Financial services outbound calling TCPA compliance checklist

TCPA violations cost financial firms $500, $1,500 per call. Use this checklist to cover consent, DNC scrubbing, call hours, and autodialer rules before you dial.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing outbound call lists at a desk for financial services TCPA compliance
Compliance officer reviewing outbound call lists at a desk for financial services TCPA compliance

TL;DR

Financial services outbound calling under TCPA requires written consent before using an autodialer or prerecorded message to reach a cell phone, DNC list scrubbing within 31 days of each call, calling only between 8 a.m. and 9 p.m. local time, and a written do-not-call policy. Violations carry $500 to $1,500 per call. This checklist covers every requirement your team needs before dialing.

Why does TCPA compliance matter so much for financial services specifically?

Banks, mortgage lenders, debt collectors, insurers, and card issuers dial at a scale that turns TCPA into a real business risk. The volume is the problem. At $500 per negligent violation and $1,500 per willful violation [1], a campaign that reaches 50,000 unconsented cell numbers can produce $75 million in statutory damages before anyone walks into a courtroom.

The statute itself, 47 U.S.C. § 227, says a person may sue for "$500 in damages for each such violation" and that a court may triple that amount if the defendant "willfully or knowingly" violated the Act [1]. That gives plaintiffs and class-action attorneys a claim with easy arithmetic.

Financial firms sit near the top of the settlement leaderboard. The Credit One TCPA settlement resolved for $12.5 million after allegations that the bank called consumers on cell phones without consent. The Cash App TCPA class action settlement shows how fast a fintech brand becomes a target.

There is no blanket exemption for your industry. A handful of informational calls, like fraud alerts and data breach notices, get limited exemptions under FCC rules [2]. Those carve-outs are narrow. They cover specific message types, not account marketing or debt collection outreach.

What are the core TCPA rules that apply to outbound financial calls?

Four pillars. Miss one and you are exposed.

1. Prior express consent for informational calls to cell phones using an autodialer or prerecorded voice. The FCC's 2012 Order (FCC 12-21) tightened consent requirements sharply [2]. Any call that uses an automatic telephone dialing system (ATDS) or an artificial or prerecorded voice to reach a mobile number needs at least prior express consent. Telemarketing calls need prior express written consent.

2. Prior express written consent for telemarketing calls. Written consent has to be a signed agreement (electronic signatures count) that authorizes calls to a specific number using an ATDS or prerecorded voice. It must disclose that consent is not a condition of purchase [2]. Consent buried in a 40-page loan application block is a favorite target in litigation.

3. DNC compliance. The National Do Not Call Registry covers telemarketing calls. Consumers on the registry cannot get telemarketing calls unless they gave prior express written consent or have an established business relationship that has not lapsed [3]. Scrub your call lists against the registry within 31 days before dialing [3].

4. Calling hours and identification. Federal rules ban calls before 8 a.m. or after 9 p.m. in the called party's local time [1]. Every call must give the caller's name, the company the call is made for, and a phone number or address where the consumer can reach that company [1].

For cold calling generally, this is the floor. State laws frequently sit higher.

What counts as an autodialer under TCPA, and does it affect financial services calls?

Yes, and the definition has been fought over hard. The Supreme Court settled part of it in Facebook, Inc. v. Duguid (2021), holding that an ATDS must have the capacity to store or produce telephone numbers using a random or sequential number generator [4]. That narrowed the definition compared to some earlier circuit court readings. It did not end autodialer liability for most financial callers.

Why not? Most modern predictive dialers used in financial outreach, mortgage marketing, and collections do store lists of numbers and dial them automatically without a human on each call. Whether those systems count as ATDSs under the post-Duguid standard is still being litigated in the district courts. The safer posture is to treat any system that dials without a human pressing "send" for each call as a potential ATDS and get consent to match.

Prerecorded voice calls are regulated separately from ATDS calls. Even if your dialer is not an ATDS under Duguid, a call that delivers a prerecorded or artificial voice message still triggers TCPA's prerecorded voice rules. Firms using voicemail drops or ringless voicemail should watch this closely. The FCC has treated ringless voicemail as subject to those prerecorded voice rules in informal guidance, though formal rulemaking is ongoing [2].

