Bank and financial institution TCPA exemptions explained

Banks get narrow TCPA exemptions for fraud alerts and account notices, not marketing calls. Learn what qualifies, what does not, and the $500, $1,500 per-call risk.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-11

Bank teller counter with a telephone handset in the foreground, financial institution setting
Bank teller counter with a telephone handset in the foreground, financial institution setting

TL;DR

Banks and credit unions are not exempt from the TCPA. The FCC grants limited exemptions only for specific non-marketing calls to wireless numbers: fraud alerts, data breach notices, money transfer confirmations, and similar transactional messages. Those exemptions carry strict conditions. Any call that promotes a product or service loses the exemption entirely, and violations still cost $500 to $1,500 per call.

Is there a TCPA exemption for banks and financial institutions?

Sort of, and the "sort of" is where banks keep getting sued.

The TCPA, codified at 47 U.S.C. § 227, prohibits using an autodialer or prerecorded voice to call a wireless number without prior express consent [1]. Congress wrote no blanket exemption for banks. What exists instead is a narrow FCC-created exemption for a specific category of non-marketing, informational calls. The FCC issued it in 2016 under its authority to exempt calls that are "not charged to the called party" and are in the public interest [2].

That 2016 FCC order (In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, FCC 16-99) listed financial institutions alongside healthcare providers and schools as entities that could make certain automated calls to cell phones without prior written consent, but only under a strict set of conditions [2]. The exemption is not a free pass. It is a narrow lane.

Fit every condition in that lane and you skip consent for that one call type. Drift one inch outside it and you need consent like any other caller. The exposure is $500 per violation for negligent violations and up to $1,500 per call for willful ones [1].

What specific calls do the FCC's financial institution exemptions cover?

The FCC's 2016 order named a short list of financial calls that qualify [2]. Every one is transactional. None includes an offer.

  • Fraud or identity theft alerts
  • Data security breach notifications
  • Calls about possible illegal use of a debit or credit card
  • Money transfer notifications (confirming a transfer was initiated or completed)
  • Notices that a mortgage payment is about to be due or is overdue
  • Reminders that an automatic payment is about to be triggered
  • Alerts of a deposit or withdrawal over a threshold the customer set

The customer has an account, something happened or is about to happen with that account, and the bank is telling them. No upsell. No promotion baked in.

The FCC language is explicit. The exemption applies to calls "for which there is exigency and that contain content solely to alert customers to potential fraud or identity theft, or to facilitate or confirm a commercial transaction" [2]. The word "solely" is doing a lot of work there. One sentence about a new credit card offer in the middle of a fraud alert wipes out the exemption for that call.

Banks are not a special category under the statute itself. The rules for financial institutions sit inside the same structure that governs every other industry, which you can see laid out in our tcpa primer.

What conditions must a bank meet to use the FCC exemption?

The FCC did not hand financial institutions a blanket pass. The 2016 order attached conditions that must all hold at once [2]:

1. The call must be free to the recipient. The customer cannot be charged for the call or text. 2. The call must relate to the customer's existing account. You cannot call prospects. The person must have an account relationship with your institution. 3. The call must not include marketing or advertising. Zero promotional content. Period. 4. The caller must identify themselves. The institution must state its name during the call. 5. The caller must provide a phone number for the customer to call back or opt out. 6. The caller must honor opt-out requests immediately. After the customer says stop, you stop. 7. Volume and timing limits apply. The FCC capped these exempted calls at no more than three per event over a three-day window, and only between 8 a.m. and 9 p.m. local time.

That three-call, three-day cap is the one condition most compliance teams underestimate. A fraud alert system that fires more automated attempts on day two because the first two went to voicemail can blow through the limit fast. Your dialing system has to track per-event call counts, more than per-day totals [2].

Miss any single condition and the exemption does not apply to that call. You are back to needing prior express written consent under the standard TCPA rules.

Key TCPA numbers for financial institutions Statutory thresholds, caps, and fines under federal law 500 Min. damages per TCPA violation 1,500 Max. damages (willful) per violation 52k Max. FTC DNC fine per violation (2024) 3 Max. exempt calls per triggering event (3-day win… Source: 47 U.S.C. § 227; FCC 16-99 (2016); FTC DNC rules (2024)

Do these exemptions cover text messages too?

Yes. The FCC's financial institution exemption covers automated text messages under the same conditions that apply to voice calls [2]. A fraud alert sent by automated text to a customer's cell phone qualifies if it meets the same criteria: existing account, no marketing content, free to receive, opt-out honored, and within the three-message, three-day cap.

Text is where financial institutions get burned, because marketing teams love to bolt promotional content onto transactional texts. "Your payment of $214 has been received. Did you know you could earn 2x points this month?" That second sentence just turned the message into a marketing text. The exemption is gone.

For a closer look at how automated text compliance works across industries, see the rules around text message marketing. Marketing texts, including those from banks, require prior express written consent. That is a higher bar than the implied or verbal consent that covers some transactional calls to landlines.

What about mortgage servicing calls: is there a separate exemption?

Mortgage servicing gets its own treatment, partly through the FCC exemption and partly through a separate 2015 statutory amendment.

