Update on CFPB Small Business Lending Data Collection Rule Under Section 1071

By Anastasia D. Stull

Overview of the Regulatory Framework

After more than a decade of rulemaking and one year since the passing of the Consumer Financial Protection Bureau's (CFPB) final rule implementing Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) (the Final Rule), we are still waiting for complete certainty as to when lenders impacted are required to be in compliance and start collecting and reporting data. The Final Rule is in and of itself a critical, highly technical piece of legislation, but it is also significant because of how it implicates other federal regulations.

This insight provides a high-level overview and the first in a series of updates that address industry developments, ongoing litigation, and deeper dives into definitions and nuances in the rule intended to help lenders prepare for implementation and compliance.

The Purpose of the Final Rule

The Final Rule requires small business lenders to collect information about small business credit applications they receive, including geographic and demographic data concerning the principal owners, lending decisions, and the price of credit. This data includes race, ethnicity, and gender of the principal business owners, gross annual revenue, type and purpose of the loan or credit application, and location of the business, including the census tract or zip code.

By including demographic data, Congress intends to facilitate the enforcement of fair lending laws, and to enable communities, governmental entities and creditors to identify business and community development needs and opportunities for small businesses, including those that are women-owned and minority-owned. The CFPB states that this effort will result in the creation of the “first comprehensive public database” on small business financing practices.

The Rule in Operation: What is Covered?

Under the Final Rule, a "small business" is defined as an entity with $5 million or less in gross annual revenue for its preceding fiscal year. The CFPB plans to update this threshold every five years to account for inflation.

Covered Financial Institutions

The Final Rule imposes data collection requirements only on "covered financial institutions," which includes any partnership, company, corporation, incorporated and unincorporated association, trust, estate, cooperative organization, or other entity that meets both of the following requirements:

  • Engages in any financial activity.
  • Originates at least 100 “covered transactions” in each of the two preceding calendar years.

Financial activity is quite broadly construed to include depository institutions, online lenders, platform lenders, community development financial institutions, equipment and vehicle financers (excluding some motor vehicle dealers), community development financial institutions, farm credit system lenders, general commercial finance companies, providers of merchant cash advances, governmental lending entities and nonprofit lenders.   

Covered Credit Transactions

The Final Rule also defines "covered credit transactions" as an extension of business credit under Regulation B of the Equal Credit Opportunity Act (ECOA). Covered credit transactions include lines of credit, closed-end loans, business credit cards, merchant cash advances, online credit products, and credit products used for agricultural purposes by banks, credit unions, and other lenders. There are also express exclusions from coverage under the Final Rule even if they satisfy the definition of business credit under Regulation B, including trade credit, Home Mortgage Disclosure Act-reportable transactions, public utilities credit and credit incidentally extended to a consumer, to name a few examples. While auto dealers are typically the last party with the authority to set the terms of the transaction for indirect auto retail installment contracts, those transactions are not likely to be covered because of the Section 1022 exemption for auto dealers under the Dodd-Frank Act. Purchases of covered credit transactions (that were reportable at origination) are also not covered transactions subject to the Final Rule.

Covered Applications

The term “covered application” is defined more narrowly in the Final Rule than in the existing Regulation B. Specifically, a “covered application” constitutes any oral or written request for a covered credit transaction, regardless of whether it was approved, denied, withdrawn or incomplete. Requests for refinancing (with or without an additional credit amount) constitute “covered applications.” However, the Final Rule specifically excludes reevaluations, extensions or renewals when the credit amount remains the same, as well as any inquiries and prequalification requests.

Data Required to be Collected and Reported

Covered applications’ data requirements depend on how the information was collected. That data can be categorized in three ways:

  • Data points required to be reported for all applications.
  • Data points required only for applications that are denied.
  • Data points required only for applications that are approved.

