A Practical Guide for Small Business Data Rule Implementation

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) passed in 2010, but it seems like decades ago given what has happened since its passage—the regulatory agencies and financial services industry digested it and spent hundreds of thousands of hours issuing rules and more hours implementing those rules; a new agency, the Consumer Financial Protection Bureau (CFPB), was created and has been active with examination and enforcement activity; Congress partially reformed the law; COVID; inflation; rising interest rates; some large bank failures; and much more. It would be fair to say that most provisions of the Dodd-Frank Act have become the norm.

That said, one provision of the Dodd-Frank Act had not been fully implemented until recently. That provision is section 1071, which amended the Equal Credit Opportunity Act (ECOA) to require covered financial institutions to collect and report certain information related to applications for small business credit. The CFPB issued proposed rules to amend the ECOA’s implementing regulation (Regulation B) and issued an almost 900-page final rule on March 30, 2023, the Small Business Data Rule (Rule). Much has already been written related to why the Rule went too far or did not go far enough and criticizing specific provisions and explaining certain sections in the Rule.

The Texas Bankers Association (TBA), American Bankers Association (ABA), and co-plaintiff Rio Bank filed a lawsuit in the U.S. District Court for the Southern District of Texas on April 26, 2023, challenging the Rule as CFPB overreach. One argument they made is that section 1071 only required 13 data points whereas the CFPB final rule requires 81. On July 31, 2023, the Court issued a preliminary injunction blocking enforcement of the Rule for all TBA and ABA members while the Supreme Court hears arguments and determines the constitutionality of the funding structure of the CFPB.

An institution will need to determine whether it is subject to the Rule by analyzing the exemptions and the key thresholds related to small business loans, e.g., the definition of small business credit and the number of loans required for coverage. The exemptions and definitions have been written about by trade associations and others. This article focuses on some practical tips related to reviewing the Rule, working on systems related to the Rule’s requirements, and implementing the Rule.

1. Do not ignore the Rule or wait for it to be repealed, changed, or delayed: Do not wait to review and implement the Rule hoping that it will ultimately be overturned or delayed or that a systems vendor will have everything ready to comply with the Rule and will provide the system and training needed for your institution. If an institution is subject to the Rule and does not comply, ECOA violations can be the cause of exam findings, enforcement actions with monetary and/or non-monetary requirements, referrals to the Department of Justice, downgrades to Community Reinvestment Act or compliance management systems ratings, and much more. Given the 81 data points and the almost 900 pages of information, any delay may result in poor performance. As indicated above, the CFPB is not able to enforce the Rule against all TBA and ABA members pending a determination by the Supreme Court related to the constitutionality of the funding structure of the CFPB. New compliance dates will be determined for those banks at a later date.

2. Do not assume that since the Rule is new and relates to commercial transactions, the regulatory agencies will not examine your evaluation of whether you are a covered institution or your practices and compliance: The Rule has an effective date that is 90 days after publication in the Federal Register but does not require collection of data by covered institutions until October 1, 2024, April 1, 2025, or January 1, 2026, depending on your volume. These dates will change for TBA and ABA member banks. Initial reporting dates are June 1 the year following collection. Any lender without at least 100 small business loans in 2022 and 2023 will not be covered initially. The CFPB and other agencies believe this is a generous period to begin compliance with the Rule. Further, the CFPB issued a statement related to its enforcement and supervisory practices related to certain aspects of the Rule. The CFPB and other agencies will examine for compliance with the Rule at their first opportunity after it is applicable to an institution, and half compliance will not be considered compliance.

3. Do use the correct personnel to review and implement the Rule: This includes, for example, the correct compliance, systems, and lending personnel. While the Rule is new, some aspects of it are like provisions found in other rules such as those for the Home Mortgage Disclosure Act, the Community Reinvestment Act, and the Small Business Act. Familiarity with those rules, the procedures and systems used to implement them, and examinations related to those rules can provide much needed context on how section 1071 might be interpreted by examiners and others.
Personnel more familiar with consumer transactions may not appreciate the differences in how commercial products are processed. It would be best to include both consumer and commercial employees familiar with compliance, systems, and lending. If you do not have someone who is a full-time compliance person, you should identify a third party to help you with implementation of the Rule.

4. Do request specific detailed updates from vendors and your systems and compliance personnel: Almost all institutions process applications and originate loans, including small business loans, with the help of one or more systems, and those systems are often offered by a third party. However, it is not uncommon for one or more components of the process to be something developed by the institution. Make sure that the personnel who manage any critical vendors fully understand the institution’s processes, systems, and data related to small business lending. Even where a vendor’s system is used to comply with one or more rules, the institution, not the vendor, is ultimately the responsible party in the eyes of the regulatory agency and will be the one impacted by any finding of noncompliance. The contract with the vendor may be relied upon to recover costs or provide other restitution related to the finding, but the vendor’s business is not impacted directly by the regulatory rating.

By now, systems vendors should know that the Rule has been issued and should have assigned personnel to review it regarding aspects of the Rule for which their system is used and how the system might be used for other aspects of the Rule such as the record keeping and reporting of data. That review should have resulted in a detailed road map that outlines key dates and milestones for the vendor to revise one or more parts of its system for compliance, and the work should have begun. Vendors should make that information available at trade conferences and at other scheduled times. However, internally they should also closely track the milestones more granularly. An institution should ask the vendor to email updates that include this granular information to two or three main personnel working on implementation. If updates do not come, engage your contact at the vendor to ask why and request an update.

The institution should request notice for any missed milestones that may cause the system not to be ready by a date that allows time to install it, rewrite procedures, and train personnel on the new system. This will allow the institution to obtain more detailed information about the issue and the vendor’s overall progress. If the vendor cannot ensure the system will be ready within a reasonable period after the needed date, timely notification allows the institution to consider switching vendors or create an interim process for compliance and to request reimbursement for those costs. You should review your contracts now for language related to termination, material breach, acceptance of systems, and other issues.

For any internal components related to the small business lending process, the institution should identify those components in its own review and set its own key milestones related to them. Assigned personnel should be required to provide at least weekly updates and to immediately notify management if a date will be missed. Combined tracking and reporting for vendor and internal tasks should be reported to the Board at least monthly until the project is complete.

5. Do use all the tools made available from the CFPB and other regulators in the implementation project: The regulatory agencies often issue tools to assist institutions they supervise in complying with the vast array of rules, especially when a large change occurs. As financial institution personnel understand all too well, agencies issue rules, often with commentary and/or staff interpretations related to laws and rules. The agencies may also issue guidance documents, examination manuals, or other types of manuals or handbooks. All these documents further explain the agencies’ thoughts related to particular provisions and can help prevent surprises during an examination. These other issuances are not rules, but the context they provide may make compliance easier. They may also make compliance more difficult, but an institution will not know until it reviews the documents. Reviewing the documents and identifying items that go beyond the Rule during the implementation project provide an institution with the ability to make decisions and be prepared to explain their actions. There is no reason to fail an open book test.

The CFPB has already provided a number of these type of tools for financial institutions. As of June 1, 2023, those include:

This article has been updated since its original print version.