ANALYSIS: The Consumer Financial Protection Bureau (CFPB) has issued a final rule overhauling many parts of its small business lending data collection rule. Significantly:
- Fewer credit unions will be subject to the rule;
- Fewer business loan applicants will be considered “small businesses” covered by the rule;
- Credit unions that are subject to the rule will have to collect less data; and
- The compliance deadline will be Jan. 1, 2028.
The League submitted a comment letter to the Bureau in December, supporting the amendments, which have now been finalized largely as proposed.
Background
As explained in The League’s ii Release No. B083, the rule requires financial institutions that do a certain amount of lending to small businesses to collect data about applications for those loans and report it to the CFPB. (We will update the ii Release to reflect the changes the new rule is making.)
The data includes basic information about the business and the loan, similar to the HMDA reporting requirements but for small business lenders. The rule also requires covered lenders to ask for demographic information about the owners of the business, such as their ethnicity, race, sex, etc.
The rule is often called the 1071 rule, after the section of the Dodd-Frank Act that required the CFPB to put it in place. The rule is intended to help authorities spot patterns of discrimination and enforce fair lending laws.
Why the changes?
The CFPB published the original rule in May 2023, but it was immediately challenged in three separate federal courts, all of which stayed compliance deadlines for those who filed the lawsuits but not others. The Bureau extended the compliance dates in 2024 and again in 2025, to standardize compliance deadlines for everyone, and it has now amended the rule to address issues raised in the lawsuits and in public comments.
In publishing the amendments, the CFPB wrote that it scaled back the rule because it “now believes that … it should start with more modest requirements, focusing on core lending products, lenders, and data.” It added that “the 2023 final rule should have given more weight to qualitative differences among certain types of lenders and the likelihood that smaller lenders would face difficulties … addressing the complexity of a rule of broad scope, both of which could potentially diminish the quality of the data they collect.”
In the coming years, the CFPB anticipates the rule will grow more complex and comprehensive as it builds on this new “modest” framework.
What’s changing
The final rule makes several key changes to the 1071 rule, summarized below:
Covered credit transactions. The CFPB said that the rule should initially focus on collecting data about “the core, widely used lending products most likely to be foundational to small businesses’ formation and operation.” So, it has excluded three new types of lending from the rule’s definition of “a covered credit transaction”:
- “Small dollar business credit,” meaning loans of $1,000 or less. That amount will be adjusted every five years based on the Consumer Price Index and rounded to the nearest $100.
- “Merchant cash advances,” which are agreements where a small business receives a lump-sum payment in exchange for the right to receive a percentage of its future sales or income up to a ceiling amount.
- “Agricultural lending transactions,” meaning credit used to fund crop and livestock production or to acquire/refinance farmland, agricultural equipment, breeder livestock, and similar farm capital assets.
The Official Staff Commentary now provides detailed guidance on what kinds of credit are covered.
Covered financial institutions. The CFPB said that the rule should initially focus on larger lenders. So, it now defines a “covered financial institution” that must comply with the rule to mean any financial institution (including credit unions, banks, and others) that originated at least 1,000 covered credit transactions for “small businesses” in each of the two preceding calendar years. Previously, the rule set the threshold at just 100 loans. As a result, fewer credit unions will be required to collect small business lending data. The new rule also excludes Farm Credit System lenders from the rule altogether.
“Small business” definition. The CFPB wrote that “the focus of the rule, at least initially, should be truly small businesses. This final rule therefore changes the gross annual revenue threshold in the rule’s definition of small business from $5 million or less to $1 million or less.” This means that a business is treated as small if its gross annual revenue for the preceding fiscal year was $1 million or less.
Every five years, the CFPB will adjust the threshold, based on changes in the Consumer Price Index. This means that credit unions can rely on a $1 million cap, but they should be prepared to adjust their data collection systems as the threshold changes over time.
In addition, the CFPB confirms that lenders may rely on applicant‑stated revenue to decide whether a business is “small,” but lenders must update their determinations if they get more accurate information during loan underwriting.
