CFPB Final Rule Narrows Small Business Lending Data Collection Requirements

On May 1, 2026, the CFPB published a sweeping Final Rule (the Final Rule or 2026 Final Rule) amending Subpart B of Regulation B, which implements the ECOA. ECOA broadly prohibits discrimination in any aspect of a credit transaction on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), receipt of public assistance income, or the good-faith exercise of rights under the Consumer Credit Protection Act. The Final Rule implements Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which directs the Bureau to require financial institutions to collect and report certain data on applications for credit from small businesses, women-owned businesses, and minority-owned businesses to the CFPB. The Final Rule takes effect June 30, 2026, with a single compliance date of Jan. 1, 2028, for all covered financial institutions.

Background

After years of rulemaking activity — including a 2017 request for information, a 2020 Small Business Regulatory Enforcement Fairness Act process and panel report, and a 2021 proposed rule — the Bureau finalized its initial Section 1071 data collection regulation in May 2023 (the 2023 Rule). That rule required financial institutions originating at least 100 covered credit transactions per year to collect and report a broad set of data points — including pricing information, denial reasons, application method, LGBTQI+-owned business status, and disaggregated race and ethnicity subcategories — on applications from businesses with $5 million or less in gross annual revenue.

Bank trade associations, community banks, and other lenders challenged the 2023 Rule in federal court, resulting in nationwide preliminary injunctions and judicial stays.¹ The litigation caused a series of compliance date extensions as the Bureau sought to avoid a situation in which only a subset of lenders (those not subject to judicial stays) were obligated to comply. All three cases remain pending as of the date of this GT Alert.

In November 2025, the Bureau proposed a revised rule announcing a pivot away from the 2023 Rule’s broad approach. The Bureau acknowledged that the 2023 Rule’s wide institutional coverage, expansive product scope, and extensive data requirements had generated industry concern about compliance costs and potential disruption to small business credit markets. Drawing an analogy to the multi-decade incremental development of HMDA data collection requirements, the Bureau proposed to start with a narrower set of core lenders, core products, and core data points, with expansion reserved for later rulemaking cycles. The Bureau finalized the revised rule substantially as proposed.

Key Changes from the 2023 Rule

The Final Rule makes substantive changes in six primary areas: (1) covered financial institution definition; (2) covered credit transaction scope; (3) small business definition; (4) required data points; (5) time and manner of collection; and (6) compliance dates and transition rules. The table below summarizes and details these developments.

Covered Financial Institutions: 1,000-Origination Threshold and FCS Exclusion

Reporting Coverage Requires a Higher Origination Threshold

The 2026 Final Rule increases the origination threshold from 100 to 1,000 covered credit transactions for small businesses in each of the two preceding calendar years. The Bureau estimates that, notwithstanding this tenfold increase in the threshold, the revised rule will still cover approximately 92 to 93% of the number of small business loans originated by depository institutions, compared with 94 to 95% under the 2023 Rule. Accordingly, the Bureau notes that while as many as 1,570 depository institutions that would have been covered under the 2023 Rule are no longer covered under the 2026 Final Rule, the majority of small business loan volume by depository institutions remains within scope.

• Only originations count toward the threshold — credit line increases, renewals, extensions, and purchases of existing loans do not.
• Where multiple institutions are involved, only the last institution with authority to set material credit terms counts (and reports) the origination. If that final decision-maker is not a covered financial institution, the application is not reported.
• The two-year look-back period renders coverage status an annual determination. An institution that falls below the threshold in any one of two consecutive years is not covered for that year’s data collection.

Categorical Exclusion of Farm Credit System Lenders and Agricultural Credit

The 2026 Final Rule adds an explicit, categorical exclusion for Farm Credit System (FCS) lenders — cooperatives chartered under and subject to oversight by the Farm Credit Administration (FCA), from the definition of “covered financial institution,” regardless of loan volume. The Bureau concluded that FCS lenders’ unique cooperative structure, mission-driven charter, patronage dividend mechanics, and existing FCA reporting obligations render their loan data difficult to compare with data from commercial lenders, such that inclusion would create analytical complications rather than advance Section 1071’s purposes. By contrast, the 2023 Rule had not categorically excluded any specific type of financial institution.

