InfoBytes Blog
FDIC Chairman remarks on 2024 Small Business Lending Survey
Recently, FDIC Chairman Martin Gruenberg remarked on the 2024 Small Business Lending Survey (SBLS) report at a community banking conference. He highlighted that technological advancements have not altered the relationship-oriented nature of small business lending in a fundamental way. The SBLS report, as previously covered by InfoBytes, provided insights into small business lending practices based on data collected in 2022, including loan approval processes, geographic markets, competition, use of financial technology, and lending to start-ups. Gruenberg explained that the report revealed that while banks adopt more financial technologies, the underwriting and approval processes for small business loans remain staff-intensive. Only 3 percent of banks fully automate the underwriting of some loans, and only 5 percent allow borrowers to complete the loan process entirely online.
As Gruenberg explained, the SBLS report also underscored the critical role of branches and staff in maintaining relationships with small business customers. About 80 percent of banks defined their small business lending market based on branch locations, with borrowers typically found within 40 miles of these branches. Community banks leverage “soft” information, such as a loan officer’s assessment, to make credit decisions, setting them apart from larger banks. This approach enables community banks to serve a broader range of small business borrowers, including startups, without relying heavily on government-guaranteed lending programs.
Republican House Financial Services Committee members seek clarity on 1071 rule implementation timeline
On April 18, Republican members of the House Financial Services Committee sent a letter to CFPB Director Rohit Chopra to express concern over the lack of clarity regarding the implementation timeline of the CFPB’s small business data collection rule, referenced as the 1071 Rule. As previously covered by InfoBytes, in October of last year, a Texas District Court issued a preliminary injunction that required the CFPB to halt implementation of the 1071 Rule, and directed the Bureau to extend the rule’s compliance deadline “to compensate for the period stayed.” In the letter, Republican lawmakers stress that the CFPB has been “reluctant” to confirm whether it will comply with the court order, which has led to confusion among regulated financial institutions regarding the compliance timeframe for the 1071 Rule. The letter also highlights that some prudential regulators are reportedly advising institutions to prepare for compliance by October 1, despite the court order. Accordingly, Republican members urge the CFPB to provide clear guidance affirming compliance with the court order and extending deadlines accordingly, including with respect to the rule’s transition period for data collection and reporting requirements.
Banking associations petition District Court for summary judgment against CFPB’s Final Rule on small business lending
On March 1, several banking associations (plaintiffs) filed a motion for summary judgment in a district court in an ongoing case against the CFPB’s §1071 Final Rule, claiming that the Final Rule goes beyond the scope of the CFPB’s rulemaking authority. (For the rule, see 88 Fed. Reg. 35150 from May 31, 2023.) As previously covered by InfoBytes, the court’s most recent order granted motions for a preliminary injunction against the CFPB and its small business loan rule. The rule expanded to 81 the number of data points that certain lenders, including women-owned, minority-owned, and small businesses, would be required to disclose to covered financial institutions. The plaintiffs argued that the Final Rule would be a “fruitless attempt to capture the complexity of small business lending” given the number of extraneous data fields and would not fulfill the underlying purpose of the rule set forth by ECOA. That purpose would be to “facilitate enforcement of fair lending laws and enable communities, government entities, and creditors to identify business and community development needs and opportunities for credit for women-owned, minority-owned, and small businesses.”
In their argument, the banking associations alleged that the CFPB had exceeded its statutory authority by requiring the extra data disclosures, that the data would not provide any tangible benefit, and that implementation of the rule is arbitrary and capricious as it ignores the significant costs that will be incurred by requiring lenders to provide such a large amount of extra information. The plaintiffs emphasized that while Congress granted the CFPB the power to add data points to information a lender might be expected to disclose, the CFPB exceeded its authority in adopting the Final Rule and that its only consequence “will be the imposition of a staggering compliance burden on lenders” and ultimately reduce opportunities for small businesses.
SBA unveils enhanced Lender Match tool to connect small businesses with lenders
On March 4, the SBA announced the launch of an online tool for small businesses to connect to capital through the SBA’s network of nearly 1,000 approved banks and private lenders. This Lender Match tool was designed to provide users with a more effective and user-friendly interface, including a mobile-friendly interface that allows small business entrepreneurs and enterprises seeking to grow businesses to more easily identify and compare potential lenders. The tool also included fraud-screening measures to ensure a smoother process for both parties. Small businesses that are unable to find a match through the tool will be directed to the SBA’s local advisors for additional support in becoming “capital-ready.” The SBA hopes to facilitate more connections for entrepreneurs looking for various financing options through the enhanced Lender Match platform including microloans and growth capital with competitive terms.
FTC publishes letter to CFPB on its law enforcement and public outreach
On November 16, the FTC released its letter to the CFPB providing its annual summary of activities in 2022. The CFPB used the findings in its annual report to Congress on the Fair Debt Collection Practices Act (FDCPA). In the letter, the FTC outlined several of its important procedural law enforcement activities, such as debt collection issues affecting small businesses, redressing consumers harmed by debt collection schemes, halting collection in consumer debt, and combating unauthorized charges to consumers. The second part of the letter outlines how the FTC enables public outreach and cross-agency coordination. For public outreach, the FTC proactively educates consumers about their rights under the FDCPA, and how debt collectors can comply with the law. The FTC also noted that it publishes material in both English and Spanish to broaden its outreach. In addition, the FTC added that it distributes print publications to libraries and businesses and logs more than 50 million views on its website pages. In its efforts to raise awareness about scams targeting the Latino community, the FTC highlighted its series of fotonovelas (graphic novels) in Spanish.
Automotive management company settles with DOJ to resolve False Claims Act allegations
On October 11, an automotive management company settled claims by the Department of Justice alleging that the company had violated the False Claims Act by knowingly providing false information in support of its Paycheck Protection Program (PPP) loan forgiveness application.
According to the DOJ’s allegations, the automotive management company certified it was a small business with fewer than 500 employees when in fact it shared common operational control with dozens of automobile dealerships with more than 3,000 employees in total.
CFPB issues guide on collecting small-biz data
The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.
FTC examines small business credit reporting
On March 16, the FTC launched an inquiry into the small business credit reporting industry, seeking information from firms on how information is collected and processed for business credit reports, how these reports are marketed, and firms’ approaches for addressing factual errors contained in the reports. Firms are also asked to provide information on the types of services provided to businesses for monitoring or enhancing their own credit reports. The FTC noted that currently there is no federal law that specifically outlines credit reporting processes and protections for small businesses, unlike individual consumer credit reports, which are governed by the FCRA.
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not-yet-settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
Chopra previews Section 1033 rulemaking on consumers’ rights to data
On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advanced notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).
Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.