Does the Telemarketing Sales Rule apply to banks?

Banks are partly exempt from the FTC's Telemarketing Sales Rule, but not the FCC's TCPA. Here's exactly where each rule applies and what banks must still follow.

LeadCompliant Team
21 min read
In This Article

Last updated 2026-07-09

Empty bank branch lobby with teller counter and warm overhead lighting
Empty bank branch lobby with teller counter and warm overhead lighting

TL;DR

The FTC's Telemarketing Sales Rule (TSR) largely exempts banks, federal credit unions, and common carriers because the FTC has no jurisdiction over them. The FCC's TCPA is a different story. It fully applies to banks that call and text. Ignore it and you face $500 to $1,500 per call in statutory damages, and courts have not been kind to banks that guessed wrong.

What is the Telemarketing Sales Rule and who enforces it?

The Telemarketing Sales Rule is a federal regulation the Federal Trade Commission issued under the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 (15 U.S.C. 6101 et seq.) [1]. It sets the ground rules for outbound telemarketing: when you can call, what you have to disclose, what practices are banned (misrepresentation, abusive call patterns), and how the National Do Not Call Registry ties in.

The FTC enforces the TSR against most for-profit businesses. Civil penalties reach $51,744 per violation under current inflation adjustments [2]. That number stings.

But the FTC's authority stops at a hard statutory line. Congress carved certain industries out of FTC oversight when it built the agency, and it has reinforced those carve-outs since. Banks chartered by the Office of the Comptroller of the Currency, state-chartered banks supervised by the Federal Reserve or FDIC, federal savings associations, federal credit unions, and common carriers all sit outside the FTC's reach [3]. That line decides everything about how the TSR touches them, or doesn't.

Are banks exempt from the Telemarketing Sales Rule?

Yes, with a real but narrow caveat. The TSR at 16 C.F.R. Part 310 applies only to entities the FTC can regulate [4]. The FTC has no authority over national banks, federal savings associations, and federal credit unions under the FTC Act, so those institutions fall outside the TSR entirely.

The mechanics are simple. The TSR defines 'seller' and 'telemarketer' broadly, but the FTC can only bring a case against a party it has jurisdiction over. It cannot sue a national bank. So the TSR's practical reach over that bank is zero from the FTC's side.

Here's the catch that trips up compliance teams. The exemption does not mean a bank can call anyone, anytime, about anything. The DNC rules that live inside the TSR have a twin at the FCC under the TCPA, and those apply separately (more on that below). The OCC, FDIC, CFPB, and state banking regulators each carry their own unfair or deceptive act or practice authority (UDAP/UDAAP) that can reach telemarketing conduct [5].

So when a banker says "we're exempt from telemarketing rules," they are half right and half dangerously wrong.

Does the TCPA apply to banks even if the TSR doesn't?

It absolutely does. The Telephone Consumer Protection Act (47 U.S.C. 227) is an FCC statute, not an FTC statute, and the FCC governs every entity that makes calls and sends texts, full stop [6]. Banks get no pass.

The TCPA restricts autodialed calls, prerecorded voice messages, and texts to cell phones without prior express consent. It restricts calls to numbers on the National DNC Registry. It requires specific caller ID disclosures. None of those restrictions carve out depository institutions.

Federal courts have confirmed this again and again. A bank that autodials a customer's cell phone without the required consent is on the hook for $500 per call, or $1,500 per call if a court finds the violation willful [6]. Multiply that by thousands of calls or texts and the math turns ugly fast. Class actions over bank auto-dialing have settled for tens of millions of dollars.

One TCPA point matters a lot for banks. The old "established business relationship" shelter got narrowed hard by FCC rulings. Since the FCC's 2012 omnibus TCPA order, prior express written consent is required for autodialed or prerecorded marketing calls to cell phones, no matter how long someone has banked with you [7]. An account holder is not a consenting target by default.

Key numbers in bank telemarketing compliance Federal thresholds and damages figures every bank compliance team should know 500 TCPA statutory damages per violation (negligent) 1,500 TCPA statutory damages per violation (willful) 52k FTC TSR civil penalty per violation (max) 31 DNC scrub frequency required (days) Source: 47 U.S.C. 227 (TCPA); FTC penalty schedule (2024); FCC DNC rules

What rules do bank regulators add on top of TCPA?

