On May 1, 2026, the Consumer Financial Protection Bureau (CFPB) released its long-anticipated final rule (the “Final Rule”) revising its initial rulemaking in 2023 (the “Prior Rule”) to implement the small business lending data collection requirements under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Prior Rule was the subject of extensive litigation, re-proposals and compliance date extensions, which the CFPB, in the Final Rule, attributes to the Prior Rule’s expansive collection requirements. The Final Rule has a compliance date of January 2028, and the revisions will result in a reduction in both the number of institutions subject to its requirements and the number of data points, and detail, required to be collected. In addition, the Final Rule removes references in the Prior Rule to presumptive indicia that an institution may have discouraged applicants from providing requested data. Below, we set out key areas where the Final Rule revised prior requirements.
What Changed? Key Rule Scope Reductions
The Final Rule extends the compliance date and materially reduces the universe of covered institutions and transactions and reportable data points:
|
|
2023 Final Rule |
2026 Final Rule |
|
Compliance Date 12 C.F.R. § 1002.114(b)
|
Tiered compliance dates based on origination volume. |
Single compliance date of January 1, 2028, for all covered financial institutions |
|
Covered Financial Institutions and Exempt Institutions 12 C.F.R. § 1002.105 |
Any entity engaging in financial activity that has originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years. |
Now expressly excludes Farm Credit System lenders and increases the threshold origination number of covered credit transactions from 100 to 1,000. |
|
Small Business Definition 12 C.F.R. § 1002.106 |
Has the same meaning as the term “small business concern” in 15 U.S.C. § 632(a), as implemented in 13 C.F.R. §§ 121.101 - 121.107, but sets the size standard for gross annual revenue for the preceding fiscal year at $5 million on less. |
Decreases the size standard of gross annual revenue from $5 million or less down to $1 million or less. |
|
Covered Credit Transactions and Excluded Transactions 12 C.F.R. § 1002.104 |
Definition of “covered credit transactions” excludes: · trade credit · HMDA reportable transactions · Insurance premium financing transactions · Public utilities credit · Securities credit · Incidental credit |
Retains the current six exclusions and adds the following as additional exclusions: · Merchant cash advances · Agricultural lending · Small dollar loans ($1,000 or less) |
|
Data Points 12 C.F.R. § 1002.107(a) |
Requires collection and maintenance of 20 discrete points of data, including LGBTQI+ business status and sex or gender identity. |
Eliminates collection and maintenance requirements for the following types of data: · method of application submission, · recipient of the application, · denial reason, · pricing information, and · number of workers. In addition, the rule removes data collection of LGBTQI+ business status and references to gender in data collection forms. |
|
Anti-Discouragement Provisions 12 C.F.R. § 1002.107(c) |
Contains express prohibitions on discouragement of applicants from responding to data collection efforts and express statement that low response rates and failure to maintain reasonably designed procedures to obtain data may indicate discouragement. Requires initial request for data to occur prior to notifying applicant of final action. |
Express prohibition on discouragement and inferences of discouragement have been removed. Also provides that data may be collected at another time reasonably designed to receive a response. |
|
Sample data collection form Appendix E |
Provides sample form. |
Replaced with a revised form that reduces the detail of data collected and aligns to revised data collection points. |
|
Bona Fide Error Tolerance Thresholds Appendix F |
Establishes error tolerance thresholds for bands of application counts. |
Eliminates bands below 1,000 to align with new covered credit transaction thresholds but otherwise does not alter sample size and threshold numbers and percentages. |
|
Official Interpretations |
In addition to removing interpretations related to removed data collection points such as number of workers, pricing information, LGBTQI+ business status, etc., the interpretations remove requirements for financial institutions to permit an applicant to provide ethnicity and race information using specified disaggregated subcategories. |
Notable Observations:
- No elimination of the Prior Rule’s firewall provisions: The CFPB declined to eliminate or weaken the statutory firewall provision in § 1002.108. The firewall provision generally prohibits employees involved in making credit decisions from accessing an applicant’s demographic information collected under Section 1071 and requires notice to the applicant when it is not feasible to limit access because a determination has been made that an employee “should have access” to the information. The CFPB noted the concerns raised by commenters with the firewall provisions, including that its requirements may disrupt established workflows, slow communication and decision-making, introduce inefficiencies, and increase compliance costs, potentially leading to reduced access to credit. Commenters also backed an alternative approach that the CFPB instead rely on applicant disclosure or notice provision similar to HMDA. Ultimately, however, the CFPB declined to make requested changes, emphasizing that the firewall provision is an explicit statutory requirement under 15 U.S.C. § 1691c-2(d).
