Pub. 13 2023 Issue 2

Section 1071 Final Rule: What You Need to Know

Whether you were counting down the minutes until its release or hoping it would be put off as long as possible, it’s finally here — the Section 1071 Final Rule. The Final Rule caps a more than 10-year wait from the enactment of the original statute which prescribed these requirements in the 2010 Dodd-Frank Act, and it was released a mere day before the CFPB’s publication deadline.

Surprisingly, perhaps, there were several changes from the Proposed Rule to the Final Rule that should provide some much-needed relief to community banks. However, the majority of the rules were finalized as proposed, so for those institutions who fall within the rules’ scope, it will still be quite the mountain to climb until compliance day.

What Changed from Proposed to Final?

Many were happy to see that the final rule contained some key changes from the proposal issued in September 2021. According to the CFPB, the changes reflect the consideration of more than 2,100 public comments on the Proposed Rule, as well as extensive public input predating the proposal.

Threshold Increase

Undoubtedly, the biggest and most welcome change from the proposal is the threshold increase. Whereas the Proposed Rule called for institutions to be covered when making as few as 25 covered loans per year, the Final Rule increases this all the way to 100 per year. To be clear, this still covers a large majority of bank small business lending, and those under the threshold should note that the CFPB made clear that “Lenders originating less than 100 loans per year will still be required to adhere to fair lending laws.” Of course, we always knew that banks are subject to fair lending laws regardless of the number of loans originated, but the question will be how the CFPB and/or other regulators may interpret this assertion in this new Section 1071 world.

Phased Implementation

Probably the second most welcome change is the phased implementation, which means that even for those institutions that are covered, some do not have to collect and report until 2026 and 2027, respectively. Specifically, the Final Rule includes compliance date “tiers” for when a covered financial institution must begin collecting and reporting data:

Note that even if your institution originated fewer than 100 covered originations in 2022 or 2023, if you originate at least 100 covered originations in 2024 and 2025, you still must collect and otherwise comply with the rule starting on Jan. 1, 2026.

Additionally, the bank must have a method to determine how many covered credit transactions it originated in order to determine its appropriate compliance tier. If the bank happens to not have readily available information needed to make this determination, the Final Rule says that it can use “any reasonable method to estimate its covered originations” for 2022 and 2023 and provides several examples of this.

Visual Observation Requirement

A third important change from the Proposed Rule is that the bank will no longer be required (or allowed) to collect a business owners’ demographic information by way of visual observation or surname. This made many breathe a huge sigh of relief as the idea of trying to collect ethnicity and race through these means raised a variety of concerns during the time of the Proposed Rule. So, under the Final Rule, this information will only be able to be collected directly from the applicant(s) and not through any other means.

What Data Points Does This Cover?

It is interesting that the original 2010 Dodd-Frank statute which enacted the 1071 rule required 13 data points, which have now ballooned in the Final Rule to be reportable through 81 data fields. One notable change in the data points for the final rule is the addition of “LGBTQI+” business status. Whereas in the Proposed Rule there were two separate data points for business status — one for women-owned and one for minority-owned — the Final Rule just includes one data point for business status which encompasses all three of these:

… The Bureau notes that proposed § 1002.107(a)(19), “women-owned business status,” has been combined with proposed § 1002.107(a)(18), “minority-owned business status,” and the final § 1002.107(a)(18) 274 data point now addresses “minority-owned, women-owned, and LGBTQI+-owned business statuses.” As a result, the data points in proposed § 1002.107(20) and (21) have been renumbered as final § 1002.107(19) and (20). …

p. 274:

While we can’t reasonably cover them all here, the remaining data points were similar to the Proposed Rule and may be reviewed in the CFPB’s Data Points Chart.

What Transactions Are Covered?