One checklist item: document your dialing system's technical architecture. Know whether it generates or stores numbers for sequential or random dialing. That record matters when you get sued.

TCPA financial exposure: key numbers Statutory damages per violation under 47 U.S.C. § 227 500 $500 per negligent TCPA violation 1,500 $1,500 per willful TCPA violation 31 31-day max DNC scrub window (days) 30 30-day window to honor internal DNC request (days) Source: 47 U.S.C. § 227 via Cornell LII; FTC National DNC Registry FAQs; FCC Reassigned Numbers Database

This is where most compliance failures start. Teams assume a verbal "yes" on an old call, a checked box on a 2019 web form, or a signature on a loan application covers everything that comes after. It usually does not.

For telemarketing calls to cell phones, the FCC's 2012 Order requires prior express written consent that meets four criteria [2]:

  • A clear and conspicuous disclosure that the consumer will get autodialed or prerecorded calls.
  • The specific telephone number(s) to be called.
  • An acknowledgment that consent is not required as a condition of purchase.
  • A signature (wet or electronic).

For informational or transactional calls (payment reminders, fraud alerts, account notices) to cell phones using an ATDS, prior express consent is enough. It does not have to be written. You still have to prove it exists.

In practice, that means your CRM needs a field for consent source, consent date, consent language version, and the specific number consented for. Phone numbers change hands. The FCC's one-to-one consent rule, adopted in December 2023 and set to take effect in January 2025 [5], would have required consent to name the specific seller instead of a lead generation partner. That rule was challenged and remanded, but the regulatory direction is plain: consent has to be specific, not shared across a marketing network.

Document everything. If you cannot produce the consent record for a specific number in discovery, you effectively have no consent.

How do you scrub your call list against the DNC registry?

The National Do Not Call Registry is run by the FTC [3]. Financial firms making telemarketing calls have to register for access, pay the applicable fee (the FTC charges per area code, with the first five area codes free for businesses that access fewer than that [3]), and scrub their lists within 31 calendar days before each campaign.

The 31-day rule is a hard ceiling, not a suggestion. A list scrubbed 35 days ago is a non-compliant list.

The process: 1. Download updated registry data from the FTC's Telemarketing Sales Rule database. 2. Match your call list against registered numbers and suppress any matches. 3. Log the scrub date and the version of the registry file used. 4. Repeat before every campaign, even if the list has not changed, once more than 31 days have passed.

For internal DNC requests (consumers who told your firm directly to stop calling), federal rules require you to honor the request within 30 days and keep it on your internal suppression list for at least five years [3].

A few categories get limited exemptions from the registry: established business relationships and written consent. The established business relationship exemption for financial services generally applies if the consumer bought or asked about a product within the prior 18 months. It does not override an internal DNC request [3].

For a full breakdown of registry access and who counts as a telemarketer, see our guide to the do not call list and how do i get the do not call list.

What state laws add requirements on top of federal TCPA rules?

Several states run calling rules stricter than the federal baseline. Florida's Telephone Solicitation Act (FTSA), amended in 2021, is the most aggressive state analog in the country for financial teams. Florida created a private right of action for automated calls or texts to Florida residents without consent, damages of $500 per call, and it defined "autodialer" more broadly than the post-Duguid federal standard [6]. A predictive dialer that might not be an ATDS under federal law could still trigger FTSA liability for Florida numbers.

California adds separate layers, especially for call recording. California requires all-party consent to record a phone call [7], while federal law and most states need only one-party consent. If your agents record calls for quality assurance (and they should, for compliance documentation), you have to disclose recording at the start of every call to California numbers.

Other states with notable restrictions include Washington, Texas, and Oklahoma, each maintaining state DNC lists or extra telemarketing registration requirements. Washington's consumer protection statutes have been applied to outbound calling campaigns.

