Small business lending rule FAQs
The questions and answers below pertain to compliance with the small business lending rule.
This is a Compliance Aid issued by the Consumer Financial Protection Bureau. The CFPB published a Policy Statement on Compliance Aids, available here, that explains the CFPB's approach to Compliance Aids.
Topics
Institutional coverage
A financial institution is a covered financial institution for a calendar year if it satisfies the origination threshold in each of the two immediately preceding calendar years. 12 CFR 1002.105(b). See also comment 105(b)-6.
A “financial institution” is any entity that regularly engages in any financial activity. 12 CFR 1002.105(a). Thus, banks, savings associations, credit unions, online lenders, platform lenders, community development financial institutions, Farm Credit System lenders, lenders involved in equipment and vehicle financing, and commercial finance companies are all financial institutions. Non-profit organizations, governments or governmental subdivisions or agencies, partnerships, companies, corporations, associations, trusts, estates, cooperative organizations, and other entities can also be financial institutions if they engage in financial activity. Comment 105(a)-1. However, motor vehicle dealers that are persons defined by Section 1029 of the Dodd-Frank Act are excluded from coverage under the final rule. See comment 105(a)-2.
A financial institution satisfies the origination threshold if it originated 100 or more covered credit transactions to small businesses in each of the two immediately preceding calendar years, except that for this purpose a financial institution is not required to count transactions that extend, renew, modify, or otherwise amend an existing transaction. 12 CFR 1002.105(b); comment 105(b)-5.
For more information on the transactions that a financial institution counts when determining if it is a covered financial institution, see Sections 2.1.4, 2.2, and 2.3 of the small entity compliance guide and Institutional Coverage Question 3. For more information on covered financial institutions generally, see Section 2.1 of the small entity compliance guide .
Updated June 28, 2023
Yes, a financial institution that satisfies the origination threshold in each of the two immediately preceding calendar years is a covered financial institution, and a covered financial institution is required to comply with the small business lending rule on or after its applicable compliance date. 12 CFR § 1002.105. It does not matter if the covered financial institution has a branch or office in an MSA.
Updated June 28, 2023
When determining if it satisfies the origination threshold for a particular calendar year, a financial institution counts the covered credit transactions that it originated to a small business in each of the two immediately preceding calendar years. 12 CFR § 1002.105(b). However, a financial institution is not required to count covered credit transactions that extend, renew, or otherwise amend an existing transaction. Comment 105(b)-5. Additionally, if multiple financial institutions are involved in the origination of a covered credit transaction to a small business, a financial institution is only required to count that origination if it is the last financial institution with authority to set the material terms of the transaction. Comment 105(b)-3. For more information on who counts an origination if multiple financial institutions are involved, see Sections 2.1 and 7.3 of the small entity compliance guide and Institutional Coverage Question 11. For ease of reference, the transactions that a financial institution must count when determining if it satisfies the origination threshold are sometimes called “covered originations” in these materials.
A covered credit transaction is an extension of business credit (as that term is defined in 12 CFR § 1002.2(g)) that is not excluded pursuant to the small business lending rule. 12 CFR § 1002.104. See also 12 CFR § 1002.102(d). For this purpose, “business credit” includes credit used primarily for an agricultural purpose as well as credit primarily used for a business or commercial purpose. 12 CFR § 1002.2(g); 12 CFR § 1002.102(d). Thus, covered credit transactions include loans, lines of credit, credit cards, merchant cash advances, and other credit products used primarily for agricultural, business, or commercial purposes. Comment 104(a)-1. Other types of business credit not specifically described in the small business lending rule are covered credit transactions unless they are specifically excluded under the small business lending rule. 12 CFR § 1002.104. However, factoring, leases, and consumer-designated credit are not covered credit transactions because they do not satisfy the definition of business credit. Comments 104(b)-1 through -3. For more information on covered credit transactions, see Section 2.2 of the small entity compliance guide and the Covered Credit Transactions Questions.
The following are specifically excluded pursuant to the small business lending rule even if they otherwise satisfy the definition of business credit: trade credit, HMDA-reportable transactions, insurance premium financing, public utilities credit, securities credit, and incidental credit. 12 CFR § 1002.104(b). Additionally, purchases of covered credit transactions, purchases of an interest in a pool of covered credit transactions, and purchases of a partial interest in a covered credit transaction (such as through a loan participation agreement) are not themselves covered credit transactions. Thus, these transactions are not covered originations and are not counted when determining whether a financial institution exceeds the origination threshold. Comment 104(b)-4. For more information on these exclusions, see Section 2.2.2 of the small entity compliance guide and the Covered Credit Transactions Questions.
