Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

CFPB Small Business Lending Data (Section 1071)

Final rule governing data collection and reporting

KPMG Regulatory Insights

Regulatory attentions on small businesses at both the federal and state levels put forth “consumer protection-like” requirements/expectations. The release of the long-anticipated Dodd-Frank-required “1071 data” collection rule serves to reinforce the focus on small businesses in addition to the significant data collection, data quality, and regulatory reporting requirements and associated analytics (similar to mortgage lending reporting under the Home Mortgage Disclosure Act (HMDA)).  This final rule will subject small business lending to additional supervision under other historically “consumer” laws and regulations. Heightened risk and compliance areas requiring business and risk management include: data (accuracy, privacy, security); fair lending; community development; UDAAP; KYC/AML; operational procedures/training, disclosures; models; and technology (systems upgrades, constraints, reporting).   

April 2023

The Consumer Financial Protection Bureau (CFPB) has issued its final small business lending rule, which amends Regulation B to implement changes to the Equal Credit Opportunity Act (ECOA) made by Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the rule requires covered financial institutions to collect and report to CFPB data on applications for credit for small businesses, including those that are owned by women or minorities.

The final rule is substantially similar to the proposal with some modifications including:

  • An increase to the qualifying origination threshold for “covered financial institutions” from 25 to 100 “covered credit transactions.”
  • Adoption of a phased implementation schedule, with compliance for the largest covered financial institutions to begin October 2024.
  • A requirement that applicant’s “protected demographic information” is to be provided by the applicant; the proposed requirement for loan officers was not adopted.
  • Exclusion of loans reportable under HMDA from the data collection and reporting requirements.

The final rule will become effective ninety (90) days after publication in the Federal Register.

Highlights from the final rule are outlined below.


  • “Covered financial institutions” means any financial institution (“partnership, company, corporation, association (incorporated or unincorporated), trust, estate, cooperative organization, or other entity that engages in any financial activity”) that originated at least one hundred (100) “covered credit transactions” for small businesses within each of the preceding two years (up from the twenty-five (25) transactions in the proposed rule).
  • “Covered credit transactions” means a transaction that meets the definition of business credit under Regulation B, such as loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural purposes and those that are also covered by HMDA). Certain exclusions apply to:
    • Trade credit, public utilities credit, securities credit, and certain incidental credit 
    • HMDA-reportable transactions
    • Insurance premium financing
  • “Small business” means businesses with annual gross revenues of $5 million or less in the previous fiscal year. (Note: the final rule applies to women-owned and minority-owned businesses that meet this definition of a small business; CFPB states that non-profit organizations and governmental entities are not small businesses as they do not satisfy the Small Business Administration’s (SBA) definition of “small business concern.”) The final rule anticipates updates to this size standard not more than every five years.
  • “Covered application” means an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. It does not include either reevaluation, extension, or renewal requests on an existing business credit account, or inquiries or prequalification requests.

Data Collection

The final rule identifies numerous data points that are required to be collected and reported, including:

  • Information generated by the financial institution, including unique identifier, application date, application method, application recipient, action taken, action date, amount approved, denial reason (if applicable), and pricing information (interest rate, total origination charges, broker fees, initial annual charges, prepayment penalties).
  • Information provided by the applicant or that the financial institution can determine from information provided by the applicant, including information about the:
    • Credit being applied for (credit type, credit purpose, and amount requested)
    • Applicant’s business (census tract, gross annual revenue, NAICS code, number of workers, time in business, number of principal owners.)
  • Information about the demographics of the applicant’s principal owners, including minority-owned business status, women-owned business status, and LGBTQI+-owned business status (a new data point that expands from SBA), and the ethnicity, race, and sex of the applicant’s principal owners (collectively, “protected demographic information”). In addition:
    • The final rule includes a sample data collection form, which collects principal owners’ ethnicity and race using aggregate categories and disaggregated subcategories and enables principal owners to self-describe their sex and other demographic information. Note, the final rule did not adopt the proposed requirement to collect this information via visual observation or surname if an in-person applicant did not provide the information for any principal owners.
  • Covered financial institutions must not discourage applicants from responding to requests for applicant-provided data and must maintain procedures to collect applicant-provided data at a time and in a manner that are reasonably designed to obtain a response. At a minimum, these provisions should seek to ensure that:
    • The initial request for applicant-provided data occurs prior to notifying an applicant of the final action taken on an application.
    • The request for applicant-provided data is prominently displayed and presented.
    • Applicants are not discouraged from responding to such requests.
    • Applicants can easily respond to such requests.
  • Covered financial institutions are permitted to rely on information provided by an applicant or appropriate third-party source but are required to report verified information if choosing to verify applicant-provided information.
  • The final rule generally permits the reuse of certain previously collected applicant-provided data to satisfy the requirement to collect and report certain data points, only if:
    • The data was collected within thirty-six (36) months of the current covered application.
    • The financial institution has no reason to believe the data are inaccurate.

