CFPB Finalizes Revised Dodd-Frank Section 1071 Rule

Small Business Lending Data Collection and Reporting: What Lenders Need to Know Now 

Overview

The Consumer Financial Protection Bureau (CFPB) released its revised final rule implementing Section 1071 of the Dodd-Frank Act (the “2026 Final Rule”) on May 1, 2026. This rule amends Regulation B under the Equal Credit Opportunity Act and establishes the nation’s first comprehensive data collection and reporting framework for small business lending.

This is a significantly scaled-back regime compared to the 2023 version. Acting CFPB Director Russell Vought framed the approach as “start small, expand carefully,” acknowledging Section 1071 as a multidecade project. All lenders should understand this rule now; the CFPB has limited initial coverage but signaled its intent to expand scope in future rulemakings. This rule is effective sixty days after Federal Register publication, with a data-collection compliance date of January 1, 2028, and first reporting deadline of June 1, 2029.

Who Must Comply

A financial institution is “covered” if it originated at least 1,000 covered credit transactions for small businesses in each of the two preceding calendar years. Covered institutions include commercial banks, savings institutions, credit unions, online and fintech lenders, community development financial institutions (CDFI), and nonprofit and governmental lenders. Farm Credit System (FCS) lenders are explicitly exempt.

In multiparty structures, only the last financial institution with authority to set material loan terms is responsible for reporting. Loan purchasers that acquire seasoned paper after origination have no reporting obligations.

What Constitutes a Small Business?
The rule defines a small business as any business entity with $1 million or less in gross annual revenue for the preceding fiscal year (reduced from the $5 million threshold in the 2023 rule). Beginning in 2035, the revenue threshold will be adjusted every five years. Lenders may rely on applicant self-reported revenue without independent verification unless the lender verifies it during underwriting. Nonprofit organizations and governmental entities are excluded.

What Loans Are in Scope?
The 2026 Final Rule covers business term loans, lines of credit, and business credit cards. The following are expressly excluded:

• merchant cash advances: lump-sum payments in exchange for a percentage of future sales
• agricultural lending: transactions for crop/livestock production or farmland/equipment acquisition
• small-dollar business credit of $1,000 or less
• Home Mortgage Disclosure Act (HMDA) reportable mortgage transactions already reported under the HMDA

Lenders with portfolios concentrated in excluded products—particularly revenue-based financing and agricultural finance—should map their product portfolios now and build clear scoping logic into their systems.

What Data Must Be Collected and Reported?

The 2026 Final Rule adopts a leaner, statute-anchored set of data points compared to the eighty-one data fields in the 2023 rule. Required fields include:

Application and Transaction Data

• Unique application identifier, application date, and final action taken (approved, denied, withdrawn, etc.)
• Credit product type, loan purpose, amount applied for, and amount approved or originated
• Census tract of the applicant’s principal place of business

Business and Demographic Information

• Business type/entity structure and gross annual revenue for preceding fiscal year
• Whether the business is women- or minority-owned
• Race, ethnicity, and sex (male/female) of each principal owner collected directly from applicants; lenders may not supply this information by visual observation or proxy

Lenders are expressly prohibited from discouraging applicants from providing demographic information. Applicants who decline must be reported as such. Data points removed from the 2023 rule include application method, denial reasons, pricing information, and number of workers.

The Demographic Data Firewall

Demographic data (e.g., race, ethnicity, sex) must be shielded from loan underwriters and other credit decision-making personnel to prevent it from influencing lending outcomes. Where maintaining a full firewall is not feasible—common in smaller institutions—lenders may instead provide applicants with a written disclosure that their demographic information will be accessed by the decision-maker. Institutions must document their firewall procedures or alternative notice practices in their compliance management systems.

Compliance Dates

• Rule effective date: sixty days after Federal Register publication
• Data collection begins: January 1, 2028
• First CFPB filing deadline: June 1, 2029
• Voluntary early collection permitted: beginning twelve months prior to compliance date to allow system and process testing

To determine coverage, institutions may use 2026 and 2027 small business origination data.

