Key Takeaways
- The CFPB's final Section 1071 rules officially exclude merchant cash advances from small business loan data collection requirements, confirming MCAs are not "covered credit transactions."
- Without federal data reporting mandates, MCA funders bear full responsibility for building their own verification and risk infrastructure, making bank verification software for funders more critical than ever.
- The exclusion creates a regulatory asymmetry where traditional lenders face heavy compliance burdens while MCA providers operate with more flexibility but less institutional cover.
- Funders who invest in AI-powered bank statement analysis and automated underwriting now gain a structural advantage over competitors still relying on manual review.
- Self-regulation through auditable verification workflows is the strongest defense against future state-level scrutiny and stacking fraud.
MCAs Are Officially Outside Section 1071. That Is Not a Free Pass.
On April 30, 2026, the Consumer Financial Protection Bureau filed final rules for its small business loan data collection program under Section 1071 of the Dodd-Frank Act. Buried in the details was a confirmation that many in the alternative lending industry had anticipated: merchant cash advances are excluded. Because MCAs are structured as purchases of future receivables rather than credit transactions, they fall outside the rule's scope entirely. For funders, this changes the calculus around bank verification software for funders, compliance strategy, and the technology investments needed to stay competitive in a market growing at record pace.
The exclusion removes one layer of federal oversight, but it does not remove risk. If anything, it concentrates responsibility. Without a federal data collection mandate, MCA funders cannot lean on standardized reporting to demonstrate responsible underwriting. They must build that evidence themselves. The funders who thrive in this environment will be those with automated, auditable verification systems that prove every deal was underwritten with rigor, whether a regulator ever asks or not.
What the Section 1071 Exclusion Actually Means for MCA Operations
No Federal Reporting Means No Federal Cover
Section 1071 requires covered lenders to collect and report data on small business credit applications, including demographic information, loan amounts, pricing, and outcomes. The goal is fair lending oversight. Traditional lenders, SBA lenders, and online lending platforms offering credit products will need to comply with detailed data collection protocols starting in phases through 2026 and 2027.
MCA funders are exempt. The CFPB's rationale is straightforward: an MCA is a commercial transaction, not a loan. There is no principal, no interest rate, no repayment term in the traditional sense. The agency's final rule documentation treats this as settled, closing the door on earlier proposals that considered including MCAs.
But this legal distinction does not shield funders from scrutiny. States like California, Virginia, and New York have already enacted or proposed disclosure and licensing requirements specifically targeting MCA providers. As we covered in our analysis of Virginia's 229 registered MCA providers, state regulators are building their own frameworks. The absence of federal reporting may actually accelerate state-level action, because legislators can argue that the industry lacks adequate oversight.
Self-Regulation Becomes the Competitive Advantage
In a market without federal data mandates, the funders who voluntarily maintain rigorous documentation and verification workflows gain two advantages. First, they reduce their exposure to state enforcement actions and litigation. When a merchant alleges predatory practices or a broker submits fraudulent applications, a complete audit trail is the funder's best defense. Second, they build institutional credibility with capital partners. Institutional investors backing MCA portfolios increasingly require evidence of systematic underwriting, not just portfolio performance metrics.
This is where bank verification software becomes a strategic asset rather than an operational convenience. Automated bank statement analysis, AI-powered document extraction, and structured application tracking create the kind of institutional-grade paper trail that manual processes simply cannot match. Let's Submit was built for exactly this scenario: capturing every document, extracting every data point, and preserving every step of the review process in a format that satisfies both internal risk teams and external auditors.
Regulatory Asymmetry Creates Opportunity and Risk
There is an underappreciated dynamic at play. Traditional small business lenders now face significant compliance costs to meet Section 1071 requirements. Data collection, validation, storage, and reporting all add friction and expense to the origination process. MCA funders, freed from these burdens, can move faster. Speed to fund has always been the MCA value proposition, and the regulatory gap widens that advantage.
But speed without controls is reckless. The same regulatory asymmetry that gives MCA funders agility also makes them a target. When an industry operates outside federal reporting, every high-profile fraud case, every stacking scandal, and every merchant complaint becomes ammunition for advocates pushing tighter regulation. The industry's reputation depends on individual funders making responsible choices, and those choices start with how thoroughly you verify the documents in front of you.
Building Verification Infrastructure Without a Federal Mandate
The practical question for every MCA funder in 2026 is this: if nobody is requiring you to collect and verify data systematically, why should you invest in doing it anyway? The answers are concrete and measurable.
