CFPB Finalizes New 1071 Small Business Lending Rule – Key Takeaways

The significant narrowing of the scope of the rule is no surprise given the CFPB's responsiveness to industry demands, its desire to resolve outstanding litigation in Texas, Kentucky, and Florida, and the agency's general approach to regulatory burden reduction. The result is that fewer lenders will be required to collect and report data to the CFPB, fewer products will be covered by the rule, and lenders will have to collect information on fewer data points with a single compliance date of January 1, 2028.

These changes are a big win for financial institutions that did not want to be covered by this rule as well as for those still covered, because they will have to collect and report less data, which results in reduced compliance costs. While the CFPB's changes will undoubtedly reduce complexity and burden for lenders, as the first-of-its-kind small business lending data collection and reporting regime, the compliance challenges remain high.

This alert briefly summarizes the new rule and provides an insider perspective from the former manager of the CFPB's 1071 rulemaking on what institutions should expect next.

How Did We Get Here?

For anyone who has been tuned into this high-stakes rulemaking at the CFPB, it has been a rollercoaster ride from the agency's inception, with diverse viewpoints and stakeholders digging in their heals across issues that directly impact visibility into the nation's small business lending market. No other rulemaking in the CFPB's history has taken this long or resulted in as many lawsuits from civil rights and community groups as well as from the industry. Here's the quick version of that rollercoaster ride.

First, CFPB Director Richard Cordray prioritized time-sensitive, mortgage-related rules. He switched gears towards the end of his term to focus on 1071, but then a presidential election took place, and Acting Director Mick Mulvaney paused the work. Director Kathleen Kraninger was then sued for the agency's delay in issuing this Congressionally mandated rulemaking and agreed to a timeline to get it done. Progress was being made but then another presidential election took place, which resulted in leadership revisiting the agency's approach. Acting Director David Uejio moved quickly to issue the proposed rule, and the 2023 final rule came out under Director Rohit Chopra's watch. Lawsuits were filed in three different jurisdictions challenging the final rule. The tiered compliance dates were stayed pending the litigation and then – yes, you guessed it – another presidential election occurred. The agency again extended the compliance dates under Acting Director Russell Vought so that the agency could quickly reconsider the 2023 final rule, and here we are today.

The CFPB received 410 comments in response to its proposal released just five months ago in November 2025. The agency has mostly finalized the rule as proposed with a handful of material changes designed to ease compliance burden on institutions and made the final rule effective on June 30, 2026.

The CFPB moved quickly to revise and finalize provisions – supported by many commenters including banks, credit unions, non-depository and online lenders, and trade associations for lenders – that will make the 1071 data collection more efficient, less burdensome, and easier to implement for the industry. The changes are designed to reduce complexity and burden for lenders and improve data quality by focusing on core institutions that originate the most volume of core transactions covered by the rule and requiring the collection of more limited data from core small business applicants (those that it now deems are "truly small businesses").

The significant narrowing of the rule's scope under new CFPB leadership – opposed by many commenters, including advocacy and community groups, members of Congress, trade associations for community development financial institutions, small farms, and small businesses, as well as service providers to lenders – is not unexpected given:

• the agency's general approach to regulatory burden reduction and the directive from the White House to lessen compliance burden on lenders, as well as
• a desire by the agency to resolve the outstanding issues in the three lawsuits challenging the 2023 final rule in Texas, Kentucky, and Florida.

What Are the Changes to the Prior 1071 Rule?

At a high level, this 2026 final rule makes the following significant changes to the 2023 final rule:

• Increases the loan-volume threshold from 100 to 1,000 originations
• Exempts Farm Credit Service (FCS) lenders
• Maintains simplified "small business" definition by looking at gross annual revenue, but now only requires collecting data from small business applicants that have $1 million or less (no longer $5 million or less)
• Includes only "core" transactions – loans, lines of credit, and credit cards (and excludes merchant chance advances, agricultural lending, and smaller dollar transactions)
• Includes the statutory data points (with some revisions to ease compliance) and only three discretionary data points
• Revises "time and manner" provisions related to collection of applicant-provided data
• One single compliance date of January 1, 2028 (with annual data reported to the CFPB by June 1, 2029)

Financial Institutions Covered

In the spirit of simplifying the rule by narrowing its scope to "core" small business lending practices and lenders, the CFPB decided to:

• Require only financial institutions that originate at least 1,000 small business transactions in each of the two preceding calendar years to collect and report 1071 data
• Exempt FCS lenders

The agency emphasizes that "larger lenders are better resourced and can better sustain the complexities and cost of compliance with the rule." And while the agency acknowledges that the change to a 1,000-loan origination threshold "will carve out a large number of mostly smaller depository institutions" from being covered by the rule, it estimates that the rule will nevertheless continue to "cover the vast majority of small business loan originations made by depository institutions (approximately 92 to 93 percent)" at the higher threshold.

