Section 1071 requirements will bring major challenges and risks

Another indication of significant challenges ahead is the 888-page final rule’s frequent use of a version of the term “reasonably designed procedures” — 175 times.

By John Hintze

The final regulation requiring banks to collect and report small-business loan application data provided some minor relief compared to the proposed version, especially to the smallest banks. But lenders large and small will face significant operational hurdles followed by compliance risk requiring a perpetually defensive posture.

TOOLKIT — Check out an ABA Staff Analysis that examines deficiencies in the CFPB’s 1071 regulatory analysis and warns of some of the unintended consequences associated with this rulemaking. On Friday, Aug. 4 at 11 a.m., ABA will host an ABA Expert Webinar: The Latest on the Section 1071 Injunction and What It Means for Banks. To register for the webinar, log in to your account with a bank email address. New users will have the option to create a free account.
A vast array of small regional and community banks submitted comments criticizing the proposal for Section 1071 of the Dodd-Frank Act, finalized March 30, as overly cumbersome and overstretching their resources. In response, the Consumer Financial Protection Bureau’s final rule increases the compliance threshold to banks with at least 100 “covered credit transactions for small businesses” from the proposal’s 25, still covering 90 percent of the market. It also eliminated the requirement for banks to infer an applicant’s race, ethnicity or gender, even as compliance is tiered according to an institution’s small-business transaction volume.

According to the final rule, lenders with the most transaction volume must start collecting customer data on Oct. 1, 2024, and reporting it to the CFPB on June 1, 2025. Lenders with moderate and lower volume have respectively until April 1, 2025 and Jan. 1, 2026 to begin collecting data. A federal judge on Monday issued an order delaying compliance dates for members of the American Bankers Association and Texas Bankers Association. The order was issued as part of the ABA and TBA lawsuit challenging the Section 1071 final rule and will apply while the U.S. Supreme Court considers a separate constitutional challenge to the CFPB. After that ruling is issued sometime in the first half of 2024, the CFPB will recalculate new delayed compliance dates for institutions that were covered by the judge’s order.

Even for banks that have a longer compliance period, the new rule’s requirements are likely to be a slog for most banks, especially in terms of collecting the data, given the bespoke nature of small-business lending.

“We do not offer a ‘menu’ of loan products with standard set terms and pricing structures,” Alesia Harlan, COO at $600 million-asset, Iowa-based Citi State Bank, notes in a lengthy comment letter. “Product offerings vary greatly from borrower to borrow, loan request to loan request, and are based on an individual borrower’s needs, their income sources and cash flow,” and a number of other factors.

While Rob Nichols, ABA president and CEO, acknowledged the CFPB’s adoption of “a few of our recommendations for the proposed rule” he emphasized that “it remains unnecessarily far-reaching and will harm the relationship banking model [CFPB] Director Chopra often praises—the mode that community banks have relied on to meet the unique needs of small businesses in their communities.”

To start, lenders must determine whether customers fit the definition of a small business—generating $5 million or less in gross annual revenue—that triggers the data collection requirements.

“That’s a data point that banks and credit unions have not collected historically,” says Stephanie Lyon, VP of compliance at NContracts, a fintech firm that has long collected banks’ data to comply with the Home Mortgage Disclosure Act and the Community Reinvestment Act, assure its quality and send that data to the appropriate regulator. NContracts is now adding additional fields to accommodate Section 1071 requirements.

Lyon adds: “Or, if they collect it, it’s usually not in a central location that makes it easy to ascertain if a loan file will have to be compliant with Section 1071.”

Complicating matters, lenders may have several small-business lending divisions, such as Small Business Administration loans, equipment financing and credit cards, each with different application processes and systems. Those businesses lines will have to collect normalized data in a central repository, in order to report it annually to the CFPB.

In addition, customers may apply online for some products and by talking to a salesperson and filling out paper forms for other products.

“So a lender will have to make sure it has a consistent process across those channels, and that its front end is talking to the back end in the same language,” says Matthew White, associate at Greenberg Traurig.

White adds that HMDA requires lenders to maintain and submit to the government key information about their lending practices, similar to Section 1071, and so could provide the “boots on the ground” to implement the rule operationally and maintain compliance.

Still, there are significant differences between HMDA and Section 1071 that lenders must consider. David Skanderson, VP at Charles River Associates, notes that regarding HMDA, regulators have expressed concerns that certain lenders are insufficiently diligent collecting information about borrowers’ gender, race and ethnicity.

Unlike HMDA, Section 1071 does not obligate loan officers engaged in in-person applications to provide that information through visual observation. However, the rule lays out six steps lenders must perform “to ensure they are complying with the rule for collecting applicant-provided information and ensuring there is no discouragement to collect that information,” Skanderson says. “The rule is very prescriptive in that regard.”

Those steps include monitoring for low response rates; irregularities in a response that may indicate potential discouragement; providing adequate training to loan officers; and promptly investigating indications of potential discouragement.

Another indication of significant challenges ahead is the 888-page final rule’s frequent use of a version of the term “reasonably designed procedures”—175 times, Skanderson adds.

Lenders must have reasonably designed procedures overall to collect and report the data and, for the first time, for each of the data elements they must collect from the applicant. In some ways that’s helpful, Skanderson says, because the agency is explaining to lenders what they want, although how regulatory examiners will apply and interpret the term has yet to be seen.

The rule lays out four criteria for reasonably designed procedures, the first of which is timing of the initial data collection attempt, making it easy to provide the information. In addition, the request for information must be prominently displayed, and it cannot discourage an applicant from responding. And lastly, it must be easy for the applicant to respond, perhaps by clicking a box electronically.

The implicit risk in the CFPB’s detailed explanation is that it also provides a roadmap for examiners to pinpoint violations. HMDA does not provide such specifics, Skanderson says. But Section 1071 provides a long list of reasonably designed procedures and compliance monitoring steps that examiners could find to be deficient.

That risk creates a major operational challenge for banks. Systems must be designed and staff trained to incorporate those elements, from the start of the application process through processing the data and reporting it.

“There’s a whole lot of different aspects of an organization that may be involved, and it will have to train staff all along the way,” Skanderson says.

That training is critical not only to make sure the data is being collected correctly, Lyon says, but to minimize confusing Section 1071 requirements with other rules’ requirements. One of the biggest challenges with HDMA, she says, has been instilling in employees what they can and cannot do. And soon there will be similar but different requirements for Section 1071.

For example, HMDA requires a banker filling out an application with a prospective borrower who doesn’t want to provide gender, race and ethnicity information to infer that information based on visual information, surname and other clues.

“Under 1071, that’s absolutely, categorically prohibited,” Lyon says, emphasizing the need to train employees to recognize those differences.

The rule ultimately aims to facilitate enforcement of fair lending laws as well as provide insight more broadly into the availability of credit for various segments of the small-business world, although the data it requires will invariably leave out key factors impacting a bank’s lending decisions.

“We also worry that the data produced will put small businesses’ privacy at risk and could provide an incomplete and potentially misleading picture of small business lending to underserved groups,” Nichols adds.

NContracts is developing analytical tools to help banks identify where their data may indicate variances from fair lending requirements. Providing that fuller picture will be important, Lyon says, given that the CFPB intends to make banks’ data public. “So anyone out there, including the regulators, can analyze the data to determine if the bank is underperforming …”

She adds that the CFPB has not yet stated which data points it will make public or when, precisely, although the goal is to start after the first iteration of a full year’s worth of data.

“So banks will have to be on the defensive all of the time, and almost on the offensive to be prepared to explain a variance before anyone even brings it up,” Lyon says.

John Hintze is a frequent contributor to ABA Banking Journal.

LEARNINGABA Compliance Schools provide the full breadth of regulatory knowledge to adapt to an ever-changing compliance environment. For the Fall 2023 sessions, the Advanced School, Oct. 16 to 20, will be held in person. The Foundational School, Oct. 30 to Nov.15, will be virtual. Find out more about all ABA schools.