The CFPB’s Small Business Lending Rule (1071 data) is changing how financial institutions handle small business loans. Juliya Kofman Greenfield—a compliance expert and Principal at Exton business consulting firm RKL, LLP—broke down essentials of 1071 at a recent presentation from the Financial Managers Society (FMS) in King of Prussia, PA.
CFPB 1071: The Sister Rule to HMDA
“1071 is essentially HMDA’s sister,” Greenfield began. “For HMDA, we report dwelling-secured transactions. But with 1071, it’s all about small businesses.”
Small business loans—including lines of credit, credit cards, and merchant cash advances—are the focus of the rule. Consumer credit is excluded. “It’s crucial to distinguish between business and consumer credit for accurate reporting,” she emphasized. Consumer and business purpose loans are reported under the HMDA rule, but not under the small business lending rule.
Extensive Data Collection Requirements of CFPB 1071
The data collection requirements of 1071 are hefty, requiring institutions to report 81 specific data points. Greenfield explained. “There are nuances here that financial institutions must be prepared for.”
She further clarified, “You don’t need to verify every piece of data an applicant provides. But if something changes during the application process, like gross annual revenue, you must update the report.”
Collecting and Reporting Data on Diverse Business Ownership Under CFPB 1071
An essential aspect of 1071 is the focus on minority-, women-, and LGBTQI+-owned businesses. Greenfield highlighted how the data associated with those identities sheds light on lending practices. “We’re talking about businesses where more than 50 percent of ownership is held by individuals from these groups,” she said. “What the applicant states is what you report—the rule requires us to rely on applicant statements.”
The rule’s focus on demographics aims to create transparency around how institutions serve underrepresented groups. “It’s all about fairness in lending,” Greenfield added.
The 1071 Firewall Requirement: Keeping Sensitive Data Secure
One of the most challenging aspects of 1071 is its firewall requirement, which ensures that sensitive demographic information is kept separate from the individuals making loan decisions. “It’s not just a suggestion—it’s a legal requirement,” Greenfield stressed.
“For institutions using paper files, you’re literally taking two pieces of paper out and putting them in a different location that no one else can have access to unless they have the keys,” she explained. “This separation is crucial for protecting demographic data.”
For those using electronic systems, Greenfield pointed out the need to create specific roles within loan origination systems. “You need to make sure only certain people can access this data, and you have to test those roles in the system you’re relying on,” she said.
1071 Compliance Requirements: Utilizing Safe Harbor Provisions
1071 has safe harbor provisions for certain data points if a financial institution inadvertently collects demographic data. As long as the data are handled correctly, “You’re not in violation if you thought you needed the data but later find out you didn’t,” Greenfield explained. “You must follow the rules for the firewall and recordkeeping to take advantage of the safe harbor.”
This provision, however, doesn’t give institutions a free pass on everything.
New CFPB 1071 Compliance Dates and Deadlines: The Three Tiers
One of the critical updates to 1071 involves its tiered compliance dates, which dictate when institutions need to begin complying based on the volume of loan originations. Greenfield explained the three tiers:
- Tier 1, institutions that originated at least 2,500 loans in both 2022 and 2023 or 2023 and 2024, have to start complying by July 18, 2025
- Tier 2, which covers institutions with 500 to 2,499 originations, has a compliance date of January 16, 2026
- Tier 3, those with 100 to 499 originations, have until October 18, 2026, to enact compliancy
Leveraging Partial-Year Reporting Periods
Greenfield emphasized the importance of using the partial-year reporting periods to your advantage: “When the government gives you the option to not report for a full year, take it. Don’t expose yourself to unnecessary risk. If your reporting period starts in the middle of the year, only report the data for that period.”
Annual Tier Re-evaluation
Moreover, she reminded attendees of the need for yearly evaluations: “You need to know where you fall in the tier structure. If you cross that 100-loan threshold in two consecutive years, you’re required to comply with the rule and reporting requirements.”
Defining a Small Business for 1071 Compliance
The rule defines a small business as one with gross annual revenues of $5 million or less in the previous fiscal year. “You can rely on the applicant’s representation of their revenue,” Greenfield said, “but if new information comes up during underwriting, you have to update it.”
She also highlighted the complications with multiple requests. “If a business requests multiple facilities, each request should be treated as a separate application,” she clarified.
1071 Recordkeeping Requirements: A Three-Year Lookback
Recordkeeping is another critical component of 1071. Institutions must retain evidence of compliance for at least three years after reporting, which is different from other retention requirements. “Don’t purge your business application records after 12 months,” Greenfield warned. “Make sure your systems are set up to retain the data for the full three years.”
This recommendation applies to both loan application registers and any documentation related to the small business or demographic data collected. “It’s not just about keeping the loan file—it’s about keeping everything you need to prove compliance,” Greenfield advised.
Don’t Delay: Start Preparing for 1071 Compliance Now
As the compliance dates loom closer, Greenfield urged institutions to start preparing now. “1071 is complex, but with proper preparation, you can get through it,” she advised. “Work across departments—compliance can’t do it alone. Everyone, from lending to IT, needs to be involved. You must have an implementation plan in place.”
The Small Business Lending Rule (1071) requires financial institutions to report their small business lending activities. With its focus on transparency, fairness, and detailed data collection, the time to act is now.
As Greenfield put it, “Once you’re in, you’re in. There’s no turning back.”
Looking for further clarity? Would you like to see the entire presentation? Email Julyia Kofman Greenfield directly.