One checklist item: before any new campaign, identify which states you are calling into and run a state-law audit. The National Conference of State Legislatures keeps current summaries [8]. For coverage of mobile phone do not call list rules by state, including cell-specific protections, that resource maps the landscape.

What does a complete pre-campaign TCPA compliance checklist look like?

Here is the full checklist, grouped by category. Work through every item before a campaign goes live.

Consent verification

  • [ ] Confirm you have prior express written consent for every cell number being called for telemarketing purposes.
  • [ ] For informational calls using an ATDS or prerecorded voice, confirm you have at minimum prior express consent.
  • [ ] Verify consent records include the consented number, consent date, consent language, and source.
  • [ ] Confirm consent was not obtained as a condition of purchase.
  • [ ] If leads came from a third-party generator, verify consent specifically names your company.

DNC scrubbing

  • [ ] Scrub the call list against the National DNC Registry within the last 31 days.
  • [ ] Scrub against your internal do-not-call suppression list.
  • [ ] Scrub against any state DNC lists for your target geography (Florida, Indiana, Texas, Wyoming, Colorado, Louisiana, Massachusetts, Missouri, Pennsylvania, and Tennessee each maintain state lists [8]).
  • [ ] Log scrub date and registry version.

Dialing system review

  • [ ] Document whether your dialing platform qualifies as an ATDS under the Facebook v. Duguid standard [4].
  • [ ] Confirm prerecorded messages have been reviewed for legal content requirements.
  • [ ] Disable any ringless voicemail unless you have specific written consent and legal review.

Call timing and identification

  • [ ] Configure the dialer to restrict calls to 8 a.m. through 9 p.m. in the called party's local time zone, not your office time zone.
  • [ ] Confirm every call will include caller name, company name, and a reachable callback number.

State-specific review

  • [ ] Identify all states in the campaign target geography.
  • [ ] Check for state autodialer definitions broader than federal (Florida, especially).
  • [ ] Verify the call recording disclosure script for all-party-consent states (California, Pennsylvania, Florida, among others).
  • [ ] Confirm telemarketing registration in states that require it.

Internal policy

  • [ ] Written DNC policy exists, is dated, and has been reviewed in the last 12 months.
  • [ ] Agents are trained on how to process real-time DNC requests and how fast those requests must be honored (within 30 days federally).
  • [ ] Complaint and revocation tracking process is documented.

Record retention

  • [ ] Consent records are stored for at least 5 years (FCC recommends 4 years; best practice is 5 to match FTC record retention under the TSR [3]).
  • [ ] Call recordings are retained per your state and federal requirements.
  • [ ] Scrub logs are retained with timestamps.

For text message marketing campaigns running alongside your calls, a parallel SMS checklist applies. The written consent and opt-out mechanics for texts are a little different.

What are the biggest TCPA mistakes financial services callers make?

Consent decay is the single most common failure. A consumer gave consent in 2021 while applying for a mortgage. They closed the loan. Three years later, someone runs the same database for a refinance campaign without checking whether the consent was product-specific or whether the consumer revoked it. That is a class action waiting to happen.

Leaning on an established business relationship (EBR) for cell phone calls comes in second. The EBR exemption is a DNC registry concept. It does not create consent to use an ATDS to call a cell phone. Callers conflate these two legal theories constantly.

Third-party consent is a repeat offender. A lead aggregator collects a phone number on a comparison site and represents that the consumer agreed to calls from "financial partners." That kind of general consent language has been rejected in litigation for failing to identify the specific seller [5]. If you buy leads, audit the consent language those leads were collected under.

Time zone errors create needless exposure. Dialing a Los Angeles number at 9:15 p.m. because your call center sits in Chicago and the local clock reads 6:15 p.m. is a violation. Your dialer has to resolve the called party's local time, not your office's.

Revocation handling is broken at most firms. The FCC's rules let consumers revoke consent "at any time through any reasonable means" [2]. A consumer says "stop calling me" on a recorded call, your team fails to log it, and the next dial is a willful violation.

How do real TCPA lawsuits against financial firms play out?

