Executive Summary

Commonly known as the CFPB 1071 Rule, upcoming requirements to be finalized in 2023 by the Consumer Financial Protection Bureau (CFPB) will represent the most significant effort of data collection and reporting for financial institutions in nearly 50 years. The checklist provides lenders with seven steps to prepare for compliance with this new rule.

Introduction

Section 1071 of the Dodd-Frank Act amended Regulation B — Equal Credit Opportunity Act (ECOA). On Sept. 1, 2021, the CFPB issued a proposed rule to require financial institutions and others to compile, maintain, and submit to the CFPB certain data points on applications for credit for small businesses, including those owned by women and minorities.

While officially titled “Small Business Lending Data Collection Under the Equal Credit Opportunity Act (Regulation B),” the proposed rule is often known as the CFPB’s 1071 Rule.

The primary purposes of reporting this information are to:

• Provide tracking of small business credits to enforce fair lending laws
• Enable creditors to identify and support the business needs of women and other minority-owned small businesses within the community

CFPB 1071 Deadline Ahead

The final rule is expected by March 31, 2023, with compliance required 18 months after the publication of the final rule. While 18 months may seem like a long lead time, don’t let that timeframe lull you into inaction. This is a major effort of small business data collection and reporting not experienced since the Home Mortgage Disclosure Act (HMDA) requirements of 1975. As community financial institutions have become more commercially focused, the data collection requirements of the 1071 rule may surpass those of HMDA.

The following seven steps are a checklist for successful compliance with the final 1071 Rule:

1. Read the Rule and Familiarize Your Staff With Rule Requirements
   This may seem obvious, but spend the time needed to focus on the regulatory requirements of this particular guidance. This is especially important when complying with a regulation concerning the collection of applicant/borrower attributes – where it’s essential to know what you can and cannot ask.
   
   

   The Bureau is proposing to apply the rule to covered financial institutions. A covered financial institution is a financial institution or other entity, including fintechs, that originated at least 25 credit transactions that would be covered credit transactions to small businesses in each of the two preceding calendar years.

   After you’ve assessed whether you are covered under the 1071 data collection rule, the next step is to analyze your small business loan portfolio.

2. Analyze Your Small Business Loan Portfolio in Advance of the Compliance Date to Determine Impact
   The CFPB’s proposed definition of a small business is one that had $5 million or less in gross annual revenue for its preceding fiscal year. The bureau is seeking SBA approval for this alternate small business size standard pursuant to the Small Business Act. Next, covered credit transactions include loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural purposes and those that are also covered by the Home Mortgage Disclosure Act of 1975).
   
   

   If able, produce a report of small business loans that fit the revenue size above. In addition, if you have the minority information available, you can sort the data by that additional criteria. Either way, this exercise should provide insight into the impact that the 1071 rule will have on your institution.

3. Create Written Policies and Procedures
   Policies should include the following components, while procedures should represent more detailed instructions describing how to perform tasks associated with the rule:

• • Background and governance
  • Roles and responsibilities
  • Description of the 1071 rule’s impact on the loan portfolio (from the analysis above)
  • General process of gathering, tracking, monitoring, and reporting pertinent information to comply
  • Process internal controls
  • Reporting and conclusions on compliance
  • Educational expectations for current and new staff
  • Collection of data
  • Recording of data
  • Monitoring and interpreting the data
  • Staff training

4. Determine a Plan to Gather Data Points and Set Up an Identification/ Data Collection System
   Data points can be divided into three categories:

• • • System basic data points such as applicant/ borrower loan number, type, purpose, pricing details, and, for denied applications, the denial reason
    • Data points specifically related to the credit, such as business description, gross annual revenue, census tract, NAICS code, and owner and worker counts
    • Demographic data points, such as minority (and women) business status, owner ethnicity, race, and sex

We recommend including detailed procedures for lenders and other staff collecting this data. You may need to update your internal checklists or application to ensure a centralized and standard place to record information.

As with Regulation B and HMDA, there are specific rules related to the method of data collection. For example, suppose an applicant does not provide ethnicity, race, or sex information for at least one principal owner. The proposed rule states that the financial institution or entity must collect at least one principal owner’s race and ethnicity (but not sex) via visual observation and/or surname if the financial institution meets in person, or by video, with any principal owner.

The applicant must provide the minority-owned business status and/or women-owned business status. The institution would not be permitted or required to report these data points based on visual observation, surname, or any other basis if the applicant chooses not to provide the information.

More details to come on instructions on how to collect and report minority-owned business status, women-owned business status, and principal owners’ ethnicity, race, and sex. This phase of the rule will require targeted and detailed training for your staff to avoid actual or perceived discriminatory treatment.

5. Begin Tracking Data on a Rule-Compliant System
   The final rule should include a sample tracking sheet. However, we recommend that you strongly consider automation of this function. With more than 20 data points required to be reported under the proposed small business data rule, automation is key to efficiently utilizing staff and minimizing data collection errors. Ideally, these data points should be captured during the loan application or booking process. Check with your core provider to determine if they have or are considering automating the process as data is entered directly into their system. Additionally, if you are on a loan origination platform, your provider will most likely build a data-gathering document into that system, so check with your provider in advance.
   
   What if your institution doesn’t automate this function? In that case, Excel can be a useful tool for maintaining the required data points as long as you have primary and backup staff to maintain the spreadsheet, as well as an independent reviewer to perform a periodic spot-check of the data.
   
   

   The 1071 rule requires that institutions collect data on a calendar-year basis and report their data to the bureau by June 1 of the following year. The proposed rule will allow the CFPB to make the data available to the public annually.

6. Set up an Audit System to Periodically Check Small Business Loans by Cross-Referencing to Tracking Document
   One of the primary reasons for the rule is to ensure that financial institutions are addressing the credit needs of minority small businesses and that institutions are pricing and determining other loan terms in a manner that does not discriminate against the minority-owned small business.
   
   The development of analytical reports and periodic monitoring of small business lending is essential for compliance and to identify areas of concern, mitigation, and reporting. Consider a quarterly compliance scorecard approach to identify loan pricing exceptions and set baseline performance indicators.
   
   
7. Finally, Consider Assistance From Third-Party Resources
   From educating and clarifying rule components to creating policies and procedures, a third-party provider can make compliance easier. Such a resource can:

• • Alleviate any staff bandwidth issues
  • Avoid interruptions in daily job requirements
  • Assist with best practices to gather information
  • Assist with the creation of or adaptation of current collection and/or loan pricing systems to ensure compliance with the rule

Other considerations important for financial institutions as they implement the CFPB 1071 Rule include whether to:

• • Standardize small business lending loan originations, pricing, and fee structures
  • Develop an objective small business loan pricing model to mitigate unintentional disparate treatment resulting from lender subjectivity in interest rate, fee, and pricing structure
  • Automate the reporting of small business loan pricing exceptions to policy to be proactive in making future adjustments

Conclusion

In a recent survey of financial institution executives, the final 1071 rule was the top regulatory compliance concern — outranking BSA/AML rules, beneficial ownership requirements, and CECL obligations.

With Community Reinvestment Act reform also expected to increase data collection and reporting requirements for some financial institutions, it’s prudent to plan early for the CFPB 1071 changes. Working with dedicated third-party risk management consultants or advisors is a way to ensure compliance with CFPB 1071 while minimizing institutional disruption.