For purposes of the small business lending rule, a small business is a “small business concern” as defined in the Small Business Act, 15 USC § 632(a), except instead of applying the size standards found in the Small Business Administration’s regulations, a small business is one that had gross annual revenue of $5 million or less in its preceding fiscal year. 12 CFR § 1002.106(b). A small business must be a for-profit business, but it can take various forms. It can be a corporation, a partnership, a limited liability company, a joint venture (with no more than 49 percent participation by foreign businesses), a sole proprietorship, an association, a trust, or a cooperative. A small business does not include a non-profit organization or a governmental entity. 12 CFR §1002.106(a) (incorporating 13 CFR § 121.105). For more information on the definition of small business pursuant to the small business lending rule, see the Small Businesses Questions.
Updated June 28, 2023
No, a financial institution counts the covered credit transactions that it originated to a small business in each of the two immediately preceding calendar years. 12 CFR § 1002.105(b). A financial institution is not required to count the covered transactions that an affiliate originated.
As noted in the preamble to the small business lending rule, the CFPB did not add a requirement to aggregate originations at the parent or holding company level. See also 12 CFR § 1002.109(a)(2), which discusses a covered financial institution that is a subsidiary of another covered financial institution completing its own small business lending application register. However, if both the financial institution and one or more of its affiliates must make a credit decision in order to approve a single covered credit transaction to a small business and the financial institution has the last authority to set the material terms of the transaction, then it must count the transaction. 12 CFR § 1002.109(a)(3); Comments 105(b)-3 and 109(a)(3)-1.
Updated June 28, 2023
Yes, if the refinancing is a covered credit transaction and is originated to a small business, the financial institution must count the refinancing when determining its number of covered originations. Comment 104(a)-1. See also comment 103(b)-2. A refinancing occurs when an existing obligation is satisfied and replaced by a new obligation undertaken by the same borrower. Comment 103(b)-2. Thus, for the purpose of determining its number of covered originations, a covered financial institution counts a “refinancing” that satisfies and replaces an existing obligation undertaken by the same borrower provided that the refinancing is a covered credit transaction made to a small business. Whether an existing obligation is satisfied and replaced by a new credit obligation is determined by contract and applicable state law. See 88 Fed. Reg. 35150, 35216 (May 31, 2023).
For more information on covered credit transactions, see Section 2.2 of the small entity compliance guide and the Covered Credit Transactions Questions.
Updated September 14, 2023
No, a financial institution is not required to count extensions, renewals, or other amendments when counting the number of covered credit transactions that it originated to small businesses. Comment 105(b)-5. However, as noted in Institutional Coverage Question 5, it is required to count refinancings that are covered credit transactions originated to small businesses.
Note that, as discussed in Section 2.4.1 of the small entity compliance guide , a small business’s request for an additional credit amount or a line increase on an existing account could be a reportable application for a covered financial institution.
Updated June 28, 2023
Yes, if the transaction is credit primarily for an agricultural purpose that is extended to a small business and is not specifically excluded pursuant to the small business lending rule, the financial institution must count the transaction when determining its number of covered originations. 12 CFR §§ 1002.104 and 1002.105.
Some of the specific exclusions in the small business lending rule may apply to agricultural-purpose transactions. For example, the small business lending rule has an exclusion for trade credit (i.e., a financing arrangement wherein a small business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services) 12 CFR § 1002.104(b)(1). Thus, if a retailer permits a small farm to purchase seed, equipment, or another good or service from it and defer payment to a later time, it extends credit pursuant to Regulation B, but that extension of credit is trade credit and is not a covered credit transaction pursuant to the small business lending rule. However, an extension of agricultural purpose credit by a financial institution other than the supplier of the goods or services is not trade credit (i.e., trade credit does not include credit extended by a financial services company affiliated with the retailer). In addition, credit extended by a business providing goods or services is not trade credit if the business intends to sell or transfer its rights as a creditor to a third party, such as when a retailer extends credit to a small business to purchase goods and services and plans to sell the credit contract to a financial institution. See comment 104(b)(1)-1.
Although the small business lending rule has an exclusion for HMDA-reportable loans, transactions used primarily for agricultural purposes are not ‘covered loans’ under Regulation C. Thus, they cannot be excluded from the small business lending rule as HMDA-reportable loans, even if they are secured by a dwelling. See 12 CFR § 1003.3(c)(9).
For more information on the small business lending rule’s definition of small business, see Section 2.3 of the small entity compliance guide and the Small Businesses Questions. For more information on the exclusions from the definition of covered credit transaction, see Section 2.2.2 of the small entity compliance guide .
Updated September 14, 2023
No. HMDA-reportable loans are not covered credit transactions, and thus are not counted as covered originations. It does not matter if the financial institution is subject to HMDA or if the financial institution actually reports the loan pursuant to HMDA/Regulation C. 12 CFR § 1002.104(b)(2).
