The bill amends the Small Business Investment Act to expand the Office of Credit Risk Management’s role over the SBA 504 loan program. It requires regular loan-closing file reviews, supervisory presence during contractor audits, annual portfolio risk analyses with mandatory reports to Congress, and a new formal and informal enforcement regime for Certified Development Companies (CDCs).
It also authorizes the Office to collect graduated fees from CDCs to cover oversight costs and sets concrete penalty authorities and timelines for reports and responses.
Separately, the SBA must issue rules within 180 days clarifying how CDCs meet obligations under the National Environmental Policy Act (NEPA). For compliance officers, lenders, and CDC managers, the bill raises near-term administrative requirements, creates new exposure to civil penalties and temporary suspensions, and shifts a portion of oversight costs from the federal government onto CDCs via a fee capped at 1 basis point of portfolio value.
At a Glance
What It Does
Adds a new statutory Section 511 that makes the Office of Credit Risk Management responsible for supervising CDCs, conducting random complete file reviews of 504 loan closings, and producing written reports. It authorizes both informal and formal enforcement actions (formal actions require Lender Oversight Committee approval) including civil penalties up to $250,000, suspension authority, and smaller penalties for missed reporting. The Office must also perform an annual portfolio risk analysis and report to Congress each December 1. One year after enactment the Office may charge CDCs fees on a graduated scale up to 1 basis point of portfolio value to cover oversight costs.
Who It Affects
Certified Development Companies (CDCs) that participate in the SBA 504 program will face new supervisory reviews, timelines for corrective action, potential civil penalties, and fees deducted from servicing income. Designated closing attorneys, third‑party lenders, and the Commercial Loan Service Center will be receiving file‑review reports and may be pulled into remediation. SBA compliance staff and the Lender Oversight Committee gain new enforcement and reporting responsibilities.
Why It Matters
The bill creates stronger, centralized oversight and measurable transparency for the 504 program—shifting program risk management from ad hoc practice to a statutory regime. It also reallocates oversight costs to CDCs, changing their economics and possibly how they price and deliver 504 loans. NEPA-rule requirements aim to reduce environmental compliance ambiguity that has previously slowed or complicated project approvals.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill inserts a new statutory framework into the Small Business Investment Act that elevates the Office of Credit Risk Management (the Office) as the primary supervisor of Certified Development Companies that deliver SBA 504 loans. The Office must perform complete file reviews of loan closings selected at random; those reviews follow the SBA’s existing checklist for complete file review and must end with a written report.
The bill prescribes recipients of that report—namely the CDC, the closing attorney on the loan, and the Commercial Loan Service Center—and requires corrective action where deficiencies could cause loss to the Administration.
To ensure independence and consistency, the Office must place its own employees in supervisory roles whenever contractor teams perform CDC reviews, whether on‑site or remotely. The Administrator must set timelines for delivering supervision reports to CDCs: generally within 90 days of review completion, with required written notice and explanation when reports will be late.
If the Office requests a response to a report, CDCs must reply within 45 business days.The bill formalizes enforcement tools. The Director can use informal remedies for lesser violations and, with approval of the statutory Lender Oversight Committee, impose formal sanctions for statutory, regulatory, or SOP violations—including civil monetary penalties up to $250,000 determined by severity and frequency.
For procedural lapses such as failure to file an annual report within 60 days of its due date, the Director may suspend a CDC for up to 30 days or issue a penalty up to $10,000. The Director also must run an annual portfolio risk analysis of all 504 guarantees and report the analysis to Congress each December 1, including industry concentration metrics, consolidated statistics on CDC activity (without naming CDCs), losses and recoveries, and enforcement actions taken or recommended.To fund this enhanced oversight, the Office can collect fees from CDCs starting one year after enactment.
Fees must be graduated by portfolio size, paid from servicing fees collected by the CDC, and capped at one basis point (0.01%) of the CDC’s 504 portfolio value. Finally, the SBA Administrator must issue rules within 180 days clarifying the procedures CDCs must follow to satisfy NEPA obligations for projects receiving assistance under the 504 program; the statutory text specifically disclaims any change to NEPA’s substantive requirements.
The Five Things You Need to Know
The Office must deliver a written report within 60 days after completing each complete loan‑closing file review and send it to the CDC, the closing attorney, and the Commercial Loan Service Center.
Formal enforcement actions require Lender Oversight Committee approval and may include civil monetary penalties up to $250,000, sized according to severity and frequency.
If a CDC fails to submit a required report within 60 days of its due date, the Director may suspend the CDC for up to 30 days or impose a penalty up to $10,000.
Starting one year after enactment, the Office may charge CDCs a graduated oversight fee (paid from servicing fees) not to exceed 1 basis point of the CDC’s 504 portfolio value.
The SBA must issue rules within 180 days clarifying CDC procedures to comply with NEPA; separately, the Director must deliver an annual portfolio risk analysis to Congress by each December 1 beginning in 2025.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Designates the act as the 504 Credit Risk Management Improvement Act of 2025. This is purely formal but signals the bill’s focus on program risk management rather than substantive changes to lending eligibility.
Office responsibilities and loan file reviews
Assigns the Office of Credit Risk Management explicit responsibility for supervising CDCs and for conducting complete file reviews of randomly selected 504 loan closings. Reviews must use the SBA’s existing checklist and result in written reports. The bill prescribes report recipients (CDC, designated closing attorney, Commercial Loan Service Center) and requires correction of deficiencies that could lead to losses. Practically, this creates recurring operational obligations: CDCs must be prepared for random sampling, immediate remediation, and heightened transparency with closing attorneys and the service center.
