Regulatory Compliance for MCAs and Alternative Finance: A 2026 Operator's Guide

Nothing in this article is legal advice; talk to your counsel for your specific situation. But I have sat through enough state examinations, capital-partner diligence calls, and SBFA working groups to know what the operating reality looks like for serious funders in 2026. This is that reality in one document.

1. State commercial-financing disclosure laws

Between 2018 and 2024, nine states passed laws requiring non-bank funders to provide standardized disclosures, often including APR or estimated APR, at the point of offer for commercial financing products (MCAs, revenue-based financing, factoring, and various other structures depending on the state).

• New York: Commercial Financing Disclosure Law (S5470-B). Implementing regulations effective August 1, 2023. Requires offer-stage disclosure including APR, total amount paid, payment amount, and prepayment policy.
• California: SB 1235, with DFPI regulations effective December 9, 2022. Similar structure to NY with slightly different APR methodology.
• Virginia: Sales-Based Financing Act (HB 1027), effective July 1, 2023.
• Utah: Commercial Financing Registration and Disclosure Act, effective January 1, 2023.
• Connecticut: Commercial Financing Disclosure law (Public Act 23-201), effective July 1, 2024.
• Georgia: SB 90, effective January 1, 2024.
• Florida: Commercial Financing Disclosure Law (HB 1353), effective July 1, 2023.
• Missouri: Commercial Financing Disclosure Law (HB 2150), effective in 2024.
• Kansas: Commercial Financing Disclosure Act, effective in 2025.

2. Section 1071: small business lending data collection

Section 1071 of the Dodd-Frank Act, implemented by the CFPB through Regulation B amendments, requires covered financial institutions to collect and report 25+ data points on small-business credit applications. The final rule was issued March 30, 2023; compliance has been subject to litigation and tiered implementation dates have shifted multiple times.

Practical posture: even if you are not technically covered, instrument as if you were. Capture standardized application fields, collect demographic information about principal owners through compliant flows, log every credit decision with its reason codes, and build the ability to run disparity analysis on approval and pricing across protected classes. Your future institutional-capital partners will require this; your future regulators may; and the operational cost of putting it in retroactively is several multiples of building it correctly the first time. The fair-lending mechanics inside the model itself are covered in our AI underwriting article.

3. ECOA / Regulation B applies to commercial credit

A common and consequential misunderstanding: the Equal Credit Opportunity Act and Regulation B are not just consumer rules. They apply to commercial credit transactions, including MCAs and small-business loans. The implications:

• Prohibited bases of discrimination: race, color, religion, national origin, sex, marital status, age, receipt of public assistance, and exercise of rights under consumer credit laws.
• Adverse-action notices are required for declined and counter-offered applications, with reasons that are specific and accurate.
• Spousal-signature rules apply: you generally cannot require a guarantee from a spouse based solely on marital status if the applicant individually qualifies.
• Record retention obligations on applications and decisions.

4. AML and Bank Secrecy Act considerations

Whether you are technically a financial institution under the Bank Secrecy Act depends on your structure (non-bank funders are often not directly covered as a "financial institution" under FinCEN definitions, but money services businesses and certain structures are). Regardless, almost every serious capital partner (banks, family offices, institutional debt funds) will require you to operate KYC/KYB and sanctions-screening programs that mirror BSA standards:

• Customer identification program (CIP) at the entity and beneficial-owner level (FinCEN beneficial-ownership requirements apply to many small businesses).
• OFAC sanctions screening on entity, beneficial owners, and authorized signers.
• Ongoing monitoring for suspicious patterns.
• A written compliance program with named compliance officer responsibilities.
• Documented staff training and audit cadence.

5. Broker registration and disclosure

New York's Commercial Financing Disclosure Law extended specific disclosure responsibilities to brokers: funders are required to provide brokers with the disclosure for delivery to the merchant. Several other states have introduced or are considering broker-registration regimes. The practical impact: your ISO management process now has to track which brokers can lawfully operate in which states, verify their status, and capture their disclosures back to you. (We work with brokers and ISOs every day, see our ISO solutions.)

6. Usury, characterization, and the line between sale and loan

A core legal premise of the MCA structure is that it is a sale of future receivables, not a loan, and therefore not subject to state usury caps. Courts have generally respected this characterization when the structure has the right substantive features: meaningful reconciliation rights for the merchant, no absolute obligation to repay regardless of performance, and risk on the funder. New York's 2023 Davis v. Richmond Capital decision and similar rulings in other states have emphasized that the substance, not just the documentation, must support the receivables-sale characterization. Sloppy documents and aggressive collections practices are the fastest way to lose this argument.

7. Operationalizing compliance

Compliance fails when it lives in a Word document on a shared drive. It works when it is engineered into the platform. The features we expect to see in a 2026-compliant servicing/origination stack:

• State-aware disclosure generation at the point of offer, with APR methodology versioned and logged.
• Standardized application fields with demographic capture flows that are 1071-ready.
• Adverse-action notice automation with decision-reason mapping.
• OFAC and KYB screening built into the application pipeline, with re-screening on material changes.
• Full event-level audit log on every state transition (application, offer, decision, modification, payment).
• Document retention with tamper-evident storage and configurable retention schedules.
• Role-based access control with separation of underwriting, servicing, and collections functions.

8. What a state exam actually looks like

When a state regulator opens an exam, the typical document request covers: a sample of recent originations with full transaction file, your written compliance program, training records, complaint logs, adverse-action samples, your disclosure templates and APR methodology documentation, and your audit trail for a handful of specific transactions. The funders who get through this cleanly are the ones who can pull a complete, time-stamped event log for any deal in minutes, not the ones who have to manually reconstruct what happened. (This is exactly what our servicing platform and reporting product are designed to produce.)

Where to start if you are behind

If your compliance program is informal today, the highest-ROI sequence is usually: (1) audit your current state footprint against the nine state disclosure laws and remediate any gaps in offer-stage disclosure; (2) instrument your application flow for 1071-readiness; (3) build the adverse-action notice and decision-reason mapping; (4) install OFAC and KYB screening at application intake; (5) commission a formal compliance program document and a SOC 2 readiness assessment.

We've helped funders walk through this exact sequence as part of platform onboarding. Get in touch if you want to compare notes.

Frequently asked questions