Five Steps For Small Business Lenders to Prepare for New Data Collection Rule

According to the Small Business Administration (“SBA”), roughly 44% of the American economy in 2019 derived from small business activity.¹ Unfortunately, based on studies from the Urban Institute, not all small businesses are treated equally when attempting to secure loan funding. Small businesses located in median majority-white census tracts received a larger volume of SBA loans (after controlling for the number of employees), as well as Community Reinvestment Act (“CRA”)-reported small business investments. More specifically, the Urban Institute noted that “the median majority-white census tract receives 1.4 times the CRA-reported small business investment of the median majority-Black census tract and 1.7 times the CRA-reported small business investment of the median majority-Latino census tract.”²

Congress has long been discussing the need to collect demographic information of small business loan applicants to ascertain lending patterns, fair lending implications and the impact to affected communities. In Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act"),³ Congress mandated the Consumer Financial Protection Bureau (“CFPB”) to amend the Equal Credit Opportunity Act (“ECOA”)⁴ so that demographic information on small businesses could be legally obtained.⁵ On March 30, 2023, the CFPB published the final rule (“1071 Rule”) that amended the ECOA.⁶ Under the 1071 Rule, covered financial institutions⁷ are required to collect data on certain applications⁸ received from small businesses and report the data to the CFPB. Additionally, the 1071 Rule requires financial institutions to create a “firewall” to ensure that underwriters and others who make credit decisions do not have access to the demographic information that is collected on the applicants, unless other provisions within the regulation are met.⁹

Regulatory scrutiny will begin with the data and examiners asking questions such as: 1) Did the lender adequately set up processes to collect information? and 2) Did the lender report accurate data? While the expectation is for lenders to adequately implement processes for accurate collection of data, the CFPB has provided a 12-month grace period in which they will not assess penalties for errors in data sets, as long as lenders have developed their small business fair lending program in good faith.¹⁰

In order to prepare for these reviews, financial institutions should take the following steps:

Review the Compliance Management System (“CMS”) to ensure Section 1071 is included in the components;
Monitor and test updates to ensure adherence to the 1071 Rule;
Assess underwriting and pricing models for compliance (especially those that rely on algorithms);
Analyze fair lending data and small business lending operations; and,
Remediate any identified disparities.

After implementation, regulators will concentrate on the analysis and monitoring of the data. This phase will consist of supervisory examinations and civil investigative demands. Regulators will likely review internal monitoring processes that may exist, as well as conduct their own analyses of the data. If disparities are identified through internal monitoring, regulators will review corrective actions taken.

Compliance Management System Reviews

Regulator expectations are that financial institutions have a CMS in place that responds timely to change.¹¹ These changes might include responding to new or revised regulatory requirements, system changes, and process changes.

Financial institutions should review their Compliance Management Program (“CMP”) to determine if current policies and procedures, training, and monitoring and audit functions adequately mitigate the risk associated with the 1071 change. Updates could include creating or amending policies and procedures, training individuals on the new expectations and requirements and ensuring comprehensive coverage from monitoring and audit, among others. A formal risk assessment is imperative for noting all the products and processes to be included in the review, as well as identifying the risks and the appropriate internal controls.

Implementing and Testing Processes Put into Effect to Adhere to the 1071 Rule

After setting up the small business fair lending framework through the CMS, a financial institution will need to execute the processes and test to ensure the processes are working as intended based on the change. These processes may include either automated collection or manual entry of the information.

For the automated processes, financial institutions will want to ensure that the data assembled for the report is mapped to the correct data point collected during the applications process. In addition, financial institutions will need to test mapping prior to implementation and immediately after implementation to ensure the process is operating as intended.

For manual processes, financial institutions will need to hold business segment training to ensure the employees taking the application are trained on the expectations and data points that need to be collected. It’s important to identify all business segments that will be responsible for the data in any journey of collection, input and monitoring. Those could include front line loan officers, loan officer assistance, compliance personnel, information technology, and others. Additionally, the financial institutions’ monitoring or audit function will need to review the processes and information entered to confidently ensure the information is accurate.

Assess Underwriting and Pricing Models That Rely on Algorithms

Once the financial institution is confident that the data collected will efficiently and accurately assemble into the required database, it is imperative that the financial institution identify all underwriting and pricing models that affect small businesses and the related fair lending risk. The financial institution should assess whether the policies and models are effective, follow the new ECOA requirements and do not create bias when calculating application decisions. For example, underwriting policies that will not lend to entrepreneurs in high school could be considered disparate treatment based on age or education, assuming the applicants have the legal capacity to borrow.