Supervision of contractor reviews and report timelines
Requires Office employees to supervise any contractor‑performed reviews, whether on CDC premises or offsite. The Administrator must issue a timeline for reviews and delivery of reports—generally a 90‑day target to provide a written report after a review concludes—and must notify CDCs if the report will be delayed. When reports request responses, CDCs have 45 business days to reply. This provision tightens control over outsourced oversight activities and sets enforceable response windows that will drive CDC compliance workflows.
Enforcement authorities: informal and formal actions
Splits enforcement into informal actions the Director can take unilaterally and formal actions that require Lender Oversight Committee approval. Formal actions cover statutory, regulatory, and SOP violations and allow civil penalties up to $250,000. For reporting failures, the Director can suspend CDC participation up to 30 days or levy up to $10,000. The structure balances expedited, lower‑level remedies against higher‑impact sanctions that require committee signoff but gives the Office real teeth to address persistent or severe compliance breakdowns.
Annual portfolio risk analysis and mandatory reporting to Congress
Mandates an annual risk analysis of the SBA’s 504 portfolio and a December 1 report to Congress detailing program‑level risk, industry concentration, consolidated statistics for CDCs responsible for at least 1% of approvals, mitigation steps, enforcement actions recommended and approved, loss and recovery metrics, and penalty amounts assessed. The report is comprehensive and intended to give policymakers visibility into concentration risk and enforcement activity without naming most CDCs, though the bill requires consolidated stats for entities meeting the 1% threshold.
Fee authority and NEPA rulemaking
Authorizes the Office to levy oversight fees on CDCs one year after enactment to bring the federal cost of examinations and oversight to zero; fees must be graduated by portfolio size and capped at one basis point of portfolio value, paid from servicing income. Separately, the Administrator must issue rules within 180 days clarifying the procedures CDCs must follow to comply with NEPA for projects receiving 504 assistance; the statute explicitly states these rules do not alter NEPA’s substantive obligations, but they aim to standardize administrative compliance steps.
This bill is one of many.
Codify tracks hundreds of bills on Finance across all five countries.
Explore Finance in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- SBA / Office of Credit Risk Management — Gains clear statutory authority to supervise CDCs, perform file reviews, and enforce compliance, plus a fee mechanism to fund oversight activities.
- Congress and oversight staff — Receives standardized, annual portfolio risk reports with industry concentration and enforcement metrics, improving legislative visibility into 504 program risks.
- Third‑party lenders and the Commercial Loan Service Center — Benefit from greater CDC accountability and file‑review transparency that can reduce program loss risk and clarify closing responsibilities.
- Small business borrowers (indirectly) — May gain protections from improved program integrity that reduce taxpayer exposure and aim to lower the chance of downstream loan failures tied to weak origination practices.
- Compliance and risk teams at CDCs and banks — Get clearer expectations, timelines, and procedures (including NEPA rules), enabling more structured compliance programs.
Who Bears the Cost
- Certified Development Companies (CDCs) — Face direct new costs and cashflow impacts from graduated oversight fees (up to 1 basis point), increased review and remediation work, potential civil penalties up to $250,000, and the administrative burden of meeting specific response timelines.
- Designated closing attorneys — Will receive file‑review reports and may be required to correct closing deficiencies, increasing professional liability exposure and administrative involvement.
- SBA operational staff and contractors — Must execute more frequent reviews, supervise contractor work, and deliver statutory reports and timelines, increasing workload; while fees may offset costs long term, the Office will need near‑term capacity investments to meet statutory deadlines.
- Small business borrowers (potentially) — Could experience slower closings or higher transaction costs if CDCs pass oversight and compliance costs through to borrowers or reduce participation in certain markets.
Key Issues
The Core Tension
The central dilemma is whether strengthened, centralized oversight and taxpayer protection justify placing new financial and operational burdens on CDCs—the very intermediaries that deliver 504 loans to small businesses. The bill reduces federal cost and aims to lower program risk, but it does so by shifting cost, compliance complexity, and enforcement exposure onto CDCs and closing attorneys, potentially affecting program capacity and access to capital for small borrowers.
The bill tightens oversight while leaving several implementation details unresolved. It requires graduated fees “as necessary” to bring federal costs to zero but does not prescribe the rate bands, collection schedule, or appeals process—leaving CDCs to await implementing guidance that will determine the real economic impact.
The enforcement regime ties the most severe monetary penalties to Lender Oversight Committee approval; the Committee’s composition and approval standards will therefore shape enforcement intensity and could politicize high‑level sanctions.
Operational tensions also arise from short prescribed timelines: file‑review reports must be issued within 60 days (for loan‑closing reviews) and review reports to CDCs generally within 90 days, with CDC responses due in 45 business days. Those windows may be tight for complex projects, NEPA issues, or multi‑party closings, and could produce frequent suspensions or fines for procedural lapses rather than substantive misconduct.
The NEPA rule requirement clarifies administrative procedures but cannot change NEPA’s substantive duties; CDCs could still face project‑level environmental liability even after following SBA rulemaking. Finally, the bill’s anonymity protections in the congressional report (no naming of CDCs except consolidated stats for those ≥1% of approvals) may not prevent market participants from inferring identities based on size or industry concentration, creating reputational dynamics not addressed in the statute.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.