To ensure FCS lenders are excluded, the CFPB further excludes transactions to fund crop, fruit, vegetable, and livestock production, or to fund the purchase or refinancing of capital assets such as farmland, agricultural machinery and equipment, breeder livestock, and farm real estate improvements. The 2023 Rule had covered agricultural credit, intending to reach “all covered applications from small businesses for transactions that meet the definition of business credit under existing Regulation B,” observing that ECOA does not exclude agricultural credit and that agricultural businesses can be small businesses as defined by the U.S. Small Business Administration (SBA).

The Bureau reversed that determination in the Final Rule, finding that agricultural loans’ distinctive underwriting characteristics — collateral tied to biological assets subject to weather, disease, and commodity price cycles — make such data difficult to compare with commercial lending data. The Bureau also emphasized that agricultural lending is already subject to reporting requirements under Community Reinvestment Act regulations, FCA oversight, and U.S. Department of Agriculture  Farm Service Agency programs that collect demographic data.

Loan Type Exclusions from Covered Credit Transactions

Merchant Cash Advances

The 2023 Rule expressly required data collection on merchant cash advance transactions (MCAs), defined as agreements under which a small business receives a lump-sum payment in exchange for the right to receive a percentage of the business’s future sales or income up to a ceiling amount. The Final Rule, by contrast, expressly excludes MCAs from the definition of “covered credit transaction.”

The Bureau acknowledged that MCAs had been the subject of stakeholder attention during the 2023 rulemaking. In the Final Rule, the CFPB concluded that it “erred in the 2023 Rule by prematurely determining that collection of data on MCA transactions would serve section 1071’s statutory purposes.” The Bureau noted the varied legal characteristics of MCAs across different markets, the evolving landscape of state-level MCA regulation, and the absence of clear case law resolving whether MCAs constitute “credit” under ECOA as reasons to defer coverage. The Bureau committed to continue monitoring the MCA market.

Despite its action on MCAs, the CFPB rejected requests to exclude other categories of business finance from the Final Rule.

Small-Dollar Business Credit

Covered credit transactions do not include business credit transactions of $1,000 or less. This minimum loan size threshold, which the Bureau declined to adopt in the 2023 Rule, is subject to CPI-U inflation adjustment every five years beginning in 2030, rounded to the nearest $100. The Bureau declined to adopt the higher thresholds ($5,000, $25,000, or $50,000) requested by various commenters, finding that amounts above $1,000 represent substantive commercial credit warranting coverage for fair lending and community development analysis purposes. The Bureau noted that amounts below $1,000 typically represent incidental credit ancillary to deposit accounts, such as overdraft facilities, which would distort the dataset without material analytic value.

Small Business Definition: $1 Million Revenue Threshold

The Final Rule reduces the gross annual revenue threshold in the definition of “small business” from $5 million or less to $1 million or less for the preceding fiscal year, narrowing which businesses are small enough to qualify. SBA has approved this alternative size standard. Like the small-dollar loan threshold, the $1 million revenue cap is subject to CPI-U adjustment every five years beginning in 2030, rounded to the nearest $100,000. Based on the first adjustment cycle (comparison of January 2030 and January 2035 CPI-U), the threshold will not change until at least Jan. 1, 2036.

Covered financial institutions may rely on applicant-stated revenue to determine small business status and are not required to independently verify that figure unless they obtain contrary information during underwriting. The Bureau does not aggregate unaffiliated co-applicants’ revenue for this determination but allows — and in some cases requires — lenders to consider affiliate revenue.

