Section 1071 Final Rule: What you need to know
... for those institutions who fall within the rules’ scope, it will still be quite the mountain to climb until compliance day.”
Whether you were counting down the minutes until its release or hoping it would be put off as long as possible, it’s finally here — the Section 1071 Final Rule. The Final Rule caps a more than 10-year wait from the enactment of the original statute that prescribed these requirements in the 2010 Dodd-Frank Act, and it was released a mere day before the CFPB’s publication deadline.
Surprisingly, perhaps, there were several changes from the Proposed Rule to the Final Rule that should provide some much-needed relief to community banks. However, the majority of the rules were finalized as proposed, so for those institutions that fall within the rules’ scope, it will still be quite the mountain to climb until compliance day.
What changed?
According to the CFPB, the changes reflect the consideration of more than 2,100 public comments on the Proposed Rule, as well as extensive public input predating the proposal.
Threshold increase
Undoubtedly, the biggest and most welcome change in the proposal is the threshold increase. Whereas the Proposed Rule called for institutions to be covered when making as few as 25 covered loans per year, the Final Rule increases this all the way to 100 per year. To be clear, this still covers a large majority of bank small business lending, and those under the threshold should note that the CFPB made clear that “Lenders originating less than 100 loans per year will still be required to adhere to fair lending laws.” Of course, we always knew that banks are subject to fair lending laws regardless of the number of loans originated, but the question will be how the CFPB and/or other regulators may interpret this assertion in this new Section 1071 world.
Phased implementation
Probably the second most welcome change is the phased implementation, which means that even for those institutions that are covered, some do not have to collect and report until 2026 and 2027, respectively. Specifically, the Final Rule includes compliance date “tiers” for when a covered financial institution must begin collecting and reporting data. See Figure 1.
Even if your institution originated fewer than 100 covered originations in 2022 or 2023, if you originate at least 100 covered originations in 2024 and 2025, you still must collect and otherwise comply with the rule starting on January 1, 2026.
Additionally, the bank must have a method to determine how many covered credit transactions it originated in order to determine its appropriate compliance tier. If the bank happens to not have the readily available information needed to make this determination, the Final Rule says that it can use “any reasonable method to estimate its covered originations” for 2022 and 2023, and provides several examples of this.
| Tier |
Annual originations in 2022 & 2023 |
Data collection start date |
Data reporting start date |
| Tier 1 |
2,500 or more covered credit transactions |
October 1, 2024 |
June 1, 2025 |
| Tier 2 |
500 - 2,499 covered credit transactions |
April 1, 2025 |
June 1, 2026 |
| Tier 3 |
100 - 499 covered credit transactions |
January 1, 2026 |
June 1, 2027 |
Figure 1
Visual observation requirement
A third important change from the Proposed Rule is that the bank will no longer be required (or allowed) to collect a business owners’ demographic information by way of visual observation or surname. This made many breathe a huge sigh of relief, as the idea of trying to collect ethnicity and race through these means raised a variety of concerns during the time of the Proposed Rule. So, under the Final Rule, this information will only be able to be collected directly from the applicant(s) and not through any other means.
What data points does this cover?
It is interesting that the original 2010 Dodd-Frank statute which enacted the 1071 rule required 13 data points, which have now ballooned in the Final Rule to be reportable through 81 data fields. One notable change in the data points for the final rule is the addition of “LGBTQI+” business status. Whereas in the Proposed Rule there were two separate data points for business status, the Final Rule just includes one data point for business status that encompasses all three of these:
… The Bureau notes that proposed § 1002.107(a)(19), “women-owned business status,” has been combined with proposed § 1002.107(a)(18), “minority-owned business status,” and the final § 1002.107(a)(18) 274 data point now addresses “minority-owned, women-owned, and LGBTQI+-owned business statuses.” As a result, the data points in proposed § 1002.107(20) and (21) have been renumbered as final § 1002.107(19) and (20) …
p. 274: https://files.consumerfinance.gov/f/documents/cfpb_1071-final-rule.pdf
What transactions are covered?
Covered credit transactions
Very generally, a covered credit transaction is an extension of business credit under Regulation B, but with certain exclusions, some specifically for purposes of Section 1071.
Despite the length of this list of exclusions, the definition is still extremely broad and covers a wide variety of transactions, including closed-end loans, open-end lines of credit, credit cards, merchant cash advances and various credit products used for agricultural purposes.
Covered originations
A very important thing to note in this area is that “covered originations” for purposes of determining institutional coverage and compliance dates is narrower than the above. A common question we have been getting on the Hotline is whether extensions and renewals should be counted. For this purpose, extensions, renewals and certain other loan amendments are not considered covered originations even if they increase the credit line or credit amount of the existing transaction.
What else to think about?
Firewall
A very unique aspect of this rule is the so-called “firewall” provision. In general, employees and officers should be prohibited from accessing the following responses if that employee or officer is involved in making any determination about the application:
-
The applicant’s minority-owned, women-owned and LGBTQI+-owned business statuses; and
-
Its principal owners’ ethnicity, race and sex.
There are limited exceptions to this firewall requirement, including a notice allowance. The Final Rule also prohibits the bank from disclosing this demographic information to other parties with limited exceptions.
Safe harbors
The Final Rule has a safe harbor for certain incorrect census tracts, NAICS codes and application dates. It also has a safe harbor regarding incorrect determinations of small business status, covered credit transactions and covered applications.
For example, if the bank initially concludes that an applicant is a small business, but later concludes the applicant is not a small business, the bank would not be in violation if, at the time the bank collected the demographic data, it had a “reasonable basis for believing that the application was from a small business.”
Action plan
There are a variety of questions and action steps our members should be considering, such as:
-
Is the bank covered under the new Final Rule? If so, what is the bank’s mandatory compliance date?
-
How will this affect the bank’s Compliance Management System (CMS)? What policies, procedures and other governance documents may need to be amended?
-
Is everyone well informed of the changes?
-
What type of training is planned and for whom?
-
What do the bank’s business lending processes look like currently and what change management will be required to implement these changes correctly and in a timely manner?
-
Has the bank established relationships with any vendors? Do the modules or other software offered need to be tailored to meet the bank’s needs?
-
What will the bank be employing for data integrity purposes?
-
What does a tailored project implementation plan look like for my institution?
Other resources
The CFPB published other accompanying materials.
One is a Fact Sheet, that outlines the history of the Section 1071 rulemaking and the various policy objectives driving it.
Another is a Policy Statement which indicates “… the CFPB intends to focus its supervisory and enforcement activities … on ensuring that covered lenders do not discourage small business loan applicants from providing responsive data, including … ECOA-mandated demographic data requests …”
The CFPB also published a Filing Instructions Guide, which provides an overview of the filing process, instructions for what to enter in each data field, validation requirements that must be met before the register can be filed, and additional resources to assist with inquiries.
A Data Points Chart provides a visual guide to the various data point fields and their respective regulatory references, along with a brief description and filing instructions for each.
An Executive Summary lays out an overview of the main facets of the Final Rule. Compliance Alliance will be publishing its own summary of the Final Rule very soon.