The final rule provides that an institution must calculate its small business originations in 2026 and 2027 to determine whether it meets the 1,000-loan threshold to be covered by the rule beginning January 1, 2028. To ease compliance, the rule also permits institutions that do not have ready access to sufficient information to determine whether they are covered by the rule:

• to use reasonable methods to estimate their volume of originations to small businesses for this purpose, and
• may look to 2025 and 2026 small business originations (new provision).

Given the higher origination threshold (now 1,000 versus 100), the exemption of FCS lenders, and as discussed below, the exclusion of merchant cash advances as a product (which results in the exclusion of merchant cash advance providers), significantly fewer financial institutions will be covered by the rule. These combined changes are arguably the most impactful of any that the agency has made.

Small Business Definition

From the very first days of the CFPB's work on this rulemaking, the agency prioritized coming up with a simple definition of "small business" across industries that would allow lenders covered by the rule to more easily determine upfront whether an applicant is a small business or not.

As such, the 2023 final rule landed at defining a "small business" as a business that has $5 million or less gross annual revenue for its preceding fiscal year. Given the CFPB's desire to narrow the scope of the rule to focus on what the agency now calls "truly small businesses," it now only requires collecting data from small business applicants that have $1 million or less gross annual revenue for its preceding fiscal year.

Given this change, fewer small business applicants will be covered by the rule. However, as support for the revised definition, the agency contends that it "maintain[s] broad coverage of small businesses" including "a high share of minority-owned and women-owned businesses."

Covered Credit Transactions

In revisiting which small business credit products should be covered by the rule, the CFPB focused on what it determined to be core "widely used lending products most likely to be foundational to small businesses' formation and operation" and not, for example, "more niche or specialty lending products." The agency also sought to lessen operational complexity and poor data quality by focusing on a limited set of credit transactions.

Given this approach, the final rule now continues to cover only the following "core products":

• Loans
• Lines of credit
• Credit cards

Of great significance, the 1071 rule no longer covers the following transactions:

• Merchant cash advances
• Agricultural lending
• Transactions of $1,000 or less

And like before, the rule continues to exclude the following transactions:

• Trade credit
• Factoring
• Leases
• Home Mortgage Disclosure Act (HMDA)-reportable transactions
• Insurance premium financing
• Public utilities credit; securities credit; and incidental credit
• Consumer-designated credit used for business or agricultural purposes
• Credit transaction purchases; purchases of an interest in a pool of credit transactions; and purchases of a partial interest in a credit transaction

Given the decision to include only "core products" (loans, lines of credit, and credit cards) within the scope of the rule, there will be less information available about the diverse set of products used by small businesses. Despite this concern, the agency reiterated its belief that "the rule should focus on core, generally applicable lending products" and "minimize market disruption and regulatory complexity" by not bringing in additional products at the outset of this data collection.

Data Points

Section 1071 requires lenders to collect and report certain information from small business applicants, including:

• Statutorily required data points, and
• Discretionary data points (any other data that the CFPB determines would aid in fulfilling the statutory purposes).

The 2023 final rule resulted in a comprehensive dataset requiring collection and reporting of the 12 statutory data points (which when reporting requires 56 total data fields be completed or left blank when not applicable), along with nine discretionary data points (which when reporting requires 27 total data fields be completed or left blank when not applicable).

In revisiting what information a lender is required to collect from small business applicants, the CFPB weighed several considerations including a focus on "core" data points, the relative utility of the data with operational complexity, the desire to "improve data quality" and "streamline and simplify regulations." Guiding its decision on which discretionary data to include or not, the agency states it believes that:

"[if] the relative utility of the data is not strong enough to justify the additional operational complexity for financial institutions, that is sufficient reason to remove the discretionary data point, even if the discretionary data point would otherwise advance the purposes of the statute."

Given this approach, the final rule continues to cover the statutory data points:

• Unique identifier
• Application date
• Credit type
• Credit purpose
• Amount applied for
• Amount approved or originated
• Action taken
• Action taken date
• Census tract
• Gross annual revenue
• Women-owned and minority-owned business statuses
• Ethnicity, race, and sex of principal owners (with changes to the collection categories, which dramatically reduces the number of data fields)
  • Ethnicity – aggregate categories only (no disaggregated subcategories)
  • Race – aggregate categories only (no disaggregated subcategories)
  • Sex – binary, male/female (no gender identity)

The final rule also continues to cover the following three discretionary data points needed to facilitate the collection of the statutory data points:

• North American Industry Classification System (NAICS) three-digit code
• Time in business
• Number of principal owners

Notably, the rule no longer covers the following discretionary data points:

• Application method
• Application recipient
• Denial reasons
• Pricing information
• Number of workers
• LGBTQI+-owned business status

Despite fierce opposition from many commenters about the removal of any discretionary data points, the Bureau reiterated its belief from the proposal that the agency should focus on "core data points" as a method "to limit the initial compliance costs for collecting and reporting data in compliance with [this rule]."

