CFPB 1071 Rule Has Significant Requirements

The Consumer Financial Protection Bureau’s (CFPB) small business data collection rule, often referred to as the 1071 rule, is set to be the most significant effort of data collection and reporting for financial institutions in nearly 50 years. Banks and credit unions must prepare to meet the rule’s requirements by understanding what data must be collected, when it needs to be collected and how to streamline the process to ensure compliance.  

This article describes the scope of the CFPB small business lending data regulations and offers practical tips for banks and credit unions to manage their data collection processes efficiently. Understanding the rule and preparing adequately will help your financial institution stay ahead of deadlines and avoid compliance problems.  

The Scope of Small Business Data Collection

The CFPB’s small business data collection rule implements Section 1071 of the Dodd-Frank Act, which directs the bureau to collect certain demographic data from small business lenders. The primary goal of the federal rule is to facilitate fair lending enforcement and identify the credit needs of women- and minority-owned businesses.

Under this rule, any entity engaged in lending activities is required to collect and report demographic data during the application process. This includes not just banks and credit unions but also finance companies, online lenders, Community Development Financial Institutions (CDFIs), government lenders and nonprofit lenders. The only lenders excluded from these requirements are those that originated fewer than 100 covered credit transactions in each of the two calendar years preceding their compliance date. Requests for additional credit tied to an existing loan do not count as originations when determining whether an institution is covered. 

The rule requires that lenders collect and report data for all small business credit applications from any business with $5 million or less in gross annual revenue its preceding fiscal year. Credit transactions covered by the rule include applications or requests for:  

• Loans.
• Lines of credit.
• Credit cards.
• Merchant cash advances.
• Credit products used for agricultural purposes.
• Refinancings where existing debt is satisfied and replaced by a new obligation for the same borrower.

Compliance Deadlines for 1071 Small Business Lending Data Regulations

Lender deadlines for 1071 compliance are initially determined by the volume of small business loans originated in each of the calendar years 2022 and 2023 or in 2023 and 2024. Abrigo has a one-pager summarizing the 1071 data collection and reporting deadlines. Here’s a general overview of when different types of lenders must begin data collection, based upon their origination thresholds: 

• Lenders that originate at least 2,500 small business loans in each of the years must start collecting data on covered applications by July 18, 2025. 
• Lenders that originate at least 500 covered loans in each of the years must begin data collection by Jan. 16, 2026. 
• Lenders that originate at least 100 small business loans in each of the years must collect application data starting Oct. 18, 2026.

To prepare for these deadlines, lenders may begin gathering the otherwise protected demographic information one year before their official collection deadline. This head start can help institutions ensure timely compliance and address any challenges in advance. 

Key Data Points Under 1071 Small Business Lending Data Regulations

Banks, credit unions and other creditors will need to collect more than 20 pieces of data for each application and report this data to the CFPB each year. The data points cover a wide range of details related to the credit transaction, the business’ attributes and demographic data.

Some of the key 1071 data points required include:

1. Application date and method (in person, telephone, online, mail).
2. Credit type, including the product type (term loan, line, credit card, etc.), guarantee type (personal, SBA, USDA, etc.) and loan term (in months).
3. Purpose of the credit (e.g., purchase, working capital, construction, etc.).
4. Amount applied for.
5. Action taken on the application (originated, denied, withdrawn, etc.) and date of action. 
6. Amount approved or originated.  
7. Denial reasons (e.g., business characteristics, cash flow, collateral). 
8. Pricing details (interest rate, origination charges, broker fees, initial annual charges, additional cost for merchant cash advances and prepayment penalties). 
9. Census tract number. This information should represent the address where loan proceeds will be applied, the address of the applicant’s headquarters or main office, or another address associated with the applicant. 
10. Gross annual revenue. Financial institutions may reuse previously collected gross annual revenue figures when the data was collected within the same calendar years as the covered application. 
11. NAICS code. 
12. Number of workers and time in business. 
13. Business ownership status (such as minority, women, LGBTQI+). 
14. Number of principal owners and ethnicity, race and sex/gender of principal owners 1-4. This data must be reported based only on information provided by the applicant (i.e., no reporting based on visual observation). 

Importantly, the CFPB mandates that lender data collection processes shouldn’t discourage applicants from providing their demographic information. Financial institutions will want to make data collection processes as easy as possible for applicants to encourage participation. 

Tips for Organizing and Streamlining Data Collection Processes

Given the scope of effort needed to collect and report data by the CFPB deadlines, some financial institutions are already taking action. In fact, if you are a tier 1 lender and have to comply beginning July 1, 2025, we recommend beginning your testing now to give you at least nine months of testing.

For those who may feel overwhelmed by the tasks ahead, the following steps can help organize and streamline the data collection process:

1. Understand the rule and related requirements. Make sure others involved in lending are familiar with the 1071 small business lending data regulations and the specific requirements for CFPB small business data collection. 
2. Review existing data collection practices. Identify what data is already being collected and where gaps exist. Some data may be available within the financial institution’s systems, while other data points will need to be obtained from applicants. 
3. Assess current systems used for data collection and reporting. Determine whether these can be leveraged for 1071 data collection and whether new or updated systems are needed. 
4. Assess the current lending process (i.e., how information is gathered). This assessment likely will require reviewing the institution’s credit culture if certain required data points are missing from the current application process.

Technological Solutions for Efficient 1071 Data Collection

Automation can play a critical role in streamlining CFPB small business data collection. Software solutions designed for data collection and analysis can help lenders focus on the borrowers and winning deals while ensuring compliance with the 1071 small business lending data regulations. These tools can also make it easier to review and submit the information to the CFPB efficiently. Abrigo’s product team worked with the CFPB throughout the rulemaking process and has built 1071 compliance into its loan origination platform and its small business loan origination software.

While ease of data access is important, in general, if the institution doesn’t employ the firewall exception, CFPB prohibits underwriters or any employee responsible for the disposition or “making a determination” on an application from accessing certain demographic data. Abrigo’s software integrates 1071 compliance features such as built-in firewalls and user permission controls to help maintain non-biased lending and compliant reporting. 

Preparing for Regulatory Changes 

While organizing the data collection process is crucial, it’s also important for financial institutions to take broader steps to prepare for these regulatory changes. These include educating staff, revising policies and procedures, and considering more standardized pricing and fee structures to align with the 1071 small business lending data regulations.

1071 Data Risk Management and Compliance Strategies

Compliance with the 1071 small business lending data regulations will require coordination across multiple departments. To mitigate risks associated with non‑compliance, financial institutions should:

• Create a formal project plan and timeline for compliance efforts.
• Plan for the training of all relevant staff involved in data collectors, reporting and underwriting.
• Establish consistent lending processes to promote data accuracy and compliance.  
• Consider the formality of the current borrower application process and identify any culture changes needed.
• Automate processes to reduce manual errors and speed processes.
• Develop internal controls, including those that validate and test the data collected. 
• Track and report exceptions, particularly those related to pricing, fees and loan structures.

Some financial institutions will need to formalize their small business loan application process. Others may decide to balance small business relationship lending with a risk-based pricing model to mitigate unintended disparate treatment among lenders and branches.

For institutions facing challenges or staff resource constraints, engaging experienced consultants can help. CFPB 1071 consultants can establish reporting and monitoring processes and recommend any needed policy changes.

The CFPB’s 1071 small business lending data regulations represent a momentous change in how financial institutions must collect and report data. By understanding the requirements, preparing in advance and leveraging technology, banks and credit unions can navigate the changes with compliance. Start planning now to make sure your institution is ready for a smooth data collection process under the 1071 rule.