Section 1071 of the Dodd-Frank Act, implemented by the CFPB's final rule issued in 2023, establishes significant new data collection and reporting requirements for small business lenders. For lenders already using or evaluating alternative data sources in their small business underwriting — including cash-flow based decisioning tools — the rule introduces obligations that need to be designed into the decisioning workflow from the start, not retrofitted after the fact.
The interaction between 1071 reporting requirements and alternative data underwriting is not always intuitive. This article walks through the key obligations, where the compliance risks concentrate, and what thoughtful workflow design looks like for lenders using cash-flow decisioning APIs in small business lending.
What Section 1071 Actually Requires
Section 1071 amends the Equal Credit Opportunity Act to require covered financial institutions to collect and report data on applications for credit from small businesses, including women-owned and minority-owned small businesses. The goal, as articulated in ECOA Section 704B and affirmed in the CFPB's final rule, is to facilitate enforcement of fair lending laws and enable the identification of business and community development needs.
The data points that must be collected and reported include:
- Application date and amount requested
- Credit type, purpose, and amount approved (if applicable)
- Action taken and action taken date
- Census tract of principal place of business
- Gross annual revenue of the applicant
- NAICS code
- Number of workers
- Time in business
- Demographic information: race, sex, and ethnicity of principal owners (collected on a voluntary self-identification basis from the applicant)
- Whether the applicant is a minority-owned, women-owned, or LGBTQI+-owned business
The rule applies to covered financial institutions that originated at least 100 covered small business credit transactions in each of the two preceding calendar years. The compliance tiers and implementation dates vary by origination volume, with larger lenders having earlier compliance deadlines. Lenders in the coverage threshold should treat 1071 compliance as an active obligation if they have not already begun implementation.
How Alternative Data Workflows Interact With 1071 Reporting
The 1071 rule creates three areas of compliance intersection for lenders using cash-flow decisioning APIs in small business lending.
First, the action taken field. Section 1071 requires reporting of action taken on each covered application: origination, approval not accepted, denial, withdrawn by applicant, file closed for incompleteness, etc. When the action taken is a denial or counteroffer, the reason(s) for that action must be reported — and the rule specifies a set of denial reason categories. Where a cash-flow decisioning API is the source of the adverse decision, the reason codes from the API must map cleanly to the 1071 denial reason categories. This requires deliberate mapping between the API's reason code library and the 1071 enumerated reasons: "Insufficient cash flow / insufficient liquidity" is explicitly one of the 1071 denial reason categories, which means cash-flow models that produce this reason code as output are well-positioned for 1071 compliance if the language mapping is done correctly.
Second, the demographic data firewall. One of the most operationally sensitive requirements in 1071 is the firewall between demographic information collected for 1071 reporting and the decisioning process. The CFPB's rule requires that the demographic data not be accessible to the personnel making or influencing credit decisions during the underwriting process. For automated decisioning systems — including cash-flow APIs — this requires confirming that the API does not receive demographic data as an input. If demographic data is collected by the LOS for 1071 purposes before the API is called, the integration architecture must ensure the API call does not transmit that data.
Third, coverage determination. Not all lending products or borrowers that appear "small business" are necessarily covered by 1071. The rule applies to credit for business purposes for businesses with gross annual revenue under $5 million in the preceding fiscal year. A solo gig economy worker applying for a personal loan is not covered; an LLC with $800,000 in annual revenue applying for a working capital line is. Lenders with mixed consumer/small business portfolios need clear procedures for determining whether a given application falls within 1071's coverage scope.
Data Quality: Why 1071 Requires Getting Cash-Flow Audit Logs Right
Section 1071 examinations will include data quality review. CFPB examiners reviewing 1071 data will check whether reported denial reasons are consistent with the lender's internal documentation and whether the data reflects actual decisioning patterns or post-hoc rationalization.
For lenders using cash-flow APIs, this means the API's decision log must be treated as a regulatory record, not just an operational log. Every API decision that contributes to a 1071-reportable outcome needs to be preserved in a format that supports reconstruction of the decision: what data was input, what features drove the output, what reason codes were generated, and what action was taken based on that output. A well-designed cash-flow decisioning platform produces this log natively as part of its audit trail capability. Lenders should verify before deployment that the API's audit log output is structured to support 1071 examination requirements, not just Regulation B adverse action documentation.
A Realistic Small Business Lender Scenario
Consider a CDFI that provides small business loans in the $10,000-$100,000 range to entrepreneurs in low-income urban communities. A significant portion of its borrower population consists of micro-businesses operating as sole proprietorships or single-member LLCs — businesses with two to five employees, annual revenues under $500,000, and owners who are personally thin-file for credit bureau purposes even though their business generates consistent cash flow.
The CDFI integrates a cash-flow decisioning API to supplement its judgmental underwriting. The API processes the business's bank account transaction history — 24 months of deposits, recurring obligation payments, and liquidity patterns — and returns a business cash-flow score. The CDFI also collects 1071 required data at the application stage, with demographic information captured on a separate screen with a firewall from the underwriting team's system view.
At year-end, the CDFI prepares its 1071 filing. The API's audit logs provide the denial reason data for declined applications. The compliance team maps each API reason code to the relevant 1071 category. The data is submitted. A regulator reviewing the CDFI's 1071 data can observe the approval rates by demographic group and examine whether the cash-flow-based denial reasons are consistent across groups — exactly the transparency the statute is designed to produce.
What Alternative Data Providers Should Have Ready for 1071
For lenders evaluating cash-flow decisioning vendors specifically for small business lending workflows, 1071 compliance support is a non-negotiable due diligence criterion. The specific capabilities to verify:
- Does the API's reason code library map to 1071 denial reason categories? The CFPB's enumerated categories include "insufficient cash flow/insufficient liquidity" — does the vendor's reason code library use compatible language?
- Does the API accept — or risk accepting — demographic data as input? The firewall requirement demands a clear data architecture boundary.
- Does the audit log support 1071 data quality examination? Can the lender reconstruct any decision, including the full feature-level explanation, from the log?
- Has the vendor conducted disparate impact testing of the model on small business borrower demographics? 1071 data will make fair lending patterns more visible; vendors whose models have not been tested for disparate impact on protected class proxies will expose their lender customers to examination findings.
We're not suggesting that section 1071 compliance is the primary reason to adopt cash-flow underwriting for small business lending. The primary reason is better risk assessment for a population that FICO cannot score reliably. But a well-designed cash-flow underwriting system is also a better 1071 compliance system — because the detailed decisioning audit trail and transparent reason codes that make cash-flow models effective are exactly what 1071 examination requires. The compliance case and the business case point in the same direction.