Reporting, Publication, Data Access, and Recordkeeping

  • Calendar year data collection is required with reporting to CFPB by June 1 of the following year. CFPB has provided a Filing Instructions Guides on its website, here.
  • Data provided to the CFPB will be made publicly available through the CFPB’s website, subject to certain modifications or deletions as determined by the CFPB to “balance” the privacy risks to applicants/borrowers and the disclosure benefits (to include facilitating enforcement of fair lending laws and enabling the identification of business and community development needs and opportunities for small businesses). CFPB states that it “will determine what, if any, modifications and deletions are appropriate after it obtains a full year of data.”
  • The final rule requires limiting access to applicants’ data, particularly the applicant’s “protected demographic information” (minority-owned, women-owned, and LGBTQI+-owned business statuses and principal owners’ ethnicity, race, and sex), and prohibits employees and officers of a covered financial institution or its affiliate from accessing the information if that employee or officer is involved in making any determination concerning the applicant’s covered application (referred to generally as a “firewall”). Likewise, employees and officers are prohibited from disclosing applicants’ data to other parties, except in limited circumstances.
  • The final rule requires:
    • Retention of copies of small business lending application registers and other evidence of compliance for at least three (3) years after the application register is required to be submitted to the CFPB.
    • Maintenance of applicants’ responses regarding “protected demographic information” separate from the rest of the application and accompanying information.

Effective Date and Compliance Date Tiers

  • The final rule is effective ninety (90) days after publication in the Federal Register. However, compliance with the final rule is not required at that time. Below are summaries of when different compliance date tiers become effective for various companies:
    • “Tier 1” - A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024, if it originated ≥ 2,500 covered credit transactions in both calendar years 2022 and 2023.
    • “Tier 2” - A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025, if it meets all of the following:
      • Originated ≥ 500 covered credit transactions in both 2022 and 2023.
      • Did not originate 2,500 or more covered credit transactions in both 2022 and 2023.
      • Originated ≥ 100 covered credit transactions in 2024.
    • “Tier 3” - A financial institution must begin collecting data and otherwise complying with the final rule on January 1, 2026, if it originated ≥ 100 covered credit transactions in both 2024 and 2025.
  • Note: The initial data submissions from Tier 1 and Tier 2 financial institutions to CFPB will only cover data collection from their respective compliance dates through the end of the relevant calendar years.
  • Note: CFPB intends to provide a 12-month grace period from these compliance dates in which it will generally not require data resubmission or assess penalties with respect to errors in the data submissions covering the first 12 months of data collected (for example, for Tier 1 institutions, the grace period will cover the 3 months of data collected in 2024 and 9 months of data collected in 2025). Any examinations of these initial data submissions will consider the good faith efforts of the financial institutions to comply with the data collection and reporting requirements and will assists financial institutions in diagnosing compliance weaknesses.

Dive into our thinking:

CFPB Small Business Lending Data (Section 1071)

Download PDF

Explore more

Get the latest thinking from KPMG

KPMG Regulatory Insights comprise key industry practitioners and regulatory advisors from across the KPMG global network.

Thank you

Thank you for subscribing to Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest thinking from KPMG

KPMG Regulatory Insights comprise key industry practitioners and regulatory advisors from across the KPMG global network.

Please enter your information to receive KPMG Regulatory Insights updates.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.