Covered Credit Transactions

Very generally, a covered credit transaction is an extension of business credit under Regulation B, but with certain exclusions, some specifically for purposes of Section 1071, such as:

  • Trade credit;
  • HMDA-reportable transactions;
  • Insurance premium financing;
  • Public utilities credit;
  • Securities credit;
  • Certain incidental credit;
  • Factoring;
  • Leases;
  • Consumer-designated credit used for business or agricultural purposes;
  • Purchases of a credit transaction;
  • Purchases of an interest in a pool of credit transactions; and
  • Purchases of a partial interest in a credit transaction (such as a loan participation agreement).

Despite the length of this list of exclusions, the definition is still extremely broad and covers a wide variety of transactions, including closed-end loans, open-end lines of credit, credit cards, merchant cash advances and various credit products used for agricultural purposes.

Covered Originations

A very important thing to note in this area is that “covered originations” for purposes of determining institutional coverage and compliance dates is narrower than the above. A common question we have been getting on the hotline is whether extensions and renewals should be counted. For this purpose, extensions, renewals and certain other loan amendments are not considered covered originations, even if they increase the credit line or credit amount of the existing transaction.

What Else Should I Be Thinking About?


A very unique aspect of this rule is the so-called “firewall” provision, which bears mentioning here. In general, employees and officers should be prohibited from accessing the following responses if that employee or officer is involved in making any determination about the application:

  • The applicant’s minority-owned, women-owned, and LGBTQI+-owned business statuses; and
  • Its principal owners’ ethnicity, race, and sex.

There are limited exceptions to this firewall requirement, including a notice allowance, and the Final Rule also prohibits the bank from disclosing this demographic information to other parties, again, with limited exceptions.

Safe Harbors

Interestingly, the Final Rule has a safe harbor for certain incorrect census tracts, NAICS codes, and application dates. It also has a safe harbor regarding incorrect determinations of small business status, covered credit transactions and covered applications.

For example, if the bank initially determines that an applicant is a small business, but then later concludes the applicant is not a small business, the bank would not be in violation if, at the time the bank collected the demographic data, it had a “reasonable basis for believing that the application was from a small business.”

Action Plan

Now that the Final Rule has arrived, there are a variety of questions and action steps our members should be considering, such as:

  • Is my bank covered under the new Final Rule? If so, what is the bank’s mandatory compliance date?
  • How will this affect the bank’s Compliance Management System (CMS)? What policies, procedures and other governance documents or materials may need to be amended?
  • Is everyone well informed of the changes and their effects, including the Board, senior management, business lines and other stakeholders?
  • What type of training is planned and for whom?
  • What do the bank’s business lending processes look like currently and what change management will be required to implement these changes correctly and in a timely manner?
  • Has the bank established relationships with any vendors? Do the modules or other software offered need to be tailored to meet the bank’s needs?
  • What will the institution be employing for data integrity purposes?
  • What does a tailored project implementation plan look like for my institution?

Other Resources

In addition to the Final Rule itself, the CFPB published a bevy of other accompanying materials.

One is a Fact Sheet, which outlines the history of the Section 1071 rulemaking and the various policy objectives driving it.

Another is a Policy Statement which indicates “… that the CFPB intends to focus its supervisory and enforcement activities … on ensuring that covered lenders do not discourage small business loan applicants from providing responsive data, including … ECOA-mandated demographic data requests …”

The CFPB also published a Filing Instructions Guide, which provides an overview of the filing process, instructions for what to enter in each data field, validation requirements that must be met before the register can be filed and additional resources to assist with inquiries.

A Data Points Chart provides a visual guide to the various data point fields and their respective regulatory references, along with a brief description and filing instructions for each.

An Executive Summary lays out an overview of the main facets of the Final Rule. Compliance Alliance will be publishing its own summary of the Final Rule very soon.

Finally, a Key Dates chart provides a visual representation of the three compliance tiers and their respective mandatory compliance collection and reporting dates.

Note that there are some additional tools on the CFPB’s resources page, and more may be added in the future.

We’re Here to Help!

It goes without saying that this is just an extremely brief overview of all the Final Rule entails. As you approach your compliance date, or just work to determine whether your institution may be covered at all, we’re here to help! Feel free to reach out to our compliance hotline by chat, email or phone and one of our advisors will be happy to walk through your questions with you.