Considerations for Lenders

Many lenders began implementation work when the 2023 rule was issued, then shelved it as litigation delayed the rule. Now they need to take previous implementation work off the shelf, assess what has changed, and build a path forward.

Compliance with the 2026 Final Rule is fundamentally a technology and data management challenge. Key risk areas include data accuracy, data privacy, data security, fair lending analytics, systems infrastructure, and unfair, deceptive, or abusive acts of practice (UDAAP) exposure.

Institutions relying on third-party vendors for their loan origination system (LOS) or core banking system should immediately engage those vendors to assess 1071 module readiness and confirm timelines for updated functionality.

LOS Modifications

• Configure LOS to capture all required 1071 data fields at application intake.
• Build product scoping logic to identify covered versus excluded transactions and revenue-threshold screening for the $1 million small business definition.
• Flag multiparty structures to correctly assign reporting responsibility to the last decision-maker.

Demographic Data Collection and Firewall Controls

• Build separate data-collection workflows for protected demographic information with system-level access controls to prevent information from reaching credit-decisioning workflows.
• Generate and retain applicant-facing notice documentation where a firewall is technically infeasible.

Data Validation, Storage, and Export

• Implement data-validation rules consistent with the CFPB’s filing instructions guide.
• Retain application-level data for at least three years and generate CFPB-compliant CSV export files for annual submission.

Fair Lending and Supervisory Risk

The CFPB has signaled that supervisory focus will include ensuring covered lenders do not discourage applicants from providing demographic information, consistent with the 2023 rule. Since reported data will be publicly available, lenders should conduct proactive fair lending self-assessments of their small business portfolios in advance of the 2028 compliance date to identify and address disparities before regulators do.

Recommended Next Steps

• Conduct a threshold analysis using 2026–2027 origination data to determine current or projected coverage.
• Map small business loan portfolio against covered and excluded product types.
• Assess LOS and core banking system for 1071 field coverage, firewall capability, and reporting export functionality, and engage vendors immediately.
• Update fair lending compliance management framework to incorporate small business lending data.
• Train compliance, lending, and operations staff on new data-collection requirements, firewall procedures, and applicant interaction protocols.
• Monitor ongoing litigation and any future CFPB rulemaking that may expand the rule’s scope.

How BRG Can Help

BRG is a global consulting firm that provides deep expertise in financial regulatory compliance, consumer finance, fair lending, and data governance. Our financial services professionals—including former chief risk officers (CROs), chief compliance officers (CCOs), federal bank examiners, and CFPB-experienced consultants—can assist lenders at every stage of their Section 1071 compliance journey.

Regulatory Readiness and Gap Assessment

• Origination threshold analysis to determine current or projected coverage and product scoping reviews
• Assessment of existing data collection processes and systems against the 2026 Final Rule’s requirements

Technology Enablement and Data Infrastructure

• Advising on how prior 2023 rule implementation efforts can be leveraged for the 2026 Final Rule
• LOS and core banking system advisory, data governance framework design and validation, and CFPB submission infrastructure development

Fair Lending Risk Management

• Proactive fair lending self-assessments using advanced analytics to identify disparities in approval rates, pricing, or geographic distribution before regulators do
• Expert advisory and independent consultant services for institutions subject to the Office of the Comptroller of the Currency, Federal Deposit Insurance, Corporation, Federal Reserve, or CFPB enforcement actions

Compliance Program Design and Training

• Assessing and developing policies, procedures, and internal controls governing 1071 data collection, the demographic firewall, and annual CFPB submission
• Conducting tailored staff training and board/management governance advisory integrated with broader Community Reinvestment Act and fair lending frameworks

Our professionals average over twenty years of financial services experience and include former bank examiners, CROs, CCOs, Certified Public Accountants, and CFPB-experienced practitioners. BRG brings the regulatory credibility and hands-on implementation expertise institutions need to navigate the 2026 Final Rule with confidence.