Updated June 28, 2023
Yes, if the temporary, bridge, or other short-term loan is credit used primarily for a business, commercial, or agricultural purpose, is extended to a small business, and is not specifically excluded pursuant to the small business lending rule, the financial institution must count the loan when determining its number of covered originations. The small business lending rule does not have a specific exclusion for temporary loans, bridge loans, or other short-term loans. 12 CFR §§ 1002.104 and 1002.105.
While HMDA-reportable loans are excluded under the small business lending rule, temporary and bridge loans are unlikely to be HMDA-reportable because transactions that are designed to be replaced by separate permanent financing extended to the same borrower at a later time do not constitute “covered loans” under Regulation C. Comment 1003.3(c)(3)-1. However, short term loans that are not intended to be replaced by other financing might be excluded from the small business lending rule as HMDA-reportable loans if they: (1) are extended for business or commercial purposes; (2) are secured by a dwelling; and (3) are for a home purchase, are for a home improvement, or are a refinancing of a home purchase or home improvement loan. See 12 CFR §§ 1003.2(e) and 1003.3(c). Some short-term transactions may qualify for other exclusions, such as the incidental credit exclusion or the trade credit exclusion. 12 CFR § 1002.104(b). Additionally, as noted in Institutional Coverage Question 6, a financial institution is not required to count extensions, renewals, or other amendments when determining its number of covered originations.
For more information on the exclusions pursuant to the small business lending rule, see Section 2.2.2 of the small entity compliance guide and the Covered Credit Transactions Questions. For more information on the small business lending rule’s definition of small business, see Section 2.3 of the small entity compliance guide and the Small Businesses Questions. For information on HMDA-reportable transactions, see the HMDA 2023 Transactional Coverage Chart .
Updated June 28, 2023
Yes, if the construction loan is credit used primarily for a business, commercial, or agricultural purpose, is extended to a small business, and is not specifically excluded pursuant to the small business lending rule, the financial institution must count the loan when determining its number of covered originations. The small business lending rule does not have a specific exclusion for construction loans. 12 CFR §§ 1002.104 and 1002.105.
While HMDA-reportable loans are excluded under the small business lending rule, some construction loans may not be HMDA-reportable because transactions that are designed to be replaced by separate permanent financing extended to the same borrower at a later time do not constitute “covered loans” under Regulation C. Comment 1003.3(c)(3)-1. However, construction loans that are not intended to be replaced by other financing might be excluded from the small business lending rule as HMDA-reportable loans if they: (1) are extended for business or commercial purposes; (2) are secured by a dwelling; and (3) are for a home purchase, are for a home improvement, or are a refinancing of a home purchase or home improvement loan. 12 CFR §§ 1003.2(e) and 1003.3(c). Additionally, as noted in Institutional Coverage Question 6, a financial institution is not required to count extensions, renewals, or other amendments when determining its number of covered originations.
For more information on the exclusions pursuant to the small business lending rule, see Section 2.2.2 of the small entity compliance guide and the Covered Credit Transactions Questions. For more information on the rule’s definition of small business, see Section 2.3 of the small entity compliance guide and the Small Businesses Questions. For information on HMDA-reportable transactions, see the HMDA 2023 Transactional Coverage Chart .
Updated June 28, 2023
If only one financial institution was needed to make a credit decision in order to originate a covered credit transaction, the financial institution that made the credit decision is required to count the resulting covered origination. However, if it was necessary for more than one financial institution to make a credit decision in order to originate a single covered credit transaction, only the last financial institution with authority to set the transaction’s material terms is required to count the resulting covered origination. The last financial institution with authority to set the material terms counts the covered origination even if it does not exercise its authority. Comments 105(b)-3 and 109(a)(3)-1 through 3.
For example, assume that a small business submits an application for a covered credit transaction to one financial institution, which approves the application and forwards it to a second financial institution. This second financial institution also approves the application but modifies the credit terms (e.g., the interest rate and repayment term). The first financial institution does not have any additional authority to set the material terms, and the resulting covered credit transaction reflects the modified terms. The second financial institution is the last financial institution with the authority for setting the material terms of the covered credit transaction and must count the covered origination. If, under the same facts, the second financial institution approved the application but did not exercise its authority to modify the credit terms, it would still be responsible for counting the resulting covered origination. This is because the second financial institution still would be the last financial institution with the authority for setting the material terms, even if chose not to so do in this particular instance.
Updated June 28, 2023
No, unless the financial institution is the last financial institution with authority to set the material terms of the credit card account. Comment 105(b)-3. For example, assume a financial institution receives a business-purpose credit card application from a small business and forwards it to an issuer that must approve the application before an account will be opened. If the financial institution does not have any authority to set any of the material terms after the issuer approves the application, the financial institution is not required to count the resulting origination of the credit card account.
