CFPB Substantially Scales Back Section 1071 Small Business Lending Rule And Resets Compliance Timeline

On May 1, the Consumer Financial Protection Bureau (CFPB or the Bureau) published a final rule (2026 Rule) limiting the scope of data collection on small business lending by covered financial institutions under Regulation B.¹ The 2026 Rule represents a significant retrenchment from the Bureau’s 2023 final rule, narrowing both the population of covered lenders and the scope of reportable transactions, while eliminating a substantial portion of discretionary data fields.² The 2026 Rule supersedes the CFPB’s previous final rule published in 2023 (2023 Rule), which never came into effect due to ongoing legal challenges and subsequent compliance deadline extensions.³ Those challenges—most prominently, the constitutional challenge to the Bureau’s funding structure in CFPB v. Community Financial Services Association of America⁴ and related Section 1071 litigation—created prolonged uncertainty around implementation and informed the Bureau’s decision to recalibrate the rule.

Section 1071 requires covered financial institutions to collect and report to the CFPB certain data points regarding applications for covered credit transactions by women-owned, minority-owned, and small businesses.⁵ The 2026 Rule limits the scope of the covered financial institutions required to collect data; the covered credit transactions for which data must be collected; the gross annual revenue threshold for the definition of "small business"; and the number of data points which covered financial institutions are required to collect, as well as the time and manner of collecting such data. As revised, the 2026 Rule reflects a deliberate shift toward the statute’s minimum data-collection mandate, with the Bureau largely retreating from its prior reliance on discretionary authority under Section 1071.

Covered Credit Transactions

The 2026 Rule narrows the applicable "covered credit transactions" for which covered financial institutions are required to collect small business lending data.⁶ The Bureau reoriented the rule toward "core, generally applicable lending products," expressly excluding from the definition of "covered credit transactions" categories it characterized as "niche or specialty products": merchant cash advances (MCAs), agricultural lending, and small dollar loans.⁷ This product-level narrowing is particularly significant for fintech and nonbank platforms, many of which had focused compliance efforts on merchant cash advance and specialty credit products under the 2023 Rule.

The 2026 Rule defines MCAs as "agreements under which a small business receives a lump-sum payment in exchange for the right to receive a percentage of the small business's future sales or income up to a ceiling amount."⁸ Agricultural lending is defined "as a transaction to fund the production of crops, fruits, vegetables, and livestock, or to fund the purchase or refinance of capital assets such as farmland, machinery and equipment, breeder livestock, and farm real estate improvements."⁹ And finally, a small dollar loan is defined as "any transaction in an amount of $1,000 or less, to be adjusted for inflation over time."¹⁰ The CFPB declined to adopt any other categorical product exclusions.¹¹ Notably, the Bureau declined to adopt a broader principles-based exclusion framework, suggesting that future interpretive disputes may arise at the margins of "core" versus "specialty" products.¹²

Covered Financial Institutions & Small Business

The 2026 Rule also narrows the "covered financial institutions" who are required to collect small business lending data with respect to covered credit transactions. First, the CFPB exempted Farm Credit System (FCS) lenders from the data collection requirements.¹³ Second, the CFPB raised the threshold amount of covered credit transactions from the 2023 Rule’s previous amount of 100 covered credit transactions to small business in each of the preceding two calendar years to a heightened amount of 1,000 covered credit transactions to small businesses in the same time frame. ¹⁴ The increase in the origination threshold will exclude a substantial portion of regional banks, fintech lenders, and platform-based originators that would have been captured under the 2023 Rule.

The 2023 Rule provides a gross annual revenue threshold such that a business is only considered a small business "if its gross annual revenue for its preceding fiscal year is $5 million or less."¹⁵ The 2026 Rule lowers that gross annual revenue threshold to $1 million or less.¹⁶ This change materially contracts the universe of reportable transactions and may disproportionately exclude middle-market small businesses that were previously within scope.

Data Collection

Under Section 1071, the CFPB is required to collect both statutorily-required data points, as well as "those promulgated based on Bureau discretion . . . sometimes referred to as discretionary data points, and which the Bureau has authority to add if the ‘Bureau determines [they] would aid in fulfilling the purposes of [Section 1071]."¹⁷ The 2026 Rule eliminates a significant set of discretionary data points that had been among the most operationally burdensome and litigation-sensitive aspects of the 2023 Rule: application method, application recipient, denial reasons, pricing, and number of workers.¹⁸ In particular, the removal of pricing and denial-reason data reduces fair lending risk exposure, which had been a central concern for covered institutions. The Bureau also to removed reference to LGBTQI+-owned business status,¹⁹ and eliminated the use of disaggregated categories in collecting race and ethnicity data points.²⁰

Separately, under the 2023 Rule, a covered financial institution is required to (1) not discourage an applicant from responding to requests for data; (2) identify certain minimum components when directly collecting applicant data; and (3) maintain procedures to identify and respond to indicia that they are discouraging applicants from responding to requests for data.²¹ The 2026 Rule removes the "discouragement" standard and associated monitoring obligations, which had created compliance ambiguity and potential supervisory risk due to their subjective nature.²² It also revises regulatory text "to adopt a flexible standard" for time and manner of collection, "while revising the commentary . . . to provide additional flexibility for certain ‘time and manner’ requirements."²³ Taken together, these changes significantly reduce both data governance complexity and fair lending risk associated with Section 1071 reporting.

