CFPB Proposes Revised Small Business Lending Data Collection Rule

The Consumer Financial Protection Bureau (“CFPB”) has issued a new proposed rule that would substantially revise the 2023 small business lending data collection and reporting rule (discussed in our previous advisory) under the Equal Credit Opportunity Act and Regulation B, which implements Section 1071 of the Dodd-Frank Act (“Section 1071”). The CFPB is reconsidering coverage of certain credit transactions and financial institutions; the small business definition; inclusion of certain data points and how others are collected; and the compliance date. These changes would substantially reduce the regulatory burden on banks as compared to the 2023 rule.

A. Overview

The CFPB believes that a potentially long-term data collection regime should start with a focus on core lending products, lenders, small business, and data points. More specifically, the CFPB believes in retrospect that the approach it took in the 2023 final rule – a broad initial coverage of lenders, products, small businesses and data points – was not conducive to the long-term success of the data collection regime under Section 1071. As a result, the CFPB now believes that a better, long-term approach to advance the statutory purposes of Section 1071 would be to commence the collection of data with a narrower scope to ensure its quality, and to limit, as much as possible, any disturbance of the provision of credit to small businesses.

B. Proposed Changes

Covered Credit Transactions

The CFPB believes that the initial iterations of data collection under the rule should focus on the core, widely used lending products most likely to be foundational to small businesses’ formation and operation. The CFPB therefore proposes to exclude merchant cash advances, agricultural lending, and small dollar loans from the definition of covered credit transaction to help ease the initial period of data collection, while seeking to minimize disruptions and regulatory complexity in the credit markets subject to Section 1071.

Covered Financial Institutions

The CFPB believes that the initial iterations of data collection under the rule should focus on larger core lenders. The CFPB therefore proposes two changes to the covered financial institution definition: first, to exclude farm credit system lenders from coverage; and second, to raise the origination threshold from 100 to 1,000 covered credit transactions for each of two consecutive years.

Small Business

The CFPB believes that the focus of the rule, at least initially, should be truly small businesses. The CFPB therefore proposes to change the gross annual revenue threshold in the rule’s definition of small business from $5 million or less to $1 million or less.

The CFPB will retain the use of a simple, broad definition of a small business across industries but is proposing to change the gross annual revenue threshold from $5 million or less to $1 million or less, and to make conforming changes throughout the regulatory text and commentary. The CFPB is seeking Small Business Administration approval for this alternate small business size standard pursuant to the Small Business Act.

Data Points

The CFPB believes that the initial iterations of data collection under the rule should focus on core data points and be consistent with other executive agency directives concerning the collection of demographic data.

The CFPB therefore intends to focus data collection on data points specifically identified in Section 1071 and a limited number of other data points needed to facilitate the collection of these statutory data points (e.g., NAICS code, time in business, number of principal owners). The CFPB proposes to remove the discretionary data points in the 2023 rule for application method, application recipient, denial reasons, pricing information, and number of workers, noting that these data points are not statutorily required and are not otherwise relied upon by or intertwined with the statutorily required data points.

Demographic collection would also change in two ways. First, consistent with Executive Order 14168, the proposed rule would remove LGBTQI+‑owned business status and require collection of principal owners’ sex using a static male/female choice, replacing free‑form text asking the applicant to state their “sex/gender.” Second, while the rule would still require race/ethnicity for principal owners, the CFPB seeks comment on whether to move from disaggregated subcategories to only aggregate categories in the initial build to reduce complexity. The right for applicants to refuse to provide demographic information would be more prominent in the rule text and sample forms, and the firewall notice remains — applicants must be informed if underwriting staff will access the demographic responses.

Time and Manner of Data Collection

The CFPB proposes changes to the provisions on the time and manner of data collection, to remove certain requirements that are not statutorily required and appear to anticipate or presume non-compliance with the rule. Specifically, the 2023 final rule’s “anti‑discouragement” language specific to Section 1071 collection would be pared back. Institutions would still have to maintain procedures “reasonably designed to obtain a response,” but prescriptive expectations (e.g., monitoring low response rates as “indicia of discouragement”) would be removed or recast as guidance.

The CFPB also proposes to add a provision that would emphasize for applicants their statutory rights under the rule.

C. Compliance Date

The CFPB proposes to set a single compliance date – January 1, 2028 – for all institutions above the threshold in both 2026 and 2027.

D. Conclusion

The CFPB believes these proposed changes would streamline the rule, reduce complexity for lenders, and improve data quality, advancing the purposes of Section 1071 and complying with recent executive directives.

However, institutions must still collect and maintain statutory fields, keep demographic responses separate from application files, and provide firewall notices when applicable. The applicant’s right to refuse demographic questions is unchanged (and emphasized), and subpart A adverse action obligations remain intact. Even if denial reasons drop as a Section 1071 data field, lenders still must meet the business‑credit adverse action notice requirements for businesses under the revenue threshold in subpart A.

Comments on the proposed rule must be submitted to the CFPB by December 15, 2025.

This advisory is a general overview of the proposed rule and is not intended as legal advice. The proposed rule is very detailed and must be reviewed in its totality.

If you have any questions about the proposed rule or Section 1071 in general, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenllp.com, Elizabeth A. Murphy at (516) 296-9154, or via email at emurphy@cullenllp.com, David Curatolo at (516) 357-3773 or via email at dcuratolo@cullenllp.com, or Gabriela Morales at (516) 357-3850 or via email at gmorales@cullenllp.com.