CFPB’s Revised Section 1071 Small Business Lending Rule: What Financial Institutions Need to Know Before 2028

The CFPB’s revised Section 1071 small business lending rule materially narrows the 2023 framework, but it does not eliminate the rule. Covered financial institutions still need to prepare for applicability analysis, data collection, demographic information handling, firewall controls, recordkeeping, reporting, and audit readiness. The practical issue is how to turn the revised rule into a defensible compliance, data governance, and examination-readiness plan.

NETBankAudit works with financial institutions on compliance, internal audit, risk, and control readiness. If your team has questions about Section 1071 planning after reading this article, please reach out to our team.

What Changed in the 2026 Section 1071 Final Rule

The May 1, 2026 final rule is effective June 30, 2026, sets a January 1, 2028 compliance date, raises the coverage threshold from 100 covered originations under the 2023 framework to 1,000 covered credit transactions for small businesses under the revised rule, reduces the small business revenue threshold from $5 million to $1 million, excludes merchant cash advances, agricultural lending, and small-dollar business credit transactions, removes several 2023 data points, and retains number of principal owners, three-digit NAICS code, and time in business.

For institutions covered as of the January 1, 2028 compliance date, the first full year of data collection is expected to be 2028. Reporting is generally expected by June 1, 2029, subject to revised CFPB filing instructions. That timing should not be treated as extra time to postpone control design.

For covered institutions, the key question is not only whether the institution can submit a file. The institution must also be able to defend the decisions, controls, and data lineage behind that file. That means the 2026 rule should trigger a refreshed implementation analysis, not a simple calendar update.

Several changes should drive immediate recalibration of prior Section 1071 work. Institutions that scoped implementation under the 2023 rule may have product maps, field inventories, and system specifications that are now too broad. The following changes are the main starting point for a revised work plan.

• Covered institution threshold: Coverage now turns on at least 1,000 covered credit transactions for small businesses in each of the two relevant calendar years.
• Small business definition: The gross annual revenue threshold is now $1 million or less, rather than $5 million or less.
• Product exclusions: Merchant cash advances, agricultural lending, and business credit transactions of $1,000 or less are excluded.
• Removed fields: The rule removes application method, application recipient, denial reasons, pricing information, number of workers, and LGBTQI+-owned business status.
• Retained additional fields: The rule keeps number of principal owners, three-digit NAICS code, and time in business in addition to statutory data points.

The 1,000-Transaction Threshold Requires a New Coverage Analysis

Coverage is based on covered credit transactions originated to small businesses, not total business applications or total commercial lending volume. Institutions near the threshold should document how originations were counted, which products were excluded, and how small business status was determined under the revised 1,000-transaction standard.

For initial coverage, institutions generally look to 2026 and 2027 originations. The rule also includes a transitional option allowing use of 2025 and 2026 for determining whether the institution must comply by January 1, 2028. That option may help threshold-adjacent institutions avoid waiting until late 2027 for certainty.

The $1 Million Revenue Threshold Affects Systems and Controls

The lower revenue threshold changes both reportability and workflow design. Institutions need a reliable method for requesting, recording, verifying, reusing, and correcting gross annual revenue. If revenue data is inconsistent or stored only in unstructured documents, coverage and reporting decisions will be harder to defend.

Institutions should also avoid treating all previously collected data the same way. Revenue, demographic information, census tract, NAICS code, time in business, and principal owner information may have different reuse and freshness considerations.

Why CFPB Narrowed the Rule

The 2025 proposed reconsideration rule identified burden reduction, data quality, reduced market disruption, and preservation of small business credit availability as key reasons for moving away from the broader 2023 framework.

The CFPB’s revised approach focuses on core lenders, core products, and core data points. The Bureau also framed Section 1071 as an incremental reporting regime, similar in concept to how HMDA developed over time. That matters because the current framework may not be the final endpoint for the rule.

Operational concerns were not new. The 2020 SBREFA Panel Report documented small entity concerns about implementation cost, staffing, software changes, firewall feasibility, privacy, public disclosure, and possible effects on small business credit availability.

The 2026 Rule Responds to Long-Running Burden Concerns

The 2026 final rule is best understood as a recalibration. It reduces immediate coverage and removes several high-burden data points, but it preserves the statutory small business lending data framework. Pricing and denial reasons are especially important removals because they would have carried significant system, training, data integrity, and fair lending analytics implications.

For financial institutions, this means prior implementation work should be reviewed, not automatically abandoned. Product inventories, data maps, and governance structures may still be useful. The task is to narrow them to the current rule and remove obsolete assumptions.

Section 1071 Remains a Fair Lending Transparency Rule

Section 1071 of the Dodd-Frank Act amended ECOA to require collection and reporting of small business lending data, and the Section 1071 rulemaking page identifies fair lending enforcement and community development analysis as core statutory purposes.

The narrower rule does not erase fair lending exposure. It changes the scope of the data, the covered population, and the implementation burden. Covered institutions should be prepared to explain how they collect required information consistently and how they protect sensitive demographic data.

What Institutions Still Need to Prepare For

The June 2025 Small Entity Compliance Guide remains useful for operational concepts such as covered applications, collection procedures, firewalling, recordkeeping, and reporting, but institutions should read it against the 2026 final rule before relying on any specific requirement.

Implementation should begin with a gap assessment against the revised rule. Institutions should distinguish work that is no longer needed from work that remains necessary. Covered institutions should also avoid treating January 1, 2028 as the start of project work.

By the compliance date, the institution should have an operating model that has already been designed, trained, tested, and remediated. The remaining runway should be used to create evidence of control effectiveness. The workstreams below are the core areas for management, compliance, data governance, and internal audit coordination.