Privacy and Data Publication

The Bureau deferred action on data privacy and public disclosure, stating that it will address these issues in a future rulemaking after at least one year of data collection.²⁴ This leaves unresolved a central industry concern—namely, the extent to which reported data may be publicly released and used by regulators, private litigants, and advocacy groups.

Compliance Date and Grace Period

The 2026 Rule removes the "tiered" compliance approach of the 2023 Rule, instead requiring "that all covered financial institutions that originate at least 1,000 covered credit transactions for small businesses in each of calendar years 2026 and 2027 begin to comply with the rule starting on January 1, 2028."²⁵ However, it is also adopting a "new special transition rule" that would allow covered financial institutions "to use the calendar years 2025 and 2026, instead of 2026 and 2027, for purposes of determining whether they must comply with the rule beginning January 1, 2028."²⁶ This reset effectively provides institutions with a multi-year runway, but also creates strategic timing considerations for institutions near the 1,000-loan threshold.

Furthermore, the 2026 Rule updates the "Grace Period Policy Statement" established in earlier versions of the rule to reflect the new compliance date provisions.²⁷ Under the new rule, the Bureau adopts a 12-month grace period following the January 1, 2028 compliance date during which it would not assess penalties for data reporting errors and only conduct examinations to diagnose compliance weaknesses for "covered financial institutions subject to the Bureau's supervisory or enforcement jurisdiction that make good faith efforts to comply with this final rule."²⁸ Importantly, the grace period is conditioned on "good faith efforts," preserving supervisory discretion and underscoring the need for documented compliance planning.

Takeaways

The 2026 Rule represents a substantial rollback of the CFPB’s original Section 1071 framework, reducing both compliance burden and fair lending exposure for many institutions. However, it does not eliminate Section 1071 risk—rather, it narrows and defers it.

Key implications for financial institutions include:

• Scope contraction: Many lenders—particularly fintechs and specialty finance providers—may fall outside the rule entirely based on product exclusions and higher origination thresholds.
• Reduced data exposure: Elimination of discretionary data fields materially limits fair lending analytics risk and downstream enforcement exposure.
• Strategic threshold management: Institutions near the 1,000-loan threshold should evaluate origination strategies and affiliate aggregation issues.
• Deferred but unresolved privacy risk: Future rulemaking on data publication remains a critical unknown.
• Continued state-law exposure: State-level small business lending and fair lending regimes may fill gaps left by federal retrenchment.

Although congressional action to codify or further revise Section 1071 remains uncertain, the current regulatory trajectory reflects a broader deregulatory posture toward ECOA and Regulation B. Financial institutions should recalibrate their Section 1071 implementation efforts in light of the narrowed scope, while continuing to monitor (1) future CFPB rulemaking on data publication and privacy, (2) potential shifts in enforcement posture, and (3) evolving state-level requirements.

Footnotes

1 Small Business Lending Under the Equal Credit Opportunity Act (Regulation B), 91 Fed. Reg. 23530 (May 1, 2026), https://www.federalregister.gov/documents/2026/05/01/2026-08494/small-business-lending-under-the-equal-credit-opportunity-act-regulation-b.

2 Small Business Lending Under the Equal Credit Opportunity Act (Regulation B), 88 Fed. Reg. 35150 (May 31, 2023), https://www.federalregister.gov/documents/2023/05/31/2023-07230/small-business-lending-under-the-equal-credit-opportunity-act-regulation-b.

3 See 91 Fed. Reg. 23530.

4 CFPB v. Cmty. Fin. Servs. Ass’n of America, 601 U.S. 416 (2024).

5 Id.

6 Id.

7 See 91 Fed. Reg. 23530, 23537 (May 1, 2026).

8 See 91 Fed. Reg. 23539.

9 See 91 Fed. Reg. 23542.

15 91 Fed. Reg. 23556.

16 91 Fed. Reg. 23557.

17 91 Fed. Reg. 23558.

18 See id.

20 See 91 Fed. Reg. 23564.

21 See 91 Fed. Reg. 23568.

22 See 91 Fed. Reg. 23569.

23 Id.

24 See 91 Fed. Reg. 23532-33.

25 91 Fed. Reg. 23571.

26 Id.

27 See 91 fed. Reg. 23576.

28 91 Fed. Reg. 23575-76.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.