Loan data points about the business and the loan. The CFPB said that the rule should focus, at least at first, on core data points to minimize compliance burdens. So, its new rule focuses on the data points listed in Section 1071 of the Dodd-Frank Act, plus a limited number of other data points. Specifically, the final rule removes the requirements to collect and report data on application method, application recipient, denial reasons, pricing information, and the number of workers a business has.
Demographic data points about a small business’ owners. The rule also makes changes in the demographic information that lenders must seek about the owners of a small business that applies for a loan. Covered credit unions will now have to:
- Ask whether the applicant is a minority‑owned business and/or a women‑owned business, without having to ask about LGBTQI+‑owned status;
- Ask about the principal owners’ sex, but using only “male” or “female” categories; and
- Continue to ask for the principal owners’ ethnicity and race – but using only aggregate categories (no sub-categories).
The rule’s sample notice (which lenders must give business loan applicants) has been revised to make their rights to refuse to provide information more prominent. Under the rule, covered lenders must inform applicants that they are not required to provide this demographic information, that the lender may not discriminate based on the information or whether it is provided, and that federal law requires the questions to help ensure fair treatment and to assess small business credit needs.
Under the new rule, covered lenders must maintain procedures that are reasonably designed to obtain responses for applicant‑provided data, but the rule no longer says that getting low response rates may be evidence that applicants are being discouraged from responding. Instead, the official interpretations focus on practical elements such as when the initial request is made (ideally before final action), whether the request is prominently presented, whether it is easy for applicants to respond, and how data can be reused across applications.
Multi-party lending & loan purchases. The new rule clarifies the reporting responsibilities in multi‑party loan arrangements. Where more than one financial institution is involved in originating a single covered credit transaction, only the last financial institution with authority to set the material terms (such as selecting among competing offers or modifying pricing, amount, or repayment duration) must count and report the origination. If that last decision maker is not a covered financial institution, no one needs to report the loan application.
The final rule further confirms that purchases of loans or interests in loans after origination are not “covered credit transactions,” so purchasers do not incur reporting obligations.
However, the CFPB specifically declined to exclude indirect lending from the rule, covering this instead through its “last decision‑maker” framework.
Firewall, safe harbors, and error tolerances. The new rule maintains an existing “firewall” requirement – preventing a credit union’s loan decision-makers from accessing demographic responses, except for a narrow statutory exception. But it adds details about who is subject to that firewall (including certain affiliate personnel) and what counts as “access” to demographic information. It also spells out the content and timing of the notice that covered lenders must give if they invoke the firewall exception and allow decision-makers to view demographic responses.
The rule protects institutions that collected demographic data in the reasonable belief that an application was covered but later determined it was not. Also, Appendix F to the rule provides numerical tolerances for errors in each data field based on random samples of the institution’s data. These features give institutions a framework for testing, validation, and remediation.
Compliance dates. The new rule sets a single compliance date – Jan. 1, 2028 – for all covered financial institutions. This replaces a “tiered” compliance date system from previous versions of the rule. As a result, credit unions that meet the 1,000‑origination threshold in 2026 and 2027 must start collecting data on Jan. 1, 2028, and file their first Small Business Lending Application Register by June 1, 2029. Lenders that cross the threshold later will become subject to the rule subsequently, but not before Jan. 1, 2029.
The CFPB promised a grace period for the first 12 months of data collection, saying that its supervisory focus for 2028 data will be based on good‑faith efforts and building effective programs, not strict liability.
Credit unions that expect to be covered can start collecting only minority‑/women‑owned status and principal‑owner ethnicity/race/sex data up to 12 months before their compliance date to test systems.
Applications received before the compliance date but decided afterward are not subject to data collection or reporting requirements.
Compliance Roundtable – September 16 (In-Person)
Join members of The League’s compliance team as they lead a discussion on the latest changes in regulations and need-to-know information to keep your credit union in compliance. You can find more information or register on our website.