The Consumer Financial Protection Bureau has authority under the Dodd-Frank Act to prohibit unfair, deceptive, or abusive acts or practices (UDAAP) by banks with more than $10 billion in assets and by nonbank financial firms [5]. Aggressive or deceptive telemarketing by a bank can trigger a CFPB UDAAP action even when neither the TSR nor a TCPA private suit is in the picture.

The OCC supervises national banks and can act on unsafe or unsound practices, a category that has covered consumer harm from deceptive sales tactics [12]. The FDIC covers state non-member banks. State attorneys general can enforce the TCPA under 47 U.S.C. 227(g), and plenty have gone after financial firms.

State consumer protection laws stack on another layer. Florida, Oklahoma, and Washington have enacted stricter telemarketing statutes that reach banks operating in those states, exemption or not [8]. If you run outbound calling from a bank in one state and dial into another, map the destination state's rules first. Your home state's rules matter less than where the phone rings.

How does the National Do Not Call Registry work for banks?

This is where the TSR and TCPA overlap gets most confusing. The National DNC Registry is run by the FTC, but the FCC folded DNC obligations into its own TCPA regulations for calls to residential phones [6]. So banks still have to honor DNC registrations even though the FTC's TSR doesn't bind them.

A bank making telemarketing calls (calls meant to encourage a purchase, rental, or investment in property, goods, or services) to residential numbers must scrub those numbers against the DNC Registry before dialing. The same 31-day honor period applies. The internal DNC list requirement applies too: if a consumer asks not to be called, the bank has to record that request and honor it for at least 5 years [6].

The established business relationship exception to DNC rules still exists under the TCPA for residential landline marketing calls. It covers calls to someone who made a purchase or inquiry in the prior 18 months or holds an existing account. But it's narrow. The moment that customer says stop, the exception is gone and the bank has 30 days to honor the request [6].

For cell phones, the EBR exception gives no shelter at all when the bank uses an autodialer or prerecorded message. Written consent is required. No exceptions.

What counts as telemarketing for a bank under these rules?

Both the TSR and the TCPA split the world into informational calls and telemarketing calls. That split matters for banks because so much bank outbound calling is transactional: fraud alerts, payment reminders, account notices. Those get treated differently.

Under the TCPA, a call is telemarketing when it is made to encourage the purchase or rental of, or investment in, property, goods, or services [7]. A call that mixes information with even a side pitch can flip into telemarketing. The FCC and the courts have found that a "dual-purpose" call, say a payment reminder that also floats a new credit card offer, triggers consent requirements for the marketing part.

A pure fraud alert with zero sales content? Generally not telemarketing. The FCC has exempted certain financial institution calls from prior express consent for informational messages to cell phones, as long as the call is free to the recipient, carries no marketing, and stays short [7]. Banks lean on this exemption hard for account alerts sent by text.

The working rule is blunt. Any call or text that mentions a product, rate, offer, or service the customer doesn't already have gets treated as telemarketing for consent and DNC purposes. Don't get clever. Clever loses in front of a judge.

This is where bank compliance programs tend to leak.

For autodialed or prerecorded marketing calls or texts to cell phones, the TCPA requires prior express written consent [6]. The FCC defines that as a written agreement (electronic signatures count) that clearly authorizes calls or texts from the bank about its products and services. The agreement has to include the specific phone number, cannot be a condition of buying anything, and has to carry a clear and conspicuous disclosure that the person is agreeing to receive automated calls or texts [7].

Lots of banks captured "consent" language in account-opening paperwork years ago that no longer clears the bar, because the FCC tightened the rules in 2012. If your consent language predates 2012, or if it was buried in a general terms-of-service page with no specific mention of autodialing, a court can toss it as deficient.

Manually dialed calls (a real human dialing one number at a time, no predictive or automated tech) don't trigger the written consent requirement, though DNC rules still apply. The definition of an autodialer got narrowed by the Supreme Court in Facebook v. Duguid, 592 U.S. 395 (2021) [9], which held that an autodialer has to actually use a random or sequential number generator to produce or store numbers. That ruling handed some banks an argument that their systems aren't autodialers. It did not kill TCPA risk, and plaintiffs' attorneys rebuilt their theories around it within months.