Updated June 28, 2023
Yes, a covered credit transaction that is extended to multiple borrowers is a covered origination as long as at least one of the borrowers is a small business, and the transaction is not an extension, renewal, or other amendment of an existing transaction. Comment 106(b)(1)-4.
A financial institution may aggregate gross annual revenue for co-applicants (or borrowers) that are affiliates, as noted in Small Businesses Question 1. If the combined gross annual revenue of two or more affiliated co-applicants (or borrowers) exceeds $5 million for their preceding fiscal year, they are not small businesses. However, a financial institution cannot aggregate unaffiliated co-applicants’ (or borrowers’) gross annual revenue. Comment 106(b)(1)-4.
For this purpose, one business is an “affiliate” of another when one controls or has the power to control the other, or a third party controls or has the power to control both. It does not matter whether control is exercised, so long as the power to control exists. See 13 CFR § 121.103. Additionally, a business is not considered a separate business concern if a substantial portion of its assets and/or liabilities are the same as those of a predecessor entity. 13 CFR § 121.105(c).
Updated June 28, 2023
Covered credit transactions
A covered credit transaction is an extension of business credit (as that term is defined in 12 CFR § 1002.2(g)) that is not excluded pursuant to the small business lending rule. 12 CFR §§ 1002.102(d) and 1002.104.
For this purpose, “business credit” includes credit used primarily for an agricultural purpose as well as credit primarily used for a business or commercial purpose. Thus, covered credit transactions include loans, lines of credit, credit cards, merchant cash advances, and other credit products used primarily for agricultural, business, or commercial purposes. See Comment 104(a)-1. However, factoring, leases, and consumer-designated credit are not covered credit transactions because they do not satisfy the definition of business credit. Comments 104(b)-1 through -3.
The small business lending rule specifically excludes the following extensions of business credit from the definition of covered credit transaction: trade credit, HMDA-reportable transactions, insurance premium financing, public utilities credit, securities credit, and incidental credit. 12 CFR § 1002.104(b).
Additionally, purchases of covered credit transactions, purchases of an interest in a pool of covered credit transactions, and purchases of a partial interest in a covered credit transaction (such as through a loan participation agreement) are not themselves covered credit transactions. Comment 104(a)-4.
For additional information on covered credit transactions, see Section 2.2 of the small entity compliance guide .
Updated June 28, 2023
Yes. An extension of consumer-designated credit is not a covered credit transaction, even if its proceeds are used for business or agricultural purposes. A transaction qualifies as consumer-designated credit if the financial institution offers or extends the credit primarily for personal, family, or household purposes. For example, an open-end credit account used for both personal and business/agricultural purposes is not business credit under the small business lending rule unless the financial institution designated or intended for the primary purpose of the account to be business/agricultural-related. Comment 104(b)-3. If the financial institution extends the credit primarily for a business or agricultural purpose, then it is not consumer-designated credit.
Financial institutions should note that various consumer laws, including consumer disclosure laws and regulations, may apply to consumer-designated credit transactions.
Updated September 14, 2023
As explained in the preamble to the small business lending rule, merchant cash advances are a form of financing for businesses that purport to be structured as a sale of potential future income. They are an extension of business credit that is not excluded from coverage pursuant to the small business lending rule. Comment 104(a)-1.
Merchant cash advances, which are typically offered by lenders that are not depository institutions, may vary in form and substance. However, under a typical merchant cash advance, a merchant receives a cash advance and promises to repay it plus some additional amount or multiple of the amount advanced (e.g., 1.2 or 1.5, the “payback” or “factor” “rate”). The merchant promises to repay by either pledging a percentage of its future revenue, such as its daily credit and debit card receipts (the “holdback percentage”), or agreeing to pay a fixed daily withdrawal amount to the merchant cash advance provider until the agreed upon payment amount is satisfied. Merchant cash advance contracts often provide for repayment directly through the merchant’s card processor and/or via Automated Clearing House withdrawals from the merchant’s bank account. Merchant cash advances constitute the primary product under an umbrella term often referred to as “sales-based financing;” generally, transactions wherein a financial institution extends funds to a business and repayment is based on the business’s anticipated sales, revenue, or invoices. See 88 Fed. Reg. 35150, 35220 (May 31, 2023).
Updated September 14, 2023
No, letters of credit, as described in the preamble to the small business lending rule, are not covered credit transactions because they are not credit. 88 Fed. Reg. 35150, 35245-46 (May 31, 2023).
Generally, a letter of credit is an instrument issued by a bank that promises, upon the presentation of certain documents and/or satisfaction of certain conditions, to direct payment to a beneficiary of the instrument. Letters of credit are often presented by buyers of goods who seek to postpone payment until their goods have been received. Some letters of credit are secured by a promissory note and are converted if the customer fails to pay. The issuance of such letters of credit are not extensions of credit.