• Applicability Analysis: Recalculate coverage under the 1,000 covered credit transaction threshold. Document the look-back period, the products included or excluded, the small business revenue logic, and any transitional option used.
  
• Covered Product and Channel Mapping: Map business term loans, lines of credit, business credit cards, online applications, branch-originated requests, indirect channels, and brokered arrangements. A prior 2023 product map may overstate coverage if it included products now excluded.
  
• Covered Application Triggers: Institutions should define how a covered application is identified across channels. Online applications, branch requests, brokered applications, renewals, extensions, and requests for additional credit may not all receive the same reporting treatment.
  
• Data Point Inventory: Identify which retained data points are already captured, which are captured inconsistently, and which require new fields or workflow changes. Removed 2023 fields should not continue to drive system scope unless retained for another approved business reason.
  
• Principal Owner Procedures: Procedures should distinguish Section 1071 principal owner reporting from other ownership or beneficial ownership frameworks. The rule focuses on individuals with direct ownership of 25 percent or more of the business.
  
• Demographic Collection Controls: Covered institutions still need procedures for minority-owned business status, women-owned business status, and principal owner ethnicity, race, and sex. Demographic information should be applicant-provided, not inferred from visual observation, surname, or other information collected for another purpose.
  
• Firewall and Access Controls: Evaluate whether sensitive demographic information can be shielded from underwriters and other credit decision-makers where feasible. If firewalling is not feasible, the institution should have applicant notices, workflow evidence, and exception documentation.
  

Reporting Readiness and Public Data Issues Are Still Developing

The 2025 Filing Instructions Guide illustrates the technical nature of Section 1071 reporting, including structured register concepts, validation specifications, filing platform processes, and certification workflow, but CFPB has stated that filing instructions will be revised to incorporate the 2026 final rule.

That creates a two-track planning issue. Institutions should wait for revised CFPB filing instructions before locking final technical specifications. They should not wait to establish data ownership, field definitions, quality control, exception handling, and accountability for final submission.

Privacy and Application-Level Publication Are Not Final

The 2026 final rule does not finalize application-level publication modifications and deletions. CFPB expects to address privacy and publication issues later, likely after receiving a full year of reported data for re-identification analysis.

Institutions should prepare for eventual public visibility without assuming the final publication format. Fair lending and compliance teams should plan internal review of Section 1071 data before modified data becomes externally available.

Voluntary Collection Should Be Controlled

Institutions that are not covered should be careful about voluntarily collecting demographic information. If demographic data is collected under Section 1071 permissions, related procedural, firewall, recordkeeping, and disclosure obligations may apply. This is not a field to add casually to small business applications.

Examiner, Internal Audit, and Fair Lending Implications

Examiners and auditors will not look only at the final submission file. They will also evaluate whether the institution’s process produces reliable, consistent, and explainable data. That includes field ownership, source systems, manual overrides, applicant refusals, third-party collection, and exception resolution.

Internal audit should test readiness before the compliance date. A pre-implementation review can identify weak coverage logic, incomplete product mapping, unclear application triggers, missing firewall evidence, and unresolved system dependencies while there is still time to remediate.

Audit Testing Should Start With Defensibility

The first audit question should be whether the institution can defend its coverage decision. That requires support for transaction counts, excluded products, small business revenue determinations, and the treatment of indirect or partnership lending arrangements.

The next layer is process testing. Audit should determine whether required fields are collected at the right time, whether applicant-provided demographic data is handled correctly, whether refusals are captured, and whether sensitive data is shielded where feasible.

Fair Lending Teams Should Use the Implementation Period

Fair lending specialists should use the implementation period to understand what the new data may show internally. The data should be considered alongside underwriting standards, pricing policies retained for business purposes, exceptions, complaints, and market context.

Section 1071 data alone generally should not be treated as determinative. Still, once collected and reported, it may shape examiner questions, management reporting, and public scrutiny. Institutions should be ready to explain patterns before others interpret them.

Practical Takeaways Before January 1, 2028

The revised rule gives covered institutions more time, but meaningful implementation work remains. The strongest readiness plans will narrow scope, assign ownership, test controls, and preserve documentation. The following actions should be prioritized across compliance, risk, lending operations, data governance, and internal audit.

1. Recalculate coverage under the 1,000 covered credit transaction threshold.
2. Redo product mapping for merchant cash advances, agricultural lending, small-dollar business credit transactions, and other excluded categories.
3. Update small business classification procedures around the $1 million gross annual revenue threshold.
4. Define covered application trigger points across products, channels, renewals, extensions, and requests for additional credit.
5. Revise data collection plans around retained statutory fields and the three retained additional fields.
6. Remove obsolete implementation assumptions tied to application method, application recipient, pricing, denial reasons, number of workers, and LGBTQI+-owned business status.
7. Build or update firewall controls, including role-based access, masking, notices, and audit trails.
8. Review vendor contracts and system permissions for use, storage, retention, and redisclosure of demographic data.
9. Monitor CFPB updates for revised filing instructions and later privacy or publication rulemaking.
10. Schedule internal audit testing before January 1, 2028, with remediation time included in the project plan.

Section 1071 Readiness Support From NETBankAudit

The CFPB’s 2026 final rule narrows Section 1071, but covered institutions still need an auditable implementation plan. NETBankAudit can help banks and credit unions assess applicability, test product mapping, review data governance controls, evaluate firewall procedures, and prepare internal audit work plans before the January 1, 2028 compliance date.

If your institution needs independent support with Section 1071 readiness, fair lending controls, data governance, or audit preparation, contact NETBankAudit to discuss how our compliance and audit advisory team can help.