What are the real penalties a bank faces for TCPA violations?

The TCPA sets statutory damages at $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [6]. There is no cap per case. Courts certify class actions where each member got multiple calls or texts, and the numbers compound.

The settlements involving financial institutions show the scale of exposure.

Capital One settled a TCPA class action in 2014 for $75.5 million, covering millions of autodialed calls to cell phones without consent [10]. It stands among the largest TCPA settlements ever recorded for a bank.

The risk is lopsided. A bank with a compliant calling program spends money on consent infrastructure, scrubbing, and monitoring. A bank that skips that spend saves in the short run and then faces class exposure that can dwarf the compliance cost by orders of magnitude.

A few things push courts toward a willfulness finding: calling numbers on your internal DNC list after a consumer opted out, autodialing after you got written notice of a TCPA violation, and using a vendor with no written contract that addresses TCPA compliance. All three happen more often than they should.

LeadCompliant's free TCPA compliance tools help teams audit consent language and scrub call lists before dialing. That's a fair starting point for a smaller bank marketing team that has never run a formal TCPA review.

How does the TSR exemption interact with third-party vendors calling on behalf of banks?

Banks lean on outside lead generators, debt collectors, and marketing agencies to make calls for them. The TSR exemption that shields the bank does not stretch over those third parties.

A marketing firm that isn't a bank, calling on behalf of one, is subject to FTC TSR enforcement for its own conduct. The firm pitching a bank's mortgage product to consumers is a telemarketer under the TSR. And the bank can catch liability for the vendor's violations if the bank knew, or consciously avoided knowing, that the vendor was breaking the rules [4].

On the TCPA side, the bank owns the product being sold, and courts have held banks vicariously liable for TCPA violations by their vendors and agents. The FCC's 2013 declaratory ruling confirmed that vicarious liability attaches when a marketer places calls for a seller under actual authority, apparent authority, or ratification [7].

What this means in practice: banks need vendor contracts that require TCPA compliance, spell out consent standards, mandate DNC scrubbing, and give the bank audit rights. A boilerplate indemnification clause won't save you.

What should a bank's outbound calling compliance program actually include?

You don't need a giant legal department to run a defensible program. You need specific processes that you actually follow.

Start with a consent audit. Map every data source feeding your call list and confirm each one has consent language that meets current TCPA standards (post-2012 FCC rules, post-Duguid framework). Any list without documented, TCPA-compliant consent for autodialed cell calls gets treated as landline-only or manual-dial-only until you confirm consent.

Second, DNC scrubbing. Scrub against the National DNC Registry at least every 31 days. Keep an internal DNC list. Honor opt-outs within 30 days (most solid programs do it within 24 hours to cut class exposure). Timestamp every scrub.

Third, call-type classification. For each campaign, label the call informational or telemarketing, and write down why. Telemarketing gets full consent and DNC rules. Informational has to actually qualify for the financial institution exemption (free to recipient, short, no marketing content).

Fourth, vendor management. Get written TCPA compliance representations from every third party that calls or texts for you. Review their consent and scrubbing practices once a year, minimum.

Fifth, a litigation response plan. Know who fields a demand letter. Know exactly where your consent records live. Producing consent documentation within 48 hours of a demand can be the difference between a quick settlement and a year of expensive discovery.

LeadCompliant's compliance kit covers several of these pieces and is a fair free starting point for teams that haven't formalized any of this yet.

Do credit unions and thrifts get the same TSR exemption as banks?

Federal credit unions are exempt from FTC jurisdiction under 15 U.S.C. 45(a)(2), so they sit outside the TSR's direct reach for the same reason banks do [3]. State-chartered credit unions answer to state regulators and may not have that federal exemption, though the FTC has historically left them alone too.

Federal savings associations (thrifts) chartered by the OCC also fall outside FTC jurisdiction, and therefore outside the TSR.