As noted in comments 104(b)-1 and -2, the name used by a financial institution for a product is not determinative of whether it is a covered credit transaction. Accordingly, if a financial institution develops a product that it calls a “letter of credit” that includes an extension of credit (i.e., permits an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor), that product might be a covered credit transaction. Additionally, if a financial institution extends credit when the letter is presented for payment or an option is exercised pursuant to the letter of credit, that extension of credit may also be a covered credit transaction.
Updated September 14, 2023
Generally, yes. While the purchase of a partial interest in a credit transaction, such as through a loan participation agreement, is not a covered credit transaction (see comment 104(b)-4), the underlying loan itself is a covered credit transaction as long as it is an extension of business credit to a small business and is not excluded pursuant to the small business lending rule. Thus, if the lead lender is the only financial institution needed to make a credit decision in order to originate the loan or if the lead lender is the last financial institution with authority to set the material terms of the loan, the lead lender counts the loan (assuming it is made to a small business, is primarily for a business, commercial, or agricultural purpose, and is not excluded) as a covered origination and is responsible for reporting the application (assuming the lender is a covered financial institution).
Updated September 14, 2023
No, an extension of business credit by a financial institution other than the supplier of the goods or services being financed is not trade credit for purposes of the small business lending rule. Comment 104(b)(1)-1.
Trade credit, which is excluded from the definition of a covered credit transaction, is a financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services. 12 CFR 1002.104(b)(1). Trade credit may involve a supplier that finances the sale of equipment, supplies, or inventory. However, an extension of business credit by a financial institution other than the supplier for the financing of such items is not trade credit. Also, credit extended by a business providing goods or services to another business is not trade credit for the purposes of the small business lending rule where the supplying business intends to sell or transfer its rights as a creditor to a third party. Comment 104(b)(1)-1.
For example, if a retailer sells goods, such as seeds, to a small business and allows the small business to defer payment, the transaction is trade credit that is excluded from coverage under the small business lending rule. However, if a retailer sells seeds to a small business and the small business pays for them using the proceeds of a loan from a bank, credit union, or financing company, the transaction is not trade credit. This is true even if the financing company is affiliated with the retailer.
Updated September 14, 2023
Small businesses
The term “business” has the same meaning as “business concern or concern” in 13 CFR § 121.105 of the Small Business Administration’s (SBA) regulations, and the term “small business” has the same meaning as the term “small business concern” in the Small Business Act, 15 USC § 632(a), as implemented in 13 CFR §§ 121.101 through 121.107 of the SBA’s regulations. 12 CFR § 1002.106. Thus, a small business generally is a business organized for profit, with a place of business located in the United States, and which operates primarily within the United States or which makes a significant contribution to the U.S. economy through payment of taxes or use of American products, materials, or labor. 13 CFR § 121.105(a). A small business can take a variety of legal forms, and can be an individual proprietorship, partnership, limited liability company, corporation, joint venture (with no more than 49 percent participation by foreign businesses), association, trust or cooperative. 13 CFR § 121.105(b).
Notwithstanding the size standards set forth in the SBA’s regulations, a business is a small business for purposes of the small business lending rule if its gross annual revenue for its preceding fiscal year was $5 million or less. 12 CFR § 1002.106(b). A financial institution is permitted to rely on an applicant’s representations regarding gross annual revenue (which may or may not include any affiliate’s revenue) for purposes of determining small business status. However, if the applicant provides updated gross annual revenue information during the application process or the covered financial institution verifies the gross annual revenue information during the application process, the financial institution must use the updated or verified information in determining small business status. Comment 106(b)(1)-3.
While a financial institution may aggregate gross annual revenue for affiliated applicants, it cannot aggregate unaffiliated co-applicants’ gross annual revenue for purposes of determining small business status. Comment 106(b)(1)-3. For this purpose, one business is an “affiliate” of another when one controls or has the power to control the other, or a third party controls or has the power to control both. It does not matter whether control is exercised, so long as the power to control exists. See 13 CFR § 121.103.
Every five years after January 1, 2025, the CFPB shall adjust the gross annual revenue threshold, as necessary, based on changes to the Consumer Price Index for All Urban Consumers, as published by the United States Bureau of Labor Statistics. Any adjustment shall be rounded to the nearest multiple of $500,000 and take effect on the following January 1. 12 CFR § 1002.106(b)(2); Comment 106(b)(2)-1.
Updated June 28, 2023
Yes, an individual or sole proprietorship can be a small business pursuant to the small business lending rule. This is true regardless of whether the individual has formed an entity under applicable law to operate the business, whether the individual is doing business in the individual’s own name, or whether the individual is doing business using a trade name or other name (such as a DBA). See 13 CFR § 121.105(b).
