CFPB Proposes New Rule to Greatly Increase Reporting Requirements of All Banks

Executive Summary 

  • A full decade after Dodd-Frank, the Consumer Financial Protection Bureau (CFPB) has introduced a proposed rule that would meet its requirements under an amended Equal Credit Opportunity Act. 
  • The CFPB has proposed that lenders collect a wide range of demographic and financial data on all applications for credit made by small businesses so that the CFPB can better facilitate the enforcement of fair lending laws. 
  • These extensive reporting requirements will add millions of dollars to the compliance costs of a wide range of lenders, including the smallest community banks, in the hope that the CFPB would be able to use this data to better facilitate access to credit for small businesses—by hobbling the providers of that credit. 


Ten years after the implementation of the Dodd-Frank Act, the Consumer Financial Protection Bureau (CFPB) has introduced a proposed rule that would meet – and greatly exceed – the requirements of Sec. 1071 of the Act. In this section, Congress amended the Equal Credit Opportunity Act (ECOA) to require the CFPB to collect data on small business lending to “facilitate enforcement of fair lending laws.”  

In practice, the statute would require lenders to report to the CFPB on the demography of loan applicants and the amount and type of credit applied for. The statute also allows the CFPB to collect “any additional data that the [CFPB] determines would aid in fulfilling the purposes of this section.” Using this discretion, the CFPB under acting Director Dave Uejio has also proposed that lenders report on a wide range of other data points, from the sexual orientation and gender identity of applicants to all actions taken on the loan, reasons for denial of credit, and a detailed breakdown of pricing including broker fees. 

The public will have 90 days in which to comment on the proposed rule from publication in the Federal Register. 

The Stated Purpose of the Rule 

As drafted, the CFPB proposed rule would create “the first comprehensive database of small business credit applications in the United States,” a staggeringly lofty goal. The CFPB proposes that it would be able to use this database to better identify the credit needs of small businesses, including women-owned and minority-owned small businesses. The CFPB also hopes that this database will “help governments, community groups, financial institutions, and other stakeholders to identify opportunities and gaps in the market.” This raises more questions than it answers, most obviously one of access to this database of highly confidential personal consumer and private pricing data. It also presupposes a government opportunity to not merely identify but also capitalize market opportunities that verges on blind optimism. 

Covered Parties 

Dodd-Frank’s amendment to ECOA requires a lender to inquire whether an applicant is women-owned, minority-owned, or a small business. The CFPB proposed rule nonetheless would only apply to small businesses, with the CFPB reasoning that most women- and minority-owned businesses would fall within the scope of small business. Where the Dodd-Frank amendment had defined “small business” by reference to the Small Business Administration definitions, this is a surprisingly complex determination that the CFPB proposes instead to replace with the simple question as to whether the small business had $5 million or less in gross annual revenue for the preceding fiscal year. 

The CFPB has demonstrated considerably less common sense in proposing the scope of lenders the rule would cover. Where the CFPB under the previous administration had reportedly been considering the exemption of lenders with total asset sizes smaller than $100-$200 million, the new proposed rule would only exempt lenders making fewer than 25 covered transactions per financial year. A net this broad would capture every lender in the country, including the community banks that make 60 percent of all business loans across the country, many of which are themselves small businesses. Compliance with the proposed rule will add millions of hours and dollars in compliance costs for the smallest banks, serving the smallest communities most in need of credit. These additional requirements will shutter banks and discourage new lending startups, actively frustrating the purposes of the proposed rule. This would not simply apply to banks but to trusts, associations, co-operative organizations, or “any other entity that engages in any financial activity” (emphasis added) including online lenders, fintechs, community development financial institutions, and even lenders involved in equipment and vehicle financing. 

Covered Transactions 

The CFPB has proposed that covered transactions would include loans, lines of credit, business credit cards, and merchant cash advances. Covered transactions would not include consumer-designated credit, leases, factoring, trade credit, or public utilities, securities, or incidental credit. The CFPB is also seeking to clarify a range of circumstances that may or may not be reportable, including pre-qualifications, extensions and renewals, and potentially all abandoned or withdrawn applications. 

Data Requirements 

Dodd-Frank’s amendment to the ECOA requires that lenders disclose to the CFPB the following data points: 

(A) the number of the application and the date on which the application was received; 

(B) the type and purpose of the loan or other credit being applied for; 

(C) the amount of the credit or credit limit applied for, and the amount of the credit transaction or the credit limit approved for such applicant; 

(D) the type of action taken with respect to such application, and the date of such action; 

(E) the census tract in which is located the principal place of business of the women-owned, minority-owned, or small business loan applicant; 

(F) the gross annual revenue of the business in the last fiscal year of the women-owned, minority-owned, or small business loan applicant preceding the date of the application; 

(G) the race, sex, and ethnicity of the principal owners of the business; and 

(H) any additional data that the Bureau determines would aid in fulfilling the purposes of this section. 

In addition to these mandatory data points required by statute, the CFPB has proposed that lenders be required to report additional data points under section H, above. These include data as to the sexual orientation or gender orientation of the applicant, with the CFPB bafflingly suggesting that “If an applicant does not provide any ethnicity, race, or sex information for any principal owners, the Bureau is proposing that the financial institution must collect at least one principal owner’s race and ethnicity (but not sex) via visual observation or surname,” which seems a recipe for disaster. Additional financial data has also been requested, including reasons if any for denial of credit and number of workers, but more problematic is the CFPB’s proposal that businesses be required to provide a detailed breakdown of pricing data.  

Reporting Requirements 

The CFPB has proposed that reporting for the purposes of meeting the Dodd-Frank amended ECOA requirements would be performed by lenders annually, on June 1 of each calendar year, with a three-year retention of data requirement. Lenders would be prohibited from including personally identifiable information unless specifically required and the CFPB is also considering requiring lenders to enact a firewall so that the any business decision to provide or deny credit is not made based on this information acquired. Compliance with the final rule would not be required until 18 months after publication. 


As written, the CFPB rule would greatly increase the reporting requirements of lenders, a cost that will inevitably be passed to consumers. Worse, as drafted the rule would include practically every lender in the country, including small community banks, picking regulatory winners and losers by showing an odd preference for small credit applicants over small lenders. The additional burden would further add to the difficulties of lending startups and decrease competition in lending across the system. Worse still, it is not clear what real purpose these additional requirements would serve. Additional reporting requirements will neither magically create additional available capital at lenders (if anything, it will do the opposite), nor will it make unviable small businesses viable. All this at the cost of the millions of taxpayer dollars required for the CFPB to create and maintain this database of highly sensitive customer and pricing data on a creaking government IT infrastructure vulnerable to cyberattack. This is the worst example of bureaucracy at work – replacing what could simply be a survey of small business credit needs and working with lenders to incentivize small business lending as required with onerous reporting requirements that will actively work against this poorly defined goal a full decade after Congress made it so urgent an obligation.