Today, the Consumer Financial Protection Bureau (CFPB or Bureau) released its final rule revising the 2023 small business lending data collection and reporting rule under the Equal Credit Opportunity Act (ECOA) and Regulation B, which implements Section 1071 of the Dodd-Frank Act (2026 Final Rule). The 2026 Final Rule will become effective 60 days after publication in the Federal Register, and the compliance date for initial data collection is January 1, 2028.

In November 2025, we published an analysis of the Bureau’s proposed rule (found here), in which we described a fundamental pivot to a “Phase One” regime focused on core products, higher‑volume lenders, and a leaner set of data collection points, with a single compliance date. The final rule largely adopts that narrowed architecture, while adding important implementation details and a few notable refinements.

From Proposed Rule to Final Rule (and the Litigation Backdrop)

Our earlier post explained that the CFPB was abandoning the “maximalist” 2023 approach in favor of a long‑term, incremental model akin to the evolution of HMDA collection and reporting requirements. That strategy is now formalized. The final rule confirms that the initial Section 1071 data collection and reporting regime will focus on mainstream business loans, lines of credit, and credit cards; will exclude merchant cash advances, agricultural lending, small dollar loans at or below $1,000 (subject to inflation adjustment) and Farm Credit System lenders from coverage; will apply only to lenders that meet a 1,000‑originations threshold for small business credit; and will require a trimmed set of data points anchored in the statutory text.

The CFPB continues to frame this as a “start small, expand carefully” approach. The Bureau is explicit that Section 1071 is a multi‑decade project and that the initial rule is a foundation, not an endpoint. As we noted in 2025, that carries two implications: the near‑term compliance burden is lower than under the 2023 final rule, but lenders should expect the regime to grow more complex and comprehensive over time. The Bureau also acknowledges that multiple lawsuits challenging the 2023 final rule remain pending, and that narrowing the rule may itself invite new challenges from stakeholders who favored the broader 2023 framework. As a result, there is still some litigation risk and potential for further judicial review even as implementation of the 2026 Final Rule moves forward.

Coverage

Our prior analysis highlighted the proposed shift from a 100‑loan coverage threshold to a 1,000‑origination threshold, using only small business originations and looking at two consecutive calendar years. The 2026 Final Rule adopts that structure. A “covered financial institution” is now any financial institution (banks, credit unions, online lenders, community development financial institutions, nonprofit lenders, governmental lenders, and others) that originated at least 1,000 covered credit transactions for small businesses in each of the two preceding calendar years.

The final rule goes further than the proposal in one respect: it explicitly excludes Farm Credit System (FCS) lenders from the definition of covered financial institution. In practical terms, FCS lenders are exempt from this first‑phase Section 1071 regime altogether, regardless of volume. As the Bureau notes in its commentary, the final rule also excludes agricultural lending as a covered credit product to ensure that FCS lenders are excluded from coverage. 

At the same time, the Bureau makes clear that it is not opening the door to broad additional carve‑outs. The preamble notes that the CFPB received numerous requests to exclude other categories of business credit (including various point‑of‑sale products, equipment finance, and other specialty finance models), but that it declined to do so. Outside of the specific exclusions for merchant cash advances, agricultural lending, and small dollar loans, small business lending products remain in scope if they otherwise meet the definition of a covered credit transaction and are originated by a covered financial institution.

The final rule also clarifies reporting responsibility in multi‑party structures. Where more than one financial institution is involved in originating a single covered credit transaction, only the last financial institution with authority to set the material terms (such as selecting among competing offers or modifying pricing, amount, or repayment duration) must count and report the origination. If that last decision maker is not a covered financial institution, the application is not reported by anyone. The final rule further confirms that purchases of loans or interests in loans after origination are not “covered credit transactions,” so purchasers do not incur Section 1071 obligations merely by acquiring seasoned paper. The CFPB specifically declined to exclude indirect lending models from coverage; instead, they are addressed through this “last decision‑maker” framework as opposed to a categorical carve‑out.

Product Scope

In our prior blog post, we explained that the proposal would narrow coverage to mainstream small business loans, lines of credit, and credit cards, while excluding merchant cash advances (revenue‑based financing), agricultural lending, and small dollar business loans. The final rule adopts those carve‑outs largely as proposed, and the official interpretations now provide detailed guidance on how they operate in practice.

Merchant cash advances are defined as lump‑sum payments in exchange for a percentage of future sales or income up to a ceiling amount and are excluded from “covered credit transactions.” Agricultural lending transactions used to fund crop and livestock production or to acquire/refinance farmland, agricultural equipment, breeder livestock, and similar farm capital assets are also excluded. And loans of $1,000 or less are carved out as “small dollar business credit,” with the $1,000 threshold to be adjusted every five years based on the Consumer Price Index for All Urban Consumers (CPI‑U) and rounded to the nearest $100.

