Section 1071 whiplash: compliance timelines, stays, and what community banks should do next

How we got here (fast)

In March 2023, the CFPB finalized its small-business data collection rule under ECOA/Reg B (Dodd-Frank §1071), requiring covered lenders to collect and report application-level data, including demographics, on small-business credit. The Bureau’s landing page remains the single source of truth on rule scope and resources.

Litigation started almost immediately. In July 2023, a Texas federal district court enjoined enforcement for the plaintiffs and their members; by October 2023, the court expanded that relief nationwide, contingent on how the Supreme Court would rule in the separate CFPB-funding case, CFPB v. CFSA.

On May 16, 2024, the Supreme Court upheld the CFPB’s funding structure in a 7–2 decision, removing the existential question hanging over the agency and clearing the path for stayed rules to move forward.

Even so, the 1071 fight continued. In February 2025, the Fifth Circuit granted a stay pending appeal and then stayed further proceedings in the Texas Bankers Association case, relief that did not by itself rewrite compliance dates for the entire market but reinforced the need for the Bureau to reset the clock.

The CFPB hits pause, and promises a redo

To stabilize planning across the industry, the CFPB issued an Interim Final Rule (IFR) on June 18, 2025 to extend compliance dates, with a companion resource page for institutions sorting out tiering and timing. Then, on Oct. 2, 2025, the Bureau finalized those extensions via rulemaking and signaled adjustments to related date references in Regulation B.

At the same time, new leadership at the CFPB confirmed it will initiate a new 1071 rulemaking, acknowledging industry feedback and the practical impact of litigation delays.

For community banks, this combination (extended dates now, fresh rulemaking ahead) is the through-line: you have more time, but not an indefinite pass.

What the current timeline actually says

The October 2025 final rule keeps the three-tier structure but pushes each tier back roughly a year, and it explicitly allows early testing of demographic-data collection in advance of your mandatory start. The Federal Register summary is the authoritative reference; several industry briefs capture the same dates succinctly.

In plain language (as of the Oct. 2, 2025 final extension):

  • Tier 1 (largest reporters) – The Bureau allows testing of protected-demographic collection on/after July 1, 2025; mandatory data collection begins July 1, 2026; first report due June 1, 2027.
  • Tier 2 – Testing on/after Jan 1, 2026; collect Jan 1, 2027; report June 1, 2028.
  • Tier 3 (smallest covered) – Testing on/after Oct 1, 2026; collect Oct 1, 2027; report June 1, 2028.

(NB: A number of banks saw earlier interim dates in mid-2025 summaries; rely on the Oct. 2, 2025 final notice for the dates above.)

What the Fifth Circuit stays do and don’t do

It’s easy to over-generalize the February 2025 stays. The Fifth Circuit’s stay pending appeal is case-specific relief; it paused obligations for the parties in that litigation and propelled the CFPB to address timing for the broader market via rulemaking. The industry-wide effect you should anchor to, the dates your examiners will expect to see on your plan, is the CFPB’s finalized extension published Oct. 2, 2025.

One more moving part: a June 2025 Fifth Circuit order required the CFPB to brief its plans in the TBA case after the Bureau flagged, in the Federal Register, its intent to postpone compliance and restart rulemaking. That’s useful context for boards asking “why dates moved…again.”

What hasn’t changed (and what might)

The substance of 1071, including who’s covered, the data fields, the firewall, and the reporting construct, still derives from the March 30, 2023 final rule, pending whatever changes emerge from the new rulemaking. Banks should continue to plan against the current rule text, but with an eye on which elements are most likely to move in a refresh (e.g., application definition, data field calibrations, and firewall mechanics have been common pain points in comment letters).

Because the Bureau has affirmed it will re-open rulemaking, expect a notice of proposed rulemaking (NPRM) to surface that targets burden-heavy areas, potentially refining thresholds, clarifying what counts as a “covered application,” and smoothing operational kinks around demographic-data collection.

What a credible community-bank plan looks like now

Think of 1071 as a program, not a one-off sprint. With time restored, you can sequence work to reduce busy-work and vendor churn.

1) Freeze your timeline to the Oct. 2, 2025 calendar and brief the board.
Adopt the Tier 1/2/3 dates above in your project plan, with explicit milestones for testing, collection go-live, and first filing. Document the litigation context and the CFPB’s final extension so your plan reads coherently in exams.

2) Lock your tier and volume assumptions.
Tiering hinges on covered originations across specified look-back windows (e.g., 2022–2023, 2023–2024, or 2024–2025 depending on your tier). Many banks under- or over-count because of application/denial handling and product scoping. Validate counts now and memorialize your methodology.

3) Decide your “system of record” and vendor posture.
With ISO 20022-like schemas and granular fields (ownership, principal owners, pricing terms, action taken), you’ll need a durable data flow from intake to reporting. Whether you rely on your LOS, a middleware layer, or an external reporter, require field-level mapping, change-control, and audit trails in contracts.

4) Pilot demographic-data collection (firewall included).
Use the testing windows the CFPB explicitly allows (e.g., Tier 1 may test on/after July 1, 2025). Run “clean-room” trials on the demographic-data request and firewall, including what frontline staff see and don’t see before credit decisions. Train to the script.

5) Write exceptions playbooks now.
The hardest part of first filings isn’t the happy path; it’s “incomplete applications,” withdrawn files, pricing capture on renewals, and small-ticket products. Build exception codes, QA sampling, and attestations into BAU.

6) Track the re-opened rulemaking and keep a delta log.
When the CFPB’s new NPRM drops, run a redline-to-program: what changes field counts, workflow, or taxonomy? Keep a delta log so you can adjust your build once, not repeatedly.

Bottom line

Section 1071 is being re-sequenced. The good news is you finally have a stable set of extended compliance dates anchored by an Oct. 2, 2025 final rule and a clear signal that the Bureau will revisit pain points through new rulemaking. Use the breathing room to finish the unglamorous work: validate tiering, harden data flows, pilot the firewall and scripts, and stand up exception handling. When the NPRM arrives, you’ll be calmly adjusting a live program.
