Small business lending data collection rules are changing

In May 2023, the Consumer Financial Protection Bureau (CFPB) published a final rule to amend Regulation B. The provisions in that rule established requirements for certain financial institutions to collect and report certain small business loan data to the CFPB. The new data collection and reporting provisions would create the first comprehensive database of small business credit applications in the United States.

In July 2024, in light of ongoing litigation, the CFPB issued an interim final rule to amend its 2023 final rule. This rule extended the compliance dates and made other date-related conforming adjustments. Then, in November 2025, the CFPB published a proposed rule to make additional amendments to address the concerns of the plaintiffs in the pending lawsuits.

In May 2026, the CFPB issued another final rule amending coverage of certain transactions and institutions, data points and the compliance date.

To what financial institutions does this rule apply?

Under previous iterations of this rule, the CFPB based institutional coverage on a threshold of 100 covered credit transactions in each of the prior two calendar years.

However, as a result of the May 2026 rule, this was amended to reflect that a “covered financial institution” refers to a financial institution, other than a Farm Credit System lender, that originated at least 1,000 covered credit transactions for small businesses in each of the two preceding calendar years.

See other information on definitions provided below.

What is the compliance date for this rule?

In earlier rulemaking, the CFPB established a tiered approach to compliance dates based on loan volume. However, as a result of the May 2026 rule, the tiered approach was replaced with one compliance date of January 1, 2028, for all covered financial institutions.

This means that a covered financial institution that originated at least 1,000 covered credit transactions for small businesses in 2026 and 2027 is to comply with this rule beginning January 1, 2028.

A financial institution that did not originate at least 1,000 covered credit transactions for small businesses in 2026 and 2027 but subsequently originates 1,000 such transactions in two consecutive calendar years shall comply with this rule no earlier than January 1, 2029.

What are the special transitional rules?

The provisions include three special transitional rules that are available for an institution, as follows:

• An institution that reasonably anticipates it will be a covered financial institution as described above is permitted but not required to collect information regarding whether an applicant for a covered credit transaction is a minority-owned business and/or a women-owned business and the ethnicity, race and sex of the principal owners beginning 12 months prior to the compliance date (subject to certain requirements).
• An institution that is unable to determine the number of covered credit transactions it originated for small businesses in each of calendar years 2026 and 2027 for purposes of determining its covered financial institution status, because information is lacking to make a determination, is permitted to use any reasonable method to estimate its originations to small businesses for either or both of the calendar years 2026 and 2027. The Regulation B official interpretations to 1002.114(c) provides examples of reasonable methods.
• An institution may use an alternative time period for determining its covered financial institution status. The final rule permits an institution to use its originations of covered credit transactions in each of calendar years 2025 and 2026 in lieu of calendar years 2026 and 2027.

What applications and transactions are included in the scope of this rule?

As with any regulation, definitions are very important in clarifying what is included in the scope of new requirements. While the new rule contains several definitions, here are some highlights related to the scope of the rule, some of which were amended as a result of the May 2026 rule:

• Covered applications: An oral or written request for a covered credit transaction that is made in accordance with procedures used by the institution for the type of credit requested, except for reevaluation, extension or renewal requests on an existing business account unless additional credit amounts are requested. Inquiries and prequalification requests are not covered applications.
• Covered credit transactions: An extension of business credit that is not excluded. Excluded credit includes: Trade credit, HMDA-reportable transactions, insurance premium financing, public utilities credit, securities credit, incidental credit, merchant cash advances, agricultural lending and small-dollar business financing in an amount of $1,000 or less (which is subject to adjustment every five years after January 1, 2030).
• Small business: A business is a small business if and only if its gross annual revenue for its preceding fiscal year is $1 million or less. The gross annual revenue threshold will be adjusted every five years after January 1, 2030.

What data is to be compiled?

The rule contains regulatory provisions along with clarifying commentary related to the collection of certain data points of covered applications from small businesses. While covered financial institutions should review detailed specifics as included in the rule, the information provided below provides high-level descriptions. Also of note, the May 2026 final rule:

• Removed the following data points: Application method, application recipient, denial reasons, pricing information and number of workers. These data points no longer appear in the table below.
• Amended certain data points as indicated by the AMENDED reference included in the table below: These amendments were focused on the removal of information related to LGBTQI+ businesses, which were included in earlier iterations of the rule.
• Revised the sample data collection form: The revisions more prominently reflect that the applicant is not required to provide information, removed the question regarding LGBTQI+ status, removed the free-form field for sex/gender and removed the disaggregated race and ethnicity fields.

