Regulation Roundup: Navigating Dodd Frank Section 1071 Data Collection and Reporting Requirements in 2026

Hello, and thank you all for joining us today. My name is Kara Talcott. I am the Marketing Communications Coordinator here at Alligent. In today's webinar, we're going to walk through what the upcoming Dodd Frank Section ten seventy one changes mean for your institution and ways to reduce operational risk through more structured document and data management. Joining us today are Cameron Marks, our director of product management for FastStocks, and Jen Mitchell, our Director of Product Management for AccuAccount. If any questions come up today during the webinar, please feel free to type them into the chat box. We'll have a designated Q and A segment to answer any of those at the end. And with that, I'm gonna hand things over to them to kick it off. Thank you, Kara. So who is Alligent? Alligent has been serving financial institutions for decades, helping them modernize the entire transaction and information life cycle. We support banks and credit unions with scalable purpose built technology across payments, ECM, and loan management. With more than two hundred team members and over twenty five strategic partnerships, were committed to delivering secure, innovative solutions that evolve with regulatory and operational demands. So why Allergens? What sets Allogene apart is our ability to integrate seamlessly with more than one hundred and twenty five systems, our deep industry expertise, and our commitment to enterprise grade security. We also provide analytics that help institutions make smarter decisions and continuously innovate to stay ahead of regulatory changes. At this time, I'm gonna pass it over to Cam. So today's focus is on fair lending and how institutions can protect sensitive demographic information under Dodd Frank. Section ten seventy one introduces new data collection and reporting requirements. And with that comes the responsibility to manage access, maintain confidentiality and ensure accurate reporting. So section ten seventy one requires institutions to collect and report data on certain credit applications to the CFPB. The goal is to enforce fair lending laws and identify opportunities for businesses and community development. This includes strict rules about what information can be accessed, how it must be maintained and ultimately how it's reported. So the data points fall into three primary categories, application and credit transaction details, business attributes, and protected demographic information. With respect to application and credit transaction details, lenders must provide specific technical and logistical information about each request, a unique identifier, an alphanumeric code assigned to each application, application logistics, the date received, the method used, and the recipient, director, third party. The credit type and purpose. So the specific product they're applying for and how the funds will be used. Loan details, the amount that they applied for, the amount approved or originated, the loan terms and any guarantee types. Pricing information, competitive or comprehensive details for approved originated loans, including interest rates, origination charges, broker fees, and prepayment penalties. Then the action taken the final steps and the date of that action and denial reasons up to four reasons must be reported if an application is rejected. And then with respect to business attributes, this data describes the applicant's business characteristics. So geography, census track where the proceeds will be used, the industry, the North American industry classification system code, the company size, gross annual revenue from the prior fiscal year, and then operational details, the number of workers including full and part time and the business's total time and operation. And then with regard to protected demographic information. So this demographic data is particularly sensitive and institutions must ensure that it's handled appropriately. Sensitive data must be collected via self identification and lenders can generally not use a visual observation. In areas where we collect data now include the business ownership status, whether the business is minority owned, woman owned, or LGBTQIA plus owned. The principal owner data, the ethnicity, race, sex of each principal owner and the owner count, the total number of principal owners of the business. Additionally, institutions must limit access to demographic information such as minority owned, women owned, and LGBTQIA plus owned status, as well as race, ethnicity, and sex of principal owners. Maintaining strict access controls is essential for compliance and this information cannot be disclosed to underwriters or other parties involved in credit decisions. Now, as of November, twenty twenty five, the CFPB has proposed several changes. And some of those changes include the reduction in scope of the collected data, by removing some of the discretionary fields, adjusting demographic categories, including removing LGBTQIA plus own status and simplifying sex reporting. And then they're also considering aggregated race ethnicity reporting to reduce complexities. And these changes aim to simplify compliance while maintaining fair lending protections. So compliance and first filing deadlines are now tiered and they're based on loan origination volume. So for tier one, that tier includes two hundred or sorry, two thousand five hundred originations. Tier two is five hundred plus originations and tier three is a hundred plus in originations. So understanding your tiers critical for your planning, planning your implementation timeline, including the new compliance date and the first filing deadline. So collecting the data is only part of the challenge, managing it securely, whether on paper or electronically is where institutions face the greatest risk. So at this point, I'll hand over to Jen to talk about some of the processes in place for managing this data. Great, so first we're gonna talk about the paper process. On the surface, it gives us physical control when you have that paper, documents are stored in a secured location, and we can track who accesses them by log. But the risks here are significant. First, paper inherently limits visibility. Even with access logs, we don't have real time insight into who has viewed or copied that information. Second, full data access means anyone handling the documents can see everything. There's no way to segment or restrict sensitive content on those documents. The biggest exposure though is off-site storage. Anytime documents leave the building, whether for review, transport, or archiving, we introduce risk of loss, damage, or unauthorized access. And while we apply the data policy, enforcement is manual, inconsistent, and dependent on people following procedures perfectly. That's a fragile module. Now let's look a little bit at the electronic process using a shared drive or network drive at your institution. This option improves security in some ways. First, your digital controls allow us to lock down documents and manage access more precisely, but it also introduces its own risk. Shared drives often lack strong governance. Without strict permission, documents can be over shared or accessed by people who