1071 Small Business Lending Compliance: What Every Financial Institution Must Know

 After over a decade of anticipation, the Consumer Financial Protection Bureau (CFPB) unveiled its definitive Section 1071 rule on March 30, 2023, reshaping the landscape of small business lending data collection. This monumental rule, a cornerstone of the Dodd-Frank Act, stands to create the foremost comprehensive public database on small business lending practices, shedding light on lending to women-owned, minority-owned, and small businesses. While many in the financial sector initially approached the rule with trepidation, an in-depth exploration reveals its potential to invigorate the heart of the U.S. economy: the small business sector. As we delve deeper into the specifics and implications of the final rule, join us in unpacking the transformative impact it promises for lenders and small businesses alike.

A comprehensive understanding of the new Section 1071 rule requires a journey back to its roots. This regulation didn’t emerge out of thin air; it’s the culmination of years of legislative efforts, advocacy pushes, and industry dialogues, all striving to craft a more transparent and equitable financial landscape for small businesses. Before diving into the nitty-gritty of the rule itself, it’s imperative to shed light on the historical context that paved the way for its creation. As we trace the evolution of Section 1071, we’ll gain insights into the challenges and milestones that have defined its path, setting the stage for its current incarnation. Let’s embark on this exploration, starting with the catalysts that spurred the need for such a transformative regulation.


Diving into the roots of the small business data collection directive, one must rewind to 2010, a pivotal year in financial regulation. The Dodd-Frank Act emerged, and within its intricate web of provisions lay Section 1071. This section became a watershed moment as it amended the Equal Credit Opportunity Act (ECOA), creating an obligation for lenders to gather and relay specific pivotal data to the CFPB. This data was primarily concerned with women-owned, minority-owned, and other small businesses, underpinning the commitment to ensuring fair lending practices. At the outset, ambiguity surrounded whether the mandates of Section 1071 would automatically come into play or if a green signal from the CFPB, in the form of implementing regulations, was a pre-requisite.

Fast forward to April 11, 2011, the CFPB’s inaugural industry guidance came to light. Contrary to the looming uncertainties, the Bureau’s guidance clarified that the tenets of Section 1071 would await the Bureau’s regulations before activation. Despite the initial promise of moving “expeditiously,” the Bureau’s progress charted a slow trajectory over the next ten years, with sporadic mentions of the rule, but no concrete proposed rule.

However, the prolonged delay in rulemaking did not escape the vigilant eyes of consumer champions. In a bold move, by 2019, a coalition of community groups, flanked by two individuals, sought legal intervention, urging the Bureau to fulfill its regulatory mandate. Their relentless efforts bore fruit in a 2020 settlement, cementing a clear roadmap for the elusive 1071 rulemaking. True to its promise, by September 2021, the Bureau unfurled its proposed rule. The rule evoked a substantial response, raking in around 2,100 comments. The curtain finally lifted on March 30, 2023, when the CFPB’s final rule was promulgated. With its twists and turns, this journey has brought forth several crucial facets of the final rule, which we’ll delve into subsequently.

Small Business Lending Rule Benefits

Navigating the intricate tapestry of banking regulations can often feel daunting, with many of us naturally resistant to the thought of additional compliance. However, the Small Business Lending Rule, colloquially known as Section 1071, emerges as a breath of fresh air in this regard. Initially met with scepticism, a deeper dive into its provisions reveals that the rule harbours transformative potential, especially for rejuvenating the cornerstone of the U.S. economy—small businesses.

Here’s an exploration of the multifaceted advantages that Section 1071 brings to the table:

1. Efficiency in Uniformity

Consistency emerges as the linchpin for success in the volatile landscape of small business loans. 1071 possesses transformative potential in fostering processes and pricing uniformity. This systemic coherence optimises operational procedures and bolsters profitability, a win-win for financial institutions.

2. A Deeper Dive into Customer Dynamics

The rule mandates the meticulous collection of data pertaining to loan applications, encompassing details like the applicant’s race, gender, and ethnicity. Beyond just compliance, this treasure trove of data offers a panoramic view of customer demographics and needs. Section 1071 paves the way for rigorous scrutiny of lending trends. With this nuanced understanding, financial institutions can sculpt financial solutions that resonate with the unique challenges and aspirations of hitherto marginalized communities.