Required Data Points: Statutory Core Plus Limited Supplemental Fields

Removed Discretionary Data Points

The 2026 Final Rule eliminates five of the discretionary data points added by the 2023 Rule pursuant to the Bureau’s authority under ECOA to collect data “determined to aid in fulfilling the purposes of this section”:

• Application method (in person, phone, online, mail). 12 C.F.R. § 1002.107(a)(3) (removed).
• Application recipient (direct vs. through third party). 12 C.F.R. § 1002.107(a)(4) (removed).
• Denial reasons. 12 C.F.R. § 1002.107(a)(11) (removed). Note: applicants may still obtain denial reasons through existing ECOA adverse action notice requirements under 12 C.F.R. § 1002.9.
• Pricing information (interest rate, origination charges, broker fees, annual charges, MCA cost differentials, prepayment penalties). 12 C.F.R. § 1002.107(a)(12) (removed).
• Number of workers. 12 C.F.R. § 1002.107(a)(16) (removed).

The Bureau found that its value-to-burden analysis in the 2023 Rule had overweighted the analytic value of these points and underweighted the operational complexity of collecting them, particularly at the launch of a new data collection regime. The Bureau emphasized the analogy to HMDA’s incremental development: pricing data was not added to HMDA until two decades after data collection commenced, and even then initially only in simplified form.

Retained Data Points

The following statutory and supplemental data points are retained under the 2026 Final Rule (12 C.F.R. § 1002.107(a)):

• Unique identifier (§ 1002.107(a)(1));
• Application date (§ 1002.107(a)(2));
• Credit type (product, guarantee type, loan term) (§ 1002.107(a)(5));
• Credit purpose (§ 1002.107(a)(6));
• Amount applied for (§ 1002.107(a)(7));
• Amount approved or originated (§ 1002.107(a)(8));
• Action taken (§ 1002.107(a)(9));
• Action taken date (§ 1002.107(a)(10));
• Census tract (§ 1002.107(a)(13));
• Gross annual revenue (§ 1002.107(a)(14));
• 3-digit NAICS code (§ 1002.107(a)(15));
• Time in business (§ 1002.107(a)(17));
• Minority-owned and women-owned business status (§ 1002.107(a)(18)) [LGBTQI+ status removed];
• Ethnicity, race, and sex of principal owners (§ 1002.107(a)(19)) [aggregate race categories only; and binary sex only]; and
• Number of principal owners (§ 1002.107(a)(20)).

Changes to Demographic Data Collection

Race and Ethnicity — Aggregate Only. The 2023 Rule required collection of both aggregate and disaggregated racial and ethnic subcategories for principal owners. The 2026 Final Rule eliminates disaggregated subcategories. Institutions must collect only the five aggregate race categories (American Indian or Alaska Native, Asian, Black or African American, Native Hawaiian or Other Pacific Islander, White) and two aggregate ethnicity categories (Hispanic or Latino; Not Hispanic or Latino). The Bureau decided that disaggregated categories risked poor data quality due to free-form text fields and low applicant response rates, paralleling HMDA experience, without commensurate analytic benefit at the outset of the program.

Sex — Binary Male/Female. The 2023 Rule used a “sex/gender” label with a free-form text field permitting any response. The 2026 Final Rule replaces that with a binary male/female selection, consistent with Executive Order 14168, and the Bureau’s reading that Section 1071 requires collection of “sex” (not gender identity).

LGBTQI+-Owned Business Status — Removed. The 2023 Rule required collection of LGBTQI+-owned business status as a discretionary data point. The 2026 Final Rule removes this field entirely, based on the Bureau’s conclusion that sensitivities and privacy concerns associated with the inquiry exceed the data’s utility at the start of a long-term data collection regime. References to this status are also removed from Regulation B, Subpart A.

Right to Refuse — More Prominent. The applicant’s statutory right to refuse to provide demographic information (see 15 U.S.C. § 1691c-2(c)) is now written directly into the regulatory text of 12 C.F.R. § 1002.107(a)(18) and (19), rather than only appearing in commentary. A revised sample data collection form in revised Appendix E to Part 1002 presents the right to refuse prominently — before listing the demographic categories — particularly when data is collected orally.

