
§ 1002.108—Firewall.

This section added effective August 29, 2023.


(a) Definitions. For purposes of this section, the following terms shall have the following meanings:

(1) Involved in making any determination concerning a covered application from a small business means participating in a decision regarding the evaluation of a covered application from a small business or the creditworthiness of a small business applicant for a covered credit transaction.

(2) Should have access means that an employee or officer may need to collect, see, consider, refer to, or otherwise use the information to perform that employee’s or officer’s assigned job duties.

Official Interpretation

Section 1002.108—Firewall.

108(a) Definitions.

1. Involved in making any determination concerning a covered application from a small business. i. General. An employee or officer is involved in making a determination concerning a covered application from a small business for purposes of § 1002.108 if the employee or officer makes, or otherwise participates in, a decision regarding the evaluation of a covered application from a small business or the creditworthiness of a small business applicant for a covered credit transaction. This includes, but is not limited to, employees and officers serving as underwriters. The decision that an employee or officer makes or participates in must be about a specific covered application or about the creditworthiness of a specific applicant. An employee or officer is not involved in making a determination concerning a covered application if the employee or officer is only involved in making a decision that affects covered applications generally, or if the employee or officer only interacts with small businesses prior to them becoming applicants or submitting an application. An employee or officer may be participating in a determination concerning a covered application even if the employee or officer is not the ultimate decision maker or the sole decision maker. For example, an employee participates in a determination concerning a covered application if the employee recommends that another employee or officer approve or deny the application. Similarly, an employee or officer participates in a determination concerning a covered application if the employee or officer is part of a larger group, such as a committee, that makes a determination concerning a covered application. For example, an employee participates in a decision if the employee is a member of a committee that approves the terms offered to an applicant for a covered application. This is true even if the employee does not support the committee’s ultimate decision regarding the terms offered. 
Conversely, an employee or officer does not participate in a determination concerning a covered application if the employee or officer only performs ministerial functions for the committee, such as recording the minutes, or if the committee does not make a determination concerning a specific covered application.

ii. Examples of activities that do not constitute being involved in making a determination concerning a covered application from a small business. The following are examples of activities that do not constitute being involved in making a determination concerning a covered application:

A. Developing policies and procedures, designing or programming computer or other systems, or conducting marketing.

B. Discussing credit products, loan terms, or loan requirements with a small business before it submits a covered application.

C. Making or participating in a decision after the financial institution has taken final action on the covered application, such as a decision about servicing or collecting a covered credit transaction.

D. Using a check box form to confirm whether an applicant has submitted all necessary documents or handling a minor or clerical matter during the application process, such as suggesting or selecting a time for an appointment with an applicant.

E. Gathering information (including information collected pursuant to § 1002.107(a)(18) or (19)) and forwarding the information or a covered application to other individuals or entities.

F. Reviewing previously collected data to determine if it can be reused for a later covered application pursuant to § 1002.107(d).

iii. Examples of activities that constitute being involved in making a determination concerning a covered application from a small business. The following are examples of activities (done individually or as part of a group) that constitute being involved in making a determination concerning a covered application:

A. Making or participating in a decision to approve or deny a specific covered application. This includes, but is not limited to, making or participating in a decision that an applicant does not satisfy one or more of the requirements for the covered credit transaction for which it has applied.

B. Making or participating in a decision regarding the reason(s) for denial of a covered application.

C. Making or participating in a decision that a guarantor or collateral is required in order to approve a specific covered application.

D. Making or participating in a decision regarding the credit amount or credit limit that will be approved for a specific covered application.

E. Making or participating in a decision to set one or more of the other terms that will be offered for a specific covered credit transaction. This includes, but is not limited to, making or participating in a decision regarding the interest rate, the loan term, or the payment schedule that will be offered for a specific covered credit transaction.

F. Making or participating in a decision regarding a counteroffer made to a specific applicant, including a decision regarding the terms of such a counteroffer.

G. Recommending that another decision maker approve or deny a specific covered application, provide a specific reason for denying a covered application, require a guarantor or collateral in order to approve a covered application, approve a credit amount or credit limit for a covered credit transaction, set one or more other terms for a covered credit transaction, make a counteroffer regarding a covered application, or set a specific term for such a counteroffer.

2. Should have access. i. General. A financial institution may determine that an employee or officer who is involved in making a determination concerning a covered application from a small business should have access to information otherwise subject to the prohibition in § 1002.108(b) if that employee or officer is assigned one or more job duties that may require the employee or officer to collect, see, consider, refer to, or otherwise use information subject to the prohibition in § 1002.108(b). If the employee or officer might need to collect, see, consider, refer to, or use such information to perform the employee’s or officer’s assigned job duties, the financial institution may determine that the employee or officer should have access. For example, if a loan officer is involved in making a determination concerning a covered application and that loan officer’s job description or the financial institution’s policies and procedures state that the loan officer may need to collect information pursuant to § 1002.107(a)(18) or (19), the financial institution may determine that the loan officer should have access.

