1 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
1700 G Street NW, Washington, DC 20552
Executive Summary of the Small Business
Lending Rule
1
On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued the small business
lending rule (final rule), which implements the small business lending data collection
requirements set forth in section 1071 of the Dodd-Frank Act (Section 1071).
Background
Section 1071 amended the Equal Credit Opportunity Act (ECOA) to require financial institutions to
compile data regarding certain business credit applications and report that data to the CFPB.
Section 1071 specifies several data points that financial institutions are required to report and
provides authority for the CFPB to require financial institutions to report additional data points
that the CFPB determines would aid in fulfilling Section 1071’s purposes. These purposes are
facilitating enforcement of fair lending laws and enabling the identification of business and
community development needs and opportunities for women-owned, minority-owned, and small
businesses. Section 1071 also contains a number of other requirements regarding information
compiled pursuant to Section 1071, including a requirement that financial institutions restrict
This is a Compliance Aid issued by the Consumer Financial Protection Bureau. The CFPB published a Policy Statement
on Compliance Aids, available at http://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/policy-
statement-compliance-aids/, that explains the CFPB’s approach to Compliance Aids.
This executive summary was originally posted on March 30, 2023, and was edited on April 21, 2023, to expand the
section discussing which financial institutions begin collecting data and otherwise complying with the final rule on
January 1, 2026.
This document reflects the final rule as issued on March 30, 2023.
It does not include any legal developments occurring after this date.
2 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
certain persons’ access to certain information, requirements regarding maintaining certain
information, and requirements regarding the reporting and publication of data.
Section 1071 also directs the CFPB to prescribe such rules and issue such guidance as may be
necessary to carry out, enforce, and compile data pursuant to Section 1071. It permits the CFPB to
adopt exceptions and exemptions to Section 1071’s requirements as the CFPB deems necessary or
appropriate to carry out Section 1071’s purposes.
On September 1, 2021, the CFPB issued a notice of proposed rulemaking to implement Section
1071. The CFPB has finalized this proposed rulemaking and issued the final rule, which is
available at https://www.consumerfinance.gov/rules-policy/final-rules/small-business-lending-
under-the-equal-credit-opportunity-act-regulation-b/. The final rule requires covered financial
institutions to collect and report certain data about covered applications from small businesses
and allows for the creation of the first comprehensive public database that covers small business
lending practices.
Institutional Coverage
The final rule applies to “covered financial institutions.” A “covered financial institution” is any
partnership, company, corporation, association (incorporated or unincorporated), trust, estate,
cooperative organization, or other entity that engages in any financial activity,
1
and that originated
at least 100 covered originations in each of the two preceding calendar years. Thus, the final rule
applies to a variety of entities that engage in small business lending as long as they satisfy the
origination threshold. These entities include, but are not limited to, depository institutions (i.e.,
banks, savings associations, and credit unions), online lenders, platform lenders, community
development financial institutions, lenders involved in equipment and vehicle financing, farm
credit system lenders, commercial finance companies, merchant cash advance providers,
governmental lending entities, and nonprofit lenders.
Financial institutions will need to determine if they are covered financial institutions annually. A
financial institution that is not a covered financial institution may voluntarily collect data under
the final rule in certain circumstances, such as if it recently reported data as a covered financial
1
Motor vehicle dealers satisfying the definition in section 1029 of the Consumer Financial Protection Act of 2010, title
X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, 124 Stat. 1376, 2004 (2010)
(i.e., motor vehicle dealers) are excluded from coverage.
3 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
institution, is about to become a covered financial institution, or is not covered but commits to
report data it voluntarily collects.
Transactional Coverage
When determining whether it is a covered financial institution and what compliance date tier
applies to it, a financial institution must count covered originations, which are certain covered
credit transactions that it originated to small businesses. Similarly, a covered financial institution
must collect and report data about an application if the application is from a small business and is
for a covered credit transaction. Thus, it is important to know how the final rule defines the terms
“small business” and “covered credit transaction.”
Small Business
The final rule’s definition of “small business” incorporates, in part, the Small Business
Administration’s (SBA) definition of “small business concern.” Pursuant to the final rule, a “small
business” is a small business concern
2
that had $5 million
3
or less in gross annual revenue for its
preceding fiscal year. Thus, if a business had more than $5 million in gross annual revenue for its
preceding fiscal year, it is not a small business pursuant to the final rule. Additionally, non-profit
organizations and governmental entities are not small businesses pursuant to the final rule
because they do not satisfy the SBA’s definition of small business concern. Transactions made to
such businesses and entities are not covered originations pursuant to the final rule. Similarly,
covered financial institutions are not required to report data regarding applications from such
businesses and entities.