Time and Manner of Collection: Anti-Discouragement Provisions Removed

The 2023 Rule contained prescriptive anti-discouragement provisions: it defined low applicant response rates as indicia of potential discouragement; required covered institutions to monitor response rates through peer comparisons; and imposed specific monitoring, self-identification, and remediation obligations.

The 2026 Final Rule removes these provisions. The Bureau retained the core obligation: that covered institutions must “maintain procedures to collect applicant-provided data ... at a time and in a manner that are reasonably designed to obtain a response.” However, the Bureau argued that the 2023 monitoring requirements were redundant (given the general affirmative obligation), unsupported by empirical evidence of anticipated non-compliance, and raised First Amendment concerns by appearing to restrict institutions from communicating non-misleading opinions about the rule.

The Final Rule adds practical flexibility for indirect lenders: where the reporting institution has had no prior direct contact with the applicant before the credit decision, the institution may make its initial request for applicant-provided data after notifying the applicant of the final credit decision, provided the timing is “reasonably designed to obtain a response.” This addresses an operational concern raised by indirect auto, equipment, and other dealer-intermediated lending models.

Firewall: Retained with Clarifications

The statutory firewall requirement, prohibiting employees and officers involved in making credit decisions from accessing applicant demographic information collected under Section 1071, is retained without modification. The firewall is an express statutory mandate. As the Bureau noted, Congress was aware of HMDA’s lack of a comparable firewall when it enacted Section 1071 and deliberately chose to include one.

The 2026 Final Rule provides enhanced clarity on two aspects of the firewall. First, it addresses the scope of the feasibility exception, explaining that an institution that determines that limiting access is “not feasible” because an employee “should have access” to perform their assigned duties may invoke the exception without hiring additional staff, upgrading systems, or restructuring roles (12 C.F.R. § 1002.108(c) and cmt. 108(a)-2.iii). Second, it clarifies the content and timing of the required disclosure to applicants when the exception is invoked (12 C.F.R. § 1002.108(d)). Community banks and smaller institutions where lending officers wear multiple hats may generally rely on the feasibility exception as a practical matter, subject to providing the required notice to applicants.

Enforcement: Safe Harbors and Bona Fide Error Tolerances

The 2026 Final Rule retains the enforcement framework of the 2023 Rule, including the bona fide error safe harbor under 12 C.F.R. § 1002.112(b) and the four enumerated safe harbors for census tract geocoding, North American Industry Classification System code reporting, incorrect small business/covered transaction status determinations, and errors within specified numerical tolerances. Revised Appendix F to Part 1002 updates the numerical error tolerance thresholds to reflect the new 1,000-origination minimum, eliminating rows in the table associated with application counts below 1,000.

Safe harbor for incorrect status determinations protects institutions that collected demographic data in good-faith belief that an application was a covered application for a covered transaction from a small business but later concluded otherwise, provided the institution complies with applicable data protection, recordkeeping, and firewall requirements for the collected data.

Single Compliance Date: Jan. 1, 2028

The Final Rule replaces the tiered compliance date structure of the 2023 Rule, which had staggered deadlines based on origination volume, with a single compliance date of Jan. 1, 2028, for all covered financial institutions. A covered institution must begin collecting data on Jan. 1, 2028, and must file its first small business lending application register with the CFPB by June 1, 2029. Institutions that cross the 1,000-origination threshold in subsequent years (e.g., in both 2027 and 2028) must comply beginning Jan. 1, 2029, but no earlier.

Look-Back Period and Transitional Options

To determine initial coverage, institutions must count originations of covered credit transactions for small businesses in each of calendar years 2026 and 2027. Alternatively, under a new special transitional rule, institutions may opt to use calendar years 2025 and 2026 as the look-back period if that provides greater certainty. Institutions that cannot readily determine small business status for prior-year originations may use reasonable estimation methods, including sampling or annualizing a subset of transactions.