ii. When a group of employees or officers should have access. A financial institution may determine that all employees or officers with the same job description or assigned duties should have access for purposes of § 1002.108. For example, if a job description, a policy, a procedure, or another document states that a loan officer may have to collect or explain any part of a data collection form that includes the inquiries described in § 1002.107(a)(18) and (19), the financial institution may determine that all employees and officers who have been assigned the position of loan officer should have access for purposes of § 1002.108.

iii. Making a determination regarding who should have access. A financial institution is permitted to choose what lawful factors it will consider when determining whether an employee or officer should have access. A financial institution’s determination that an employee or officer should have access may take into account relevant operational factors and lawful business practices. For example, a financial institution may consider its size, the number of employees and officers within the relevant line of business or at a particular branch or office location, and/or the number of covered applications the financial institution has received or expects to receive. Additionally, a financial institution may consider its current or its reasonably anticipated staffing levels, operations, systems, processes, policies, and procedures. A financial institution is not required to hire additional staff, upgrade its systems, change its lending or operational processes, or revise its policies or procedures for the sole purpose of limiting who should have access.

(b) Prohibition on access to certain information. Unless the exception under paragraph (c) of this section applies, an employee or officer of a covered financial institution or a covered financial institution’s affiliate shall not have access to an applicant’s responses to inquiries that the financial institution makes pursuant to this subpart regarding whether the applicant is a minority-owned business, a women-owned business, or an LGBTQI+-owned business under § 1002.107(a)(18), and regarding the ethnicity, race, and sex of the applicant’s principal owners under § 1002.107(a)(19), if that employee or officer is involved in making any determination concerning that applicant’s covered application.

Official Interpretation

108(b) Prohibition on access to certain information.

1. Scope of persons subject to the prohibition. The prohibition in § 1002.108(b) applies to an employee or officer of a covered financial institution or its affiliate if the employee or officer is involved in making any determination concerning a covered application from a small business. For example, if a financial institution is affiliated with company B and an employee of company B is involved in making a determination concerning a covered application on behalf of the financial institution, then the financial institution must comply with § 1002.108 with regard to company B’s employee. Section 1002.108 does not require a financial institution to limit the access of employees and officers of third parties who are not affiliates of the financial institution.

2. Scope of information that cannot be accessed when the prohibition applies to an employee or officer. i. Information that cannot be accessed when the prohibition applies. If a particular employee or officer is involved in making a determination concerning a covered application from a small business, the prohibition in § 1002.108(b) only limits that employee’s or officer’s access to that small business applicant’s responses to the inquiries that the covered financial institution makes to satisfy § 1002.107(a)(18) and (19). For example, if a financial institution uses a paper data collection form to request information pursuant to § 1002.107(a)(18) and (19), an employee or officer that is subject to the prohibition is not permitted access to the paper data collection form that contains the applicant’s responses to the inquiries made pursuant to § 1002.107(a)(18) and (19), or to any other record that identifies how the particular applicant responded to those inquiries. Similarly, if a financial institution makes the inquiries required pursuant to § 1002.107(a)(18) and (19) during a telephone call, the prohibition applies to the applicant’s responses to those inquiries provided during that telephone call and to any record that identifies how the particular applicant responded to those inquiries.

ii. Information that can be accessed when the prohibition applies. If a particular employee or officer is involved in making a determination concerning a covered application, the prohibition in § 1002.108(b) does not limit that employee’s or officer’s access to an applicant’s responses to inquiries regarding whether the applicant is a minority-owned, women-owned, or LGBTQI+-owned business, or principal owners’ ethnicity, race, or sex, made for purposes other than compliance with § 1002.107(a)(18) or (19). Thus, for example, an employee or officer who is subject to the prohibition in § 1002.108(b) may have access to information regarding whether an applicant is eligible for a Small Business Administration program for women-owned businesses without regard to whether the exception in § 1002.108(c) is satisfied. Additionally, an employee or officer who knows that an applicant is a minority-owned business, women-owned business, or LGBTQI+-owned business, or who knows the ethnicity, race, or sex of any of the applicant’s principal owners due to activities unrelated to the inquiries made to satisfy the financial institution’s obligations under § 1002.107(a)(18) and (19) is not prohibited from making a determination concerning the applicant’s covered application. Thus, an employee or officer who knows, for example, that an applicant is a minority-owned business due to a social relationship or another professional relationship with the applicant or any of its principal owners may make determinations concerning the applicant’s covered application. Furthermore, an employee or officer that is involved in making a determination concerning a covered application may see, consider, refer to, or use data collected to satisfy aspects of § 1002.107 other than § 1002.107(a)(18) or (19), such as gross annual revenue, number of workers, and time in business.

(c) Exception to the prohibition on access to certain information. The prohibition in paragraph (b) of this section shall not apply to an employee or officer if the financial institution determines that it is not feasible to limit that employee’s or officer’s access to an applicant’s responses to the financial institution’s inquiries under § 1002.107(a)(18) or (19) and the financial institution provides the notice required under paragraph (d) of this section to the applicant. It is not feasible to limit access as required pursuant to paragraph (b) of this section if the financial institution determines that an employee or officer involved in making any determination concerning a covered application from a small business should have access to one or more applicants’ responses to the financial institution’s inquiries under § 1002.107(a)(18) or (19).