3. Reinventing Risk Management

 Section 1071 illuminates the patterns of lending, allowing banks and credit unions to break free from the confines of traditional markets and venture into uncharted territories. An East Coast Coast bank executive shed light on the game-changing potential of the rule in diversifying portfolios, leading to robust risk management paradigms. By harnessing the power of this data, banks can finetune their risk models, ensuring judicious credit decisions, minimizing default rates, and elevating overall portfolio efficacy.

Moreover, the profound insights into borrower demographics empower banks to discern the economic divides and systemic barriers plaguing minority entrepreneurs. With this newfound awareness, banks can proactively deploy risk-mitigating measures, championing financial inclusivity and fostering socio-economic harmony.

Covered Institutions

The final rule casts a wide net, encompassing a vast array of financial institutions. To be classified as a “covered financial institution” under Section 1071, an entity need not be a traditional bank or credit union. Instead, the rule includes:

  • Depository Institutions: These are your standard banks and credit unions that accept deposits from the public.
  • Online Lenders: With the rise of fintech, many lending operations now exist primarily or exclusively online. These digital entities are also captured under this rule.
  • Platform Lenders: These are typically online services that match borrowers with lenders, often using unconventional algorithms and data sources to determine creditworthiness.
  • Commercial Finance Companies: These entities typically provide loans to businesses, backed by commercial property or assets.
  • Nonprofit Lenders: Even charitable or not-for-profit entities that offer lending services are subject to the rule if they meet the criteria.
  • Specialized Lenders: This encompasses a variety of niche lending institutions, including community development financial institutions, equipment and vehicle financing entities, governmental lending bodies, farm credit system lenders, merchant cash advance providers, and more.

Regardless of the type or niche of the institution, the principal determining factor for whether it falls under the rule’s jurisdiction is its lending activity. Specifically, an institution qualifies as “covered” if it originated at least 100 covered originations, like loans to small businesses, in each of the two preceding calendar years. It’s crucial to note that not all lending activities count as “covered originations.” For instance, modifications to existing transactions aren’t counted.

Covered Transactions

A “covered credit transaction,” described under the fnal rule, is fundamentally an extension of business credit that complies with Regulation B. This includes a spectrum of credit forms such as loans, lines of credit, credit cards, merchant cash advances, and credit products explicitly meant for agricultural endeavours. But it’s crucial to note that while many transactions might align with Regulation B’s definition of business credit, not all are encompassed within the purview of a “covered credit transaction.”

Exclusions from the rule include:

  • Trade Credit: This represents a scenario where a business obtains goods or services from another entity without immediately making the full payment. Essentially, it’s a form of short-term lending, typically extended by the seller to the buyer.
  • HMDA Transactions: Transactions that need to be reported under the Home Mortgage Disclosure Act of 1975 don’t fall under the “covered” category.
  • Insurance Premium Financing: This is a financing structure where a business pledges to repay a financial institution for the advanced funds used to settle an insurance premium. In these arrangements, the business typically assigns specific rights from its insurance contract to the financial institution to ensure repayment.
  • Public Utilities Credit: Credits associated with public utilities.
  • Securities Credit: Credits linked to securities.
  • Incidental Credit: This kind of credit, regardless of whether it’s consumer-oriented or extended by a creditor, doesn’t qualify unless it satisfies certain conditions defined under Regulation B. 

Covered Small Businesses

As defined by the final rule, a small business is an enterprise that has accrued a gross annual revenue of $5 million or less in the prior calendar year. This definition is consistent with the one found in the Small Business Act. In determining the status of a business as a small entity, financial institutions are authorized to base their judgment on the applicant’s statements about their gross annual revenue. However, this confirmed data must be prioritised and used if the financial institution is presented with validated revenue details. It is essential for financial institutions to recognize that non-profit organizations and government agencies do not qualify as small businesses under this rule. By its core definition, a small business is an entity structured for profit, autonomously managed, and operated, which is not predominant in its operational domain. It has grossed $5 million or less in the previous fiscal year. Non-profit entities and governmental agencies under Section 1071 are explicitly excluded from this classification.

