Compliance Blog

Apr 03, 2023
Categories: CFPB

CFPB Issues Final 1071 Rule on Small Business Data Collection

On March 30th, the CFPB issued a final rule under section 1071 of the Dodd-Frank Act. A little history behind this rule, section 1071 of the Dodd-Frank Act amended the Equal Credit Opportunity Act (ECOA) and required financial institutions to collect data on small business loans. The final rule published on March 30th enacts this requirement. The CFPB has also published an executive summary and factsheet that may be helpful, as the final rule is 888 pages long.

Is Your Credit Union Covered?

Under the rule, a credit union is covered if it “originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.”

What is a Small Business?

The final rule defines a small business as a business with gross annual revenue of $5 million or less in the preceding calendar year. This is the same definition as in the Small Business Act. According to the CFPB, a credit union may “rely on an applicant’s representations regarding gross annual revenue (which may or may not include affiliate revenue) for purposes of determining small business status.” However, if the credit union receives verified information, the credit union must use the verified revenue.

Credit unions may want to note that non-profits and government agencies are not considered small businesses under the rule.

Covered Credit Transactions

The rule defines a covered credit transaction as “an extension of business credit that is not an excluded transaction.” The rule excludes the following transactions:

·       Trade Credit;

·       Home Mortgage Disclosure Act (HMDA) reportable transactions;

·       Insurance premium financing;

·       Public utilities credit;

·       Securities credit;

·       Incidental credit;

·       Factoring;

·       Leases;

·       Consumer-designated credit used for business or agricultural purposes;

·       Purchases of a credit transaction;

·       Purchases of an interest in a pool of credit transactions; and

·       Purchases of a partial interest in a credit transaction.

For more information, credit unions may want to review the final rule for a more thorough explanation of the above.

Requirements for Covered Credit Unions

Under the rule, a covered credit union is required to collect and report data on covered applications.

What is a Covered Application?

The rule defines a covered application as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.” Furthermore, the rule excludes the following from the definition of a covered application:

·       Reevaluation, extension, or renewal requests for existing businesses credit accounts;

o   However, requests for additional credit on existing accounts is a covered application;

·       Inquiries and prequalification requests;

·       Solicitations;

·       Firm offers of credit; and

·       Other evaluations that the credit union initiates.

What Data is required to be Collected and Reported?

The final rule requires a covered credit union to collect the following 20 different data points:

·       The application’s unique identifier;

·       Application date;

·       Application method;

·       Application recipient;

·       Credit type;

·       Credit product;

·       Guarantees;

·       Loan term;

·       Credit purpose;

·       Amount applied for;

·       Amount approved or originated;

·       Action taken;

·       Action taken date;

·       Denial Reasons;

·       Pricing information;

o   Interest rate;

o   Total origination charges;

o   Broker fees;

o   Initial annual charges;

o   Additional cost for merchant cash advances or other sales-based financing;

o   Prepayment penalties;

·       Census tract;

·       Gross annual revenue;

·       NAICS code;

·       Number of workers;

·       Time in business;

·       Minority-owner, women-owned, and LGBTQI+-owned business status;

·       Ethnicity, race, and sex of principal owners; and

·       Number of principal owners.

Credit unions are permitted to rely on information from the applicant when compiling the above data. Furthermore, the rule provides a more detailed explanation regarding the above data points that covered credit unions may want to review.

Credit unions are required to report the above data on June 1st of the calendar year following the collection of the data. Credit unions can find the CFPB’s filing instructions for the data here.

Effective Date

The final rule will be effective 90 days after it is published in the Federal Register. While this may not be exactly clear, the rule does not necessarily require a covered credit union to comply with the rule at that time. A credit union’s required compliance depends on certain information. Fortunately, the CFPB has helpfully provided an explanation regarding a covered credit union’s requirements to follow the rule:

·       “A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024 if it originated at least 2,500 covered originations in both 2022 and 2023.

·       A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025 if it:

o   Originated at least 500 covered originations in both 2022 and 2023;

o   Did not originate 2,500 or more covered originations in both 2022 and 2023; and

o   Originated at least 100 covered originations in 2024.

·       A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026 if it originated at least 100 covered originations in both 2024 and 2025.”

This info sheet from the CFPB further discusses a credit union’s required compliance date that may be helpful.

Credit unions should understand that the above is only meant to serve as an overview of the new rule. The final rule, its commentary, and the preamble contain much more detailed information that should be reviewed to ensure compliance with the rule. 


Online Compliance Training Subscriptions: Master the most challenging areas of CU compliance—all accessible by your entire credit union staff 24/7/365. Industry experts cover the hottest topics in a fast, convenient way. Subscribe now.

About the Author

Keith Schostag, NCCO, Senior Regulatory Compliance Counsel, NAFCU


Keith Schostag joined NAFCU as regulatory compliance counsel in February 2021. In this role, Keith assists credit unions with a variety of compliance issues.

Read full bio