Official Interpretation

108(c) Exception to the prohibition on access to certain information.

1. General. A financial institution is not required to limit the access of an employee or officer who is involved in making determinations concerning a covered application from a small business if the financial institution determines that the particular employee or officer should have access to the information collected pursuant to § 1002.107(a)(18) or (19), and the financial institution provides the notice required by § 1002.108(d). A financial institution is not required to perform a separate analysis of the feasibility of maintaining a firewall. A determination that an employee or officer should have access means that it is not feasible to maintain a firewall as to that particular employee or officer, and the exception applies to that employee or officer if the financial institution provides the notice required by § 1002.108(d). However, the fact that a financial institution has made a determination that an employee or officer should have access does not mean that the financial institution can permit other employees and officers who are involved in making determinations concerning a covered application to have access to the information collected pursuant to § 1002.107(a)(18) and (19). A financial institution may only permit an employee or officer who is involved in making a determination concerning a covered application to have access to information collected pursuant to § 1002.107(a)(18) and (19) if it has determined that employee or officer or a group of which the employee or officer is a member should have access to the information.

2. Applying the exception to a specific employee or officer or group of similarly situated employees or officers. The exception applies to an employee or officer if the financial institution determines that the employee or officer should have access to the information collected pursuant to § 1002.107(a)(18) or (19), and the financial institution provides the notice required by § 1002.108(d). A financial institution can also determine that several employees and officers should have access, that all of a group of similarly situated employees or officers should have access, and that multiple groups of similarly situated employees or officers should have access to information collected pursuant to § 1002.107(a)(18) or (19). See also comment 108(a)-2. For example, a financial institution could determine that all its small business loan officers, small business loan processors, compliance officers, and legal officers should have access. If the financial institution provides the notice required in § 1002.108(d), the financial institution may permit all of its small business loan officers, small business loan processors, compliance officers, and legal officers to have access. However, the financial institution cannot permit other employees and officers to have access simply because it has determined that the small business loan officers, loan processors, compliance officers, and legal officers should have access. For example, in this case, the financial institution may not permit its underwriters or chief executive officer to have access to the information collected from the applicant pursuant to § 1002.107(a)(18) or (19) if they are involved in making any determination concerning a covered application, unless the financial institution also determines that they should have access. 
This would be true even if the chief executive officer or underwriter had some of the same assigned duties as a loan officer, such as being a member of a credit committee, but has not been assigned the task(s) that may require access to one or more applicants’ responses to the financial institution’s inquiries under § 1002.107(a)(18) or (19). If the financial institution separately determines that underwriters and the chief executive officer should have access, then the underwriters and chief executive officer may also have access.

(d) Notice. In order to satisfy the exception set forth in paragraph (c) of this section, a financial institution shall provide a notice to each applicant whose responses will be accessed, informing the applicant that one or more employees or officers involved in making determinations concerning the covered application may have access to the applicant’s responses to the financial institution’s inquiries regarding whether the applicant is a minority-owned business, a women-owned business, or an LGBTQI+-owned business, and regarding the ethnicity, race, and sex of the applicant’s principal owners. The financial institution shall provide the notice required by this paragraph (d) when making the inquiries required under § 1002.107(a)(18) and (19) and together with the notices required pursuant to § 1002.107(a)(18) and (19).

Official Interpretation

108(d) Notice.

1. General. If a financial institution determines that one or more employees or officers should have access pursuant to § 1002.108(c), the financial institution must provide the required notice to, at a minimum, the applicant or applicants whose responses will be accessed by an employee or officer involved in making determinations concerning the applicant’s or applicants’ covered applications. Alternatively, a financial institution may also provide the required notice to applicants whose responses will not or might not be accessed. For example, a financial institution could provide the notice to all applicants for covered credit transactions or all applicants for a specific type of product.

2. Content of the required notice. The notice must inform the applicant that one or more employees and officers involved in making determinations concerning the applicant’s covered application may have access to the applicant’s responses regarding the applicant’s minority-owned business status, women-owned business status, LGBTQI+-owned business status, and its principal owners’ ethnicity, race, and sex. See the sample data collection form in appendix E to this part for sample language for providing this notice to applicants. If a financial institution establishes and maintains a firewall and chooses to use the sample data collection form, the financial institution can delete this sample language from the form.

3. Timing for providing the notice. If the financial institution is providing the notice orally, it must provide the notice required by § 1002.108(d) prior to asking the applicant if it is a minority-owned business, women-owned business, or LGBTQI+-owned business and prior to asking for a principal owner’s ethnicity, race, or sex. If the notice is provided on the same paper or electronic data collection form as the inquiries about minority-owned business status, women-owned business status, LGBTQI+-owned business status and the principal owners’ ethnicity, race, or sex, the notice must appear before the inquiries. If the notice is provided in an electronic or paper document that is separate from the data collection form, the notice must be provided at the same time as the data collection form or prior to providing the data collection form. Additionally, the notice must be provided with the non-discrimination notices required pursuant to § 1002.107(a)(18) and (19). See appendix E for sample language.
