The Consumer Financial Protection Bureau (CFPB) updated Section 1071 of the Dodd-Frank Act. This change requires financial institutions to collect and report detailed data on credit applications from small businesses — particularly those owned by women and minorities.

The goal? To promote fairness and transparency in lending while ensuring equal access to credit. But this rule has sparked controversy. Critics point to the privacy concerns and the substantial administrative burden it places on financial institutions.

Section 1071 demands that financial institutions not only collect and manage detailed demographic data but also securely store it. On top of that, they must comply with strict record-keeping rules and potential audits. 

These tasks require significant resources, including updated technology systems, employee training and nuanced data protection measures. As institutions work to meet these new standards, they face the difficult task of balancing transparency with the need to protect sensitive information.

This guide will walk you through why Section 1071 is important, who it affects and how your organization can stay compliant.

Why is Section 1071 Important?

Section 1071 is crucial because it champions fair lending practices for small businesses — key players in the U.S. economy. They employ nearly half of the American workforce and contribute 43.5% of the nation’s GDP. Ensuring small businesses have equal access to credit is, therefore, necessary for balanced economic growth and innovation. 

Section 1071 aims to promote transparency in lending by mandating data collection on credit applications, which helps identify discriminatory practices. However, this requirement brings challenges. Financial institutions must overhaul their data systems to meet compliance requirements, sparking concerns about privacy and security.

Most small businesses don’t have the technological capacity to collect this kind of data without incurring serious, unmitigated information security risks. Compliance demands advanced cybersecurity measures, such as:

• Encrypted storage.
• Secure access protocols.
• Regular security audits.

Yet, many small businesses lack the infrastructure and expertise to implement these safeguards, making them vulnerable to data breaches. With 61% of data breaches targeting small businesses, these capability gaps pose a real threat to data privacy. 

Additionally, compliance deadlines vary based on the size of the institution, meaning each must accurately assess its transaction volumes and update systems accordingly. Beyond system upgrades, significant staff training is essential to manage new data collection protocols and ensure adherence to regulations.

Who Does Section 1071 Affect?

Section 1071 aims to protect small businesses from discriminatory lending by giving regulators the data they need to monitor lending patterns. This means the rule affects two main groups: financial institutions and small businesses. 

Financial Institutions
Banks, credit unions, and other lenders must now comply with the new data collection and reporting requirements outlined in Section 1071. They must collect and report data about small business owners when these businesses apply for credit. The requirement applies to institutions of all sizes, with specific compliance deadlines depending on their transaction volumes.

Small Businesses
Businesses with gross annual revenues of $5 million or less are directly impacted by Section 1071. When applying for credit, they must provide detailed information, including: 

• Gross annual revenue.
• Owner’s demographic information, including race, ethnicity and gender.
• Business size and type, such as the number of employees and whether it is a sole proprietorship, partnership or corporation.
• Purpose of the credit application, such as working capital, equipment purchase or expansion.
• Location of the business, including the state and zip code.

When Does Section 1071 Go into Effect and Who Needs to Comply?

Section 1071 became effective 90 days after its publication, on June 28, 2023. However, the CFPB adjusted the compliance timelines, organizing them into tiers based on the volume of covered transactions to small businesses that a lender handled over the prior two calendar years. These covered transactions encompass any extensions, renewals or modifications of credit extended to small businesses.

Here’s how the reporting deadline tiers break down:

• July 18, 2025: Institutions with 2,500 or more covered originations.
• June 1, 2027: Institutions with at least 500 covered originations.
• June 1, 2027: Institutions with at least 100 covered originations.

It’s important to note that nonprofit organizations and governmental entities are not considered small businesses under this rule.

What Data Needs to Be Collected and Reported?

Under Section 1071, financial institutions must collect and report specific data points for small business credit applications. 

These include:

• Demographic information of the principal owners, including race, ethnicity and sex.
• Whether the business is minority-owned, women-owned or LGBTQI+-owned.
• The type and purpose of the credit being applied for, such as working capital, equipment purchase or business expansion.
• The amount of credit applied for and the amount approved or originated.
• The action taken on the application and, if applicable, reasons for denial.
• The census tract of the applicant’s principal place of business.
• The applicant’s gross annual revenue.

Prepare For Section 1071 With FileInvite

Section 1071 brings new challenges, but financial institutions can navigate these requirements effectively with the right tools and preparation. FileInvite offers customizable workflows and secure data management, ensuring seamless compliance and efficient data collection. With FileInvite, both financial institutions and small businesses can confidently meet regulatory standards without overburdening their staff or exceeding their budgets.