Compliance Blog

May 24, 2023
Categories: Business Lending

CFPB Guide Helps Readers Parse Section 1071 Final Rule

As many readers know, the CFPB’s section 1071 final rule was a long time coming – nearly 13 years. The CFPB dropped its 918-page section 1071 proposed rule in early September 2021. NAFCU’s comments can be found here. On March 30, 2023, a day before the publication deadline set by a California federal district court in July 2022, the CFPB issued its marginally slimmer 888-page section 1071 final rule as well as a handful of companion resources, including an executive summary and a key dates chart. We’ve previously blogged about the final rule here, and NAFCU has also published a final regulation summary here (NAFCU members only).

While the final rule’s official commentary includes some helpful examples, they are scattered through a document that is hefty enough to prop open a walk-in freezer. Many readers will likely benefit from also reading the CFPB’s comparatively shorter section 1071 companion resources, which now include a Small Entity Compliance Guide.

Though the guide purports to include “a detailed summery of the final rule’s requirements”, no one responsible for ensuring their credit union is section 1071-compliant should rely on the guide exclusively (or, similarly, treat this post as a substitute for the guide). That said, most readers are likely to find the guide and its supplemental explanations of many of the examples from the final rule’s official commentary helpful in answering both common operational questions and helping map out and guide their credit union’s small business lending programs. Let’s dig in.

Covered Financial Institutions

Section 1071’s statutory text defined a “financial institution” to include an expansive list of different types of entities that may engage in small business lending. The law did not, however, set a loan-volume threshold or establish another metric by which the CFPB was to collect small business lending data. In many ways, the world was the CFPB’s oyster on this point. NAFCU pushed back against the CFPB’s proposal to define a covered financial institution as any that originated at least 25 covered credit transactions for small businesses in each of the two preceding calendar years. In its section 1071 final rule, the CFPB adopted a 100 loan-volume threshold.

If readers take away only one thing from this post, it should be this – only a financial institution’s originations of covered small business credit transactions count towards its loan-volume threshold. A financial institution’s originations of other types of credit transactions and small business applications for covered credit transactions, alone, do not.

Some credit unions have such robust small business lending programs that their clearing this still-too-low 100 loan-volume threshold is obvious. But, given the final rule’s adoption of a NAFCU-suggested tiered loan-volume mandatory compliance timeline, the guide’s explanations of whether and when various small business lending transactions count towards a credit union’s loan-volume threshold, will likely be helpful even for those at credit unions who originate roughly 2,500 covered credit transactions each year. For those at credit unions closer to the 100 loan-volume threshold, the guide makes clear when a financial institution could be a covered financial institution in one year but not the next and how to calculate the loan-volumes of merged financial institutions under various scenarios.

Importantly, the guide also highlights and explains examples of covered credit transaction originations involving multiple financial institutions. Because only the last financial institution with the authority to set the transaction’s material terms must count the origination towards its loan-volume threshold, readers should review the relevant example in this section.         

 Covered Credit Transactions

The final rule’s definition of a covered credit transaction is extremely broad and includes such minor transactions as small business credit card limit increases and a variety of small business loan refinancings. But credit unions should explore the final rule’s short list of excluded transactions, and the guide provides fuller explanations of excluded trade credit, incidental credit, and HMDA-reportable transactions, among others.

Small Businesses

The CFPB adopted its proposed $5 million gross annual revenue threshold. That threshold may be adjusted for inflation in $500,000 increments, at the CFPB’s discretion, every five years following the first potential adjustment that could become effective in January 2031. A covered financial institution may generally rely on an applicant’s self-provided gross annual revenue when determining whether an applicant is a small business. But, if the applicant provides updated information or the financial institution verifies the applicant’s gross annual revenue during the application process, the financial institution must use the updated or verified gross annual revenue information.

Application Procedures

Covered financial institutions must collect and report section 1071 data for covered applications to the CFPB, but covered financial institutions have some discretion in establishing their small business lending application procedures. The guide covers a range of what are and are not covered applications, including multiple requests by applicants and requests by multiple co-applicants, as well as the regulatory guardrails that limit covered financial institutions’ procedural discretion in this area.

Demographic Information and Other Reportable Data Points

The CFPB’s proposals surrounding covered financial institutions’ mandatory collection of applicants’ sensitive demographic information were among the very worst parts of the early section 1071 rulemaking process. NAFCU unequivocally opposed any requirement that any covered financial institution’s employees be required to guess an applicant’s race, ethnicity, gender, or other sensitive demographic information based on visual observation or surname if an applicant declines to provide the information. Thankfully, the CFPB largely dropped that proposal. Yet, covered financial institutions still face significant challenges in how they will be required to collect, report, and store applicant’s reportable demographic information.

The guide provides examples of how covered financial institutions must design, implement, and audit procedures reasonably intended to collect this information from applicants as well as how applicants’ demographic information must generally be shielded from underwriters and stored separately from applicants’ other reportable section 1071 data.

In total, there are 20 reportable section 1071 data points, and many of those data points require that covered financial institutions also report second-level application data. The guide provides in-depth examples of most of these primary and second-level reportable section 1071 data points. These examples are likely to be particularly important when credit unions are working through seemingly straightforward but sometimes Gordian knot-like questions such as, “What amount did the applicant apply for?”, “The applicant identified an ethnicity but then checked ‘Decline to Identify’. What do we report?”, or “How many owners does the applicant have?” Spoiler alert – readers should not assume they can simply split the difference on any of these questions.

Readers with still unanswered regulatory questions may submit questions directly to the CFPB here. Additionally, NAFCU-member credit unions can receive answers to their compliance questions within one business day be emailing


Just Released! Get 2023 Credit Union Compliance Roadmap for your ENTIRE CU! 

The 2023 Credit Union Compliance Roadmap simplifies complex CU regulations into easy-to-understand language. Updates include NCUA supervisory priorities for 2023, revised regulatory thresholds, CUGMA proposed rule, and more. Try a sneak peek for free