Following years of legal challenges and delayed implementation, the CFPB has finalized a revised framework for small business lending data collection, bringing operational and governance implications for covered financial institutions.
Section 1071 amended the Equal Credit Opportunity Act (ECOA) to require financial institutions to collect and report certain data on applications for credit by small businesses. The Consumer Financial Protection Bureau (CFPB) originally finalized its Section 1071 rule in 2023, establishing broad requirements across lenders, credit products and data collection fields. The rule was subsequently challenged in multiple federal courts, resulting in compliance delays and reconsideration.
In response, the CFPB issued a revised final rule on May 1, 2026, amending Subpart B of Regulation B. The updated rule narrows scope and refines data collection requirements for small business lending, while continuing to support fair lending oversight and transparency for women-owned, minority-owned and small businesses.
Key Updates
The 2026 final rule significantly narrows the scope of the original 2023 framework while maintaining core statutory requirements:
- Reduced Institutional Coverage: Applies to institutions originating ≥1,000 covered small business loans in each of the prior two years (up from 100). Farm Credit System institutions are excluded.
- Revised Small Business Definition: Threshold lowered to ≤$1 million in gross annual revenue (previously $5 million), with future inflation adjustments.
- Narrowed Transaction Scope: Excludes certain products, including merchant cash advances, agricultural credit, loans ≤$1,000 and secondary market purchases.
- Streamlined Data Requirements: Retains required statutory data elements but eliminates several discretionary fields (e.g., certain pricing data, number of workers, application method) to reduce compliance burden.
- Updated Demographic Data Collection: Modifies how principal owner demographic information is collected and reported.
Effective and Compliance Dates
The final rule becomes effective 60 days after publication in the Federal Register. The compliance date for initial data collection and reporting is January 1, 2028, replacing the tiered compliance schedule included in earlier versions of the rule. Establishing a single compliance date is intended to promote consistent implementation across covered institutions following years of litigation-driven deadline extensions and staggered obligations.
Implications for Financial Institutions
The 2026 rule takes a more targeted approach, limiting applicability primarily to higher-volume lenders, but institutions should not underestimate its complexity. Covered institutions must reassess applicability under revised thresholds and definitions and, while certain reporting requirements are streamlined, core fair lending data collection remains intact, requiring meaningful updates to systems, processes, data governance and internal controls ahead of the January 1, 2028 compliance date.
How Schneider Downs Can Help
With over 20 years of experience advising financial institutions through regulatory change, Schneider Downs helps clients not only meet compliance expectations but strengthen risk management programs and improve data transparency.
Our team supports clients through targeted readiness assessments, data and reporting process reviews and alignment of policies, procedures and internal controls with regulatory expectations.
If your organization needs assistance in proactively addressing these changes, please contact our team at [email protected].
About Schneider Downs Financial Services
The Schneider Downs Financial Services industry group supports financial institutions as they navigate evolving risk, regulatory and governance challenges. Our professionals work with institutions to strengthen internal audit, risk advisory, and related risk management programs that support sound decision-making, operational effectiveness and regulatory alignment.
Through services spanning internal audit, risk advisory, IT risk advisory, third-party risk management, fraud risk advisory and enterprise risk and compliance, we help financial institutions design and enhance resilient, risk-based programs aligned with their strategic objectives and operating environment.
To learn more, visit our Financial Services Industry Group page.
