Navigating CFPB Section 1071: A Complete Guide for Lenders

5/4/2026 views1

If you're in the business of lending to small businesses, you've probably heard the term "CFPB Section 1071" buzzing around. It's not just another piece of regulatory jargon. It's a fundamental shift in how lenders collect and report data, aimed squarely at uncovering lending disparities. For many financial institutions, the initial reaction is a mix of confusion and dread. The rules are dense, the data requirements are extensive, and the penalties for non-compliance are real. But here's the thing: understanding and implementing Section 1071 isn't just about avoiding fines. Done right, it can sharpen your underwriting, improve your community outreach, and even reveal new market opportunities you've been missing. Let's break it down, step by step, without the legalese.

In this Article

What Exactly Is CFPB Section 1071?

CFPB Section 1071 refers to a specific part of the Dodd-Frank Act. Its core mandate is simple: to shine a light on the small business lending market. For decades, we've had detailed data on mortgage lending through HMDA. Section 1071 aims to do the same for small business loans. The Consumer Financial Protection Bureau (CFPB) finalized the rule in March 2023, and it's rolling out in stages.

The goal is to identify potential discrimination and track whether financial institutions are adequately serving minority-owned, women-owned, and other underserved small businesses. The CFPB and researchers will use this data to enforce fair lending laws. But the implications for lenders go far beyond reporting. It changes the application conversation.

The Bottom Line: Section 1071 transforms small business lending from a largely opaque process into a data-rich, transparent one. You're not just collecting data for a form. You're building a detailed profile of your market engagement that regulators will analyze.

Who Must Comply with These New Rules?

This isn't just for big banks. The net is cast wide. You're covered if you originated at least 100 "covered credit transactions" for small businesses in each of the two preceding calendar years. The term "covered credit transaction" is broad: term loans, lines of credit, credit cards, merchant cash advances, and even certain types of farm loans.

So, who's a "small business"? The definition uses the SBA's size standards, which vary by industry. Generally, it's a business with $5 million or less in gross annual revenue for the preceding fiscal year. That captures a huge swath of the market.

I've seen community banks and credit unions mistakenly think their volume is too low. They count their commercial real estate loans and large commercial lines but forget about the dozens of small business credit cards or equipment loans under $100,000. Those count. My advice? Start auditing your 2023 and 2024 originations now to see if you'll hit the 100-loan threshold for 2025. Don't wait for the official count.

The Data You'll Need to Collect: A Detailed Breakdown

This is where the rubber meets the road. Section 1071 requires you to collect over 20 data points on each application. Some are straightforward, like loan amount and interest rate. Others are more sensitive and require careful handling.

The most discussed—and most challenging—points involve demographic information about the business's principal owners: ethnicity, race, and sex. This data must be collected based on self-identification by the applicant. You cannot guess or infer. The rule provides specific language for how to ask these questions.

Data Point Category Specific Examples Why It's Tricky
Application & Loan Details Application date, credit type, amount requested, amount approved, action taken (approved, denied, withdrawn), pricing (rate, fees), census tract. Pricing data requires pulling from multiple systems. Census tract needs accurate business address.
Business Demographics Gross annual revenue, NAICS code, number of workers, time in business. Applicants often estimate revenue loosely. Choosing the right NAICS code can be ambiguous.
Owner Demographics Ethnicity, race, sex of principal owners (owners with 25%+ equity). Requires a sensitive, standardized interview. Must allow for "I do not wish to provide." Multi-owner scenarios need aggregation logic.

A major pitfall I see lenders preparing for is treating this like a checkbox exercise at the end of the process. That's a mistake. Asking for race and gender data after a credit decision has been made, even informally, can create legal risk. The questions need to be integrated into the application flow in a way that feels natural and compliant. Some lenders are testing online portals with these fields alongside business revenue questions, while others are scripting precise language for loan officers.

The Nuance of "Principal Owner"

This trips people up. You only collect demographic data for owners holding 25% or more of the business. For a sole proprietorship, that's one person. For an LLC with four equal partners, that's all four. But what about a complex ownership structure with a holding company? You need to trace through to the natural persons. Your loan origination system likely isn't set up to calculate and track this ownership percentage dynamically. This is a systems and process gap you'll need to plug.

A Practical Implementation Roadmap for Lenders

Compliance dates are staggered based on your loan volume. The largest lenders (those who originated at least 2,500 covered loans in 2022 and 2023) started in October 2024. If you're in the next tier, you have until April 2025 or later. But starting now is non-negotiable.