The CFPB also retains a few free-form text fields for reporting certain data – namely, the type of financial institution, credit product, or the type of guarantee – despite concerns from some commenters about data consistency, quality, and comparability.

Time and Manner of Collection

The new rule – like before – requires financial institutions to maintain procedures to collect information that is provided by an applicant at a time and in a manner that are reasonably designed to obtain a response. What has changed are certain "anti-discouragement" provisions that seemed to presume that financial institutions would not seek to obtain applicant-provided data – especially the principal owners' demographic information (ethnicity, race, and sex) – and dictated when in the application process such information must be collected.

What has changed is that the rule:

• No longer provides that low response rates of applicant-provided data may be indicia of discouragement
• No longer requires lenders to monitor for indicia of discouragement, such as low response rates from applicants, by, for example, performing peer comparisons
• Removes prior restrictions on the time and manner of collecting applicant-provided data by clarifying that "while the general expectation remains that financial institutions should attempt to collect data prior to notification of the credit decision," it now requires that data be collected at a time "reasonably designed to obtain a response," which creates "a flexible regulatory standard that permits financial institutions to collect data in a manner consistent with their operations."

The agency is also emphasizing the importance of an applicant's right to refuse to provide demographic data by including that statutory right in the regulatory text itself and with revisions to the sample demographic data form lenders may choose to use.

Relatedly, it is imperative to flag the CFPB's decision to also add the following new language to the sample demographic data form:

"Information about your application (without your name or other directly identifying information) may eventually be available to the public."

It will be interesting to see whether such language has the unintended consequence of deterring applicants from providing their ethnicity, race, and sex, as well as whether the business is minority- or women-owned. Arguably this new language could impact response rates.

Other Noteworthy Provisions

The final rule contains other provisions that are designed to lessen the compliance burden (all of which are not new and were in the prior rule).

• Sample "notice" to comply with the statutory requirement to "firewall" demographic data (race, ethnicity, and sex of principal owners) from underwriters and others
• Safe harbors – a total of four safe harbors related to reporting application date, incorrect entry for census tract, three-digit NAICS code, and the determination of small business status, covered credit transaction, or covered application
• Tolerance threshold for bona fide errors in data reported – revised to conform with the new 1,000-loan threshold
• Grace period (January 1, 2028, through December 31, 2028) – retains one-year grace period during which the CFPB, for institutions under its jurisdiction, will not assess penalties for errors in data reporting, and will conduct examinations only to assist institutions in diagnosing compliance weaknesses, to the extent that these institutions engaged in good faith compliance efforts
• Voluntary collection of applicants' demographic data (race, ethnicity, and sex of principal owners) one year prior to compliance date to help prepare for coming into compliance –may begin January 1, 2027

Privacy and Publication of the Data

The CFPB is statutorily required to use its discretion to modify or delete 1071 data prior to publication in order to "advance a privacy interest." In the 2023 final rule, the agency offered a preliminary view of how it might conduct that privacy analysis. The CFPB has now confirmed it will reassess that privacy assessment as it continues to engage with stakeholders and made two notable decisions:

• Commits to addressing these issues in a full notice-and-comment rulemaking
• To be published likely after the agency has received one full year of 1071 data

Given the fact that the first set of data will not be reported until June 1, 2029, this means that the agency could potentially be under new leadership following the next presidential election when the time comes to makes decisions on what data should be public and what data should be modified or redacted before publication.

Like everything related to implementing Section 1071, there will be strongly held and divergent views. With HMDA as a lesson in history, this is the next battleground, with the industry on one hand urging the CFPB to release less data to the public given potential re-identification risks to small businesses and the privacy interests of reporting lenders and, on the other hand, civil rights organizations, community groups, and researchers pushing for more visibility. The agency's decision to consider these issues through the formal rulemaking process – and not through guidance as was done with HMDA under Director Kraninger – is a big win for transparency and consideration of diverse perspectives.

Final Rule Likely Resolves Some (But Not All) of the Outstanding 1071 Litigation

After the 2023 Final Rule was released, several trade associations, financial institutions, and others filed lawsuits against the CFPB in Texas, Kentucky, and Florida challenging many aspects of the rule. Given the fact that many of the changes these industry litigants were looking for have now been incorporated into the new final rule, the issues are likely moot or otherwise resolve the litigation. Now that the CFPB's rulemaking process is complete, the stays in the cases will be lifted by the courts and the parties will have an opportunity, which they'll likely take, to inform the courts that they have reached an agreement to dismiss the litigation challenging the prior rule.