Updated June 28, 2023
No, a financial institution does not include an individual’s personal income when calculating a sole proprietorship’s gross annual revenue because it is not revenue earned by the for-profit business applying for a covered credit transaction. Gross annual revenue is the amount of money earned by the business itself, before subtracting taxes and other expenses. See Comment 107(a)(14)-1. For example, assume an individual earns a salary working as an employee of Company A and also owns Company B, a business that purchases and operates commercial rental properties. If Company B applies for or obtains a covered credit transaction, the financial institution does not consider the individual’s salary from Company A when determining if Company B is a small business.
Updated September 14, 2023
Generally, yes. If a new or recently started business did not operate in the preceding fiscal year (and thus did not have gross annual revenue for its preceding fiscal year) and does not have affiliates with gross annual revenue exceeding $5 million in their preceding fiscal year, the new or recently started business is a small business. Comment 107(a)(14)-4. However, as set forth in the SBA’s regulations, a business is not treated as a separate business concern if a substantial portion of its assets and/or liabilities are the same as those of a predecessor entity. In such a case, the annual receipts of the predecessor business can be taken into account in determining gross annual revenue and may result in a determination that a new or recently started business is not a small business. See 13 CFR § 121.105(c).
When determining whether a business is a small business, a financial institution may rely on an applicant’s representations regarding gross annual revenue. A financial institution is permitted, but not required, to aggregate an applicant’s gross annual revenue with its affiliates’ gross annual revenue. Thus, if a new business states that its and its affiliates’ combined gross annual revenue exceeds $5 million and the financial institution does not verify gross annual revenue, the business is not a small business. However, if the financial institution obtains updated gross annual revenue information or verifies gross annual revenue, it must determine if the business is a small business based on the updated or verified information. Comment 106(b)(1)-3. See also comments 107(a)(14)-1 and -3.
Updated June 28, 2023
Maybe. It depends on whether the entity’s gross annual revenue, which may or may not include affiliates’ gross annual revenue, exceeds $5 million. Comment 107(a)(14)-3.
When determining whether a business is a small business, a financial institution may rely on an applicant’s representations regarding gross annual revenue, which may or may not include affiliates’ revenue. Thus, if an applicant states that its and its affiliates’ combined gross annual revenue exceeds $5 million and the financial institution does not verify gross annual revenue, the business is not a small business. However, if the financial institution updates or verifies gross annual revenue (which may include its affiliates’ gross annual revenue), it must determine if the business is a small business based on the updated or verified information. Comment 106(b)(1)-3. See also comments 107(a)(14)-1 and -3.
Updated June 28, 2023
No, the definition of applicant does not include other persons who are or may become contractually liable regarding an extension of business credit such as guarantors, sureties, endorsers, and similar parties. Thus, a financial institution does not consider such persons’ revenue in determining whether an applicant or borrower is a small business. 12 CFR 1002.102(b). See also 88 Fed. Reg. 35150, 35196 (May 31, 2023).
Updated September 14, 2023
Firewall
“Firewall” is a term sometimes used to describe a provision in the small business lending rule that prohibits certain employees and officers of covered financial institutions (and certain of their affiliates’ employees and officers) from accessing demographic information obtained from small business applicants pursuant to the rule. Notwithstanding this general prohibition, if a covered financial institution determines that an employee or officer that is otherwise subject to the firewall should have access to such information, that employee or officer may have access to the information if the covered financial institution provides a required notice to, at least, the small business applicants whose demographic information will be accessed. 12 CFR 1002.108.
Section 5.1 of the small entity compliance guide discusses the scope of the firewall’s prohibition on certain employees and officers accessing certain demographic information. Section 5.2 of the small entity compliance guide discusses the exception to the firewall’s prohibition and how a financial institution may determine that an employee or officer should have access to the demographic information protected by the firewall. Section 5.3 of the small entity compliance guide discusses the notice that a covered financial institution must provide if it wants to rely on the exception.
Updated September 14, 2023
If a covered financial institution determines that an employee or officer who is involved in making a determination concerning a covered application “should have access” to the demographic information collected pursuant to the small business lending rule, it means that it is not feasible to maintain a firewall as to that particular employee or officer. 12 CFR 1002.108(b), (c). The covered financial institution is not required to perform a separate analysis of the feasibility of establishing or maintaining a firewall. It is only required to determine whether the employees and officers who are involved in making determinations concerning covered applications should have access to protected demographic information. Comment 108(c)-1.
However, a determination that one employee or officer (or one group of employees or officers) should have access to demographic information protected by the firewall does not mean that is not feasible to maintain a firewall for other employees and officers who are involved in making determinations concerning covered applications. Comment 108(c)-1.
See Firewall Question 3 for a discussion of how a covered financial institution satisfies the exception to the firewall prohibition. For more information on the firewall generally, see Section 5 of the small entity compliance guide .
