Nobody’s Excited About the CFPB’s Small Business Lending Rule
February 15, 2024
By: Tyler Brown
Regulation and Community Financial Institutions
Amid a flurry of policy proposals on the table, the small business lending data collection rule from the Consumer Financial Protection Bureau (CFPB) appears to be causing the most anxiety. In fact, per a survey conducted in January by IntraFi, it’s the regulatory policy that financial institutions (FIs) are most concerned about. This isn’t surprising — the rule casts a wide net: Banks, credit unions, savings associations, and nonbank lenders would all “be required to collect and report data,” and it covers term loans, revolving credit including cards, “online credit products,” and merchant cash advances.
The purpose of the rule is to enforce an amendment to the Equal Credit Opportunity Act to require FIs to “compile, maintain, and submit to the [CFPB] certain data on applications for credit” for businesses with less than $5 million in annual revenue, including whether the applicant is an LGBTQI+-owned business; the ethnicity, race, and sex of the applicant’s principal owners; the credit decision; and the loan pricing. The CFPB nixed a proposal that loan officers determine on their own the principal owners’ race or ethnicity.
The rule is receiving a lot of pushback, and not just from FIs. Congress voted to repeal it, a move that the American Bankers Association supported, with both emphasizing potential compliance costs for smaller institutions. President Biden cleared the way by vetoing the resolution, but state court cases brought by trade groups remain. Nonetheless, the financial services community seems concerned that the rule will move forward eventually, with implications that will make ongoing business difficult.
There’s particularly good reason for concern among smaller FIs. According to research by the Federal Reserve, smaller FIs hold more small business loans as a percentage of assets than their larger peers. Small business loans are 13-14% of assets for FIs with less than $1 billion in assets, about 11% for FIs with $1-10 billion in assets, and 6% for FIs with more than $10 billion. About 78%, or 3,616, of Federal Deposit Insurance Corporation (FDIC)-insured banks and 91%, or 4,221, of National Credit Union Administration (NCUA)-insured credit unions fall into the smallest group.
Given their dependence on small business loans, smaller FIs are in a tough spot. Only 13% of FIs within the IntraFi study with less than $1 billion in assets said they would cut back on small business lending if the rule went into effect, compared with 22% of FIs with $1-10 billion in assets and 57% with greater than $10 billion. Compliance will require FIs “to develop and implement new software and compliance mechanisms to address over 80 reporting requirements,” according to bankers associations, and the CFPB notes specific categories of costs related to “external audit, training, software, and data transcription.”
If the rule goes ahead as scheduled, the largest lenders, those that “originate at least 2,500 small business loans annually,” must comply with the final rule beginning this October. Smaller lenders have breathing room, with deadlines as distant as January 1, 2026. The rule applies to lenders making over 100 “covered small business loans” per year in the past two years, which, according to the CFPB, includes more than 95% of small business loans by banks and credit unions.
Whether they like it or not, the answer to this problem for FIs of all sizes is likely to be technical upgrades and systematic changes to lending. American Banker has in fact argued that lenders have no choice but to reassess their small business lending processes and adopt new supporting technology. To this end, the rule “allows FIs to work with third parties […] to develop services and technologies that will aid in collecting and reporting data,” and it will provide an API for data submission. FIs would be wise to use this endeavor to find new ways to collate and leverage data, perhaps by working with fintech providers, and turn a compliance burden into a differentiator.