Fraud Detection That Scales With Volume
Stacking fraud, synthetic identities, and fabricated bank statements do not care about your regulatory status. As origination volumes climb, as Enova's record $1.7 billion Q1 demonstrates across the broader SMB lending space, the sheer number of applications makes manual review unsustainable. A single underwriter reviewing PDF bank statements page by page will miss inconsistencies that an AI extraction engine catches in seconds: mismatched fonts, altered transaction amounts, duplicated statement periods, or deposits that do not reconcile with reported revenue.
Let's Submit's AI-powered extraction layer parses uploaded bank statements automatically, flagging anomalies and structuring data for review before an underwriter ever touches the file. This is not about replacing human judgment. It is about ensuring the human reviewer starts from a position of verified, structured data rather than raw PDFs and gut instinct. The distinction matters, as we explored in our analysis of why humans fail at underwriting and why AI alone will not fix it.
Audit Trails Built for the State Compliance Wave
California's disclosure requirements, Virginia's registration mandates, New York's proposed rules: the trend line is clear. State regulators are stepping in where the CFPB stepped back. Each of these frameworks demands some form of documentation showing that the funder verified the merchant's financial condition before advancing funds.
An async verification workflow, where merchants upload documents to a secure portal and AI extracts the relevant data before a human reviews it, creates a timestamped, immutable record of every step. When a state examiner requests proof that you verified bank statements before funding a deal, you produce the audit trail from your dashboard. When the process is manual, involving email attachments, phone calls, and spreadsheets, recreating that proof is expensive, slow, and often incomplete.
Preserving Speed to Fund Without Cutting Corners
The fear among many funders is that more rigorous verification means slower funding. In a market where ISOs shop deals to multiple funders simultaneously, a 24-hour delay can mean a lost deal. This concern is legitimate, but it is based on an outdated model of verification where every step requires manual labor.
Modern bank verification software eliminates the tradeoff. Let's Submit's upload links allow merchants to submit documents directly, removing the broker bottleneck. AI extraction runs in minutes, not hours. The underwriter reviews structured, pre-verified data rather than starting from scratch. The result is faster decisions with better data, the combination that separates funders who scale profitably from those who scale into losses. For a deeper look at this dynamic, see our breakdown of how speed to lead depends on bank verification software.
Frequently Asked Questions
Are merchant cash advances covered by Section 1071 data collection?
No. The CFPB's final rules, published in April 2026, explicitly exclude merchant cash advances from Section 1071's small business loan data collection requirements. Because MCAs are structured as purchases of future receivables rather than extensions of credit, they do not meet the definition of a "covered credit transaction" under the rule. This means MCA funders have no federal obligation to collect or report demographic, pricing, or outcome data on their advances.
Do MCA funders still need bank verification software if they are exempt from Section 1071?
Absolutely. Federal exemption from data reporting does not reduce the operational need for bank verification. Funders still face fraud risk, stacking risk, and state-level compliance requirements that demand verified financial data. Bank verification software automates the extraction and validation of bank statement data, catches document manipulation, and creates audit trails that protect funders during regulatory examinations or litigation. The Section 1071 exclusion actually increases the importance of self-imposed verification standards, because funders cannot rely on federal oversight to signal credibility.
How does AI-powered extraction improve MCA underwriting in an unregulated environment?
AI-powered extraction tools parse bank statements, applications, and financial documents automatically, converting unstructured PDFs into structured data fields like average daily balances, deposit frequency, NSF counts, and revenue trends. In an environment without federal reporting mandates, these tools give funders the ability to build consistent, repeatable underwriting standards at scale. They also detect anomalies, such as altered transactions or inconsistent formatting, that manual reviewers frequently miss. The result is faster decisioning with lower fraud exposure.
Will states increase MCA regulation now that Section 1071 excludes MCAs?
The trend suggests yes. States including California, Virginia, New York, and Texas have already enacted or proposed legislation targeting MCA disclosure, licensing, or transaction practices. The federal exclusion may embolden state legislators who argue that the industry needs oversight. Funders who proactively adopt transparent verification and documentation practices will be better positioned to comply with whatever frameworks emerge, without scrambling to retrofit their operations after the fact.
Conclusion
The CFPB's decision to exclude MCAs from Section 1071 is not a regulatory victory. It is a transfer of responsibility. Funders who treat the exclusion as permission to skip verification will find themselves exposed to fraud, state enforcement, and reputational damage. Funders who use this moment to invest in automated bank verification, AI-powered document extraction, and auditable underwriting workflows will build businesses that withstand any regulatory environment.
Let's Submit gives MCA funders the infrastructure to verify bank statements, extract financial data with AI, and track every application from submission to approval, all without slowing down your funding speed. Visit letssubmit.ca to see how async verification fits into your workflow and start building the audit trail your business needs.