Most TCPA cases against financial firms settle before trial because the math punishes defendants. Statutory damages are per call, per violation. A class of 100,000 consumers with one unconsented call each produces $50 million in exposure at the $500 rate, and $150 million if the court trebles for willfulness. Defendants rarely roll those dice.

The Credit One case shows the pattern. Plaintiffs alleged the bank kept calling cell phones with an autodialer after consumers revoked consent. The $12.5 million settlement included monetary relief and injunctive requirements to fix consent and revocation tracking. The injunctive piece, the operational overhaul, often costs more over time than the cash.

Class certification is the moment that decides everything. Once a court certifies a class, settlement pressure spikes because per-call damages scale with class size. Courts have certified TCPA classes in financial cases where plaintiffs showed the defendant used a single dialing system and a common list, which makes the liability questions common across the class.

One tactical note: arbitration clauses in account agreements have defeated class certification in some financial TCPA cases, because individual arbitration requirements block class treatment. Arbitration clauses do not kill individual TCPA claims, and they have to be drafted carefully to hold up.

For how these settlements shake out in amounts and timelines, the PACER federal court records system carries public filings for every major case.

What records does your firm need to survive a TCPA audit or lawsuit?

If you get sued or investigated, the first demand is your consent records, your DNC scrub logs, and your complaint and revocation records. No records, no proof of compliance.

Minimum record retention for outbound calling compliance:

Record typeRecommended retentionAuthority
Consent records (written)5 yearsFTC TSR, best practice [3]
DNC scrub logs5 yearsFTC TSR [3]
Internal DNC requests5 years (must honor indefinitely)47 CFR 64.1200 [1]
Call recordings2-5 years (state law varies)State-specific
Agent training records3-5 yearsBest practice
Written DNC policyCurrent plus prior 3 yearsFTC TSR [3]

Store consent records so you can pull a specific record by phone number in hours. Discovery deadlines are tight. A spreadsheet buried in someone's inbox is not a consent management system.

LeadCompliant's compliance kit includes consent record templates and a scrub log format that matches what courts and regulators have asked for in real investigations. If you want a ready-made starting point, it is a practical shortcut, but the structure above is what any system needs regardless of tool.

Cloud storage with access logs is worth the small extra cost, because it shows chain of custody if records get challenged in litigation.

Does the TCPA apply to debt collection calls from financial firms?

Yes, with a messy overlay. Debt collection calls are governed separately by the Fair Debt Collection Practices Act (FDCPA), but TCPA applies at the same time, independently [9]. One call can break both statutes, and plaintiffs' attorneys routinely plead both.

The FDCPA restricts calling hours (also 8 a.m. to 9 p.m.), bars harassment, and requires specific disclosure language [9]. TCPA stacks the consent and ATDS rules on top. First-party debt collectors (the original creditor calling its own customer) are exempt from the FDCPA but fully subject to the TCPA.

The FCC once created an exemption for certain government-backed debt calls. That is gone. The D.C. Circuit's ruling in American Association of Political Consultants v. FCC, affirmed by the Supreme Court in 2021, struck down the government debt exemption as an unconstitutional content-based speech restriction [10]. The FCC then removed it. For current debt collection calls, assume full TCPA compliance is required.

For cell phone contact specifically: the debtor's cell number has to have been provided by the debtor in connection with the debt (consent), or you need independent express consent. Buying a skip-traced cell number and dialing it with a predictive dialer is a common source of TCPA liability in collections.

What tools and processes reduce TCPA risk for financial outbound teams?

The honest answer: no software tool erases TCPA risk. Tools cut it by making compliant behavior easier and building the documentation trail you need to defend yourself. Here is what actually matters.

Consent management platform. A CRM that captures consent source, date, number, and the version of the consent language. Salesforce, HubSpot, and dedicated compliance tools all do this with configuration. The key is tying the consent field to the specific number instead of the contact record, because numbers reassign.

Number scrubbing service. Services that scrub against the National DNC Registry, internal suppression lists, and state lists on a rolling basis. Many plug straight into dialers. Examples include Gryphon Networks and the built-in compliance features in platforms like Five9 and NICE CXone. Prices run from a few hundred dollars a month for small teams to enterprise contracts for larger operations.