Updated September 14, 2023
The small business lending rule’s firewall provision contains both a prohibition and an exception. Generally, a covered financial institution must prohibit an employee or officer who is involved in making a determination concerning a covered application from accessing the demographic information that the applicant provides pursuant to the small business lending rule. However, a covered financial institution may comply with the rule by satisfying the exception in the firewall provision. 12 CFR 1002.108.
If a covered financial institution wants to rely on the exception, it should first determine which employees and officers (or which groups of employees and officers) are involved in making determinations concerning covered applications. If an employee or officer is involved in making a determination concerning a covered application, then the covered financial institution must either establish and maintain a firewall to prohibit that employee or officer from accessing the demographic information that is protected by the firewall or must satisfy the exception with regard to that employee or officer. If an employee or officer is not involved in making determinations concerning covered applications, the firewall prohibition does not apply to that employee or officer regardless of whether the covered financial institution satisfies the exception.
Next, the covered financial institution determines which, if any, employees and officers (or which groups of employees and officers) who are involved in making determinations concerning covered applications “should have access” to the demographic information that is protected by the firewall (i.e., the demographic information collected pursuant to the small business lending rule). 12 CFR 1002.108(c). A covered financial institution may determine that an employee or officer “should have access” if that employee or officer may need to collect, see, consider, refer to, or otherwise use protected demographic information to perform the employee’s or officer’s assigned job duties. 12 CFR 1002.108(a)(2); comment 108(a)-2.i. A covered financial institution may make this determination on an individual-by-individual basis, or it may determine that a group of employees or officers with the same job description or assigned duties should have access for purposes of the exception. If a covered financial institution assigns one or more tasks that may require access to protected demographic information to everyone with a particular job title, the covered financial institution may determine that everyone who has that job title should have access. For example, if a job description, a policy, a procedure, or another document states that all employees and officers who are loan officers may have to collect or explain any part of a form collecting demographic information required under the small business lending rule, the covered financial institution may determine that all employees and officers who have been assigned the position of loan officer should have access to protected demographic information. Comment 108(a)-2.ii.
Finally, if a covered financial institution determines that any employees or officers (or any groups of employees or officers) who are involved in making determinations concerning covered applications should have access to the demographic information that is protected by the firewall, the covered financial institution must provide a required notice. At a minimum, a covered financial institution must provide the required notice to the applicants whose protected demographic information will be accessed by the employees and officers that it has determined should have access (as discussed above). 12 CFR 1002.108(d). Alternatively, the covered financial institution may provide the required notice to a larger group of applicants. For example, a covered financial institution could provide the notice to all small business applicants for covered credit transactions or all small business applicants that are applying for a specific type of product or that are applying at a particular location. 12 CFR 1002.108(d); comment 108(d)-1. This notice must inform an applicant that one or more employees and officers involved in making determinations concerning the applicant’s covered application may have access to the applicant’s responses regarding its minority-owned business status, women-owned business status, LGBTQI+-owned business status, and its principal owners’ ethnicity, race, and sex. Comment 108(d)-2. A covered financial institution may, but is not required to, use the sample language in the sample data collection form for this notice.
If a covered financial institution completes these steps (including providing the required notice), it may permit the employees and officers that it has determined are assigned one or more job duties that may require the employee or officer to collect, see, consider, refer to, or otherwise use the demographic information subject to the firewall prohibition to have access to that information. However, it may not permit other employees and officers who are involved in making determinations regarding covered applications to access demographic information that is protected by the firewall, unless it also determines that those employees and officers should have access to protected demographic information. In other words, if the covered financial institution provides the notice required by the rule, it is not required to maintain a firewall with regard to the employees and officers that it determines “should have access,” but is required to maintain a firewall as to any other employees and officers who are involved in making determinations concerning covered applications. Comment 108(c)-1.
For example, assume that a covered financial institution’s chief executive officer, commercial loan officers, compliance officers, and underwriters make determinations concerning covered applications. The commercial loan officers and compliance officers have been assigned one or more job duties that may require them to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall, but the chief executive officer and underwriters have not been assigned such duties (i.e., the financial institution determines that the commercial loan officers and compliance officers should have access, but does not determine that the chief executive officer and underwriters should have access). Based on these facts, if the covered financial institution provides the required notice, it may permit the commercial loan officers and compliance officers to access the demographic information protected by the firewall, but it cannot permit the chief executive officer or underwriters to access such information.
For more information on which employees and officers are subject to the firewall and more information on the demographic information that is protected by the firewall, see Section 5.1 of the small entity compliance guide . For more information on how to determine if an employee or officer should have access to the demographic information that is protected by the firewall, see Section 5.2 of the small entity compliance guide . For more information about the notice that a covered financial institution must provide to satisfy the exception to the firewall prohibition, see Section 5.3 of the small entity compliance guide .