In addition, § 1002.107(c)(3) and (4) of the Final Rule require a covered financial institution to maintain procedures designed to identify and respond to indicia of potential discouragement of applicants from providing responsive information, including low response rates. Indicia of potential discouragement may include a low response rate for applicant-provided data, according to the CFPB. Low response rates may also be a sign that the financial institution has failed to maintain procedures to collect applicant-provided data that are “reasonably designed to obtain a response.”

Unlike the data collection and reporting transitional periods, there is no statutory grace period for discouragement and the CFPB intends to focus its supervision and enforcement on compliance with this prohibition. The topic of discouragement under 1071, and other key areas of risk, will be included in a separate update.

Effective Date and Compliance Dates

The Final Rule became effective 90 days after publication on March 30, 2023 and compliance dates are tiered dependent upon the lenders' total number of originations in the two years prior. Additionally, in order to be required to comply with Section 1071, a covered financial institution must qualify for that year. Compliance dates are:

  • October 1, 2024, if covered originations are at least 2,500.
  • April 1, 2025, if covered originations are below 2,500, but at least 500.
  • January 1, 2026, if covered originations are at least 100.

Use and Publication of Data

Data pursuant to the new rule will be collected annually and published by the CFPB, subject to modifications and deletions that it determines would advance a privacy interest, and will occur after the CFPB has obtained a full year of reported data. It is also important to note that this publication will satisfy covered financial institutions' statutory obligation to make that data available to the public upon request.

Specifically, the CFPB intends to publish:

  • Application-level data for all data fields, subject to a full privacy analysis.
  • Aggregate analyses on a select basis prior to publishing application-level data.

The CFPB does not intend to establish a separate program by which researchers may have access to unmodified data. Instead, only a singular published data set will be available to all users, with the exception of state or federal regulators, to whom the CFPB may provide additional data access (e.g., to facilitate ECOA enforcement).

The 1071 "Firewall Provision"

The Final Rule contains a firewall provision which states that employees or officers of the financial institutions or its affiliates who are involved in making a determination about the application should not have access to the demographic information of the principal owners, including whether the business is minority-owned, women-owned or LGBTQI+ owned, or the ethnicity, race and sex of the principal owners. The firewall provision does not apply if the financial institution determines that access to one or more of the applicant's responses and a disclosure is provided to the applicant at the time of the inquiry. Alternatively, such a disclosure can be provided to a broader group of or all applicants. We see this as an area for potential operational and compliance issues for small business lenders.

Safe Harbors

The Final Rule provides certain "safe harbors" for incorrect entries for census tracts, NAICS codes and application dates and for incorrect determinations of small business status, covered transactions and covered applications. These inaccuracies allow for de minimus errors that will be viewed in light of certain thresholds deemed reasonable by the CFPB.

Litigation and Challenges

The Final Rule is currently being challenged in federal courts by various trade groups in Florida, Kentucky and Texas. A Texas judge granted a preliminary injunction staying all deadlines for compliance — on a nationwide basis — until after the U.S. Supreme Court's ruling in Consumer Financial Protection Bureau v. Community Financial Services Ass'n of America, Ltd., where the high court is reviewing a Fifth Circuit decision which held that the CFPB's funding mechanism violates the Appropriations Clause. The Texas order granting the preliminary injunction also mandates that if the Supreme Court rules in favor of the CFPB in the case, the CFPB must extend compliance deadlines to compensate for the period stayed.

The U.S. Senate and House of Representatives also passed resolutions of disapproval of the Final Rule under the Congressional Review Act, which President Biden vetoed. There is also litigation brought by a sales-based financing trade group (complaint) challenging the Final Rule on the basis that it violates the Administrative Procedures Act, which is ongoing.  


The CFPB has issued a substantial body of documentation to assist financial institutions in understanding and implementing the final rule. Resources released to date include:


For more information on the scope of the Small Business Data Collection Rule, please contact Anastasia D. Stull, Michelle A. Fox or the Stinson LLP contact with whom you regularly work.

Subscribe to Stinson's
News & Insights
Jump to Page

We use cookies on our website to improve functionality and performance, analyze website traffic and enable social media features. For more information, please see our Cookie Policy.