These exclusions will matter for lenders whose business models are concentrated in revenue‑based financing, small ticket equipment credit, or ag finance. For institutions that combine those products with traditional business loans and lines, the carve‑outs will complicate scoping and system logic and will require clear product mapping.

Small Business Definition

In its proposed rule, the Bureau proposed to tighten the “small business” definition from $5 million to $1 million in gross annual revenue, with future inflation adjustments. The final rule adopts that revenue cap and clarifies the adjustment mechanics. For purposes of Section 1071, a business is treated as small if its gross annual revenue for the preceding fiscal year was $1 million or less. Every five years, beginning with a comparison of January 2030 and January 2035 CPI‑U, the Bureau will adjust the threshold up or down and round to the nearest $100,000, with any change taking effect on January 1 of the following year. The CFPB notes that, even at this lower threshold, it expects the final rule to capture data on the vast majority of small businesses (92-93% of the market) while materially reducing complexity and burden relative to the original $5 million cap.

In the near term, small business lenders can assume a $1 million cap through at least 2035, but must design systems with the expectation that the threshold will change over time. As the proposal signaled, the Bureau also confirms that lenders may rely on applicant‑stated revenue for small business determinations, but must update those determinations if they obtain more accurate information during underwriting.

Data Points

We previously described the proposal’s plan to confine data to statutory fields plus a limited set of additional items (NAICS, time in business, number of principal owners), and to remove a suite of discretionary fields, including application method, application recipient, denial reasons, pricing components, and number of workers. The final rule implements that data field reduction essentially as proposed. Institutions will no longer be required, in this first phase, to collect or report the pricing and denial‑reason granularity that the 2023 final rule contemplated.

The Bureau goes on to resolve a question it left open at the proposal stage — the level of detail for race and ethnicity data. The final rule confirms that, at least initially, small business lenders will collect only aggregate race and ethnicity categories for principal owners (Hispanic or Latino versus not Hispanic or Latino, and the five aggregate race groups), with no requirement to collect disaggregated national origin or subgroup data. This change from the 2023 final rule aligns with the Bureau’s stated objective of reducing complexity and error risk at launch.

Demographic Data Collection

As forecasted in the proposed rule, demographic collection was reshaped to comply with Executive Order 14168 by removing LGBTQI+‑owned business status and replacing free‑form “sex/gender” fields with a binary male/female sex data field. The final rule fully incorporates that structure.

Institutions must now:

  • Ask whether the applicant is a minority‑owned business and/or a women‑owned business, using the detailed definitions in § 1002.102 and without collecting LGBTQI+‑owned status.
  • Collect principal owners’ sex using only “male” or “female” categories.
  • Continue to collect principal owners’ ethnicity and race using aggregate categories, with the ability to report multiple race categories for an individual.

The final rule also strengthens and clarifies the associated notices: small business lenders must inform applicants that they are not required to provide this information, that the lender may not discriminate based on the information or whether it is provided, and that federal law requires the questions to help ensure fair treatment and to assess small business credit needs. As we noted previously, the applicant’s right to refuse is unchanged, but information regarding that right is now made more prominent in the regulatory text and sample forms.

Time and Manner of Collection: Anti‑Discouragement Framing Removed

One of the more controversial aspects of the 2023 final rule was the specific “anti‑discouragement” framing around Section 1071 data collection, i.e. treating low response rates as indicia of discouragement and dictating extensive ongoing monitoring and remediation obligations for small business lenders. The proposed rule indicated that it would strip that framing and reframe the obligation more flexibly. The final rule does exactly that.

Institutions must still maintain procedures reasonably designed to obtain responses for applicant‑provided data, but the final rule no longer defines low response rates as evidence of discouragement. Instead, the official interpretations focus on practical elements such as when the initial request is made (ideally before final action), whether the request is prominently presented, whether it is easy for applicants to respond, and how data can be reused across applications.

Firewall, Safe Harbors, and Error Tolerances

The firewall concept from the proposed rule — preventing decisionmakers from accessing demographic responses absent a narrow statutory exception — remains in place. The final rule helpfully adds more detail around who is subject to that firewall (including certain affiliate personnel) and what counts as “access” to demographic information. It also specifies the content and timing of the notice institutions must give if they invoke the firewall exception and allow decisionmakers to view demographic responses.

In addition, the final rule fleshes out safe harbors and bona fide error tolerances in ways only sketched in the proposal. The rule now clearly protects institutions that collected demographic data in reasonable belief that an application was covered but later determined it was not, and Appendix F provides numerical tolerances for errors in each data field based on random samples of the institution’s data. These features give institutions a more concrete framework for testing, validation, and remediation and should be incorporated into Section 1071 governance and audit plans.