What do the firewall provisions require?

The regulation contains a general prohibition on access by an employee or officer who is involved in making any determination concerning the covered application to information regarding whether the applicant is a minority-owned and/or women-owned business and regarding the ethnicity, race and sex of principal owners.

The rule contains an exception to this prohibition. The exception can apply in instances where the institution determines that it is not feasible to limit access to the referenced information, and a notice has been provided to each applicant whose responses will be accessed. The notice informs the applicant that one or more employees or officers involved in making determinations concerning the application may have access to the applicant’s responses. While sample language is included in the sample data collection form in Regulation B, Appendix E, institutions are free to use different language.

• If the notice is provided orally, it must be provided prior to asking the business status and owner’s ethnicity, race or sex questions.
• If the notice is provided on the same paper or electronic form that collects such information, the notice must appear before the inquiries.
• If the notice is provided separately from the form that collects such information, the notice must be provided at the same time as the data collection form is provided or earlier.

What should a covered institution know about data reporting?

Covered institutions should be aware that data collected under this rule is subject to annual reporting, on or before June 1, following the calendar year for which the data are collected. Data is to be submitted in a format prescribed by the CFPB and shall be certified as to its accuracy and completeness.

Reported data will subsequently be made available to the public by the CFPB, subject to certain deletions or modifications. A covered institution is to make available to the public on its website or otherwise upon request a notice that the institution’s small business lending application register (SBLAR), subject to modifications, is or will be available from the CFPB. The institution’s notice is to be provided on its website when it submits an SBLAR and shall maintain it for as long as it has an obligation to maintain the SBLAR. The CFPB has provided language to use in satisfying this requirement within the regulation’s commentary to §1002.110(c).

Does the rule contain recordkeeping requirements?

Yes. An institution shall retain evidence of compliance, including a copy of its SBLAR, for at least three years after it is required to be submitted. The provisions also require that information related to the applicant’s status as a minority-owned and/or women-owned business, as well as ethnicity, race and sex information be maintained separately from the rest of the application and accompanying information.

Recommendations for next steps

By January 1, 2028:

1. Review the rules to determine potential applicability. Then, throughout the remaining steps below, consider budgeting additional staff and/or technological needs.
2. Review and update any existing Regulation B, business lending and record retention policies to coincide with the new rules. Updates should reflect policy-level information and designate the position responsible for overseeing the policy.
3. Work with business line(s) that receive covered applications and originate covered credit and determine the number of originated covered credit transactions in each of the calendar years 2026 and 2027, or for 2025 and 2026 as permitted. Based on the information, determine status as a covered financial institution.
4. Review small business application processes and availability of any loan operating system (LOS). If an LOS is currently being used, contact the platform provider to discuss their platform support of new data collection requirements. If no LOS is currently used for small business applications, consider obtaining one to support data collection.
5. Establish small business lending-related procedures to support compliance related to:
   • Application processes and use of sample data collection form (Regulation B, Appendix E).
   • Internal standards related to the collection and maintenance of required data points (this in-depth analysis should consider the delegation of responsibilities, determination of how unique identifiers are generated, determination of how certain fields will be addressed where options are available, information mapping and what technology will be used).
   • Determining firewall feasibility or whether the exception will be used by providing appropriate notice(s).
   • Required certification and annual submission of the SBLAR.
   • Required availability statements on the institution’s website or as requested.
   • Recordkeeping evidence of compliance in a manner required by the regulation.
6. Train staff on data collection processes and standards.
7. Implement internal controls to assess compliance with data collection and the accuracy and completeness of data points.

How Wipfli can help

We specialize in helping financial institutions comply with lending regulations. Let’s talk about how we can help your institution navigate today’s regulatory environment with confidence. Start a conversation.

Start developing a compliance plan

Read more

CFOs: If your bank is approaching $1 billion in assets, you can’t keep putting off FDICIA

The SBA is strengthening lending rules. What do financial institutions need to know?

Should more financial institutions offer student loan products? Here’s how to get started.