A financial institution is permitted to rely on an applicant’s representations regarding gross
annual revenue (which may or may not include affiliate revenue) for purposes of determining
small business status. However, if a financial institution verifies applicant-provided gross annual
revenue information or if an applicant provides updated gross annual revenue information, the
financial institution must use the verified or updated information to determine small business
status.
2
See 15 U.S.C. 632(a), as implemented in 13 CFR 121.101 through 121.107.
3
After January 1, 2025, the CFPB will adjust the gross annual revenue threshold for inflation every 5 years (as needed).
4 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
Covered Credit Transaction
Generally, a covered credit transaction is an extension of business credit under Regulation B.
Thus, covered credit transactions can include loans, lines of credit, credit cards, merchant cash
advances, and credit products used for agricultural purposes.
However, the following transactions are excluded from coverage (i.e., are not covered credit
transactions) under the final rule even if they satisfy Regulation B’s definition of business credit:
Trade credit, which is a financing arrangement wherein a business acquires goods or
services from another business without making immediate payment in full to the business
providing the goods or services;
HMDA-reportable transactions;
Insurance premium financing, which generally is a financing arrangement wherein a
business agrees to repay a financial institution the proceeds advanced to an insurer for
payment of the premium on the business’s insurance contract and wherein the business
assigns to the financial institution certain rights, obligations, and/or considerations in its
insurance contract to secure repayment of the advanced proceeds;
Public utilities credit as defined in Regulation B, 12 CFR 1002.3(a)(1);
Securities credit as defined in Regulation B, 12 CFR 1002.3(b)(1); and
Incidental credit as defined in Regulation B, 12 CFR 1002.3(c)(1), but without regard to
whether the credit is consumer credit, is extended by a creditor, or is extended to a
consumer.
Furthermore, factoring, leases, consumer-designated credit used for business or agricultural
purposes, purchases of a credit transaction, purchases of an interest in a pool of credit
transactions, and purchases of a partial interest in a credit transaction (such as through a loan
participation agreement) are not covered credit transactions.
Covered Originations
For purposes of determining institutional coverage (i.e., whether a financial institution is a
covered financial institution) and compliance date tier (discussed below), financial institutions
count covered originations. A covered origination is a covered credit transaction that the financial
5 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
institution originated to a small business. Refinancings
4
can be covered originations. However,
extensions, renewals, and other amendments of existing transactions are not considered covered
originations even if they increase the credit line or credit amount of the existing transaction.
Reportable Applications
Pursuant to the final rule, a covered financial institution is required to collect and report data and
satisfy other requirements for reportable applications. An application is reportable if it is a
covered application from a small business.
A covered application is an oral or written request for a covered credit transaction (i.e., an
extension of business credit that is not otherwise excluded from coverage under the final rule) that
is made in accordance with procedures used by the financial institution for the type of credit
requested.
While this definition of covered application is largely consistent with the existing Regulation B
definition of “application,” certain circumstances do not constitute covered applications under the
final rule, even if they are otherwise considered applications under existing Regulation B.
Specifically, the following do not constitute covered applications and are not reported pursuant to
the final rule:
Reevaluation requests, extension requests, or renewal requests on an existing business
credit account, unless the request seeks additional credit amounts or a line increase;
5
Inquiries and prequalification requests; and
Solicitations, firm offers of credit, and other evaluations (including evaluations for
additional credit amounts or line increases) that the financial institution initiates, unless
the financial institution invites the business to apply for the credit and the small business
does so.
A request from a small business for a refinancing is a reportable application, regardless of whether
the small business requests additional credit amounts or a line increase, if the request is for an
4
A refinancing occurs when an existing obligation is satisfied and replaced by a new obligation undertaken by the same
borrower.
5
The final rule treats amendments, renewals, and extensions that increase the credit line or credit amount of an existing
transaction differently when determining the number of covered originations (for purposes of determining
institutional coverage and compliance date tier) and when determining whether an application is reportable.
6 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
extension of business credit that is not otherwise excluded from coverage under the final rule and
is made in accordance with the procedures the covered financial institution uses for the type of
credit requested.
Requirements to Collect and Report Data
Pursuant to the final rule, a covered financial institution is required to collect and report certain
data regarding reportable applications (i.e., covered applications from small businesses).
