CFPB Final Rule Narrows Small Business Lending Data Collection Requirements

The CFPB’s 2026 Final Rule marks a strategic retreat from the expansive 2023 data‑collection framework, responding to industry pushback over reporting burdens. By lifting the origination threshold to 1,000 loans and narrowing the small‑business definition to $1 million in revenue, the agency retains oversight of roughly 92 percent of small‑business loan volume while sparing many community banks and credit unions from costly data‑gathering systems. Excluding Farm Credit System lenders, agricultural financing, merchant cash advances, and sub‑$1,000 loans further concentrates the rule on core commercial credit, aligning the scope with the CFPB’s stated incremental approach.

The rule also streamlines reporting requirements, eliminating five discretionary fields such as application method, denial reasons, pricing details, and worker counts. Lenders now focus on a core set of identifiers, loan terms, and aggregate demographic categories, reducing the operational complexity of data collection and firewall management. The shift to binary sex reporting and the removal of LGBTQI⁺ status reflect a narrower statutory interpretation, though it may raise concerns among advocacy groups seeking broader equity insights. Nonetheless, the retained firewall and error‑tolerance safe harbors preserve key consumer‑protection safeguards.

Compliance timelines give institutions a clear runway: a single start date of Jan. 1, 2028 and a 12‑month grace period for good‑faith errors. This window allows banks to reassess coverage status, update underwriting workflows, and test vendor solutions before mandatory filing in June 2029. While the final rule eases immediate pressures, the CFPB’s commitment to a phased, HMDA‑style data regime suggests future expansions in coverage and data granularity, making early preparation essential for long‑term regulatory readiness.