Updated September 14, 2023
No, a covered financial institution is not required to change its systems or processes for the sole purpose of determining which employees and officers should have access (i.e., whether the exception in the firewall provision applies). Comment 108(a)-2.iii.
A covered financial institution is permitted to choose what lawful factors it will consider when determining whether an employee or officer should have access to an applicant’s demographic information collected pursuant to the small business lending rule. A covered financial institution’s determination that an employee or officer should have access may take into account relevant operational factors and lawful business practices. For example, a covered financial institution may consider its size, the number of employees and officers within the relevant line of business or at a particular branch or office location, and/or the number of covered applications the covered financial institution has received or expects to receive. Additionally, a covered financial institution may consider its current or its reasonably anticipated staffing levels, operations, systems, processes, policies, and procedures. A covered financial institution is not required to hire additional staff, upgrade its systems, change its lending or operational processes, or revise its policies or procedures for the sole purpose of limiting who should have access. Comment 108(a)-2.iii.
Updated September 14, 2023
Yes, a covered financial institution can determine that employees or officers in some business units should have access to protected demographic information, even if it maintains a firewall for employees or officers in other business units. If the covered financial institution provides the required notice to the appropriate small business applicants, it may rely on the exception for the employees and officers it has determined should have access.
Although the small business lending rule permits a covered financial institution to make determinations that members of a group of similarly situated employees or officers should have access, it also permits a covered financial institution to make this determination of who should have access on an individual-by-individual basis. Comment 108(c)-2. Additionally, any determination that a group of employees or officers should have access must be based on the employees or officers in that group having been assigned a task that may require the employees or officers to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall. If employees or officers share a job title, but have not all been assigned such a task, they are not a group of similarly situated employees for purposes of the firewall provision. For example, if five employees have the same job title and all five of them are involved in making determinations concerning covered applications, but only three of them have been assigned a task that may require them to collect, see, consider, refer to, or otherwise use demographic information protected by the firewall, the covered financial institution is not permitted to determine that the other two employees should have access to the demographic information protected by the firewall. Comment 108(a)-2.ii.
Updated September 14, 2023
No, unless the covered financial institution determines that the employee or officer should have access to the applicant’s protected demographic information (i.e., the demographic information collected pursuant to the small business lending rule) and provides the required notice to the applicant. 12 CFR 1002.108. The small business lending rule does not limit the time that the firewall prohibition applies. Thus, a covered financial institution cannot permit an employee or officer who was involved in making a determination concerning an applicant’s covered application to access that applicant’s protected demographic information after final action is taken, unless the covered financial institution determines that the employee or officer should have access and provides the required notice before permitting the employee or officer to access protected demographic information.
Updated September 14, 2023
The firewall provision does not include any specific documentation requirements. See 12 CFR 1002.108. In general, however, a covered financial institution must retain evidence of compliance with the small business lending rule for at least three years after its small business lending application register is required to be submitted to the CFPB. 12 CFR 1002.111(a). Evidence of compliance with the firewall provision may include, but would not be limited to, documents, such as job descriptions or procedures, that support the financial institution’s determinations of who should have access.
Updated September 14, 2023
Record retention
The small business lending rule has two primary record retention requirements.
First, a covered financial institution must retain evidence of compliance with the small business lending rule, including a copy of its small business lending application register, for at least three years after the register is required to be submitted to the CFPB. 12 CFR 1002.111(a); comment 111(a)-1.
Second, a covered financial institution must maintain demographic information collected pursuant to the small business lending rule separate from the rest of the application and accompanying information. The demographic information that must be maintained separately consists of an applicant’s response to the covered financial institution’s inquiry regarding (1) whether it is a minority-owned business, a women-owned business, and/or an LGBTQI+-owned business, and (2) the ethnicity, race, and sex of the applicant’s principal owners. 12 CFR 1002.111(b). A covered financial institution is permitted to maintain information regarding the applicant’s number of principal owners with an applicant’s responses to its requests for demographic information. Comment 111(b)-2.
When reporting a small business lending application register to the CFPB, maintaining a copy of the register as evidence of compliance, and maintaining a record of demographic information collected pursuant to the rule separate from the rest of the application, a covered financial institution must not include any name, specific address, telephone number, email address, or any other personally identifiable information concerning any individual who is, or is connected with, an applicant, other than as required by the rule. See 12 CFR 1002.107; 1002.111(b).
For additional information on the small business lending rule’s record retention requirements, see Section 6 of the small entity compliance guide .
Updated September 14, 2023
Yes. The requirement to maintain demographic information collected pursuant to the small business lending rule separate from the rest of the application and accompanying information applies regardless of whether a covered financial institution relies on the exception in the firewall provision. That exception only applies to the firewall prohibition in 12 CFR 1002.108. The exception to the firewall prohibition does not extend to the record retention requirements in 12 CFR 1002.111.
Updated September 14, 2023