Section 1071: the CFPB’s Game-Changing New Small Business Lending Rule for Banks - and Their Insurance Underwriters

#financialrisk  #CNAFinancial  #bankinginsurance  #bankingindustry #WSIA

Increased regulatory requirements heighten worries for financial institution insurance underwriters. As if we need another underwriting concern, with deposit beta, commercial real estate asset quality,  unrealized losses in securities portfolios, and the increasing likelihood of a recession already top of mind.   

I recently came across an interesting article on Moody’s Analytics.com discussing Section 1071, a massive and complicated new rule that focuses on small business lending. The Consumer Financial Protection Bureau (CFPB) finalized Section 1071 on March 30, 2023, as part of the 2010 Dodd-Frank Act. It will require banks and other lenders to collect, analyze, track, maintain, and report significantly more geographic, financial, and demographic information about their small business loans to the regulators. It will take effect for the largest lenders starting October 1, 2024. 

Please find the article linked here.

The CFPB, a federal consumer protection regulator, took over a decade to finalize this rule and received 2,500+ comments on its implementation. Section 1071 aims to enhance fairness, transparency, and community development in small business lending, particularly for women-owned or minority-owned small businesses, and ensure consistent lending enforcement by regulators. 

By collecting this additional data, the CFPB aims to uncover disparities or patterns of bias or discrimination in small business lending, similar to how laws like the Home Mortgage Disclosure Act (HMDA) address discrimination in residential mortgage originations. Additionally, other regulatory agencies, such as the Federal Trade Commission and state regulators, can access the information for monitoring and potential enforcement.

The rule applies to “covered financial institutions,” encompassing a wide range of businesses that originated at least 100 “covered credit transactions” in each of the two preceding calendar years. This includes depository institutions (banks, credit unions, etc.), online lenders, platform lenders, community development financial institutions, equipment and vehicles financing companies, farm credit system lenders, and even nonprofit lenders. 

Section 1071 applies exclusively to “small businesses” defined as entities with gross annual revenue of $5 million or less in the previous fiscal year. Entities with more than $5 million in gross annual revenue are not covered under this rule.

“Covered credit transactions” encompass business credits as defined in Regulation B of the Equal Credit Opportunity Act, such as small business loans, lines of credit, credit cards, merchant cash advances, and agricultural credit.

Financial institutions must collect and report three categories of data about their small business loan applications under Section 1071:

1)    Data generated by the financial institution itself, including the loan identifier, application date, application method, application recipient (directly or via a third party), the outcome of the application (granted or denied) along with the reason for denial, if applicable;

2)    Data collected from the applicant or a third-party source, such as the type of business, credit type, credit purpose, amount requested, census tract based on the provided address, gross annual revenue for the preceding year, three-digit NAICS code, number of employees at the applicant’s business, time in business, and number of the applicant’s principal owners (25% ownership or greater); and

3)    Demographic information requested and collected solely from the applicant, including the applicant’s status as a minority-owned, women-owned, or LGBTQI+-owned business, and the race, sex, and ethnicity of the applicant’s principal owners.

• It is important to note that while a financial institution must ask the loan applicant for this demographic information, it cannot require the applicant to provide it. If the applicant chooses not to provide this information, the financial institution should report that the applicant declined to provide it
• The rule also mandates the financial institution inform the applicant that discrimination based on their answers to the demographic questions is prohibited.  However, regulators will monitor low response rates to these questions, as it might indicate a financial institution is “discouraging” applicants from responding

Financial institutions are required to retain Section 1071 data for at least three years. While much of the data sent to the CFPB will be made public on the Bureau’s website, the CFPB can modify certain information to balance the privacy risks of the applicants and borrowers with the benefits of disclosure.   

To ensure compliance, the CFPB implemented a three-phase approach based on the number of loans originated by a financial institution in 2022 and 2023:

• The largest lenders, who originated at least 2,500 small business loans in both years, must start collecting data and complying with the rule starting on October 1, 2024
• Next, lenders who originated at least 500 loans in both years starting on April 1, 2025
• Finally, lenders that originated at least 100 loans in 2022 and 2023 will begin compliance on January 1, 2026

Many bankers worry that complying with this new regulation could significantly raise costs and compliance burdens when their balance sheets and staff are already strained. Compliance efforts include investing in technology, recruiting and training additional staff, implementing separate data collection processes, strengthening cybersecurity measures, and updating compliance playbooks. The Texas Bankers Association, the largest state-based banking trade group in the country, has filed a lawsuit to stop the implementation of Section 1071 alleging that it exceeds the CFPB’s authority and would excessively burden community banks (linked here).

Insurance underwriters for financial institutions should be concerned for a couple of key reasons:

• Redlining: Regulators prioritize census tract data collection in addressing redlining claims, which is a discriminatory lending practice historically targeting areas with larger Black populations. In October 2021, the Department of Justice announced its “Combating Redlining Initiative” (linked here), in collaboration with the CFPB and OCC, aiming to investigate and prosecute “modern-day redlining.” Since the announcement, the DOJ has announced six redlining cases, resulting in settlements totaling nearly $85M

o  Professional Liability insurance policies for banks typically exclude coverage for redlining claims, including both the Bankers’ Professional Liability and third-party EPL endorsements.

• Fines and penalties are usually not insurable, so they are not covered by insurance policies

o  However, if a regulatory agency investigation of a publicly traded bank into redlining allegations leads to a stock drop, it could potentially trigger a claim under Side C of the Directors and Officers Liability (D&O) policy

o  Alternatively, the regulatory investigation may trigger a derivative suit, where a shareholder brings a lawsuit against the directors and officers on behalf of the company, often alleging management breached its fiduciary duty. In many cases, derivative settlements are not indemnifiable, so there could be coverage under Side A of the D&O policy without applying a retention

• Data Security and Privacy: Section 1071 mandates that a loan applicant’s responses to demographic questions must be separated and protected from the rest of their loan information, inaccessible to other employees or officers. Complying with this requirement will significantly increase the financial institution’s cybersecurity strategies, enterprise risk management, and compliance programs

Section 1071 introduces significant new regulatory obligations for financial institutions, which have the potential to impact insurance policies. It is important for both banks and their insurance underwriters to understand and closely monitor this new rule, especially considering the limited 18-month preparation time before its October 1, 2024 start date. 

By actively staying up-to-date, banks and underwriters can effectively navigate the implications of Section 1071 and adapt accordingly.

If you are curious, some additional info can be found here:  

• The CFPB’s press release can be found here

o  The 888-page Final Rule can be found here

o  An 11-page Compliance Info Sheet can be found here

o  The 13-page Executive Summary can be found here

• The press release from the ICBA, a community banking trade association: 

o  ICBA to CFPB: Failure to Exempt Community Banks in Final 1071 Reporting Rule Raises Significant Privacy Concerns

• KPMG’s Regulatory Alert:

o  CFPB Small Business Lending Data (Section 1071): Final rule governing data collection and reporting

• Two blog posts by respected law firms in the financial institutions’ space:

o  CFPB Finalizes Small Business Lending Data Rule – by Goodwin on April 6th, 2023

o  CFPB Finalizes Small Business Lending Data Collection Rule – by Orrick on April 7th, 2023

• An informative three-part podcast series by Troutman Pepper, the large national law firm starting here:
• https://www.troutman.com/insights/cfpbs-section-1071-final-rule-part-1-a-general-overview.html