Additionally, a careful review should be considered to ensure these models do not create disparate impact, or any unintentional discriminatory result. For example, policies or models that include setting minimum requirements not based on repayment risk may exclude certain applicants. It is imperative that underwriting or pricing model inputs include clear business justifications, as well as assurance that that there is not an alternative policy or practice that could serve the same purpose with less discriminatory effect.

Moreover, if the financial institution uses decisioning models that rely on machine learning to predict the applicant’s repayment risk more precisely, the financial institution should review those requirements as the model evolves to ensure that the outcomes align with management’s intent and regulatory requirements.

Perform Fair Lending Analysis on the Data and Small Business Lending Operations

After evaluating its policies and models, the financial institutions should assess the data and operations for fair lending risks. These assessments should include a review of underwriting and pricing outcomes to identify if any particular basis group is being treated differently than another basis group. Additionally, financial institutions should review its application and marketing distribution to identify any redlining risks, i.e., engaging in lending discrimination based on historically shunned areas. This includes whether certain census tracts are excluded from advertising or whether applications in certain census tracts are not approved based on the location.

Remediate Identified Disparities

Finally, if any disparities are identified, the financial institution should remediate the issue in a timely and efficient manner. For example, remediation could include inviting the applicant to reapply for a loan product with more favorable terms and conditions than when they received the initial loan, or to reapply for a loan product for which they were denied. Another remediation action could include the offering of special purpose credit programs if the financial institution identifies a larger need among its applicants. Addressing any of these actions is just a small sample of remedial efforts that could be taken by a financial institution. In doing so, the financial institutions place themselves in a positive light, should they come under the scrutiny of a regulator or the public.

To prepare for the transmission of data to federal regulators, financial institutions will need to implement significant revision not only to current small business lending activities, but overall programs, including institutions’ CMS. It will not be sufficient to simply react to the rule and implement data collection; rather, financial institutions will want to be proactive and understand the ramifications of the data regarding their small business lending operations. Certain financial institutions may need to adjust and correct operations in a way that reduces fair lending risk and ultimately provides fair treatment to their entire customer base.

Footnotes:

1: “Small Businesses Generate 44 Percent Of U.S. Economic Activity,” U.S. Small Business Administration Office of Advocacy (January 30, 2019), https://advocacy.sba.gov/2019/01/30/small-businesses-generate-44-percent-of-u-s-economic-activity/.

2: Brett Theodos and Eric Hangen, “Re: Public Comment on Section 1071 Small Business Lending Data Collection; Docket No. CFPB-2021-0015,” Urban Institute (January 6, 2022), https://www.urban.org/sites/default/files/publication/105315/urban-public-comment-letter-on-section-1071-small-business-lending-data-collection_1.pdf.

3: Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, 124 Stat. 1376 (July 21, 2010), https://www.congress.gov/111/plaws/publ203/PLAW-111publ203.pdf.

4: Equal Credit Opportunity Act, 15 U.S.C. §§ 1691-1691f (1974), https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter41-subchapter4&edition=prelim.

5: Prior to 1071 rule implementation, ECOA and Regulation B restricted the collection of demographic information except for home loans.

6: “Recordkeeping, enforcement, and severability,” in “Small Business Lending under the Equal Credit Opportunity Act (Regulation B),” Consumer Financial Protection Bureau (2023), https://files.consumerfinance.gov/f/documents/cfpb_1071-final-rule.pdf.

7: A “covered financial institution” is defined in Section 1002.105(b) of the 1071 Rule as a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.

8: Applications exclude reevaluation, extension, or renewal requests on existing business credit accounts, unless the request seeks additional credit amounts; or inquiries and prequalification requests.

9: The CFPB notes that in certain circumstances, certain financial institution employees who make credit decisions may have access to the applicant’s demographic information. In these instances, the financial institution must provide a notice to the applicant about the access. See further discussion at section § 1002.108 of the final rule.

10: See supra note 6.

11: “Federal Financial Institutions Examination Council, Docket No. FFIEC-2016-0003,” Federal Financial Institutions Examination Council (FFIEC) (March 31, 2017), https://www.ffiec.gov/press/PDF/FFIEC_CCR_SystemFR_Notice.pdf.