April 28, 2023  |  Articles

New Federal Rule Requires Entities Making More Than 100 Loans to Small Businesses to Collect and Report Data to the Federal Government

Silhouette Of The Man In The Office And Corporate Infographic

On March 30, 2023, the Consumer Financial Protection Bureau (“CFPB”) finalized the small business lending rule to increase transparency in small business lending and help enforce fair lending laws. The rule implements the small business lending data collection requirements set forth in Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.


The federal Equal Credit Opportunity Act (“ECOA”) prohibits discrimination in credit transactions on the basis of race, color, religion, national origin, sex, marital status, age, and other prohibited bases. ECOA applies not only to consumer residential loans, but also to commercial loans.

For many years, banks and other financial institutions have been required to report demographic and loan data for consumer residential loans to the federal government pursuant to the federal Home Mortgage Disclosure Act (“HMDA”), and its implementing Regulation C. The aggregated data is analyzed by regulators to determine whether patterns of housing finance discrimination exist in our communities.

Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act amended ECOA to also require small business lenders to collect and report certain business credit data to the CFPB. Section 1071 is viewed as the small business equivalent to HMDA, with the data to be used by regulators to determine whether patterns of discrimination exist in small business lending.

Who it Applies To

The small business lending rule applies to both traditional financial institutions and other entities making small business loans, including for-profit companies, trusts, non-profits, and other entities. Entities making more than 100 loans per year to small businesses, for two consecutive years, are considered covered entities, which triggers the obligation to report loan and applicant data to the CFPB.

A “Small business” is a business that is considered a “small business concern” under Small Business Administration (“SBA”) regulations, or alternatively, a business with up to $5 million in gross annual revenue in its preceding fiscal year.

What Data Will Be Reported

Collected information and data will include the loan amount, interest rate, loan fees, reasons for denial, borrower’s gross annual revenue, and demographic information, such as ethnicity, race, and sex of at least one principal owner. If the potential borrower does not self-report the demographic information, the lender reports failure or refusal to provide such information. Unlike HMDA, small business lenders are not required or permitted to report demographic data based on visual observation, surname, or any other basis.

Generally, covered lenders must report data to the CFPB annually by June 1 of the year following the calendar year in which it collected the data. Lenders will be required to retain evidence of compliance, including the data registers, for at least three years. In addition, the lender will be required to provide identifying information about itself as part of the submission process. The lender will be required to make this data available to the public on its website, or otherwise available on request.

What Disclosures are Required

Covered lenders must provide a non-discrimination notice to potential borrowers. Lenders must inform small business applicants that it is not permitted to discriminate on the basis of the applicant’s responses about its minority-owned, women-owned, and LGBTQI+-owned business status or the principal owners’ ethnicity, race, and sex.

Trade Credit, Incidental Credit, and Loans to Non-Profits Are Not Counted Toward the 100 Loan Threshold

Entities who extend “trade credit” or “incidental credit” to small businesses need not count such transactions in the 100-loan per year threshold. “Trade credit” means a financing arrangement where a business acquires goods or services from another without making immediate payment in full to the supplier/provider.

“Incidental credit” refers to extensions of credit that (i) are not made pursuant to the terms of a credit card account; (ii) are not subject to a finance charge; and (iii) are not payable by agreement in more than four installments. For example, if a service provider, such as a hospital, doctor, lawyer, or merchant, allows a client or customer to defer payment of a bill in four installments, this deferral of debt is considered incidental credit and excepted from compliance with the procedural requirements under the small business lending rule. The CFPB excluded incidental credit because these “lenders” might not have intended to extend credit, and might not have the means to manage the compliance burdens under the rule.

Loans to non-profit organizations are not covered because non-profit organizations are not considered small businesses for purposes of the rule.

Effective Date

The provisions of the small business lending rule are effective 90 days after publication in the Federal Register, and therefore go into effect on June 28, 2023. However, the timeline of compliance is set up in tiers, depending on the number of covered originations that the lender had in the previous year. Lenders that originate at least 2,500 small business loans annually must collect data starting October 1, 2024. Lenders that originate at least 500 loans annually must collect data starting April 1, 2025. Lenders that originate at least 100 loans annually must collect data starting January 1, 2026.

This article provides a brief summary of some of the notable provisions within 12 CFR Part 1002 (Regulation B). For more information, you may wish to review the CFPB compliance aids for the small business lending rule, the final rule published by the CFPB, and Regulation B and ECOA in its entirety.