CFPB 1071 Effective June 30, 2026: NC SMB Lending Impact

CFPB Section 1071 final rule takes effect today, June 30, 2026. NC SMB lending data, who is covered, what to do. Call (336) 886-3282.

TL;DR: The CFPB's revised Section 1071 small business lending data collection rule takes effect today, June 30, 2026, with mandatory data collection beginning January 1, 2028 (Federal Register, May 1, 2026). The new rule raises the covered-lender threshold tenfold from 100 to 1,000 originations annually, drops depository coverage by roughly 90% and non-depository coverage by about 95% per the CFPB's own estimates (Mayer Brown analysis), and excludes Farm Credit System lenders entirely. NC community banks, credit unions, CDFIs, and online lenders need to confirm whether they're still in scope and build the data-pipeline, security, and reporting infrastructure now — not on December 31, 2027.

Key takeaway: Even with the 90% coverage drop, every remaining covered NC lender is on the hook for collecting up to 81 demographic and underwriting data points per small business loan application, securing that data, reporting it to the CFPB annually, and surviving a grace period that ends December 31, 2028. The technology gap between "compliant" and "audit-ready" is large — and most community lenders have not started.

Need help scoping CFPB 1071 data, security, and reporting infrastructure for your NC community bank, credit union, or CDFI? Preferred Data Corporation provides managed IT, cybersecurity, and compliance support for NC financial institutions. Call (336) 886-3282 or request a 1071 readiness review.

What is CFPB Section 1071 and what changed June 30, 2026?

Section 1071 of the Dodd-Frank Act requires covered financial institutions to collect and report data on credit applications from small businesses, including women-owned and minority-owned businesses. The revised final rule, published May 1, 2026 in the Federal Register and effective June 30, 2026 (CFPB final rule page), narrows the scope of the original 2023 rule that was repeatedly delayed and litigated.

Per the Federal Register notice and Mayer Brown's May 2026 analysis, the three structural changes are:

  • Origination threshold raised from 100 to 1,000 small business credit originations in each of the two preceding calendar years for a lender to be a "covered financial institution."
  • Farm Credit System lenders excluded entirely. Per Arnold & Porter's May 2026 advisory, the FCS exclusion removes a sector that would otherwise have been a major data submitter.
  • Single compliance date of January 1, 2028 for all covered institutions, replacing the original 2023 rule's tiered, origination-volume-based timeline.

The CFPB's own coverage estimates (Greenberg Traurig May 2026 alert) project that depository coverage falls by roughly 90% and non-depository coverage by about 95% under the revised rule.

Is my NC community bank, credit union, or CDFI still covered?

You are covered if you originated 1,000 or more small business credit transactions in each of the two preceding calendar years (2026 and 2027) and you are not a Farm Credit System lender. Per the Consumer Financial Protection Bureau's 1071 rule page and the Congressional Research Service R47788 report, the covered-institution test:

  • Counts small business credit originations only, not consumer loans, residential mortgages, or HELOCs, and not credit transactions to large businesses (over $5M gross annual revenue).
  • Applies a two-year lookback, so a lender that crosses 1,000 originations in a single year does not become covered until it has crossed 1,000 in both of the two preceding years.
  • Excludes any Farm Credit System lender regardless of origination volume.

For NC SMB-facing lenders, the practical effect:

| Lender type | Likely 1071 coverage | What to do |
|---|---|---|
| Large NC regional bank | Covered | Build full 1071 pipeline now |
| Multi-county NC community bank | Likely covered if 1,000+ orig/year | Confirm 2-year history; scope build |
| Single-county NC community bank | Often below threshold | Verify originations; document exclusion |
| NC credit union (large) | Possibly covered | Run the count, then decide |
| NC credit union (small) | Often below threshold | Verify and document |
| NC CDFI | Depends on volume | Run the count by year |
| Farm Credit System lender | Excluded by rule | Document the FCS exclusion |
| NC fintech / online SMB lender | Likely covered if volume crossed | Build full pipeline |

What data do covered NC lenders have to collect and report?

Up to 81 data points per small business credit application across application, underwriting, pricing, demographics, and decisioning categories. Per the CFPB Section 1071 final rule page and the Schneider Downs May 2026 implementation analysis, the data categories include:

  • Application identifiers: Unique application identifier, application date, application method, application receipt date.
  • Credit and credit terms: Credit type, credit purpose, amount applied for, amount approved or originated, action taken and date, denial reasons, pricing (interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances), term, MSA/MD of business location.
  • Business demographics: NAICS code, number of workers, time in business, six-digit NAICS, gross annual revenue.
  • Owner demographics: Number of principal owners, ethnicity, race, sex of principal owners — collected on a "voluntary, applicant self-reported" basis with strict firewalling from underwriters.
  • Other: Census tract of the business, originator identifier, application channel, denial reason codes.

Quotable definition: CFPB Section 1071 turns every covered small business credit application into a data submission to the federal government. The technology problem is not the form — it's the pipeline behind the form: capture, validate, secure, segregate (so the underwriter never sees the demographic data), retain, and report annually with auditable evidence.

Need to scope the data-pipeline, segregation, and reporting infrastructure for your NC community lender? Call (336) 886-3282 or book a 1071 technology readiness review.

When do I have to be ready, and what's the grace period?

Mandatory data collection starts January 1, 2028, with a one-year grace period through December 31, 2028, during which the CFPB will not assess penalties for data errors if the lender makes good-faith efforts. Per Cherry Bekaert's May 2026 alert and the Consumer Finance Monitor's May 22, 2026 write-up:

  • June 30, 2026: Final rule effective. Coverage determination clock starts.
  • 2026-2027: Lenders run 2-year origination counts to confirm coverage status.
  • 2027 (full year): Build, test, and dry-run the data pipeline. Train front-line lending staff. Validate firewall between application data and underwriting.
  • January 1, 2028: Mandatory collection begins. Grace period for data errors active.
  • December 31, 2028: Grace period ends. Full enforcement on data accuracy.
  • 2029 onward: Annual reporting at full enforcement. Examiners on the floor.

The realistic build window for an NC community lender is 18-24 months. Most community lenders running on legacy loan origination systems (LOS), branch-based application capture, or paper-based small business loan applications need every month of that window.

What does CFPB 1071 actually demand from a lender's IT stack?

It demands a verifiable, segregated, audited data flow from application capture through CFPB submission, with a firewall between demographic data and underwriting decisions. Per the Carlton Fields 2026 implementation guidance on parallel SEC/CFPB rulemakings and the CFPB 1071 rule guides, the realistic IT requirements are:

  1. Application capture system that records the application date, method (in-person, online, phone, mail), and receipt date for every small business credit request — including denied-on-the-spot conversations. Most community lenders do not currently capture the "informal inquiry" channel at all.
  2. Demographic data segregation in storage and presentation. The principal owner's ethnicity, race, and sex must be collected after the application is otherwise complete, stored separately from the underwriting record, and not visible to the underwriter at decision time. This is a real database-schema and access-control problem, not a checkbox.
  3. NAICS code validation at six-digit precision, with edit-checks against the business's reported activity.
  4. Pricing and fees data capture that breaks out interest rate, origination charges, broker fees, initial annual charges, and MCA additional cost in a way the CFPB's edit-checks will accept.
  5. Action taken data flow that records the date and reason for denial, withdrawal, or incomplete application — with denial reason codes mapped to the CFPB's taxonomy.
  6. MSA/MD and census tract enrichment for business location, using a maintained geocoding service.
  7. Annual submission pipeline to the CFPB's filing portal, with internal QA before submission and re-filing workflow for corrections.
  8. Retention, audit trail, and examiner access. Multi-year retention with an audit trail every examiner can pull on demand.
  9. Information security. Per the FTC Safeguards Rule 2023 amendments and parallel federal banking guidance, the demographic data collected under 1071 is sensitive customer data — MFA, encryption at rest and in transit, access logging, and 30-day breach notification all apply.

Key takeaway: A lender that treats 1071 as a forms-and-PDF problem will fail the first examination. A lender that treats it as a data-pipeline-with-segregation-and-security problem will pass.
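
The segregation in item 2 and the access logging in items 8 and 9, as an added example (not code from the CFPB or from Preferred Data Corporation): demographic rows live in their own table, can only be written once the application is marked complete, and every read attempt is logged whether or not it is allowed. The table names, role names, and `Store1071` class are hypothetical, and in-memory SQLite stands in for the lender's database.

```python
import sqlite3

# Hypothetical roles and table names, constructed for this example. In a real
# deployment the role comes from the authenticated session and the database's
# own grants back up this application-layer check.
READERS = {"underwriting": {"underwriter", "compliance"},
           "demographics": {"compliance"}}  # underwriter is deliberately absent

class AccessDenied(Exception):
    pass

class Store1071:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE underwriting (app_id TEXT PRIMARY KEY, naics TEXT,
                amount_applied INTEGER, complete INTEGER DEFAULT 0);
            CREATE TABLE demographics (app_id TEXT PRIMARY KEY,
                ethnicity TEXT, race TEXT, sex TEXT);
            CREATE TABLE access_log (ts TEXT DEFAULT CURRENT_TIMESTAMP,
                actor TEXT, role TEXT, tbl TEXT, app_id TEXT, allowed INTEGER);
        """)

    def add_application(self, app_id, naics, amount):
        # Format check only; matching the code to business activity is separate.
        if not (naics.isascii() and naics.isdigit() and len(naics) == 6):
            raise ValueError("NAICS code must be six digits")
        self.db.execute("INSERT INTO underwriting (app_id, naics, amount_applied)"
                        " VALUES (?, ?, ?)", (app_id, naics, amount))

    def mark_complete(self, app_id):
        self.db.execute("UPDATE underwriting SET complete = 1 WHERE app_id = ?", (app_id,))

    def add_demographics(self, app_id, ethnicity, race, sex):
        row = self.db.execute("SELECT complete FROM underwriting WHERE app_id = ?",
                              (app_id,)).fetchone()
        if not row or not row[0]:  # unknown or still-open application
            raise ValueError("demographics are collected only after completion")
        self.db.execute("INSERT INTO demographics VALUES (?, ?, ?, ?)",
                        (app_id, ethnicity, race, sex))

    def read(self, actor, role, tbl, app_id):
        allowed = role in READERS[tbl]  # KeyError for any table not listed above
        # Record every attempt, refused ones included, for the audit trail.
        self.db.execute("INSERT INTO access_log (actor, role, tbl, app_id, allowed)"
                        " VALUES (?, ?, ?, ?, ?)", (actor, role, tbl, app_id, int(allowed)))
        self.db.commit()
        if not allowed:
            raise AccessDenied(f"role {role!r} may not read {tbl}")
        return self.db.execute(f"SELECT * FROM {tbl} WHERE app_id = ?", (app_id,)).fetchone()
```

Querying `access_log` for rows with `allowed = 0` surfaces underwriter attempts to reach the demographic table, which is the evidence an examiner would ask for.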

What should an NC community lender do in the next 60 days?

Run a four-step coverage and readiness sprint that turns the 18-month build window into a manageable plan. The plan:

  1. Count originations for 2025 and 2026 (week 1-2). Pull small business credit origination counts by year. Confirm whether the lender crosses 1,000 in both years. Document the count methodology for the examiner file.
  2. Inventory the application-to-submission data flow (week 2-4). Walk every small business credit channel — branch, online, broker referral, phone — and map the data captured today against the 81 data points under 1071. Identify gaps, paper-based steps, and channels not currently logged.
  3. Scope the segregation and security build (week 4-8). Per the FTC Safeguards Rule 30-day notification requirement and the parallel federal banking guidance, the demographic segregation and information-security control work is the largest line item. Decide: build inside the existing LOS, buy a 1071 module, or stand up a parallel pipeline.
  4. Build the 2027 dry-run plan (week 8-12). Set a January 1, 2027 internal data-collection start date. Run a full year of shadow collection before the 2028 live deadline. Use the year to fix edit-check errors without regulatory consequence.

Ready to scope your NC community lender's 1071 readiness? Call (336) 886-3282 or book a 1071 technology readiness review.

How does Preferred Data Corporation help NC community lenders prepare?

PDC has been an IT and compliance partner to NC small businesses since 1987, working with NC community banks, credit unions, CDFIs, and financial services firms on data infrastructure, cybersecurity, and regulatory technology. We bring four things to the 1071 readiness conversation:

  • Managed IT services: Predictable monthly support for the LOS, core banking, data warehouse, and reporting pipelines that 1071 sits on top of.
  • Managed cybersecurity services: Sensitive-data access logging, MFA enforcement, encryption at rest and in transit, and 24/7 monitoring sized for community-lender budgets — aligned with the FTC Safeguards Rule and parallel federal banking expectations.
  • Software development: Custom data-segregation, application-capture, and reporting workflow built when off-the-shelf 1071 modules do not fit the lender's LOS or core banking system.
  • AI transformation: Document-extraction and edit-check automation that turns paper-based small business loan applications into structured 1071 data without re-keying.

For NC community banks in High Point and the Piedmont Triad with 1,000+ small business originations, credit unions in Greensboro and Winston-Salem with growing SMB lending lines, and CDFIs in Charlotte and Raleigh serving minority- and women-owned businesses, the 1071 readiness window is now. PDC's compliance team will scope the IT, data, and security work needed to make the 2028 deadline a non-event.

Ready to make sure your NC lender's 2026-2028 1071 plan is technology-ready? Call (336) 886-3282 or book a 1071 readiness review.

Frequently Asked Questions

When does CFPB Section 1071 actually take effect?

The revised final rule is effective June 30, 2026 (today). Mandatory data collection starts January 1, 2028, and the one-year grace period for data errors runs through December 31, 2028. Per the Federal Register notice, full enforcement on accuracy begins January 1, 2029.

Who is exempt from CFPB 1071 under the revised rule?

Any lender that did not originate at least 1,000 small business credit transactions in each of the two preceding calendar years, and every Farm Credit System lender. Per Arnold & Porter's May 2026 advisory, the CFPB projects depository coverage drops by ~90% and non-depository coverage by ~95% versus the 2023 rule.

What is the difference between the 2023 and 2026 1071 rules?

The 2023 rule covered any lender originating 100+ small business credit transactions and used a tiered compliance timeline based on origination volume. The 2026 rule raises the threshold to 1,000, excludes Farm Credit System lenders, and consolidates compliance to a single January 1, 2028 date. Per the Consumer Finance Monitor write-up, the goal was to reduce community-lender burden while keeping data collection at the systemically significant lenders.

How does 1071 interact with the FTC Safeguards Rule or state breach notification?

The demographic data collected under 1071 is sensitive customer data. Per the FTC Safeguards Rule notification requirement now in effect, unauthorized acquisition of 500+ consumers' unencrypted information triggers a 30-day notification to the FTC. State breach laws stack on top. A 1071 data spill is not a paperwork incident — it is a breach event.

Do I have to capture small business applications I deny on the spot?

Yes. The CFPB explicitly includes denied-on-the-spot conversations as covered if the inquiry rises to the level of an application as defined under Regulation B. Per the CFPB final rule page, the "no informal channel" practice is one of the biggest gaps community lenders need to close before 2028.

What happens if my origination count crosses 1,000 mid-cycle?

The two-year lookback means a single-year spike does not automatically make you covered. Per the Congressional Research Service R47788 report, you become covered when you have crossed 1,000 in each of the two preceding calendar years. A lender hovering near the threshold should still build the pipeline — the build is what takes 18-24 months, not the regulatory determination.
