On May 1, 2026, the CFPB has issued a revised final rule under Section 1071 of the Dodd-Frank Act. The Bureau stated that the revised rule is intended to improve data quality, reduce compliance burden, and minimize disruptions to small business lending markets.

The CFPB concluded that the original 2023 rule took an overly broad approach to covered lenders, products, and data points. The revised rule instead focuses on a more limited set of core lending activities and institutions, with the expectation that the program may be further refined over time based on early implementation experience.

Key changes in the final rule include the following:

• Covered credit transactions

• Limits data collection to core, widely used small business lending products

• Excludes the following from coverage:

• Merchant cash advances (MCAs)

• Agricultural lending

• Small dollar loans

• Covered financial institutions

• Narrows the scope of lenders subject to reporting requirements

• Excludes Farm Credit System (FCS) lenders

• Raises the origination threshold from 100 to 1,000 covered credit transactions per year (for two consecutive years)

• Includes conforming changes to enforcement provisions, including bona fide error standards

• Small business definition

• Revises threshold for what qualifies as a small business

• Lowers gross annual revenue cap from $5 million to $1 million or less

• Data points required

• Focuses reporting on statutorily required core data points

• Removes several discretionary data elements, including:

• Application method

• Application recipient

• Denial reasons

• Pricing information

• Number of workers

• Revises demographic and ownership reporting requirements to align with executive branch directives and improve consistency

• Time and manner of data collection

• Removes certain procedural requirements deemed non-essential to statute

• Clarifies statutory rights for applicants participating in data collection

• Compliance timeline

• Extends compliance date to January 1, 2028 for all covered financial institutions

• Introduces transition flexibility for institutions that may fall into coverage over time

• Establishes a grace period from January 1, 2028 through December 31, 2028

• Privacy and Data Publication Considerations.

  • The CFPB also revisited its approach to privacy and data publication under Section 1071. The Bureau emphasized that it has not yet finalized decisions regarding:

• The timing of application-level data publication

• The methodology for privacy-based modifications or deletions

• The procedural framework for finalizing its privacy analysis

While the Bureau previously indicated it may publish aggregate data early in the implementation process, it has now committed to addressing privacy and publication issues through a future notice-and-comment rulemaking after collecting at least one year of data. The Bureau also reiterated that data alone will not be used to determine fair lending compliance and must be evaluated alongside broader underwriting and pricing considerations.

The final rule can be found here.