Reassigned numbers database. The FCC launched the Reassigned Numbers Database in 2021 [11]. It lets callers check whether a number changed hands since the consumer gave consent. A call to a reassigned number is still a TCPA violation even if the prior subscriber consented, and the database gives you a safe harbor if you check it before calling.

Time zone resolver. Your dialer should resolve local time for the called number, not the server location. Most enterprise dialers do this right when configured. Verify it.

Call recording and transcription. Recording every call documents disclosures, revocation requests, and agent behavior. Pair it with a process to flag and honor any revocation request mentioned on a recording within 24 hours.

For the do not call telemarketer list scrubbing process, LeadCompliant's free number checker verifies individual numbers against the DNC registry. For campaign-level scrubbing, you want a dedicated service wired into your dialer.

Frequently asked questions

Does TCPA apply to calls made on behalf of a bank to existing customers?

Yes. TCPA covers all outbound calls to cell phones using an ATDS or prerecorded voice, regardless of whether the recipient is an existing customer. Existing customers may have consented when they opened their account, but that consent has to be specific to the type of call being made and cannot have been revoked. For telemarketing calls, written consent is required even for existing customers.

Prior express written consent is a signed agreement (wet or electronic) where the consumer clearly authorizes autodialed or prerecorded calls to a specific phone number and acknowledges that consent is not required to buy any product or service. The FCC's 2012 Order set these requirements. Generic terms-and-conditions checkboxes that do not specifically reference autodialed calls get challenged constantly and often fail in court.

Can a financial firm call a cell number it found through skip tracing?

No, not with an autodialer or prerecorded voice without consent. Skip-traced numbers carry no consent from the consumer. Calling one with a predictive dialer is a TCPA violation. If you need to reach a consumer at a skip-traced cell number, manual dialing by a live agent with no prerecorded message is the lower-risk approach, though you should still run your specific situation past counsel.

How quickly must a financial firm honor a do-not-call request?

Federal rules under 47 CFR 64.1200 and the FTC's Telemarketing Sales Rule require you to honor an internal do-not-call request within 30 days. The FCC has also said consumers may revoke TCPA consent at any time through any reasonable means. Best practice is to honor revocation within 24 to 48 hours and log the request immediately, because any call after revocation you cannot explain is a willful violation.

Are mortgage calls exempt from TCPA?

No general mortgage exemption exists. Mortgage lenders making telemarketing calls have to obtain prior express written consent before using an autodialer or prerecorded voice to reach a cell phone, scrub against the DNC registry, and meet every other TCPA requirement. Limited exemptions cover narrow categories like fraud alerts, but standard mortgage marketing or refinance outreach qualifies for nothing.

What is the FCC Reassigned Numbers Database and do I have to use it?

The FCC launched the Reassigned Numbers Database in 2021 as a tool callers use to check whether a phone number moved to a new subscriber since a consumer gave consent. You are not legally required to check it, but checking before calling and relying on the result gives you a safe harbor if the number was in fact reassigned and you called the new subscriber by mistake. The FCC established that safe harbor in the 2021 database launch rules.

Does Florida's telephone solicitation law apply to financial services firms calling Florida numbers?

Yes. Florida's Telephone Solicitation Act (FTSA), amended in 2021, applies to any person making a telephonic sales call to a Florida number, including financial firms calling from outside the state. The FTSA's autodialer definition is broader than the post-Duguid federal standard, and its private right of action allows $500 per call. Treat Florida as a high-risk state requiring extra consent documentation.

What is the difference between DNC registry compliance and TCPA consent compliance?

They are separate requirements that overlap. DNC registry compliance governs whether you can make telemarketing calls to a number at all, based on whether the consumer registered. TCPA consent compliance governs what technology you use and whether you got the required consent for that technology. A number not on the DNC registry still needs prior express written consent if you are calling a cell phone with an autodialer for telemarketing.