shouldn't see them. Full data access remains a concern here as well. Unless we implement granular controls, users may still see more information than necessary. There's also the risk of version sprawl, multiple copies, outdated files, and inconsistent application of the policy. And while the policy can be applied, shared drives don't enforce compliance automatically. They rely heavily on users to clarify to classify, store, and manage documents correctly, which creates operational and regulatory risk. This is where a purpose built software becomes essential. A centralized ECM or loan management system can enforce access, restrictions, automated workloads, and maintain complete audit trail, reducing compliance risk and operational burden. I'm gonna pass it back over to Cam for a slide, and then I'll be back to discuss the last slide. we take a look at what it takes to effectively manage a Dodd Frank section ten seventy one, an enterprise content management solution becomes a critical enabler. Section ten seventy one requires institutions to collect, maintain, and report on detailed application level data for small business lending. That means that we need absolute control over how documents are stored, accessed, and audited. ECM platform gives us exactly that. First, it provides centralized image and document management. All application materials, demographic data, supporting documents, and correspondence live in one governed repository. This eliminates the fragmentation that creates reporting gaps and compliance risk. Second, ECM gives us role based security and controlled viewing access. Section ten seventy one includes strict rules about who can see protected demographic information. With role based controls, we can ensure that only authorized users access sensitive fields while frontline staff remain shielded from the data they're not permitted to view. We also gain redaction tools, which are essential for ten seventy one workflows. These tools allow us to mask protected demographic information when documents are shared for underwriting quality control or audit review. And that reduces the risk of inadvertent exposure and supports the firewall expectations built into rule ten seventy one. Another major advantage is full audit logging and view history. Section ten seventy one requires institutions to demonstrate how data was handled, who accessed it, and when. ECM gives us a complete immutable audit trail, something manual or shared drive processes simply cannot deliver. Together, these capabilities directly support our ability to meet section ten seventy one's data collection, access control, and audit readiness requirements. So Jen will go ahead and give us an example of this process in practice. So looking at a use case here, let me walk you through how our section ten seventy one workflow operates inside our ECM suite and how it protects the institution while keeping the process simple for staff. So the first step is the customer application applied for the loan. It starts the moment a customer submits a loan application. As soon as the documents enter our system, it automatically organizes them into the correct loan file. This ensures we're capturing everything consistently from day one. Now, the demographic data is automatically segregated. We immediately place the demographic information into a restricted access tab. This is critical because section ten seventy one requires us to firewall demographic data from anyone involved in credit decisions. Loan officers and underwriters can still see the application itself, but they cannot access the demographic data. That separation happens automatically. No manual workarounds, no risk of accidental exposure. Next is compliance team reviews for accuracy. While the lending team continues their normal workflow, the compliance team has full access to the demographic information. They can review it for completeness and accuracy, verify that all required fields are captured, and ensure the data aligns with our reporting obligations. This keeps compliance and control of sensitive data without slowing down that lending process. Next, we have that full logging and audit trails. Every time someone accesses the demographic document, our system will log it. We know who viewed it, when they viewed it, and what actions they took. That level of transparency is essential for demonstrating that our firewall is working as intended. Of course, examiners access during the audit. When examiners arrive, we can provide them with controlled access to both the documents and the access logs. They can see the full audit trail, which shows that only authorized personnel viewed the demographic data. This gives regulators confidence that we're not just collecting the right information, we're protecting it and managing it responsibly. So from intake to audit, our ECM suite gives us a clean, compliant, and fully documented workflow for section ten seventy one. It reduces risk, simplifies operation, and ensures we're meeting the requirements of the regulation. All right, looks like we're gonna move into our Q and A section. If you have any questions, now's the time for you to drop them in the chat. Let's see. First one that I see is, is the information only accessed by users with certain permissions? I'll go ahead and take that one, Cam. Yes. The information you actually get to decide and determine what users have access to that information within the system. Perfect. Next one I see is, can you see which users access the information? Yeah, I'll go here, Jen. Yes, and there's an audit trail that reports user access in the form of creation, viewing, and modification of documents within the system that gives full traceability to that audit record control of the document. Thank you for that. Next one that I see in chat is, do we get identify the area on the document that is redacted? Yeah, I'll take this one as well. Yes, redactions can be performed manually by the knowledge worker in redacting, for example, some great race ethnicity information on a loan application. And then that redaction can be assigned to a security group separate from what a credit officer would use to review the document for approval purposes. Thank you. And last one that I see in chat is, are these documents still available to share with auditors? I'll take that one, Kim. Yes, these documents can be shared with auditors. They have the ability to have access to the system to review what's in the system, or we have the audit module, which will export the information to an external location where they can then review the information as needed. Thank you both for your answers. As we wrap up, I would want to highlight that the Dodd Frank Section ten seventy one resource we discussed today is available for download on the Alligent website. I have dropped the link in the chat if you want to check it out. We do encourage you to review the full piece for additional insights and practical guides to support your compliance strategy. Thank you everybody for joining us today. If any additional questions have popped up, please reach out to marketingalligent dot com or visit our website. Be sure to check out our events page for all future webinars if you enjoyed this one. We appreciate your time with us this afternoon and hope you have a great day.