ANALYSIS: The League has published new ii Release No. B083 – Reg. B – Small Business Lending Rule. The rule is part of Reg. B, which implements the federal Equal Credit Opportunity Act. The rule will require certain credit unions to collect and report data about loans they make to small businesses. This is meant to help facilitate the enforcement of fair lending laws, and it will let communities, government entities, and creditors identify business and community development needs and opportunities for women-owned, minority-owned, and small businesses.
We summarized the basics of the new rule when it was finalized, in a March 30 Compliance Courier. Today’s Courier provides more details. For a fuller understanding of the rule, please see the CFPB’s Small Entity Compliance Guide to the rule, which is attached as an exhibit to the new ii Release.
Pending litigation
Barely a month after the rule was published, the CFPB faced a lawsuit challenging the rule’s validity. The lawsuit was filed in a Texas federal district court by the Texas Bankers Association and Rio Bank, McAllen, Texas. (It was a Fifth Circuit panel that held the CFPB’s funding to be unconstitutional in Community Financial Services Association of America Ltd. v. CFPB. The U.S. Supreme Court has agreed to review that decision in its next term.)
The Texas bankers’ complaint alleges that the rule is invalid because the CFPB’s funding structure is unconstitutional. They also claimed that the CFPB abused its discretion by finalizing a rule that goes far beyond what Congress required. Under the Dodd-Frank Act, financial institutions were to collect and report 13 specific data points about loans to small businesses, but the CFPB expanded that to 81 separate data or sub-data points.
The plaintiffs also allege that the CFPB failed to consider comments submitted when the rule was proposed. For example, those comments alerted regulators to the alarming costs that the expansion of data points would impose on small and mid-sized lenders. The League submitted a comment letter on the proposal, pointing out concerns that it would unduly burden credit unions and even discourage certain credit unions from offering business credit.
We’ll keep Wisconsin credit unions posted on the progress of the lawsuit, but credit unions should not count on the court stopping or delaying implementation of the rule. It would be smart for each credit union that may be subject to the rule to do two things in the coming months: 1) Work to determine the compliance date “tier” that may apply to your credit union, so you know when compliance will be required (as discussed near the end of this Courier). 2) Consult with your core processor about getting systems in place to capture required data on small business lending.
Covered credit unions, small businesses & transactions
The rule applies to any credit union – of any asset size – if it originated at least 100 covered transactions to small businesses in each of the two preceding calendar years. Thus, credit unions need to determine if they are covered by the rule each year.
A “small business” means a business that had $5 million or less in gross annual revenue for its preceding fiscal year. Non-profit organizations and governmental entities are not small businesses. A credit union can rely on an applicant’s representations regarding gross annual revenue.
Generally, a “covered credit transaction” means any extension of business credit under the CFPB’s Reg. B. Thus, covered credit transactions can include loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes. However, certain transactions are excluded from coverage under the rule, such as: transactions reportable under the Home Mortgage Disclosure Act (HMDA), which we cover in The League’s ii Release No. B017; incidental credit; consumer-designated credit used for business or agricultural purposes; and purchases of loan participation interests.
To determine whether a credit union is subject to this rule, it must count how many covered originations it has made in each of the two preceding calendar years. A covered origination is a covered credit transaction that the credit union originated to a small business. Refinancings can be covered originations; however, extensions, renewals, and other amendments of existing transactions are not considered covered originations even if they increase the credit line or credit amount of the existing transaction.
Collecting & reporting data
Under the rule, a covered credit union must collect and report data (and satisfy other requirements) for reportable applications. An application is reportable if it is a covered application from a small business. A covered application is an oral or written request for a covered credit transaction (i.e., an extension of business credit that is not otherwise excluded from coverage under the rule) that is made in accordance with procedures used by the credit union for the type of credit requested.
Under the rule, a covered credit union must collect and report up to 81 potential data points regarding reportable applications. Those data points can be broken down into three categories:
- Data points that the credit union generates, like a unique identifier, the application date, the action taken on the application, and the action taken date;
- Data points based on information that could be collected from the applicant or an appropriate third-party source, like credit type, credit purpose, the amount applied for, a census tract based on an address or location provided by the applicant, gross annual revenue for the applicant’s preceding fiscal year, a three-digit North American Industry Classification System (NAICS) code for the applicant, and the number of people working for the applicant; and
- Data points based solely on the demographic information collected from an applicant, which are the applicant’s minority-owned business status, women-owned business status, and LGBTQI+-owned business status, and the applicant’s principal owners’ ethnicity, race, and sex.