- Reduction of CFPB discretionary data point collection requirements: Using its statutory authority, the CFPB included collection requirements of discretionary data points in the Prior Rule. As reflected in the chart above, the CFPB has removed discretionary data points in the Final Rule, including the Prior Rule’s collection of information regarding LGBTQI+ ownership and forms that reflected requests to identify based on gender identity, citing recent Executive Orders on these matters and the Administration’s broader deregulatory agenda.
- Removal of anti-discouragement provisions. The CFPB removed anti-discouragement and monitoring provisions providing additional significant operational relief for institutions. While the CFPB has retained the affirmative obligation to maintain procedures reasonably designed to collect applicant-provided data, many of the specific requirements of the Prior Rule have been removed based on the CFPB’s conclusion that they were redundant and added unnecessary regulatory complexity.
- Indication of Intention to Pursue a Public Notice and Comment Period regarding the Publication of Application-Level Data: The CFPB committed to issuing a notice of proposed rulemaking addressing data modification and deletion decisions before publishing application-level data. The CFPB noted that it will need a full year’s worth of reported data to conduct the appropriate review and determine appropriate modifications or deletions, particularly considering concerns noted by some commenters regarding the potential for re-identification in rural and niche markets. The first full year of data will be collected in 2028 and submitted to the CFPB by June 1, 2029, meaning publication of any data is likely years away.
What’s Next?
The Final Rule represents a meaningful recalibration of the Section 1071 data collection framework, but it likely does not represent the end of the data collection story. The CFPB has noted that it views the Final Rule as imposing “modest requirements” and as having a narrower focus compared to the Prior Rule, but the CFPB has also been explicit in stating that the Final Rule also represents “an incremental approach” that could later lead to inclusion of additional data points or expansion of the rule’s coverage. So, while covered financial institutions should certainly use the time before January 1, 2028, to finalize system modifications and data collection forms for compliance with the Final Rule, it may be wise that they do so with an eye to scalability that could accommodate the integration of more expansive data collection requirements in the future.
MemberJohn brings extensive experience representing clients as a member and as a regulatory and compliance lawyer and provides legal advice on the interpretation and application of laws and regulations to financial products, services ...
AssociateEmily’s experience spans a broad range of corporate and regulatory matters. She regularly conducts preemption analyses under the National Bank Act, NSMIA, and other federal and state financial laws. Her work includes preparing ...
About MVA White Collar Defense, Investigations, and Regulatory Advice Blog
As government authorities around the world conduct overlapping investigations and bring parallel proceedings in evolving regulatory environments, companies and individuals face challenging regulatory and criminal enforcement dynamics. We provide in-depth analysis and up-to-date information to help our clients navigate these fast-moving areas.
The latest from MVA White Collar Defense, Investigations, and Regulatory Advice Blog
- A Lighter Supervisory Touch, But Not a Lower Bar: What the 2026 GSIB Regulatory Feedback May Signal for Resolution Planning
- Irreconcilable Differences: Analyzing the Split in the First and Second Circuit Courts of Appeals’ Decisions on National Bank Act Preemption of State Interest-on-Escrow Laws
- CFPB scales back the small business credit data collection rule - but also indicates future expansion is possible
- Farm Credit Administration’s 2026 Priorities Reflect Some Alignment with Federal Banking Regulators, With Continued Focus on Risk Management and System‑Specific Nuances