First, the final rule requires a covered financial institution to report data points that the financial
institution generates. For all reportable applications, these data points include:
A unique identifier;
The application date;
The application method (i.e., the means by which the applicant submitted its application);
The application recipient (indicating whether the application was received directly, or
indirectly via an unaffiliated third party);
The action taken by the covered financial institution on the application; and
The action taken date.
For reportable applications that are denied, there is an additional data point for denial reasons.
For reportable applications that are approved but not accepted or that result in an origination,
there are additional data points for the amount approved or originated and for pricing
information. The pricing information includes, as applicable, information regarding the interest
rate, total origination charges, broker fees, initial annual charges, additional cost for merchant
cash advances or other sales-based financing, and prepayment penalties.
Second, the final rule requires a covered financial institution to report data points based on
information that could be collected from the applicant or an appropriate third-party source. These
data points include information specifically related to the credit being applied for and information
related to the applicant’s business. These data points are:
Credit type;
Credit purpose;
The amount applied for;
A census tract based on an address or location provided by the applicant;
Gross annual revenue for the applicant’s preceding fiscal year;
7 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
A three-digit North American Industry Classification System (NAICS) code for the
applicant;
The number of people working for the applicant;
The applicant’s time in business; and
The number of the applicant’s principal owners.
6
Third, the final rule requires a covered financial institution to report certain data points based
solely on the demographic information collected from an applicant. These data points are:
The applicant’s minority-owned business status, women-owned business status, and
LGBTQI+-owned business status; and
The applicant’s principal owners’ ethnicity, race, and sex.
A covered financial institution is required to ask an applicant to provide this demographic
information, and to report the demographic information solely based on the responses that the
applicant provides for purposes of the final rule. However, a covered financial institution cannot
require an applicant or other person to provide this demographic information. If the applicant
fails or declines to provide the demographic information necessary to report a data point, the
financial institution reports the failure or refusal to provide the information. Financial institutions
are not required or permitted to report these data points based on visual observation, surname, or
any other basis (including demographic information provided for other purposes).
The final rule requires a covered financial institution to inform an applicant that the financial
institution is not permitted to discriminate on the basis of an applicant’s responses about its
minority-owned, women-owned, or LGBTQI+-owned business status, on the basis of responses
about any principal owner’s ethnicity, race, or sex, or on the basis of whether the applicant
provides this information. Covered financial institutions also must inform an applicant that the
applicant is not required to answer the financial institution’s inquiry about the applicant’s
minority-owned, women-owned, and LGBTQI+-owned business statuses, or the inquiries about
the principal owners’ ethnicity, race, or sex.
The final rule includes a sample data collection form that covered financial institutions can use to
collect this demographic information from applicants and to provide these required notices. As
illustrated in this form, covered financial institutions, generally, must collect principal owners’
ethnicity and race using aggregate categories and disaggregated subcategories. Covered financial
6
A “principal owner” is an individual who directly owns 25 percent or more of the equity interests of a business. Thus,
an applicant will have no more than four principal owners and may not have any principal owners if no natural person
directly owns 25 percent or more of the equity interests of the business.
8 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
institutions must allow applicants autonomy to describe a principal owner’s sex through free-form
text or a verbal self-description.
7
Covered financial institutions cannot discourage applicants from responding to requests for
applicant-provided data
8
and must maintain procedures to collect applicant-provided data at a
time and in a manner that are reasonably designed to obtain a response. With regard to data
collected directly from an applicant, these procedures must, at a minimum, have provisions to
ensure that:
The initial request for applicant-provided data occurs prior to notifying an applicant of the
final action taken on an application;
The request for applicant-provided data is prominently displayed and presented;
Applicants are not discouraged from responding to such requests; and
Applicants can easily respond to such requests.
Additionally, covered financial institutions must maintain procedures to identify and respond to
signs of potential discouragement, including low response rates for applicant-provided data. The
final rule notes that low response rates may indicate discouragement or another failure by a
covered financial institution to maintain procedures to collect applicant-provided data at a time
and in a manner that are reasonably designed to obtain a response.
9
The final rule also addresses how a covered financial institution should report certain data if,
despite having such procedures in place, it is unable to obtain the data from an applicant.
7
When requesting information about a principal owner’s sex, a financial institution must use the term “sex/gender.”
8
The data that could be collected from the applicant (i.e., credit type, credit purpose, amount applied for, address or
location to determine census tract, gross annual revenue, NAICS code or information about the business to determine
the applicant’s NAICS code, number of workers, time in business, and number of principal owners) or must be
collected from the applicant (applicant’s business statuses and principal owners’ ethnicity, race, and sex) are referred
to as “applicant-provided data.”
