On June 25, 2024, the Consumer Financial Protection Bureau (CFPB) published an interim final rule to extend the compliance deadlines for the Small Business Lending Rule (the “Rule”) following a long delay during which its implementation was uncertain. These new requirements should be a part of year-end planning for 2025 compliance obligations.

After the CFPB first issued the Rule on March 30, 2023, a federal district court in Texas ordered a nationwide injunction that stayed all deadlines for compliance until the Supreme Court could issue a decision on the case CFPB v. Community Financial Services Association of America, regarding the constitutionality of the CFPB’s funding structure. The Supreme Court issued its decision in May 2024, declaring the funding structure constitutional, and the CFPB extended the compliance deadlines by 290 days. The earliest compliance deadline, which is for lenders with the highest volume of small business loans, is now July 18, 2025, extended from Oct. 1, 2024.

The Rule requires certain financial institutions to collect and report data regarding business credit applications from small businesses and implements the small business lending data collection requirements in Section 1071 of the Dodd-Frank Act (Section 1071), which amended the Equal Credit Opportunity Act (ECOA). The Rule applies to a wide range of lenders in the credit industry who make commercial loans (covered financial institutions), which include banks, savings associations, credit unions, nonbank lenders, online lenders, platform lenders, CDFIs, Farm Credit System lenders, lenders involved in equipment and vehicle financing, commercial finance companies, government lending entities, and nonprofit lenders. Motor vehicle dealers are excluded from coverage.

With reporting requirements similar to those for mortgage loans under the Home Mortgage Disclosure Act (HMDA), the Rule’s stated purpose is to facilitate the enforcement of fair lending laws and to enhance business and community development opportunities for small businesses, including businesses that are owned by women and minorities. Just as HMDA data helped to increase transparency and address discriminatory practices in the mortgage industry, the Rule is intended to be a tool to help prevent discrimination against small businesses when trying to access credit.

Under the Rule, data points from certain small business credit applications must be compiled and reported to the federal government. These data points include a unique identifier for a given application, the application date, application method, action taken by the financial institution, denial reason (if applicable), credit type, credit purpose, amount applied for, pricing information such as interest rate, census tract, gross annual revenue for the preceding fiscal year, number of people working for the applicant, and the amount of time the applicant has been in business.

Covered financial institutions must also report demographic information collected from the applicant about the applicant’s minority-owned, women-owned, and LGBTQI+-owned business status, as well as the applicant’s principal owners’ ethnicity, race, and sex. Financial institutions are required to ask an applicant to provide this demographic information but cannot require it and must inform the applicant that it cannot discriminate based on the information. Financial institutions are prohibited from discouraging applicants from responding to requests for demographic data and must maintain effective procedures to address signs of potential discouragement, including low response rates. The CFPB has stated that it intends to use its enforcement and supervisory authority to ensure that lenders do not discourage applicants from providing responsive data. Each affected institution will need to determine, with the advice of counsel, the most effective and efficient way to collect this information and how best to provide the required notices to applicants.

The Rule applies to covered financial institutions that originated at least 100 “covered credit transactions” for small businesses in each of the two preceding calendar years. A “small business” is defined as a business that has a gross annual revenue of $5 million or less for its preceding fiscal year. Non-profit organizations and governmental entities are not “small businesses” covered by the Rule, and therefore, their data is not reportable.

The “covered credit transactions” that must be reported are extensions of business credit, as defined in Regulation B, which is credit primarily for business or commercial (including agricultural) purposes, such as loans, lines of credit, credit cards, and merchant cash advances. There are a number of credit transactions that are excluded from coverage and do not have to be reported, which are trade credit, insurance premium financing, incidental credit, factoring, true leases (rather than finance leases), purchases in an interest in a pool of credit transactions, as well as a variety of other, more complex transactions.

Because of its potential overlap with HMDA, which requires reporting of both consumer-purpose and business-purpose mortgage loans that are secured by a lien on a dwelling, HMDA-reportable transactions are also excluded under the Rule. In other words, if a transaction is a “covered loan” under HMDA, it does not need to be separately reported under Section 1071.

To determine if it is covered under the Rule, a financial institution must count the number of covered credit transactions it originated for small businesses in the preceding two calendar years. In simple terms, financial institutions must report their data if they originated at least 100 covered credit transactions to small businesses in each of the previous two calendar years. As an example, if a lender originated 105 covered transactions in 2025 and 95 covered transactions in 2026, it would not be a covered financial institution for 2027 because it did not originate at least 100 covered transactions in 2026. Therefore, it is not obligated to compile and report data for 2027.

The CFPB intended the Rule to protect the privacy of applicants’ demographic information by prohibiting certain employees or officers of a financial institution from accessing it, which is referred to as a “firewall.” Specifically, employees or officers that are involved in underwriting or making credit decisions are prohibited from accessing an applicant’s responses about whether it is a minority-owned business, a women-owned business, or an LGBTQI+ owned business, and the ethnicity, race, and sex of the applicant’s principal owners, unless it is determined for business purposes that the employee or officer should have access to that information, and notice is provided to the applicant.

Covered financial institutions will need to report the data annually, on or before June 1, following the year the data is compiled or maintained (i.e., data collected for 2025 must be reported by June 1, 2026). Data must be reported on a data submission platform in a small business lending application register (LAR), which will be in a format prescribed by the CFPB. The CFPB will make the data available to the public on an annual basis. Notably, covered financial institutions must publish a statement on their publicly available website stating that their small business lending application register is available from the CFPB.

The required implementation dates for the Rule have a tiered timeline, based on an institution’s volume of covered originations from each of the preceding two calendar years. The interim final rule has extended these deadlines, and has given financial institutions the option to use their covered origination volume from either calendar years 2023 and 2024, or 2022 and 2023, to determine their compliance deadlines.

Compliance Tier	Original Compliance Date	New Compliance Date	First Filing Deadline
Tier 1: financial institutions that originated at least 2,500 covered originations in each of the previous two calendar years.	Oct. 1, 2024	July 18, 2025	June 1, 2026
Tier 2: financial institutions that originated at least 500 but less than 2,500 covered originations in each of the previous two calendar years.	April 1, 2025	Jan. 16, 2026	June 1, 2027
Tier 3: financial institutions that originated at least 100 but less than 500 covered originations in each of the previous two calendar years.	Jan. 1, 2026	Oct. 18, 2026	June 1, 2027

Covered financial institutions should be planning now for the ways their businesses may need to adapt in order to effectively collect and maintain the data required. Taft is advising clients to conduct a full risk assessment of their reportable small business lending data, assess what resources and infrastructure are needed for implementation of the Rule, and determine their mandatory compliance date as soon as possible. Most lenders will need to implement new software and technology, create new policies and procedures, train staff, and build out robust processes to collect and report the data.

For now, Taft expects that the Rule will increase enforcement activity and will become a regular part of fair lending examinations, as the CFPB has stated that the data will be used to select institutions for monitoring, examination, or investigation. Many financial institutions have voiced criticism about overreach by the CFPB, the burdensome costs to lenders offering small business credit, and the privacy risks of making such information available to the public. There exist a number of lawsuits challenging the Rule, and the CFPB’s enforcement priorities under the new Trump administration are yet to be known. Taft will continue to monitor the outcome of these cases and updates by the CFPB.