections for small businesses against telemarketing business-to-business schemes and strengthen safeguards to protect consumers from other telemarketing scams. Both the notice of proposed rulemaking (NPR) and advance notice of proposed rulemaking (ANPRM) stem from the FTC’s regulatory review of the Telemarketing Sales Rule (TSR) and address public comments received as part of the review.

    The NPR proposes to amend TSR recordkeeping requirements to require telemarketers to retain seven new categories of information related to their telemarketing activities, including records concerning each unique prerecorded message, records sufficient to show the established business relationship between a seller and a consumer, records of the service providers used by a telemarketer to deliver outbound calls, and records of the FTC’s Do Not Call Registry that were used to ensure compliance with this rule. Additionally, the NPR seeks comments on whether the FTC should amend the TSR to prohibit material misrepresentations and false or misleading statements in business-to-business telemarketing transactions to prevent harm caused by deceptive telemarketing, and proposes adding a definition of “previous donor” related to charitable donation solicitations.

    The ANPRM seeks comments on a range of issues related to whether calls related to tech-support scams should be covered by the TSR, whether telemarketers should be required to provide consumers with a simple click-to-cancel process when they sign up for subscription plans, and whether the TSR should stop treating telemarketing calls made to businesses differently from those made to consumers. According to the FTC, robocalls made to businesses are generally exempt from certain TSR provisions.

    Comments on both proposed rulemakings are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues FTC Small Business Telemarketing Telemarketing Sales Rule Robocalls

  • CFPB releases comment letter on FTC enforcement action

    Federal Issues

    On February 18, the CFPB released a comment letter in response to the FTC’s request for comments on its proposed order with a business credit reporting agency alleging that the respondent engaged in deceptive and unfair practices (covered by InfoBytes here). In commending the FTC, the CFPB noted that “there are troubling conflicts of interest when the purveyor of credit reports also sells ancillary services.” The CFPB also discussed that the FCRA “may not have contemplated the serious challenges that small businesses face with respect to business credit reports and associated services such as the provision of credit scores,” and that small businesses “may not benefit” from the FCRA. The Bureau noted that “[b]usiness credit reporting companies should not be able to unfairly harm a small business’s and their owner’s or operator’s financing opportunities.” In supporting “greater remedial authorities for the FTC to be more in line with other civil law enforcement agencies,” the comment letter argued that “[s]tronger authorities for the FTC may help to remediate this full range of harms,” and that the Bureau “stands ready to work with the FTC and other federal and state law enforcement partners to examine whether there are other unlawful practices related to small business credit reporting by other providers.” According to the CFPB, the Bureau will be working with the FTC “to ensure that small businesses are treated fairly when it comes to accessing loans.” The CFPB also noted that it is “working on a rule to shine more light on small business lending, by gathering more data about whether and how small businesses are able to access credit,” and will provide regulators the opportunity “to understand the landscape of credit availability to small businesses that for too long have had to rely on opaque business credit reporting agencies as gatekeepers of financing.”

    Federal Issues CFPB FTC Credit Reporting Agency Enforcement FCRA Small Business