Privacy and Data Publication

One area the 2026 Final Rule leaves largely for another day is how the CFPB will handle privacy and public disclosure of Section 1071 data. The 2023 final rule described only a preliminary approach to masking and modifying data prior to publication, and did not make binding decisions about which fields would be suppressed or altered. In this new rule, the Bureau reiterates that it will conduct a separate, full notice‑and‑comment rulemaking, likely after it has at least one full year of reported data, to decide what application‑level information will be made public and what modifications are necessary to protect borrower privacy and proprietary business information. For now, institutions should assume that both aggregate and some level of application‑level data will ultimately be published, but that the exact contours of that disclosure are still to be determined.

Compliance Date and Transition: January 1, 2028 Is Now Firm

Finally, the single January 1, 2028 compliance date from the proposed rule is now codified by regulation. Small business lenders that meet the 1,000‑origination threshold in 2026 and 2027 must begin collecting data on January 1, 2028 and file their first Small Business Lending Application Register by June 1, 2029. Lenders that cross the threshold in later years will come under the rule subsequently, but not before January 1, 2029. The CFPB also reaffirms a grace‑period for the first 12 months of data collection, indicating that its supervisory focus for 2028 data will be based on good‑faith efforts and building effective programs, rather than strict liability.

As before, institutions that expect to be covered may begin collecting only minority‑/women‑owned status and principal‑owner ethnicity/race/sex data up to 12 months before their compliance date to test systems, subject to the firewall and record‑separation rules. Applications received before the compliance date but decided afterward are not subject to data collection or reporting requirements, simplifying cutover.

What Financial Institutions Should Do Now

Small business lenders should confirm whether they are likely to meet the 1,000‑origination threshold using the $1 million revenue cap and the new estimation tools; map their product sets against the narrowed list of covered transactions; and align data architecture and workflows with the trimmed data set and revised demographic data collection, firewall, and recordkeeping requirements. The extended runway to January 1, 2028 should be used to build and test systems under the final rule’s more concrete guidance, rather than to delay planning. Given the continuing litigation environment and the Bureau’s stated intent to revisit privacy concerns and potentially expand scope over time, covered institutions should also plan for ongoing engagement with regulators and industry groups as the Section 1071 data collection and reporting regulatory regime evolves.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph Reilly Joseph Reilly

Financial services companies depend on Joe for all aspects of their regulatory and compliance needs. Drawing from two decades of experience in the sector, he provides actionable guidance in a complex and evolving landscape.

Read more about Joseph ReillyJoseph's Linkedin Profile
Photo of Caleb Rosenberg Caleb Rosenberg

Caleb is counsel in the firm’s Consumer Financial Services Practice Group. He focuses his practice on helping federal and state-chartered banks, fintech companies, finance companies, and licensed lenders navigate regulatory risks posed by state and federal laws aimed at protecting consumers and small…

Caleb is counsel in the firm’s Consumer Financial Services Practice Group. He focuses his practice on helping federal and state-chartered banks, fintech companies, finance companies, and licensed lenders navigate regulatory risks posed by state and federal laws aimed at protecting consumers and small businesses in the credit and alternative finance products industry.

Read more about Caleb Rosenberg
Show more Show less
Photo of Lori Sommerfield Lori Sommerfield

With over two decades of consumer financial services experience in federal government, in-house, and private practice settings, and a specialty in fair lending regulatory compliance, Lori counsels clients in supervisory issues, examinations, investigations, and enforcement actions.

Read more about Lori SommerfieldLori's Linkedin Profile
Photo of Chris Willis Chris Willis

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending…

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending them in individual and class action lawsuits brought by consumers and enforcement actions brought by government agencies.

Read more about Chris WillisChris's Linkedin Profile
Show more Show less
Photo of Taylor Gess Taylor Gess

Taylor focuses her practice on providing regulatory advice on matters related to federal and state consumer protection, consumer finance, and payments laws, including those that apply to payment cards, lines of credit, installment loans, electronic payments, online banking, buy-now-pay-later transactions, retail installment contracts…

Taylor focuses her practice on providing regulatory advice on matters related to federal and state consumer protection, consumer finance, and payments laws, including those that apply to payment cards, lines of credit, installment loans, electronic payments, online banking, buy-now-pay-later transactions, retail installment contracts, rental-purchase transactions, and small business loans.

Read more about Taylor Gess
Show more Show less
Photo of Lane Page Lane Page

Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.

Read more about Lane Page
Related Posts
 New York Proposes Sweeping Licensing and Consumer Protection Regime for BNPL Lenders
February 27, 2026
US Dollars paper currency closed up background
Wisconsin Lawmakers Propose “True Lender” Test and 36% APR Cap for Consumer Loans
December 23, 2025
 What the CFPB’s New Buy Now, Pay Later Market Report Shows
December 22, 2025