CFPB slims small-business borrower data collection rule

The Consumer Financial Protection Bureau on Thursday issued a final rule significantly narrowing the number of lenders forced to collect data on small-business borrowers.

The rule, set to take effect in January 2028, essentially spares small banks and credit unions – requiring only financial institutions that have originated 1,000 or more small-business loans in each of the past two years to comply.

A 2023 version of the rule had sought borrower data from lenders that originated 100 small-business loans in each of the past two years. With Thursday’s changes, just 280 lenders will be affected by the rule – down from roughly 2,500 lenders in 2023.

Thursday’s rule also reduced – from 81 to 13 – the number of data points that would be collected from borrowers, scrapping an earlier requirement that lenders identify small-business owners by race, ethnicity and LGBTQ+ status.

Further, Thursday’s version scales back the definition of a small business to encompass entities that report $1 million in gross annual revenue. That’s down from a $5 million revenue threshold in the 2023 rule.

Certain categories of lending – agricultural lending and merchant cash advances, most prominently – are excluded from the loan tally, under Thursday’s rule. Further, the rule does not include data on loan pricing or reasons a borrower was denied a loan.

In a rare statement, CFPB Acting Director Russ Vought estimated the narrowed rule would save $166 million annually in compliance costs, calling it “a long-awaited win for both borrowers and small businesses.”

“These reforms not only make borrowing more affordable for America’s small businesses, including our farmers, but minimize burdens on those needing quick access to credit without requiring them to answer unnecessary and invasive [diversity, equity and inclusion] questions introduced by the Biden-Harris-Chopra Administration,” Vought said in a statement reported by Breitbart News.

The nonprofit Americans for Financial Reform blasted the CFPB’s update, saying Thursday’s rule “will let unfair and discriminatory lending practices persist,” including “well-documented lending biases against Black, Latine, Indigenous and women farmers.”

But the small-business data-collection rule is nothing if not contentious. A Texas bank and the state’s banking trade group sued the CFPB less than a month after the 2023 rule was announced. The judge in that case paused the rule nationwide but ultimately rejected the lawsuit after the Supreme Court upheld the CFPB’s funding structure. Meanwhile, the CFPB repeatedly delayed the rule’s effective date.

Some Republican lawmakers argued the 2023 rule embodied regulatory overreach and set up potentially problematic violations of privacy.

Noting the 81 data points the rule sought to collect, Sen. John Kennedy, R-LA, said, “All of a sudden, they want a book.”

On the Senate floor in October 2023, Kennedy said the rule “totally perverts [the] intention … of the Dodd-Frank Act.”

“They’re going to publish it on their website: Are you gay? Are you lesbian? What race are you?” Kennedy said of the CFPB. “And snoops will be able to go on that website and identify small business people in their community.”

Perhaps some of the struggle behind the data-collection rule is that it’s codified by the framework that created the CFPB.

“The only reason the CFPB under this leadership didn't get rid of 1071 altogether is that it's required by the Dodd-Frank Act and the risks are too high that a court would have forced them to do it,” Elena Babinecz, a CFPB alum and partner at the law firm Baker Donelson, told American Banker. “Since they really couldn't rescind it completely, they revised it significantly given new priorities.”

One concern from proponents of the 2023 rule is that the Trump-era version may be too limited to flag fair lending issues or give insight into community lending to small businesses.

Even banking trade groups, which generally appeared supportive of the updated rule Thursday, suggested the CFPB’s 1,000-loan-per-year threshold was too high.

In a December comment letter, the Consumer Bankers Association and Bank Policy Institute suggested setting the threshold at 250 or 500 small-business loans per year because “excluding [smaller] lenders from reporting requirements would significantly reduce the availability of comprehensive data and could hinder effective fair lending enforcement and the identification of community development needs.”

In a statement Thursday, CBA CEO Lindsey Johnson said the updated rule “reflects meaningful progress,” while noting its 2023 predecessor “raised serious concerns about operational complexity.”

“Getting this right matters — because overly burdensome requirements risk limiting the very lending small businesses depend on,” Johnson said.

Rob Nichols, CEO of the American Bankers Association said Thursday’s rule “appropriately refocuses on core lenders, products and data points without imposing undue compliance costs that would make it harder for America’s banks to serve their customers and communities.”

A leading credit union trade group tied its support Thursday primarily to what it saw as the spirit of the law.

“Credit unions are aligned with the goals of Section 1071 to ensure small business lending is meeting community development needs and is accessible to all lenders, particularly those owned by women and minorities,” America’s Credit Unions CEO Scott Simpson said. “But as we often see, the original rulemaking was significantly burdensome … We appreciate the bureau reconsidering this rule, listening to credit unions, and providing meaningful relief.”