Here's a phased approach that works:

Phase 1: The Discovery Audit (Months 1-2). Don't buy software yet. First, map your current small business lending workflow from inquiry to closing. Identify every touchpoint. Then, pull a report of all originations from the past two years. Categorize them. Do you have 100+ covered transactions? Be brutally honest. This audit will define your entire project scope.

Phase 2: Process Redesign (Months 3-5). This is the creative part. How and when will you ask the demographic questions? I recommend designing two flows: one for digital applications and one for in-person/phone applications. For digital, build the questions directly into the form. For loan officers, create a separate, scripted "demographic information interview" that occurs early in the process, separate from the credit discussion. Train staff on the why—not just the what—to reduce discomfort.

Phase 3: Systems & Vendor Integration (Months 6-10). Now you talk to your core processor, LOS vendor, and potential third-party compliance software providers. You need a way to capture, store, and eventually report this data. The biggest headache here is data validation and ensuring the new fields flow through your ecosystem without breaking existing processes. Demand demos and test rigorously.

Phase 4: Dry Run & Reporting (Months 11-12). Before your compliance date, run a 3-month pilot. Collect data on real applications in a test environment. Generate a mock submission file using the CFPB's published technical specifications. Find the glitches now, not when you're facing a deadline.

Common Pitfalls and How to Avoid Them

After consulting with several institutions going through this, a few consistent errors emerge.

Pitfall 1: Underestimating the cultural shift. Loan officers are relationship managers. Asking pointed questions about an owner's race can feel invasive and off-putting to them and the customer. If you just hand them a new script without context, they'll resist or fumble it. Solution: Involve your top loan officers in designing the process. Let them pilot the language. Their buy-in is critical for smooth adoption.

Pitfall 2: Silos between compliance and tech. The compliance team writes the policy, then throws it over the wall to IT to implement. This leads to solutions that are technically sound but operationally clunky. Solution: Form a cross-functional team from day one. Include compliance, lending operations, IT, and a front-line lender.

Pitfall 3: Data integrity neglect. You collect the data, but is it accurate? Is "gross annual revenue" entered consistently? Is the NAICS code for a freelance graphic designer (541430) or a web design firm (541511)? Inconsistent data will make your regulatory reporting useless and could trigger questions. Solution: Build dropdowns, validation rules, and clear definitions directly into your data entry points.

Your Section 1071 Questions, Answered

We're a small community bank. Our loan officers have long-standing relationships with business owners. How do we ask for race and gender data without damaging that trust?
This is the most common concern I hear. The key is transparency and framing. Train your officers to say something like, "As part of a new federal regulation designed to ensure fair access to credit for all small businesses, we are now asking for optional demographic information. This helps regulators identify market needs. Your response is voluntary and has no impact on your credit decision. May I ask for this information now?" Practicing this script removes the awkwardness. The relationship is built on the loan itself, not this one compliance question.
What happens if a business has multiple owners and they select different race categories? How do we report that?
The rule requires you to report multiple selections if applicable. For example, if one owner selects "White" and another selects "Black or African American," you would report both. Your system needs to accommodate storing and reporting multiple values for a single application. Don't try to force a single selection; that misrepresents the data and defeats the purpose of the rule.
Our bank primarily serves agricultural businesses. Are farm loans really included?
This is a nuanced area. The rule generally includes credit extended for agricultural purposes. However, there is an exclusion for certain transactions covered by the Farm Credit Act. Many farm loans from traditional banks will be covered. The CFPB's Small Entity Compliance Guide has a flowchart on this. If a significant portion of your portfolio is agricultural, consulting with counsel who specializes in both ag lending and consumer finance is a wise investment. Don't assume you're exempt.
We use a third-party online application platform. Are they responsible for collecting this data?
No. The ultimate legal responsibility for collecting and reporting the data lies with the financial institution making the credit decision. You must ensure your third-party provider's application forms and workflows are configured to comply with Section 1071's specific requirements. Review your contracts and service level agreements. You'll need to actively manage that vendor relationship—you can't outsource the compliance risk.

Related Articles

AI Total Addressable Market: Size, Drivers & How to Capture Value

AI Total Addressable Market: Size, Drivers & How to Capture Value

What is the true size of the AI Total Addressable Market (TAM), and how can your business capture a share? This deep dive explores the staggering $1.8 trillion forecast, key growth drivers beyond software, and actionable strategies for investors and companies.
Apr-10, 2026