On the flip side, there is one lawsuit that may not go away. After new leadership at the CFPB informed the Texas, Kentucky, and Florida courts that it would be reconsidering the 2023 final rule, advocacy groups and others filed a lawsuit in D.C. district court challenging the agency's actions to reconsider the rule.

While financial institutions welcome the reduction in regulatory complexity and decreased compliance costs with open arms, others view these changes by the CFPB as a significant loss for more fulsome data which would have:

• helped lenders identify credit needs of small businesses, across all parts of the country, including in rural areas,
• helped lenders identify opportunities in the marketplace, and
• shed light on risks of potential discrimination by a diverse set of lenders.

Of particular concern for these stakeholders is the increase of the loan threshold from 100 to 1,000 originations, coupled with:

• Exemption of FCS lenders
• Exemption of agricultural lending by any covered lender
• Exemption of merchant cash advances, especially considering ongoing reports that such financing is high-priced and potentially targeted to financially vulnerable businesses

The concern is that these changes result in a dramatic decrease in the number of depository institutions that are covered, and in the number and type of non-depository institutions that are no longer covered by the new threshold and the exemptions. The worry is that this results in data gaps. For example, there will be less insight into small business lending in certain geographies, such as rural areas, and less insight into lending to certain populations given that many institutions that lend to minority- and women-owned businesses do so at lower volumes and by providing the now-exempted products.

In addition, for those who believe a more comprehensive dataset – despite increased compliance costs – is warranted to further the Section 1071 statutory purposes, they have serious concerns about the removal of all but three of the discretionary data points, but especially pricing data and denial reasons.

To be seen is whether stakeholders who oppose these changes decide to challenge them in court as "arbitrary and capricious," contrary to law, and in excess of the CFPB's statutory authority under the Administrative Procedure Act. On one hand, these changes are a tough pill to swallow for stakeholders who view the data as critical to their missions and serving their communities. On the other hand, litigation will result in, once again, a delay in having the 1071 data in their hands. A pressing dilemma is whether more limited data guaranteed sooner is better than more fulsome data potentially later.

What Does This All Mean for Small Business Lenders Now?

Financial institutions want certainty. They want to understand what the new rule does and does not cover, when they need to take certain actions to be ready to comply, and how to prepare for smooth implementation.

As such, while the new January 1, 2028, compliance date could be impacted by further legal developments, financial institutions that are covered by the new rule should take advantage of the compliance lead time to develop and perfect systems used to collect and report accurate 1071 data and begin to test those systems. Institutions should also perfect their 1071 policies and procedures, train personnel, and build systems that are equipped to monitor for potential fair lending violations. There is no doubt that the 1071 data reported to the CFPB will one day become a priority in its supervisory and enforcement work. 

While some institutions have reported some small business lending data under other legal obligations, the 1071 data collection and reporting requirements are unique and present many challenges. As institutions that have reported residential home mortgage lending data for years under HMDA know firsthand, it takes time, sufficient resources, and an understanding of the risks of non-compliance to get this right. The Federal Reserve Board has repeatedly reported HMDA non-compliance as its top violation, year after year. The 1071 data contain many of the same data points but with even greater complexity given diverse products, application procedures, underwriting criteria, and systems of record.

And as for financial institutions that are no longer covered by the new final rule – whether because of the increased loan-volume threshold or any of the exemptions – there is a risk that if the rule is challenged and if a court disagrees with the changes, such institutions could be swept back into scope.

History is a lesson here. In 2020, during the first Trump administration, the CFPB increased the originations threshold in HMDA for closed-end mortgages (25 to 100) and open-end lines of credit (100 to 200) based on concerns that the burdens placed on lower-volume reporting institutions were not justified considering the small amount of data that they report. While the court let stand the CFPB's increase in the open-end lines of credit threshold, the court invalidated the change to the closed-end threshold, finding the agency had "failed adequately to explain or support its rationales for adoption of the [new threshold], rendering [that] aspect of the rule arbitrary and capricious." As such, institutions that thought they were out at the new, higher threshold were suddenly back in. Given this scenario has sufficient similarities, institutions should monitor any potential 1071 litigation closely to be prepared to pivot if necessary.

Should you have any questions about the 1071 final rule, how to prepare for compliance with the new requirements, or how potential future litigation may impact your organization's implementation plan, please contact Elena Babinecz, former deputy assistant director at the CFPB and prior manager of the agency's 1071 rulemaking for more than nine years.