Pular para o conteúdo principal
Beancount.io LogoBeancount.io

CFPB Section 1071 Small Business Lending Rule Explained

8 min para lerMike ThriftMike Thrift
CFPB Section 1071 Small Business Lending Rule Explained

The next time you apply for a business loan or line of credit, don't be surprised if the application asks a question that has nothing to do with your credit score: "What is the race, ethnicity, and sex of your business's principal owners?"

That question isn't a mistake, and you're not required to answer it. It's the result of a rule fifteen years in the making — the Consumer Financial Protection Bureau's Section 1071 small business lending rule — and after years of delays, lawsuits, and a near-complete rewrite, it now has a real compliance date: January 1, 2028. Here's what actually changed, who has to comply, and what it means for you the next time you sit across from a lender.

What Section 1071 Is (and Why It's Taken 15 Years)

2026-07-08-cfpb-section-1071-small-business-lending-rule-explained

Section 1071 was written into the Dodd-Frank Act back in 2010. The idea was simple in concept: the Home Mortgage Disclosure Act already forces mortgage lenders to report detailed data on who gets approved and who gets denied, which is how regulators and researchers spot patterns of discrimination in home lending. Section 1071 does the same thing for small business credit — requiring lenders to collect and report data on loan applications so regulators can monitor whether small businesses owned by women, minorities, or other groups are getting fair access to capital.

The problem is that "simple in concept" turned into over a decade of rulemaking. The CFPB didn't issue a proposed rule until 2021, finalized it in 2023, watched it get challenged in court and partially stayed, delayed compliance dates multiple times, and finally released a substantially revised final rule in May 2026 that scraps the original's tiered timeline in favor of one clean deadline and a much lighter data-collection burden.

The Big Changes in the May 2026 Final Rule

If you read anything about the original 2023 version of this rule, most of it is now out of date. The CFPB explicitly pivoted to what it called a "start small, expand carefully" approach. The headline changes:

  • One compliance date for everyone. The 2023 rule staggered compliance across three tiers based on lending volume, with the largest lenders going first in mid-2026 and smaller ones phasing in through late 2027. The 2026 final rule scraps the tiers entirely: every covered institution now has the same January 1, 2028 compliance date, giving lenders roughly 20 months from the rule's effective date to build out reporting systems.
  • A higher volume threshold to be "covered" at all. A lender only has to comply if it originated at least 1,000 covered small business credit transactions in each of the two preceding calendar years — up from the 100-loan threshold in the original proposal. This exempts a large swath of small community banks and credit unions that only occasionally make small business loans.
  • A narrower definition of "small business." The borrower has to have $1 million or less in gross annual revenue for its preceding fiscal year to count under the rule — tightened down from the $5 million threshold in the earlier rule. That threshold will adjust for inflation every five years starting in 2030.
  • Fewer things get reported. The CFPB dropped a list of discretionary data fields that lenders had pushed back on hardest, including application method, application recipient, denial reasons, pricing components, and number of employees. What survives is closer to the statutory minimum: loan amount and type, action taken, census tract, gross annual revenue, NAICS industry code, time in business, number of principal owners, and demographic data on those owners.
  • Simplified demographic categories. Race and ethnicity are now collected as broad aggregate categories rather than the more granular disaggregated subcategories originally proposed. Sex/gender data collection uses binary male/female categories.
  • Several loan types are excluded entirely, including merchant cash advances, agricultural lending, small-dollar loans of $1,000 or less, and any lending by Farm Credit System institutions.
  • A 12-month grace period. For the first year after the compliance date, the CFPB says it will focus supervisory attention on institutions making "good-faith efforts" to comply rather than aggressively penalizing early mistakes.

Who Actually Has to Report

A "covered financial institution" under the final rule is any bank, credit union, online lender, community development financial institution, nonprofit lender, or other entity that originated 1,000 or more covered small business credit transactions in each of the two calendar years before the determination. If you're a smaller community lender who does a modest volume of small business lending, there's a real chance the higher threshold takes you out of scope entirely — a meaningful win for the community banking lobby, which had argued the original 100-loan threshold would sweep in institutions with no real capacity to build compliance infrastructure.

If your lender does meet the threshold, the transactions that count include most extensions of credit to small businesses: term loans, lines of credit, and business credit cards, among others. Merchant cash advances and agricultural credit are carved out under the final rule, so if your business relies heavily on those products, don't expect this data to capture your borrowing pattern.

What "Small Business" Means Here

For a loan to be covered, the borrower — not just the lender — has to fit the rule's definition of a small business: gross annual revenue of $1 million or less for the preceding fiscal year. That's a meaningfully tighter bar than the $5 million figure floated in earlier drafts, so if your business is solidly in the "small" category by SBA standards but comfortably above $1 million in revenue, your loan applications may not generate 1071 data at all — though your lender will likely still ask, since they need the revenue figure to determine coverage in the first place.

What You'll Actually See on Applications

Starting with applications processed on or after January 1, 2028, expect covered lenders to add a short block of questions to their applications covering:

  • Gross annual revenue and time in business
  • NAICS industry code
  • Number of principal owners
  • Race, ethnicity, and sex of principal owners

Here's the part worth remembering: you are not required to answer the demographic questions. The rule requires lenders to tell applicants that providing race, ethnicity, and sex information is optional, that the lender cannot discriminate based on whether you answer, and that the law requires the question in order to help monitor fair lending — not to influence your individual application decision. If you decline to answer, the lender cannot guess based on your name or how you look; they're required to record the response as "not provided" rather than infer it themselves.

The revenue, time-in-business, and NAICS data, however, aren't optional in the same way — they're standard underwriting inputs lenders already collect. What's new is that this information now flows into a standardized federal report rather than staying purely internal to the underwriting file.

Why the Recordkeeping Matters More Than the Compliance Date

Notice what's actually driving the reportable data: gross annual revenue, time in business, and industry classification. These aren't numbers a loan officer invents on the spot — they come straight from your financial statements, your tax filings, and how consistently you've tracked revenue by category. A lender asking for "gross annual revenue for the preceding fiscal year" wants a number you can substantiate, not a rough estimate, and a messy set of books that can't produce a clean, defensible revenue figure on request slows down every loan application you'll ever file — 1071 reporting or not.

This is also a good moment to make sure your NAICS classification and entity details are consistent across your loan applications, tax returns, and accounting records. Lenders cross-reference these figures, and discrepancies between what you told one lender last year and what your current books show can trigger extra scrutiny that has nothing to do with your creditworthiness.

Plain-text, version-controlled accounting makes this easier than it sounds. When every transaction lives in a ledger you can query and audit, pulling "gross revenue for fiscal year 2027" or reconciling that figure against your tax filing takes minutes, not a week of digging through spreadsheets and bank statements before a loan deadline.

The Bottom Line

Section 1071 has been "coming soon" for so long that it's easy to tune it out. This time the deadline is real, but the rule that finally lands in 2028 is considerably lighter than what was originally proposed: fewer lenders are covered, fewer data points get collected, and the demographic questions remain optional for applicants. If you're a small business borrower, the main practical impact is a handful of new questions on loan paperwork starting in 2028 — and a good reminder that the revenue and industry data underlying every loan application should come from books you actually trust.

Keep Your Books Loan-Ready

Whether or not your next loan application triggers Section 1071 reporting, lenders will always want a clean, defensible revenue number and a clear financial history. Beancount.io gives you plain-text accounting that's transparent, version-controlled, and easy to audit — no black boxes, no reconstructing a year of transactions the night before a loan deadline. Get started for free and see why developers and finance professionals are switching to plain-text accounting.