Section 1071: Key moment for FI’s and Fintech lenders

Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Section 1071) would be easy to see as yet another time-consuming compliance project. Smart institutions will see it as a moment to embrace the possibilities of data and technology.


Capitol dome

In a 2022 survey of banking leaders, 45% of respondents indicated their bank relies on outdated technology with 48% stating they are not effectively using/aggregating their bank’s data. Given that many banks use old, legacy core banking and loan origination systems, it’s unsurprising that so many banks face challenges with effective data management. New regulations under Section 1071 are creating a moment for financial institutions to reckon with how they will better leverage data and technology in the future.

What is Section 1071?

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) released its final rule implementing small business lending data collection requirements under Section 1071. The goal of the rule is to help facilitate the enforcement of fair lending laws and identify needs and opportunities for women-owned, minority-owned, and small businesses.

Key facts for financial institutions.

The CFPB has released thorough documentation of the regulations for banks and other financial institutions to follow. Below is a summary of key details.

Implementation deadlines

As part of the ruling, the CFPB created a tiered compliance schedule with the first tier required to begin data collection by Q4 of 2024. Each tier is based on the number of “covered originations” –a covered credit transaction– made to a small business including declined, withdrawn, and incomplete applications. Under the ruling, a small business is defined as any business that made $5 million or less in gross annual revenue from the preceding year. Note that credit renewals, extensions, and amendments are not counted as a covered origination.

The original deadline was set for data collection to begin in October 2024. The ruling was stayed last year pending a Supreme Court decision in CFPB v. CFSA. The Supreme Court decided on May 16, 2024, in favor of the CFPB. The CFPB has now issued an interim ruling pushing back the original deadlines 290 days with a first data collection date of July 18, 2025.

Data collection requirements

The rule requires the collection of specific data points under three categories.

Data points to be generated by the financial institution.

Data points to be provided by the applicant or a third-party source.

Data points to be collected based on demographic data.

Under the ruling, the financial institution must request demographic information but cannot require it. If an applicant declines to provide the information, the institution should report that the applicant declined. 

Some applicant-provided data points such as the NAICS code are notoriously difficult to collect accurately. The ruling does not require lenders to verify the accuracy of applicant-provided data including if that data is pulled from a 3rd-party source.

While banks are already documenting denial reasons under Adverse Action rules, banks who previously relied on oral notices and notations for businesses with $1 million in gross revenue or less will need to adapt their system to ensure all of the denial reasons are recorded consistently to make aggregating and reporting the information easier.

For those institutions engaged in partnerships with brokers or banking-as-a-service providers, ultimately it is the party responsible for setting the terms of the credit transaction (the financial institution) that will be required to collect and report data to the CFPB. That being said, fintech tools can be a powerful tool to help banks improve their data collection techniques by collecting and storing the data at the time and place that makes the most sense to the customer.

Firewall requirements 

Perhaps one of the more difficult requirements created by the rule, financial institutions are required to shield demographic data from underwriters. Today, most underwriters typically have access to the entire borrower file. To fully comply with the ruling, FIs will need to build new systems for collecting, storing, and reporting data. For smaller community banks, the firewall requirement creates a unique challenge since employees often serve multiple roles. If it’s determined that an employee in the loan decisioning process must view demographic data, the bank must give notice to the applicant. 

Current lawsuits and their implications.

Multiple lawsuits have been filed combatting the small business lending rule. On Oct. 26, 2023, a U.S. District Court in Texas issued a nationwide injunction prohibiting the rule’s implementation or enforcement, pending a ruling from the U.S. Supreme Court. Since the Supreme Court ruled in favor of the CFPB, all compliance deadlines have been extended based on how long the stay was in place. A Kentucky federal district court issued a similar injunction. In December 2023, the House voted to overturn the CFPB’s final rule, but the resolution was vetoed by President Biden. Congress is not expected to have the votes to override the veto.

Data requirements won’t be going away.

Regardless of ongoing litigation, data collection requirements are unlikely to disappear. A Thomson Reuters survey of compliance leaders found that 73% believe regulatory changes will increase over the next 12 months with only 2% expecting regulations to decrease.

Embracing data

If nothing else, this ruling should serve as yet another reminder to banks to upgrade outdated systems and start looking for ways to turn data collection into an asset instead of a burden. While the CFPB has its reasons for creating a database of relevant SMB data, banks already have extensive databases of highly valuable data waiting to be leveraged. Depositors’ transaction data can be analyzed not only to prequalify potential borrowers for a loan but also to provide more accurate and fairer underwriting decisioning for SMBs – the very area the CFPB is seeking to monitor more closely.

Technology upgrades

Much of the stir around Section 1071 has been around the implementation deadlines indicating the rules touched on another sore spot in the finance community- many systems are too clunky to adapt quickly to changing environments. Partnering with fintech companies that know how to build flexible systems can serve as a stopgap as banks adjust their in-house technology. 

Increasing oversight

While it hasn’t received as much attention, one key detail to note about Section 1071 is that it doesn’t just apply to traditional lenders. Non-traditional lenders, such as those that provide merchant cash advances, are also required to collect data under the ruling. While fintech lenders have avoided a lot of oversight in the past, this will likely be the first of many rules impacting them moving forward.

Leveraging partnerships to enable compliance.

Fintech partners can play a critical role in enabling compliance with the rule. Partners can help banks collect legally required information with less friction by collecting and storing the data at the time and place that makes the most sense for the customer. Demographic data can then be safeguarded and only shared with the lender when appropriate helping financial institutions meet firewall requirements. These partners may also be used as a central repository for collecting declination reasons and generating reports required under Section 1071. 

The opportunity in SMB lending.

A recent Lendio survey found that 84% of banks see SMB lending as a high priority; yet many banks struggle to scale SMB lending programs profitably due to manual systems and siloed datasets. While it may not be the original intention of Section 1071, the ruling may spur banks to adopt the systems they need to turn SMB lending into a powerful source of revenue. Read the entire small business lending survey here.

Discover how Lendio Intelligent Lending can increase your lending staff capacity.

Schedule a consultation or demo