Grace Period: Jan. 1 Through Dec. 31, 2028

The CFPB reaffirms a 12-month grace period for data collected during the first calendar year of compliance (Jan. 1, 2028, through Dec. 31, 2028). During this period, the Bureau will not assess penalties for unintentional, good-faith errors; will not require resubmission of data unless errors are material; and will conduct examinations in a diagnostic rather than enforcement posture. However, the grace period does not protect intentional non-compliance, deliberate discouragement of applicants, or bad-faith errors. Institutions that make voluntary data submissions for 2028 data are also covered by the grace period.

Optional Pre-Compliance Data Collection

Institutions that reasonably anticipate meeting the 1,000-origination threshold may begin collecting minority-/women-owned business status and principal owner demographic data (but not the full data set) up to 12 months before their compliance date — i.e., as early as Jan. 1, 2027 — subject to compliance with the applicable firewall and record-separation requirements. Applications received before an institution’s compliance date but decided on or after that date are not required to be collected or reported.

Data Publication and Privacy: Future Rulemaking

The 2026 Final Rule does not resolve questions regarding how and when the CFPB will publish application-level Section 1071 data or what privacy modifications and deletions it will make prior to publication. The Bureau acknowledges that the 2023 Rule’s preliminary privacy analysis — which described only tentative approaches to data suppression and modification — was not a final, binding decision.

The Bureau has revised its position on the appropriate procedural vehicle for these decisions. It now commits to issuing a notice of proposed rulemaking with specific proposed modification and deletion decisions for individual data points, to be published after receiving and analyzing a full year of Section 1071 data. That first full year of data will be collected in 2028 and submitted to the Bureau by June 1, 2029. The Bureau noted that Section 1071 requires data to “annually be made available to the public generally by the Bureau, in such form and in such manner as is determined by the Bureau, by regulation,” suggesting that modifications to published data must themselves be established through a rule finalized after notice and comment.

Key Takeaways

The 2026 Final Rule represents a recalibration of the Section 1071 data collection regime that reduces near-term compliance burden, particularly for community banks, credit unions, and smaller non-depository lenders. The Bureau has framed 1071 compliance as beginning a multi-decade data collection program akin to HMDA, with the stated intention to expand coverage, products, and data points over time as the agency and industry accumulate experience. Lenders should consider building systems with this continual evolution in mind.

Covered and potentially covered institutions may wish to use the time between now and Jan. 1, 2028, to confirm coverage status, redesign data collection workflows, update forms, assess vendor readiness, and engage with the ongoing litigation landscape and the forthcoming data publication rulemaking.

Additional GT Resources

• Small Business Lenders: CFPB’s Anticipated Section 1071 Rule Would Impose New Data Collection, Reporting Obligations | Insights | Greenberg Traurig LLP
• Small Business Lenders: CFPB Issues Final Rule on Small Business Lending | Insights | Greenberg Traurig LLP
• A Lender's Guide To CFPB's New Small Business Rule | Insights | Greenberg Traurig LLP
• Court Issues Nationwide Stay of CFPB’s Section 1071 Small Business Lending Rule | Insights | Greenberg Traurig LLP
• Total Stay Of CFPB Small Biz Data Rule Is Boon To Lenders | Insights | Greenberg Traurig LLP
• CFPB Announces New Compliance Deadlines for Small Business Lending Rule | Insights | Greenberg Traurig LLP
• CFPB Will Not Enforce Small Business Lending Rule | Insights | Greenberg Traurig LLP

1 See Texas Bankers Ass’n v. CFPB, No. 7:23-CV-00144 (S.D. Tex. Oct. 26, 2023); Monticello Banking Co. v. CFPB, No. 6:23-CV-00148-KKC (E.D. Ky. Mar. 11, 2025); Revenue Based Fin. Coal. v. CFPB, No. 1:23-CV-24882-DSL (S.D. Fla. May 6, 2025).