Covered Applications

Under Section 1071, a “covered application” is characterized as any oral or written request for a covered credit transaction. This request should be made in alignment with the procedures utilized by a financial institution tailored to the specific type of credit being sought. The rule seeks to ensure that all forms of credit requests, regardless of their medium or format, are considered, given they adhere to the institution’s established procedures for the credit type.

Not all credit requests fall under the definition of a covered application. The rule explicitly excludes:

  • Reevaluation, extension, or renewal requests pertaining to existing business credit accounts
  • Inquiries and prequalification requests
  • Solicitation initiated by the financial institution 
  • Firm offers of credit
  • Any other assessments initiated by the financial institution itself

Financial institutions must meticulously track all applications they receive that fall under covered transactions to achieve comprehensive data collection and reporting. This isn’t limited to just approved and finalized credit but encompasses applications that might be withdrawn, incomplete, denied, or even approved by the institution but subsequently declined by the applicant.

Financial institutions have a degree of discretion when defining what constitutes an incomplete or withdrawn application. However, irrespective of individual interpretations by institutions, such definitions and decisions should be clearly outlined in the loan policy. The policy should also make clear provisions regarding how the institution treats a counteroffer.

Data Collection and Reporting Requirements

Under the final rule of Section 1071, new and enhanced data collection and reporting requirements exist for covered financial institutions. Here’s a comprehensive breakdown of these requirements:

Mandatory Data Collection for all applications:

Financial institutions must collect the following data points for all covered applications:

  1. Unique identifier for the application
  2. Date the application was received
  3. Method by which the application was submitted (e.g., in-person, online, etc.)
  4. Whether the application was received directly or came indirectly via an unaffiliated third-party
  5. Action taken on the application (e.g., approved, denied)
  6. The date on which the action was taken

Data points based on applicant or third-party information:

  1. Type of credit requested
  2. Purpose of the credit
  3. Amount of credit applied for
  4. Census tract related to an address given by the applicant
  5. A three-digit NAICS code indicating the nature of the applicant’s business
  6. Number of individuals employed by the applicant
  7. Length of time the applicant has been in business
  8. Number of principal owners of the applicant’s business

Demographic data points:

  1. The applicant’s status in terms of minority ownership, women ownership, and LGBTQI+ ownership
  2. Ethnicity, race, and gender of the business’s principal owners

Reporting Timeline and Method:

Financial institutions must compile this small business lending data annually and ensure its submission to the CFPB by June 1 of the subsequent year. The CFPB has issued a Filing Instructions Guide that offers more details on data submission.

Tips from the CFPB:

Some critical insights from the CFPB’s commentary to aid financial institutions in data collection include clarifications on the application method. For example, an “in-person” application includes submissions at a branch, at the business’s location, or through electronic media with video. “Online” applications cover submissions through various electronic platforms, including websites, mobile apps, email, text, or other forms of text-based electronic communication.

Applicant Data Collection Protocols:

Financial institutions must establish “reasonably designed” procedures to collect applicant-provided data effectively. These protocols must ensure that:

  1. The request for data is made before notifying the application of the final decision
  2. The data request is prominently displayed and presented
  3. Applicants are not discouraged from providing the requested data
  4. The process facilitates easy responses from applicants

All the collected data is to be recorded in a specific format termed the “LAR” (Lending Application Register), which is similar to the reporting structure for home mortgage data under HMDA. The annual deadline for this report is June 1, differing from the March 1 deadline for HMDA LARs.

Firewall Requirements: Protecting Demographic Data

The final rule under Section 1071, while mainly centring on data collection and reporting stipulations, introduces an essential provision to bolster data security and confidentiality: the “firewall.” The intent behind this provision is to restrict specific individuals within financial institutions from accessing sensitive demographic data collected under the rule. Given the complexity of operationalizing such a system, the firewall provision has stirred discussions and raised concerns within the industry.