Here's the part that doesn't change: TCPA applies to all of them. A federal credit union autodialing cell phones without consent is exactly as exposed under 47 U.S.C. 227 as a national bank doing the same thing. The TSR exemption has no bearing on TCPA liability whatsoever.

State-chartered credit unions should check their state telemarketing statute on top of the TCPA. California, for instance, has the Consumers Legal Remedies Act and specific financial institution telemarketing rules that can apply no matter which federal agency has jurisdiction.

What recent FCC or FTC rule changes affect bank telemarketing compliance?

A few developments are worth watching.

The FCC's one-to-one consent rule, from its 2023 rulemaking, aimed at the lead generation industry by requiring that express written consent be tied to each specific seller, not passed around through a consent-for-many-companies model [7]. For banks that buy leads from third-party generators, this means the consent paperwork on those leads needs a hard look. If the consumer consented to calls from "our marketing partners," that language may not clear the one-to-one bar.

The FTC amended the TSR in 2023 to cover business-to-business calls more specifically and to clarify certain disclosure requirements [4]. Those changes don't bind banks directly given the exemption, but a bank selling to small businesses needs to understand how the TSR governs the businesses it calls, even when it doesn't govern the bank placing the call.

The CFPB pushed a UDAAP policy expansion in 2022 that would treat discriminatory conduct as "unfair" under Dodd-Frank, which could reach targeting decisions inside a bank's telemarketing program [5]. That direction has faced legal challenges, but a bank with outbound sales that target or exclude demographic groups should keep an eye on it.

Frequently asked questions

Is a bank required to honor the National Do Not Call Registry?

Yes. Even though the FTC's Telemarketing Sales Rule doesn't apply to banks, the FCC's TCPA regulations independently require telemarketers, banks included, to honor the National DNC Registry for residential calls. Banks must scrub call lists every 31 days and stop calling any listed number unless an established business relationship exception or prior written consent applies.

Can the FTC take action against a bank for telemarketing violations?

Generally no. The FTC has no jurisdiction over national banks, federal savings associations, and federal credit unions under the FTC Act, so it cannot enforce the TSR directly against them. The CFPB, OCC, FDIC, and state banking regulators do carry overlapping authority to act on deceptive or abusive telemarketing by banks under their own supervisory frameworks.

Does the TSR exemption for banks cover their marketing subsidiaries?

Not automatically. A holding company's separate marketing subsidiary or lead-generation affiliate that isn't itself a chartered depository institution may not share the bank's TSR exemption. If the subsidiary is subject to FTC jurisdiction, the TSR applies to it. Banks running telemarketing through wholly-owned but separately organized subsidiaries should have counsel check the subsidiary's jurisdictional status before assuming the exemption transfers.

What is the 'established business relationship' exception and does it help banks?

The EBR exception lets a company call a customer who made a purchase or inquiry in the prior 18 months, or holds an existing account, even if the number is on the DNC Registry. For banks it applies to manually dialed residential calls. It does not apply to autodialed or prerecorded marketing calls to cell phones, where prior express written consent is required regardless of any account relationship.

Do TCPA rules apply to text messages sent by banks?

Yes. Texts count as 'calls' under the TCPA when they're autodialed to cell phones. A bank sending automated marketing texts without prior express written consent faces the same $500 to $1,500 per message exposure as autodialed voice calls. Purely informational texts, like fraud alerts, may qualify for the financial institution exemption if they carry no marketing content, are free to the recipient, and stay short.

What did the Supreme Court's Facebook v. Duguid decision mean for banks?

Facebook v. Duguid (2021) narrowed the TCPA's autodialer definition to systems that use a random or sequential number generator to produce or store numbers. Banks whose systems dial from a fixed, stored list without random or sequential generation have argued they aren't using an ATDS and dodge some TCPA requirements. Courts are still sorting out what that means, so treat the ruling as an argument, not a safe harbor, without counsel review.

Can a bank consumer sue the bank directly for TCPA violations?

Yes. The TCPA carries a private right of action under 47 U.S.C. 227(b)(3). Anyone who receives a call or text that violates the TCPA can sue in federal or state court for $500 per violation, or $1,500 for willful violations. No agency has to act first. Class actions are common, and courts have certified large classes against financial institutions.