9
In conjunction with the final rule, the CFPB is also issuing a policy statement regarding the final rule’s requirement
not to discourage applicants from providing responsive data.
9 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
Covered financial institutions are permitted to rely on information provided by an applicant or
appropriate third-party source, but a covered financial institution is required to report verified
information if it chooses to verify applicant-provided information.
10
The final rule permits the reuse of certain previously collected applicant-provided data in certain
circumstances. Generally, a covered financial institution is permitted, but not required, to reuse
certain previously collected applicant-provided data to satisfy the requirement to collect and
report certain data points if: (1) the data were collected within thirty-six months of the current
covered application (except that gross annual revenue must have been collected within the same
calendar year as the current covered application); and (2) the financial institution has no reason to
believe the data are inaccurate. A covered financial institution that decides to reuse previously
collected data to report the time in business data point must update the previously collected data
to reflect the passage of time since that data was collected. A covered financial institution may
only reuse previously collected demographic information—data regarding the applicant’s
minority-owned, women-owned, and LGBTQI+-owned business statuses or data regarding the
principal owners’ ethnicity, race, or sex—if the data were previously collected pursuant to the final
rule.
Requirements to Report Data to the CFPB and Provisions
Regarding Availability and Publication of Data
Generally, covered financial institutions must report data to the CFPB by June 1 of the year
following the calendar year in which the financial institution collected the data (e.g., data collected
for 2024 must be reported by June 1, 2025). Covered financial institutions submitting data to the
CFPB must provide certain identifying information about themselves as part of their submissions.
The CFPB has provided a Filing Instructions Guide, which contains additional information
regarding the submission of data. It is available at https://www.consumerfinance.gov/data-
research/small-business-lending/filing-instructions-guide/.
Subject to certain modifications or deletions that the CFPB determines would advance a privacy
interest, data that financial institutions submit to the CFPB will be made available to the public on
an annual basis. The CFPB will determine what, if any, modifications and deletions are
appropriate after it obtains a full year of data. The CFPB will announce the specific timing and
10
Covered financial institutions are not permitted to verify an applicant’s responses to the final rule’s required inquiries
regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses, or about the
principal owners’ ethnicity, race, or sex. These data points must be reported based solely on an applicant’s responses
to the covered financial institution’s inquiries.
10 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
method for issuing these determinations at a later date. Additionally, the CFPB anticipates that it
will release higher-level, aggregate data before releasing application-level data. Any publication of
aggregate data will be dependent on multiple factors, including privacy considerations, the volume
of data received, and trends in the data received.
The CFPB’s publication of data will satisfy covered financial institutions’ statutory obligation to
make data available to the public upon request. More specifically, the final rule provides that a
covered financial institution is required to make available to the public on its website, or otherwise
upon request, a statement that the covered financial institution’s small business lending
application register, as modified by the CFPB, is or will be available from the CFPB. The final rule
includes language that a covered financial institution could use for this statement.
Requirements to Limit Access to Certain Data
The final rule implements the statutory requirement to limit certain persons’ access to certain data
(i.e., the firewall). Accordingly, pursuant to the final rule, employees and officers of a covered
financial institution or its affiliate are prohibited from accessing an applicant’s responses to the
final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and
LGBTQI+-owned business statuses and regarding its principal owners’ ethnicity, race, and sex if
that employee or officer is involved in making any determination concerning the applicant’s
covered application. This prohibition does not apply to an employee or officer if the covered
financial institution determines that the employee or officer should have access to one or more
applicants’ responses to these inquiries, and the covered financial institution provides a notice to
the applicants whose responses will be accessed. Alternatively, a covered financial institution can
provide the notice to a broader group of applicants, up to and including all applicants.
In addition, the final rule prohibits a covered financial institution or third party from disclosing
this demographic information (i.e., minority-owned, women-owned, and LGBTQI+-owned
business statuses and ethnicity, race, and sex information collected pursuant to the final rule) to
other parties, except in limited circumstances.
Recordkeeping Requirements
The final rule has recordkeeping requirements, including a requirement to retain copies of small
business lending application registers and other evidence of compliance for at least three years. It
also includes a requirement to maintain an applicant’s responses to the final rule’s required
inquiries regarding an applicant’s minority-owned, women-owned, and LGBTQI+-owned business
11 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
statuses and regarding principal owners’ ethnicity, race, and sex separate from the rest of the
application and accompanying information.
Effective Date and Compliance Date Tiers
The final rule is effective 90 days after its publication in the Federal Register. However,
compliance with the final rule is not required at that time. In order to determine when it must
begin complying with the final rule, a financial institution must determine which compliance date
tier applies to it.
Generally, the compliance date tiers in the final rule differ depending on the number of covered
originations that a financial institution originated in 2022 and 2023. Additionally, in order to be
required to comply with the final rule in a given year, a financial institution must be a covered
financial institution (as discussed above) for that year. Taken together, these two provisions in the
final rule mean that:
A financial institution must begin collecting data and otherwise complying with the final
rule on October 1, 2024 if it originated at least 2,500 covered originations in both 2022 and
2023.
A financial institution must begin collecting data and otherwise complying with the final
rule on April 1, 2025 if it:
o Originated at least 500 covered originations in both 2022 and 2023;
o Did not originate 2,500 or more covered originations in both 2022 and 2023; and
o Originated at least 100 covered originations in 2024.
A financial institution must begin collecting data and otherwise complying with the final
rule on January 1, 2026 if it originated at least 100 covered originations in both 2024 and
2025 but did not originate at least 500 covered originations in both 2022 and 2023.
The info sheet, available at www.consumerfinance.gov/compliance/compliance-resources/small-
business-lending-resources/small-business-lending-collection-and-reporting-requirements,
discusses the compliance date tiers and provides additional information to help financial
institutions determine when they must begin complying with the final rule.
Transitional Provision for Determining Number of Covered
Originations
Some financial institutions may not be able to readily determine if transactions originated in 2022
or early 2023 are covered originations because they don’t know if a borrower is a small business as
12 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
defined in the final rule. Thus, the final rule includes a transitional provision that financial
institutions may use to determine the number of covered originations they originated in 2022 and
2023. A financial institution may rely on the transitional provision to determine the number of its
covered originations for 2022 and/or 2023 if it did not collect sufficient information to determine
if some or all borrowers were small businesses pursuant to the final rule or if such information is
not readily accessible. Such institutions may count covered originations for the last quarter of
calendar year 2023 (October 1 through December 31), and then annualize the number of its
covered originations based on this information. The financial institution could use this annualized
number to determine its covered originations for 2022, 2023, or both years.
Financial institutions are also permitted to assume that all covered credit transactions originated
during a calendar year were made to a small business for purposes of determining institutional
coverage and compliance date tier pursuant to the final rule.
For example, if a financial institution currently does not obtain an applicant’s gross annual
revenue or otherwise determine if an applicant had revenue of $5 million or less in its preceding
fiscal year, it is not likely to know how many covered originations it had in 2022 and 2023.
Pursuant to the final rule, the financial institution could obtain information about the borrower’s
small business status for the covered credit transactions it originated on or after October 1, 2023.
If the financial institution determines that it originated 90 covered credit transactions to small
businesses between October 1 and December 31, 2023, the financial institution could use 360 as its
annualized number of covered originations for 2023. The financial institution could also use this
number for its covered originations for 2022. The financial institution would not be required to
begin collecting data or otherwise complying with the final rule before January 1, 2026.
Alternatively, the financial institution could assume that all of the covered credit transactions that
it originated in 2022 and 2023 were made to a small business and, thus, are covered originations.
For example, if the same financial institution originated 370 covered credit transactions in 2022, it
is not required to begin collecting data or otherwise complying with the final rule before January 1,
2026.
Safe Harbors and Other Provisions
The final rule also includes provisions regarding enforcement, bona fide errors, and safe harbors.
It has safe harbors for certain incorrect entries of census tracts, NAICS codes, and application
dates. It also has a safe harbor regarding incorrect determinations of small business status,
covered credit transactions, and covered applications. For example, if a covered financial
institution initially determines that an applicant for a covered credit transaction is a small
13 EXECUTIVE SUMMARY OF THE SMALL BUSINESS LENDING RULE
business, but then later concludes the applicant is not a small business, the covered financial
institution would not be in violation of ECOA or the final rule if, at the time it collected the
demographic data required by the final rule, it had a reasonable basis for believing that the
application was from a small business. In this situation, the covered financial institution is not
required to report the application but is nonetheless required to comply with certain other
provisions of the final rule in order to avail itself of this safe harbor.
Additional Resources
The CFPB has released additional implementation resources. They are available at
www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-
resources/small-business-lending-collection-and-reporting-requirements.
