I. INTRODUCTION
The Consumer Financial Protection Bureau (CFPB) has issued its final rule revising the 2023 small business lending data collection and reporting rule under the Equal Credit Opportunity Act (ECOA) and Regulation B, which implements Section 1071 of the Dodd-Frank Act. The final rule becomes effective on June 30, 2026 ,and the compliance date for initial data collection is January 1, 2028, with the initial Small Business Lending Application Register to be filed by June 1, 2029.
The final rule confirms that the initial Section 1071 data collection and reporting regime will focus on mainstream business loans, lines of credit, and credit cards; will exclude merchant cash advances, agricultural lending, small dollar loans at or below $1,000 (subject to inflation adjustment) and exempt Farm Credit System lenders from coverage; will apply only to lenders that meet a 1,000 originations threshold for small business credit; and will require a trimmed-down set of data points.
II. INSTITUTIONS COVERED
The final rule applies to “covered financial institutions.” A “covered financial institution” is any financial institution (bank, credit union, online lender, community development financial institution, nonprofit lender, governmental lender, and others) that originated at least 1,000 covered credit transactions for small businesses in each of the two preceding calendar years. The final rule explicitly excludes FCS lenders from the definition of covered financial institution.
Financial institutions will need to determine if they are covered financial institutions annually. A financial institution that is not a covered financial institution may voluntarily collect data under the final rule in certain circumstances, such as if it recently reported data as a covered financial institution, is about to become a covered financial institution, or is not covered but commits to report data it voluntarily collects.
III. TRANSACTIONS COVERED
When determining whether it is a covered financial institution a financial institution must count covered originations, which are certain covered credit transactions that it originated to small businesses. Similarly, a covered financial institution must collect and report data about an application if the application is from a small business and is for a covered credit transaction. Thus, it is important to know how the final rule defines the terms “small business” and “covered credit transaction.”
A. Small Business
Pursuant to the final rule, a business is treated as small if its gross annual revenue for the preceding fiscal year was $1 million or less. Every five years, beginning with a comparison of January 2030 and January 2035 CPI‑U, the CFPB will adjust the threshold up or down and round to the nearest $100,000, with any change taking effect on January 1 of the following year.
The CFPB has also confirmed that lenders may rely on applicant‑stated revenue for small business determinations, but must update those determinations if they obtain more accurate information during underwriting.
B. Covered Credit Transaction
Generally, a covered credit transaction includes small business loans, lines of credit, and credit cards, while excluding merchant cash advances agricultural lending, and small dollar business loans.
Merchant cash advances are defined as lump‑sum payments in exchange for a percentage of future sales or income up to a ceiling amount and are excluded from “covered credit transactions.” Agricultural lending transactions used to fund crop and livestock production or to acquire/refinance farmland, agricultural equipment, breeder livestock, and similar farm capital assets are also excluded. Loans of $1,000 or less are carved out as “small dollar business credit,” with the $1,000 threshold to be adjusted every five years based on the Consumer Price Index for All Urban Consumers (CPI‑U) and rounded to the nearest $100.
C. Covered Originations
For purposes of determining whether a financial institution is a covered financial institution and the compliance date tier (discussed below), financial institutions count covered originations. A covered origination is a covered credit transaction that the financial institution originated to a small business. Refinancings can be covered originations. However, extensions, renewals, and other amendments of existing transactions are not considered covered originations even if they increase the credit line or credit amount of the existing transaction.
D. Data Points
The final rule confines data to statutory fields plus a limited set of additional items (NAICS, time in business, number of principal owners), removes a series of discretionary fields, including application method, application recipient, denial reasons, pricing components, and number of workers.
Institutions will not initially be required to collect or report the pricing and denial‑reason granularity that the 2023 final rule contemplated.
The final rule confirms that, at least initially, small business lenders will collect only aggregate race and ethnicity categories for principal owners (Hispanic or Latino versus not Hispanic or Latino, and the five aggregate race groups), with no requirement to collect disaggregated national origin or subgroup data.
E. Demographic Data Collection
Demographic collection has been reshaped to comply with Executive Order 14168 by removing LGBTQI+‑owned business status and replacing free‑form “sex/gender” fields with a binary male/female sex data field.
Accordingly, institutions must now:
Small business lenders must inform applicants that they are not required to provide this information, that the lender may not discriminate based on the information or whether it is provided, and that federal law requires the questions to help ensure fair treatment and to assess small business credit needs.
F. Anti-Discouragement Provisions Removed
The final rule no longer treats low response rates as indicia of discouragement and removes extensive ongoing monitoring and remediation obligations for small business lenders. However, institutions must still maintain procedures reasonably designed to obtain responses for applicant‑provided data
IV. LIMITING ACCESS TO CERTAIN DATA (FIREWALL)
The final rule implements the statutory requirement to limit certain persons’ access to certain data (i.e., the firewall). The firewall concept from the final rule — preventing decisionmakers from accessing demographic responses absent a narrow statutory exception — remains in place. The final rule adds more detail around who is subject to that firewall (including certain affiliate personnel) and what counts as “access” to demographic information. It also specifies the content and timing of the notice institutions must give if they invoke the firewall exception and allow decisionmakers to view demographic responses. The final rule clearly protects institutions that collected demographic data in reasonable belief that an application was covered but later determined it was not, and Appendix F provides numerical tolerances for errors in each data field based on random samples of the institution’s data. As a result, a covered financial institution should establish a process to ensure that demographic information, subject to the exception described below, is kept out of the hands of those with lending authority (an employee or officer “involved in making any determination” concerning a reportable application).
Pursuant to the final rule, employees and officers of a covered financial institution or its affiliates are prohibited from accessing an applicant’s response to the final rule’s required inquiries regarding the applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses and regarding its principal owner’s ethnicity, race, and sex if that employee or officer is involved in making any determination concerning the applicant’s covered application.
A. Exception to Firewall
The final rule provides for an exception to the firewall, if the bank determines that it is not feasible to limit the employee’s or officer’s access to the applicant’s responses. Where the bank deems the employee or officer should have access, the bank must provide a notice to each applicant whose responses will be accessed informing the applicant that one or more employees or officers involved in making determinations concerning the covered application may have access to the applicant’s responses.
V. COMPLIANCE DATE IN TRANSITION
Small business lenders that meet the 1,000‑origination threshold in 2026 and 2027 must begin collecting data on January 1, 2028 and file their first Small Business Lending Application Register by June 1, 2029. Lenders that cross the threshold in later years will come under the rule subsequently, but not before January 1, 2029. The final rule also contains a grace‑period for the first 12 months of data collection, suggesting that the CFPB’s supervisory focus for 2028 data will be based on good‑faith efforts, rather than strict liability for errors.