Per the regulations of the final rule, there are specific restrictions placed on access to applicants’ demographic details. Specifically, officers and employees of a covered financial institution, or its affiliated entities, involved in evaluating or making decisions related to a covered application, are explicitly forbidden from accessing the applicant’s responses about their demographic particulars. This includes information on whether the business is minority-owned, women-owned, or LGBTQI+-owned, as well as information regarding the principal owners’ ethnicity, race, and gender.

However, the rule also offers some flexibility. If a covered financial institution deems it necessary for a particular employee or officer to have access to the demographic responses, they can do so. But this comes with a caveat. The institution must notify the applicants whose data will be accessed. The rule offers latitude on this front, too. Financial institutions can send this notification to a select group of applicants or, if more feasible, to all applicants. This flexibility ensures that institutions can maintain compliance without overly burdensome procedures.

Another crucial aspect of the firewall requirement is the overarching prohibition on sharing this demographic information. Whether it’s the financial institution itself or a third party associated with it, sharing such data with other parties is strictly limited, with only a few exceptions permitted.

The firewall provision under Section 1071 aims to strike a balance. While the collection of demographic data is pivotal for promoting fair lending and ensuring inclusivity, it’s equally critical to protect the confidentiality of this information. This rule aims to create a system that upholds transparency and trust, assuring applicants that their sensitive data remains secure.

Key Updates in the Section 1071 Final Rule: A Synopsis

The journey to the final version of the Section 1071 rule has been comprehensive and involved significant feedback from industry stakeholders. With the proposal initially introduced in September 2021, the finalized rule showcases the CFPB’s dedication to incorporating diverse perspectives, as reflected in the more than 2,100 public comments it received. Here’s a rundown of the most pivotal updates from the proposed rule:

1. Eliminating the Visual Observation Requirement:  One of the more debated aspects of the proposed rule involved lenders relying on visual observation to collect and report on the ethnicity, race, and sex of the applicant’s principal owners if such information wasn’t willingly provided by the applicant. In the final rule, the CFPB has entirely nixed this proposal. Financial institutions are now expressly barred from using visual observation, surname, or any other basis to collect these data points, except through the applicant’s direct input.

2. Inclusion of LGBTQI+ in Demographics: The proposed rule initially called on financial institutions to inquire about an applicant’s status as a minority-owned or women-owned business. However, the final version has expanded this also to include LGBTQI+-owned businesses.

3. Exemption for HMDA-reportable Loans: A significant relief in the final rule is the explicit exclusion of loans already mandated for reporting under HMDA from being redundantly reported under the new small business lending rule. Moreover, the CFPB has synchronized this rule with impending guidelines under the Community Reinvestment Act, ensuring streamlined data submission requirements.

4. Addressing Discouragement: A crucial component in the final rule emphasizes the potential discouragement of applicants from reporting their demographic details. The CFPB plans to enhance its supervisory and enforcement endeavours, focusing on discouragements that may arise from institutions’ self-reported demographic data. Financial institutions are now mandated to institute processes that can identify and tackle signs of such discouragement, particularly when there are unusually low response rates related to demographic data. Such low rates might be a red flag indicating potential deterrents in place or inadequacies in collecting the data effectively.

5. Consideration for Small Lenders: The CFPB is contemplating offering more time for smaller lenders, especially those with a proven track record of effectively serving local communities, to implement the rule. This decision will leverage benchmarks such as the Community Reinvestment Act.

6. Redefining a Covered Financial Institution: The final rule adopts a definition based on a ‘covered origination volume threshold.’ This is a departure from earlier considerations that revolved around defining institutions based on asset size thresholds or origination criteria contingent on the type of financial institution.

7. Relieving Loan Officers of Demographic Determination: Loan officers are now exempt from personally determining an applicant’s demographic data, such as race or ethnicity.

8. Duplication Prevention with HMDA: As reinforced in the final rule, loans already mandated for reporting under HMDA won’t require separate reporting under Section 1071.

