Acting on the directive in section 1071 of the Dodd Frank Act, the CFPB issued the final rule for the Small Business Lending Act on March 30, 2023, to implement the small business data collection requirements of section 1071. The intent – to provide insight into how institutions are upholding Fair Lending Laws – is similar to other lending data collection rules such as HMDA and CRA. The data collected will comprise a small business lending data set, which will provide transparency into how institutions are meeting the credit needs of small businesses.
Lending Officers and Compliance Officers at banks, credit unions, and even non-bank lenders (institutions) have waited a long time for this final rule, but won’t have to comply with it immediately. Instead, compliance with this final rule will be expected in tiers, based on the number of small business loans an institution originated (covered loans) in 2022 and 2023.
The compliance dates included in the tiers appear to be reasonable, given the first compliance date for collecting data won’t be until October 1, 2024, and the institutions in the smallest tier have until January 1, 2026 to start collecting data. For institutions that have been collecting lending data under HMDA and CRA, this will involve many of the same processes.
Changes from the Interim Rule
There are two major changes from the interim rule.
- The threshold for institutions to report was raised from 25 covered loans to 100 covered loans.
- Lending Officers will not have to guess an applicant’s race, ethnicity, or any other demographic information.
The good news is that there should not be the need to report the same loan application’s data under this new rule and other reporting requirements, such as HMDA or CRA. This new rule explicitly excludes applications reported under HMDA. Additionally, the proposed (and revised) CRA reporting requirements will exclude loans reportable under this new rule. If all goes well, no business loan application should ever be reported under more than one requirement. In support of this, institutions will need a reconciliation process in place to ensure loans are only reported once – assuming the CRA reporting rules are finalized.
Data from loan applications from businesses that had gross revenue of less than $5 million in the last fiscal year is to be reported. Data will be collected from closed-end loans, lines of credit, business credit cards, online credit products, and merchant cash advances. Excluded from data collection are renewals and extensions of loans. Factoring, leases, trade credit, insurance premium financing, and participations are excluded, too. Additionally, prequalification requests and inquiries are not considered applications for data collection. The CFPB provided a data collection form for institutions to use, and the data points can be found here: https://files.consumerfinance.gov/f/documents/cfpb_small-business-lending-data-points-chart.pdf.
Data to be collected include demographic and geographic information about the business loan applicants, loan purpose data, loan decision data, and many other data points found in the document available from the CFPB in the link.
The Path Forward
- Appoint a Project Manager if one hasn’t been appointed, yet.
- Map the data you are currently collecting to the data you must collect, using the tool the CFPB provided. This will identify gaps in your current data collection that will need to be filled.
- Create an “Applicability Matrix” that identifies the business lending products at your institution that are covered, and which are not.
- The Project Manager should schedule a conference call with the business lending software vendors, the institution’s Compliance Officer, Lending Officers, Risk Officers, and most importantly, the Information Technology and Operations staff who will have to support this additional data collection effort. For institutions that are already collecting HMDA and CRA data, the mechanics of collecting this new data set should already be in place. Note the use of the plural when mentioning vendors. This is because there will likely be more than one lending software system used in an institution for the various loan types covered under this new rule. For example, very seldom is the same software product used for closed end loans and business credit cards. There will likely be multiple vendors to work with. Be sure that you’ve completed step #2 and step #3 as gaps and coverage will need to be discussed with each vendor.
- Determine what process will be needed to select additional software to support data collections (or whether existing software is sufficient.)
- Begin to think about the reconcilement process needed to ensure that business loans are reported under the correct requirement (this new rule, HMDA, or CRA).
- Ensure that the Compliance Committee, Risk Committee, Fair Lending Committee, executive management, and the Board are aware of this new rule.
- Ensure that this new rule is included in the Compliance Risk Assessment, the Fair Lending Risk Assessment, the Small Business Lending Risk Assessment, IT Risk Assessment, and is incorporated into other risk assessments at the institution to capture the impact on all the risk categories the institution faces.
- Similar to #8, begin to incorporate this new rule into existing policies and procedures.
- Begin to think about what monitoring will be performed in the first line of defense and the second line of defense, such that the institution can determine how it is meeting the needs of small business. Although it is likely too early to determine KRI thresholds, the Fair Lending Officer can at least determine what it is that KRIs should address.
- Craft the training program. Although it’s too early to provide detailed operational training, there’s ample opportunity to incorporate this new rule into existing training. At the overview level, vendor-provided webinars might be a good approach for this type of training. Ensure that your lending software vendors understand that the sooner their solution is available, the sooner you can provide detailed operational training on it.
- Craft the staffing plan. Although it’s difficult to know how many additional staff will be needed to support this new rule, it’s reasonable to assume the number is greater than zero. Even for institutions that already report HMDA data and CRA data, there is still overhead created by the reconcilement activity and by QC’ing the data.
Most managers at institutions have been waiting a decade for this rule to be finalized, and have likely begun the process described above. From a risk perspective, the new rule represents one more area where errors (potential violations) could occur, but those should be lessened via automation. The true risk resides in the nuances of the data collection, and experts will arise in the institution as they did for HMDA or CRA.
If you would like Project Management assistance, or general guidance regarding this rule, contact us today!