Impact of updates to Section 1071 on small business lending

Financial institutions should begin preparing for changes

While the Consumer Financial Protection Bureau (CFPB) finalizes its September 2021 notice of proposed rulemaking (NPRM) implementing small business lending data collection requirements as part of Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, financial institutions should take tactical next steps now to prepare for the final rule. Explore what’s changing and the next steps for firms.

Why prepare for Section 1071 updates now

With the CFPB soon finalizing Section 1071, financial institutions should consider acting now, especially if they are not experienced with the requirements around the Home Mortgage Disclosure Act (HMDA) and the regulatory expectations for collecting and reporting timely, accurate, and complete data. Though the issuance of the final rule is not expected until March 2023, financial institutions’ compliance with the changes will require a major transformation effort across people, process, and technology.

What’s changing?

The NPRM includes adding a new subpart (subpart B) to the Equality Credit Opportunity Act (Regulation B) to implement Section 1071’s requirements. The proposed requirements would apply to “covered financial institutions” that engage in small business lending and would require the collection and reporting of data on loan applications. And the NPRM would enable the first comprehensive database of small business credit applications in the United States, allowing regulators to identify and address fair lending concerns related to small businesses.

The data points

The NPRM outlines a comprehensive listing of more than 20 specific data points as well as supplemental data elements that covered financial institutions would be required to collect, and report related to their small business lending process.

  • Data elements the financial institution would provide or generate include unique identifiers for the covered application such as date, application method, and recipient. The action taken by the covered financial institution on the application, and applicable data of action would also be included. If the application is denied, a denial reason data point would be required, and if the application was originated or approved, data points related to pricing information would be required.
  • Data elements that could be provided by the application include data points that could be determined by reviewing the information provided by the applicant. This includes details of the credit being applicable for and applicable information related to the applicant’s business.
  • Data points related to the demographics of the applicant’s principal owners or ownership status include the business’s status as a minority or women-owned business and the principal owner’s ethnicity, race, and sex. These applicant details would likely be requested by the covered financial institution.

It includes an expectation for covered financial institutions to not only maintain procedures to collect applicant-provided data, but also maintain specific protocols to limit access to certain data related to covered applications. It also outlines the CFPB’s plans to enable submission of the data and its related availability to the public on an annual basis.

Key considerations for financial institutions

As a first step, institutions may consider establishing an enterprise project management office (EPMO) to lead the project plan development process. As they begin to determine the impacts, covered financial institutions should consider the following:

  • Establish data capabilities and enabling technology: The proposed data points for collection and reporting may require enhancements to small business loan applications and corresponding systems to properly capture and ingest the data elements. Additionally, covered financial institutions may also need to enhance existing data models to translate the data elements across multiple systems, including ensuring there are proper back-end data validation processes in place. These data and technology changes will also require updates to first-line business processes and related documentation as well as establishing new controls and reporting routines.
  • Integrate within fair and responsible banking risk management programs: Covered financial institutions may need to take a closer look at existing fair and responsible banking processes to identify potential revisions. Specifically, it may be necessary for potential enhancements to existing processes and related procedures to align with the required data capture and reporting requirements. Covered financial institutions should also consider developing or revising protocols that limit access to data, in alignment with the propped firewall provisions and required retention requirements. Front-line representatives will also need training on changes to the loan application process and the importance of nondiscriminatory practices in small business lending.
  • Oversight coordination across the three lines: The proposed changes will also result in impacts to covered financial institutions’ oversight and testing programs for all three lines. The first line should consider updating existing testing programs to ensure proper oversight of potential discriminatory practices, while the second line may need to revise existing fair lending testing programs (e.g., matched pair testing, mystery shopping, application survey tests). Additionally, the third line should conduct independent testing of processes to ensure proper oversight of data collection and reporting requirements.

To gain an in-depth understanding of how these changes can impact your organization and how you can prepare, download our report now.

Get in touch

Thomas Nicolosi
Principal | Deloitte & Touche LLP

John Graetz
Principal | Deloitte & Touche LLP

Deepak Ramakrishnan
Principal | Deloitte & Touche LLP

Paul Sanford
Independent Senior Advisor to Deloitte & Touche LLP

Shaun Nabil
Managing Director | Deloitte & Touche LLP

Jessica Golden
Manager | Deloitte & Touche LLP

Chandni Patel
Senior Consultant | Deloitte & Touche LLP


Deloitte Center for Regulatory Strategy

Irena Gecas-McCarthy
Principal | Deloitte & Touche LLP

Michele Jones
Senior Manager | Deloitte Services LP

Kyle Cooke
Senior Regulatory Analyst | Deloitte Services LP

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?