These updates underscore the CFPB’s commitment to fostering a lending environment that is both inclusive and efficient, ensuring that financial institutions can operate effectively without compromising on fair lending principles.

Timing Requirements: A Detailed Overview

The Section 1071 final rule, soon to be incorporated into the regulatory framework, has outlined comprehensive requirements for financial institutions about data collection on small business loans. Here’s an exhaustive breakdown of the timing mandates embedded in the rule:

  • Effective Date: The final rule will come into force 90 days post after its publication in the Federal Register. However, the actual compliance dates for financial institutions are staggered, depending on their lending volume, to ease the transition into the new system.
  • Tiered Compliance Dates:       

1. Large Lenders (2,500+ Loans):

    • Financial institutions that have originated at least 2,500 covered small business loans in both 2022 and 2023 will kickstart their data collection on October 1, 2024.
    • For these institutions, data accumulated between October and December 2024 must be reported by June 1, 2025. Subsequently, data for the entire year of 2025 will have to be conveyed by June 1, 2026. Going forward, annual data collection will span the full calendar year, with reporting due by June 1 of the following year

2. Mid-tier Lenders (500-2,499 Loans):

  • Financial institutions that originated a minimum of 500 but fewer than 2,500 covered small business loans in both 2022 and 2023 will embark on their data collection journey on April 1, 2025. 
  • The entire data set for the year 2025 will need to be submitted by June 1, 2026.

3. Smaller Lenders (100-499 Loans):

  • Institutions that initiated at least 100 covered small business loans in both 2022 and 2023 will initiate their data collection process on January 1, 2026.
  • Data acquired throughout 2026 should be forwarded to the CFPB by June 1, 2027.

For those financial institutions that didn’t reach the 100-loan threshold in 2022 and 2023 but later met or surpassed this criterion over two consecutive calendar years, their data collection can commence, at the earliest, by January 1, 2026.

Continuous Evaluation: The CFPB has stressed the need for financial institutions to evaluate their status concerning the rule’s requirements annually. Even if an institution determines non-compliance in 2024, 2025, or 2026, subsequent years necessitate re-evaluation based on loan origination metrics of the preceding two calendar years.

Supplementary Proposals: The CFPB is also considering issuing further proposals. One notable highlight is the potential provision of extended implementation time for smaller lenders that boast commendable performances under the Community Reinvestment Act and analogous state legislations.

Understanding the Implications of Section 1071 for Financial Institutions

Section 1071’s final rule introduces intricate data reporting mandates that significantly impact the vast majority of lenders offering credit to small businesses. The onset of these requirements will be staggered, implying that diverse lenders will encounter varying timelines to ensure compliance. It is crucial for lenders to precisely discern when their obligations under the final rule commence, particularly concerning data collection and reporting stipulations.

Realizing these obligations necessitates many lenders to innovate and implement novel data compliance mechanisms in alignment with the final rule expectations. Notably, several stakeholders within the industry have voiced apprehensions regarding the potential financial burdens accompanying the rule Rule. Such fiscal demands, they argue, could inadvertently impede fair lending practices. Small community-based financial institutions might bear the brunt most severely, as the expenses associated with the comprehensive implementation of the rule Rule could potentially constrict their lending capacities to small businesses.

Recognizing the potential compliance pitfalls and the need to ensure fairness, the CFPB has elucidated its stance through an Enforcement Policy Statement. Within this Statement, the CFPB underscores several crucial aspects:

  • The final rule envisions data collection methods to be unbiased, ensuring applicants aren’t deterred from submitting relevant information.
  • The rule Rule also mandates that data requisitions be visibly apparent to applicants, easily actionable, initiated before intimating the lender’s verdict on the application and structured to facilitate seamless information capture.
  • Lenders falling under the rule’s Rule’s purview must proactively spot and rectify any signs of applicant discouragement within their operational modalities. This involves rapid scrutiny of potential discouragement signals, instant corrective measures, consistent monitoring for data collection response rates, and potential discrepancies. Additionally, there’s an emphasis on ensuring employees’ proficiency in data gathering from loan seekers through thorough training.