Can a financial firm text customers instead of calling to avoid TCPA call rules?

No. Text messages sent using an ATDS to a cell phone fall under TCPA on the same terms as calls. Prior express written consent is required for marketing texts. The FCC has consistently treated SMS as subject to TCPA. Firms that shift from calls to texts to cut exposure find the consent and opt-out requirements are basically the same. Texts also carry extra requirements under the CTIA guidelines that carriers enforce.

What should a written TCPA do-not-call policy include?

Federal regulations require a written do-not-call policy to include the company's name and contact information, how consumers can place a DNC request, the time frame for honoring requests (30 days), the duration the request will be honored (at minimum 5 years), and the employee training process. The policy must be available to any consumer who asks. An undated or never-updated policy is a gap plaintiffs point to.

Best practice is five years. The FTC's Telemarketing Sales Rule requires records for 24 months, but TCPA litigation can surface years after a campaign, and courts have looked at records going back several years during class certification. Five-year retention also tracks typical statutes of limitations for related claims. Store consent records in a searchable system tied to the specific phone number rather than the consumer's name.

What happens if a third-party lead vendor provided invalid consent?

You can still be liable. Courts have held that a caller cannot simply rely on a lead vendor's word that consent was obtained. If the consent language was deficient, such as failing to name your company, or was collected through deceptive means, the consent does not satisfy TCPA. Audit the consent language your vendors use, put representations and warranties about consent quality in your vendor agreements, and periodically test the lead vendor's consent flows yourself.

Are prerecorded voice messages to landlines treated differently than to cell phones?

Yes, with one big overlap. For landlines, prerecorded telemarketing messages require prior express written consent. For cell phones, prerecorded messages require at minimum prior express consent, and for telemarketing, written consent. The FCC's 2012 Order extended written consent to residential landlines for telemarketing calls, so the gap between landline and cell treatment narrowed a lot after 2012. Most compliance programs treat both the same to keep it simple.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act, Cornell LII: TCPA authorizes $500 per violation, trebled to $1,500 for willful violations; prohibits calls before 8 a.m. or after 9 p.m. local time; requires caller identification disclosures
  2. FTC, National Do Not Call Registry, business compliance information: Telemarketers must scrub call lists against the National DNC Registry within 31 days before calling; internal DNC requests must be honored within 30 days and retained for at least 5 years; established business relationship exemption applies within 18 months of a transaction
  3. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), opinion at supremecourt.gov: Supreme Court held that an ATDS must have the capacity to store or produce telephone numbers using a random or sequential number generator, narrowing the definition compared to prior circuit interpretations
  4. Florida Legislature, Florida Telephone Solicitation Act, Section 501.059, Florida Statutes: Florida's FTSA as amended in 2021 creates a private right of action at $500 per call for automated calls or texts to Florida residents without consent and uses a broader autodialer definition than post-Duguid federal standard
  5. California Legislature, California Invasion of Privacy Act, Penal Code Section 632: California requires all-party consent to record a confidential communication, including phone calls
  6. National Conference of State Legislatures, State Telemarketing Laws: Multiple states maintain state-level DNC lists and telemarketing registration requirements beyond the federal baseline, including Florida, Indiana, Texas, Wyoming, Colorado, Louisiana, Massachusetts, Missouri, Pennsylvania, and Tennessee
  7. FTC, Fair Debt Collection Practices Act text and compliance guide: FDCPA governs debt collection calls separately from but simultaneously with TCPA; debt collection calls are also restricted to 8 a.m. to 9 p.m. and prohibited from harassment
  8. U.S. Supreme Court, Barr v. American Association of Political Consultants, 591 U.S. 610 (2020), opinion at supremecourt.gov: The Supreme Court struck down the TCPA's government-debt exemption as an unconstitutional content-based speech restriction, resulting in the FCC removing that exemption
  9. FTC, Telemarketing Sales Rule, 16 CFR Part 310: FTC's Telemarketing Sales Rule requires telemarketers to retain records for 24 months; five-year retention is best practice for TCPA litigation defense

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit