Creating a Highly Effective Credit Risk Review Function in 2023 and Beyond
by Kelly Jenkins Global economic growth slowed considerably last year as many central banks continued hiking interest rates to close out the year.
by Russell Rollow
On March 23, 2023, the Consumer Financial Protection Bureau (CFPB) issued its final rule for Section 1071 of the Dodd-Frank Act, amending the Equal Credit Opportunity Act (ECOA) to bolster enforcement of fair lending laws and expand data availability on small businesses owned by members of protected classes, including women- and minority-owned firms. The rule substantially expands data collection and reporting requirements for small business lending by covered financial institutions. With regulatory deadlines rapidly approaching, proactively developing a data governance and management plan is critical to ensuring timely compliance.
Banks, non-banks, and credit unions must determine for themselves if they satisfy the CFPB criteria as a “covered financial institution”, based on the number of covered small business loans they originated in 2022 and 2023. To do so, it is important to understand a few key definitions:
This evaluation will require financial institutions to look back into past lending to identify loans to small businesses that meet the CFPB definition, particularly as implementation timelines vary depending on the number of covered transactions. Even if your institution falls short of the threshold, it would be wise to assess the future state of your small business lending to determine whether beginning data collection is necessary.
The rule mandates that covered financial institutions collect and report data on all covered credit applications. Namely, it requires covered institutions to ask applicants for demographic information (see gold boxes in Figure 2), though applicants may decline to disclose this data. Covered institutions must report all required data points, specified in Figure 2, to the CFPB by June 1 of the year following the calendar year in which the institution collected the data (e.g., institutions must report 2024 data by June 1, 2025). Due to the diversification of small business products, origination systems, and processes, this will be a burdensome task that requires a cohesive and coordinated data collection effort.
Depending on the size of your institution’s small business lending portfolio, collecting and reporting this data may require a substantial data governance and management effort. The rule’s firewall provision augments this challenge, prohibiting any employee involved in the underwriting decision from accessing the applicant’s demographic information. Given that an underwriter is often the primary point of contact for an applicant, covered financial institutions must design a well-controlled process to ensure proper data collection and storage with strict access controls.
The rule establishes a tiered rollout of the requirement to begin data collection. While recent litigation may impact compliance timelines for some banks, the final rule establishes different start dates depending on the size of your small business lending portfolio, as described in Figure 3.
Regardless of the tier your institution falls into, the time to begin preparation is now. Your institution can take early steps to identify relevant stakeholders needed to organize data collection, assess the scope of impact based on product offerings, and evaluate the capacity of existing technology to accommodate compliance needs. It is critical that your institution thoroughly understands its current state, identifies gaps, and maps a path to a future state of compliance. Like Home Mortgage Disclosure Act (HMDA) data, the CFPB will make data reported by every covered financial institution publicly available on its website. Thus, collecting and reporting data that lacks quality and integrity could expose your institution to not only regulatory scrutiny but also reputational risk from negative public attention.
FI brings both the financial expertise and technological proficiency to help your institution navigate data governance and management challenges. We have spent decades working with private sector financial institutions and government agencies of all sizes, including the Small Business Administration (SBA), and have vast experience helping clients solve complex data management, architecture, and governance challenges related to small business loan data.
Here are some of the ways FI Consulting can help your financial institution ensure compliance with Section 1071:
Interested in learning more? Email us at email@example.com or call us at 571.255.6900.