What disclosures must a bank make at the beginning of a telemarketing call?

Under FCC rules, the caller has to disclose the caller's name, the name of the party the call is made for, and a phone number or address where the consumer can reach that party. These apply to all telemarketing calls. The TSR has similar prompt-disclosure rules, but since the TSR doesn't bind banks, the TCPA-based FCC rules are the operative source.

Are debt collection calls by banks covered by different rules?

Partly. Debt collection is primarily governed by the Fair Debt Collection Practices Act, but banks collecting their own debts are generally exempt from the FDCPA, which targets third-party collectors. TCPA rules still apply in full to bank collection calls, including prior express consent before autodialing a consumer's cell phone, even for collections.

Does the TSR apply to banks in states that have their own telemarketing laws?

State statutes vary. Florida, Washington, and Oklahoma have laws that don't replicate the federal TSR bank exemption and can independently require bank telemarketers to follow state registration, calling-time windows, or DNC requirements. Banks operating across multiple states need a state-by-state compliance map, not a reliance on the federal exemption alone.

If a bank hires a telemarketing vendor, who is liable for TCPA violations?

Both. The FCC's 2013 declaratory ruling established that sellers can be vicariously liable for TCPA violations by telemarketers acting on their behalf under actual authority, apparent authority, or ratification. Banks should require vendors to document TCPA-compliant consent, perform DNC scrubbing, and indemnify the bank contractually. Without that, the bank shares the litigation exposure.

What records should a bank keep to defend against a TCPA claim?

Retain consent records (signed agreements, electronic records with timestamps and IP addresses) for at least 4 years, ideally longer. DNC scrub logs with dates and list versions, internal DNC opt-out records, call disposition logs, and vendor compliance certifications all matter in litigation. Producing a specific consent record for a specific number quickly can end a demand letter before it becomes a lawsuit.

Does the TSR's prohibition on deceptive telemarketing practices apply to banks?

Not through the TSR itself, since the FTC can't enforce it against banks. But deceptive telemarketing by a bank is still reachable through CFPB UDAAP authority for larger banks, OCC and FDIC unsafe-practice authority for smaller ones, and state consumer protection laws wherever the bank operates. Banks have no free pass to deceive consumers. The enforcer is just a different one.

Sources

  1. FTC, Telemarketing Sales Rule (16 C.F.R. Part 310) overview page: The TSR was issued under the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 (15 U.S.C. 6101 et seq.)
  2. FTC, Penalty Offenses page: FTC civil penalties for TSR violations can reach $51,744 per violation under current inflation adjustments
  3. FTC Act, 15 U.S.C. 45(a)(2), Cornell LII: The FTC Act excludes banks, federal savings associations, and federal credit unions from FTC jurisdiction
  4. FTC, Telemarketing Sales Rule text, 16 C.F.R. Part 310 (eCFR): The TSR applies only to entities subject to FTC jurisdiction; entities outside FTC jurisdiction, including banks, are not covered
  5. CFPB, Compliance and supervisory guidance page: The CFPB has authority under Dodd-Frank to prohibit unfair, deceptive, or abusive acts or practices by covered financial institutions
  6. 47 U.S.C. 227, Telephone Consumer Protection Act, Cornell LII: TCPA imposes $500 per violation statutory damages, $1,500 for willful violations, and applies to all entities making autodialed or prerecorded calls to cell phones regardless of industry
  7. Florida Telephone Solicitation Act, Fla. Stat. 501.059, Florida Legislature Online Statutes: Florida's FTSA imposes stricter telemarketing requirements that apply to callers operating in Florida, including financial institutions, independent of the federal TSR
  8. Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), Supreme Court of the United States: The Supreme Court held that a TCPA autodialer must use a random or sequential number generator to produce or store numbers to be called
  9. In re Capital One Telephone Consumer Protection Act Litigation, U.S. District Court, N.D. Illinois: Capital One settled a TCPA class action in 2014 for $75.5 million covering autodialed calls to cell phones without consent
  10. OCC, Consumer protection topics page: The OCC supervises national banks and can take enforcement action for unsafe or unsound practices that cause consumer harm, including through telemarketing

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit