December 2023 | Point of View

Prepare now for the changes coming to small business lending

CFPB's 1071 ruling will reshape small business lending—make sure you’re prepared to meet data demands and tech readiness

Prepare now for the changes coming to small business lending

The Consumer Financial Protection Bureau (CFPB) issued a final ruling amending Regulation B (Reg B) to implement changes to the Equal Credit Opportunity Act (ECOA) through section 1071 of the Dodd-Frank Act. Under this ruling, covered financial institutions (FIs) will be required to collect and report on significant amounts of new data from small business applicants seeking credit. While implementation of the 1071 ruling is currently on hold pending court challenges, many are diligently preparing for significant changes expected to the small business lending process. 

The amendment has been designed to be consistent with Reg B (including how a “complete application” is defined), while significantly expanding the reporting requirements for financial institutions related to small business lending applications, credit decisioning, reporting, and recordkeeping. 

The scope of these new requirements will require FIs to develop, maintain, and report on a consistent process for small business application intake and decisioning across all application intake channels.

It’s important to have a comprehensive understanding of all the ways in which the 1071 ruling will impact the end-to-end process by which small credit requests are handled.


While it’s simple to say that the final rule applies to new money credit transactions to small businesses (a business that had less than $5 million in gross annual revenue for its preceding fiscal year), it’s more difficult to identify all existing customers that meet that revenue threshold across all lines of business and application channels. It’s also critical for financial institutions to consider people, process, and technology in tandem when evaluating readiness for 1071. Changes to information collection practices, data storage/reporting, and corresponding technologies will have significant impacts on the end-to-end process for small credit requests. 

While the final rule does not take effect for Tier 1 financial institutions until October 2024, banks must start planning and implementing changes now to ensure new processes, technology, change management, and controls are in place and tested. 

We recommend that preparedness for 1071 be considered across five distinct lenses:

1. Applicability of 1071 to your financial institution and customers, including asking the following: 

  • How will you ensure that required data is consistently collected across all application channels for covered transactions? 
  • Does your financial institution have a robust customer record that can serve as a consistent source of truth for whether a customer qualifies as a small business and for responses to sensitive demographic questions? 
  • Does your financial institution have a consistent method for identifying an applicant’s prior fiscal year revenue and then updating this information, if necessary, during underwriting?
  • Have you considered that covered applicants include newly formed entities with no revenue in the prior year? What will this mean to the lending process across your lines of business? 

2. Roles and responsibilities will likely shift within your organization. Gain clarity around the following: 

  • Do RMs have approval authority for any small business loans? If yes, then they will need to ensure that they do not access the applicant’s responses to sensitive demographic questions to ensure the data does not impact the credit decision.
  • Can you properly identify credit actions (renewals, extensions, certain modifications) that are not reportable under the ruling as well as those (new money requests, refinancings) that are reportable? 

3. Process and procedures throughout the end-to-end lending lifecycle will need to be updated. It will be important to be consistent in the collection and treatment of data for all qualified transactions: 

  • How will you be sure that data is collected consistently when collected through multiple application channels (branch, call center, digital, RMs, etc.)?
  • How will your financial institution design a consistent small business credit application process that enables collection of required data while preventing access to sensitive demographic data by individuals with responsibility to underwrite or decision the credit request? 

4. Technology infrastructure must be equipped to handle the intake of new data fields, the combination of data from various sources, and the translation into the required format for reporting. Consider the following: 

  • Is application data consistently captured into a Loan Origination System (LOS) regardless of the application intake channel? 
  • Are you able to update your LOS and any supporting platforms to enable the required data collection and retention? 
  • Can your LOS accessibility controls be modified to ensure that sensitive demographic data is not accessible to those responsible for underwriting or decisioning a covered small business credit request? 
  • Do you have a reliable data repository that can aggregate, translate, and prepare data for quality assurance and reporting? 
  • Are current data retention methods compatible with 1071 requirements?  
  • Can the current LOS platform(s) reliably retain the required data for three years, or is a separate data warehouse/reporting tool needed? Can that data then be shown back to the customer at a later date to validate if something changes?
  • Will current LOS accessibility controls need to be modified to account for firewall? 

 5. Data storage, retention, and quality assurance processes will be foundational to successfully complying with the new 1071 rule. Answer the following: 

  • Do you have a reliable data repository that can aggregate, translate, and prepare required 1071 data for quality assurance and reporting? 
  • What systems will serve as the tools by which the application data is reviewed and transmitted to the CFPB? How will you ensure that the information reported under 1071 is consistent with the data reported under other regulations (CRA, HMDA, etc.)? 


Much has been made of the significant changes required to fully comply with the CFPB’s 1071 ruling. At the end of the day, we believe the question that you should ask is whether your organization is prepared to offer your customers a consistent lending experience regardless of the channel via which they apply for business credit. 

Are your people, processes, and technology aligned to offer a streamlined credit experience that is fully compliant? If not, what is stopping you from creating a lending experience that will both drive new small business revenue and provide transparency into your end-to-end credit process?


Explore our latest perspectives