A covered credit union must ask an applicant to provide this demographic information, and it must report the demographic information solely based on the applicants’ responses for purposes of this rule. However, a covered credit union cannot require an applicant or other person to provide this demographic information. If the applicant fails or declines to provide the demographic information necessary to report a data point, the credit union reports the failure or refusal to provide the information. Credit unions are not required or permitted to report these data points based on visual observation, surname, or any other basis (including demographic information provided for other purposes).
A covered credit union must inform an applicant that the credit union is not permitted to discriminate on the basis of an applicant’s responses about its minority-owned, women-owned, or LGBTQI+-owned business status, on the basis of responses about any principal owner’s ethnicity, race, or sex, or on the basis of whether the applicant provides this information.
The rule includes a sample data collection form (available online here) that a credit union can use to collect this demographic information from applicants and to provide required notices.
Generally, covered credit unions must report data to the CFPB by June 1 of the year following the calendar year in which they collected the data (e.g., data collected for 2024 must be reported by June 1, 2025).
Data submitted to the CFPB is made available to the public annually by the CFPB. The CFPB will determine what, if any, modifications and deletions are appropriate to protect privacy.
A covered credit union must make available to the public on its website, or otherwise upon request, a statement that its small business lending application register, as modified by the CFPB, is or will be available from the CFPB. The rule includes language that could be used for this statement.
The “firewall”
The rule limits certain persons’ access to certain data (i.e., the “firewall”). Under the rule, employees and officers of a covered credit union (or its affiliate) are prohibited from accessing an applicant’s responses to inquiries about the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex – if that employee or officer is involved in making any determination concerning the applicant’s covered application. There is a limited exception to this rule, explained in the compliance guide attached to ii Release No. B083. Other provisions in the rule prohibit sharing demographic information with other parties.
Record retention
The rule has recordkeeping requirements, including a requirement to retain copies of small business lending application registers and other evidence of compliance for at least three years.
Compliance dates
To determine when it must begin complying with this rule, a credit union must determine which compliance date “tier” applies to it.
- A credit union must begin collecting data and otherwise complying with the rule on Oct. 1, 2024, if it originated at least 2,500 covered originations in both 2022 and 2023.
- A credit union must begin collecting data and otherwise complying with the rule on April 1, 2025, if it: Originated at least 500 covered originations in both 2022 and 2023; and did not originate 2,500 or more covered originations in both 2022 and 2023; and originated at least 100 covered originations in 2024.
- A credit union must begin collecting data and otherwise complying with the rule on Jan. 1, 2026, if it originated at least 100 covered originations in both 2024 and 2025 but did not originate at least 500 covered originations in both 2022 and 2023.
A CFPB “info sheet” (available online here), discusses the compliance date tiers and provides additional information to help credit unions determine when they must start complying with the rule.
Transitional provision for determining number of covered originations
Some credit unions may not be able to readily determine if transactions originated in 2022 or early 2023 are covered originations because they don’t know if a borrower is a small business as defined in the rule. The rule includes a transitional provision that they may use to determine the number of covered originations in 2022 and 2023.
A credit union may rely on the transitional provision to determine the number of its covered originations for 2022 and/or 2023 if it did not collect sufficient information to determine whether some or all borrowers were small businesses under the rule or if such information is not readily accessible.
Credit unions can count covered originations for the last quarter of calendar year 2023 (October 1 through December 31), and then annualize the number of its covered originations based on this information. The credit union could use this annualized number to determine its covered originations for 2022, 2023, or both years.
Credit unions may also assume that all covered credit transactions originated during a calendar year were made to a small business for purposes of determining institutional coverage and compliance date tier pursuant to the rule.
For example, if a credit union currently does not obtain an applicant’s gross annual revenue or otherwise determine if an applicant had revenue of $5 million or less in its preceding fiscal year, it is not likely to know how many covered originations it had in 2022 and 2023.
Under the rule, the credit union could obtain information about the borrower’s small business status for the covered credit transactions it originated on or after October 1, 2023. If the credit union determines that it originated 90 covered credit transactions to small businesses between October 1 and December 31, 2023, it could use 360 as its annualized number of covered originations for 2023. It could also use this number for its covered originations for 2022. The credit union would not be required to begin collecting data or otherwise complying with the rule before Jan. 1, 2026.
Alternatively, the credit union could assume that all the covered credit transactions it originated in 2022 and 2023 were made to a small business and, thus, are covered originations. For example, if the same credit union originated 370 covered credit transactions in 2022, it is not required to begin collecting data or otherwise complying with the rule before Jan. 1, 2026.