The CFPB, in its Statement, accentuates its intent to supervise and enforce lenders’ adherence to these mandates, concentrating specifically on the rate of responses garnered from data requisitions. The CFPB’s evaluative approach will juxtapose a lender’s performance against comparable financial institutions, also focusing on response anomalies that might hint at biases, undue influence, or obstructions to applicants’ genuine responses.

Given the comprehensive nature of the rule Rule, its actualization demands considerable planning, resources, and groundwork. Small business lenders are advised to initiate their adaptational strategies promptly, laying down robust frameworks to capture and report mandated data.

To ensure unerring compliance with Section 1071, financial institutions should proactively:

  1. Procure program management reinforcement
  2. Establish definitive and answerable governance architectures
  3. Conduct thorough technology, applications, data acquisition, and data handling practices analyses against Section 1071 benchmarks.
  4. Prioritize technological, application, data gathering, and data management enhancements.
  5. Formulate procedural blueprints and workflows, embedding mechanisms for decision audit trails.
  6. Launch exhaustive training modules for pertinent staff members
  7. Implement meticulous data quality evaluations on the data gathered
  8. Undertake rigorous data control assessments
  9. Execute fair lending assessments on currently stored data

Embracing these steps will ensure adherence to the final rule and bolster financial institutions’ credibility, safeguarding their vital role in facilitating small business growth.

The “Don’ts” of 1071 Small Business Lending

The 1071 Small Business Lending Rule has been instituted to introduce certain benchmarks and criteria, ensuring transparency and fairness within the lending landscape. While the primary focus is often on what financial institutions must do to adhere to the rule Rule, it is equally paramount to recognize what they should avoid. Comprehending these “Don’ts” will streamline the compliance process and avert unnecessary complications and potential pitfalls.

First and foremost, the axiom, “Don’t comply if you don’t have to,” rings true. Financial institutions must carry out a rigorous assessment to determine whether they fall within the purview of the 1071 rule Rule. Blindly rushing into compliance without this clarity can lead to wasted resources and efforts. Institutions should carefully review the rule’s Rule’s criteria and applicability to ascertain if they genuinely need to undertake the compliance steps.

The following pivotal guideline is timing: “Don’t start collecting the required data too early.” The onset of data collection mandates will vary for different financial institutions. Commencing data collection prematurely, without a clear understanding of the specific requirements and timelines, can lead to misalignment with the rule’s Rule’s provisions. Such premature actions might result in inconsistencies, potential data redundancies, or even the inadvertent collection of non-required data, complicating the eventual compliance reporting process.

Lastly, the complex and nuanced nature of the 1071 rule Rule emphasizes the importance of the directive, “Don’t attempt to comply alone; utilize compliance professionals.” The intricacies of the rule Rule, coupled with the repercussions of non-compliance, make it essential for financial institutions to solicit expert guidance. While institutions may possess internal expertise, navigating the 1071 landscape can benefit immensely from specialized compliance professionals who are abreast of the latest interpretations, implications, and best practices related to the rule  Rule. Their insights can be invaluable in ensuring financial institutions are on the right track, eliminating the risks of oversight or misinterpretation.

In summary, while the 1071 Small Business Lending Rule seeks to level the playing field and bolster transparency, it’s crucial for financial institutions to approach compliance judiciously. By understanding not just the actions to take, but also the pitfalls to sidestep, these institutions can ensure a smoother, more efficient, and compliant lending environment for small businesses.


Navigating the intricacies of the 1071 Small Business Lending Rule is no small feat, and as the landscape of financial compliance continues to evolve, institutions must stay ahead of the curve. Ensuring adherence mitigates risks and fosters trust with small businesses and stakeholders alike. If you’re feeling overwhelmed by the rule Rule’s complexities or unsure about the best approach for compliance, you’re not alone. 

RADD LLC specializes in guiding financial institutions through such regulatory mazes with expertise and precision. Let us help you transition seamlessly into full compliance with the 1071 rule Rule, ensuring that you avoid common pitfalls and remain on the right side of regulation. Schedule a consultation with me here.