In 2015, Congress amended 47 U.S.C. § 227(b)(1)(A) to add an exemption for calls made solely to collect a debt owed to or guaranteed by the United States [1]. Federal student loans and some federally backed mortgage debt fall into this bucket. The FCC issued implementing rules in 2016, and the D.C. Circuit then vacated those rules in ACA International v. FCC (2018) [3]. The debt collection exemption has sat in legal limbo since. Compliance teams should not rely on it without checking current FCC guidance.

For ordinary mortgage servicing calls, the FCC's 2016 financial institution exemption covers reminders that a payment is coming due or is past due, but only under the same conditions above. Servicers calling delinquent accounts without consent, especially using predictive dialers, face the same TCPA exposure as anyone else. Several large servicers have settled cases for exactly this. The credit one tcpa settlement shows how autodialer use without adequate consent leads to nine-figure settlements even for well-funded financial companies.

Does the TCPA's existing business relationship rule help banks?

Not for cell phones. This is one of the most persistent misconceptions in financial services compliance.

The TCPA's "established business relationship" (EBR) exemption exists, but it applies only to calls to residential landlines, not cell phones [1]. A customer who opened a checking account ten years ago has an established business relationship with the bank. That relationship lets the bank call that customer's home landline with telemarketing even without express consent (subject to DNC scrubbing). It gives the bank zero extra room to autodial or use a prerecorded voice on that customer's cell phone.

Most customers today live on their cell phones. So the EBR exemption, which compliance teams sometimes treat as a safety net, does not protect the calls that matter most anymore. Calling cell numbers with an autodialer or prerecorded voice means you need either prior express consent or a qualifying exemption. Full stop.

This is also why you should review your cold calling practices and track manual calls separately from autodialed ones. A human agent dialing a cell phone by hand, with no predictive dialer, occupies different legal ground than an autodialed call, though the line between a human-paced dialer and an ATDS has been contested in courts since 2018.

How did the Facebook v. Duguid Supreme Court ruling affect banks?

The Supreme Court's April 2021 decision in Facebook, Inc. v. Duguid narrowed the definition of an automatic telephone dialing system (ATDS) sharply [4]. The Court held that an ATDS must use a random or sequential number generator to store or produce numbers. A system that only dials from a stored list of specific numbers, without that generating function, is not an ATDS under the TCPA [4].

For banks, this matters because most modern call systems dial from customer account lists, not randomly generated numbers. If your dialer pulls from a CRM list of existing account holders and dials them sequentially, it may fall outside the ATDS definition under Duguid, which would strip the TCPA's prior express consent requirement from those calls.

That is the good news. The complication is that state laws did not follow Duguid. Florida passed the Florida Telephone Solicitation Act (FTSA) in 2021 with a broader autodialer definition that looks more like the pre-Duguid federal standard [5]. A bank whose dialer clears the Duguid test federally can still face state liability. You have to check both.

Nobody has clean data on how many banks have reclassified their systems since Duguid. The safe move is to document your dialer's technical architecture and put that documentation in front of legal counsel.

What about the National Do Not Call Registry: do banks have to scrub against it?

Yes. The DNC question is separate from the ATDS question, and banks confuse the two constantly.

The National Do Not Call Registry rules at 47 C.F.R. § 64.1200 require telemarketers to scrub lists against the registry before making telemarketing calls [6]. Banks making calls that count as telemarketing (broadly: calls that promote a product or service) must scrub against the registry. The established business relationship carve-out runs for up to 18 months after the customer's last transaction, but that only helps if the call stays genuinely non-solicitation.

Informational calls covered by the FCC financial institution exemption are not telemarketing under the statute, so those specific calls skip registry scrubbing. If the call is even partly promotional, it is telemarketing, and you scrub.

For more on keeping contact lists clean, see how the do not call list rules interact with outbound programs. Banks calling both cell phones and landlines need a scrubbing process that handles registry compliance and TCPA consent tracking in parallel, because those are overlapping but distinct rule sets.

The FCC's DNC rules run alongside the FTC's, and fines for DNC violations can reach $51,744 per violation as of 2024 [6].

What does a TCPA violation actually cost a bank?

The statutory range is $500 to $1,500 per call or text [1]. In a class action, where the class represents thousands of account holders who got the same automated call without proper consent, that per-call figure becomes nine-figure exposure almost immediately.

Violation typeStatutory damages per callTrebling available?
Negligent TCPA violation$500No
Willful or knowing violationUp to $1,500Yes (court discretion)
State law additions (e.g., FTSA)$500, $1,500 additionalVaries by state

Real settlements give this weight. Capital One paid $75.5 million to settle a TCPA class action in 2014 [7]. Bank of America paid $32 million in a separate 2014 TCPA settlement [7]. These were not edge cases. They were direct results of autodialing that outpaced consent documentation.

The cash app tcpa class action settlement is a more recent fintech example showing app-based financial companies face the same exposure. The pattern across financial sector TCPA cases repeats: automated outreach scaled faster than the consent records behind it.

This is the gray zone where most financial institution TCPA exposure actually lives.

When a customer fills out an account application with a phone number field and some disclosure about "contact for account purposes," courts have sometimes found that provides limited implied consent for transactional calls. The FCC's position, set out in its 2012 order, is that a consumer who provides a telephone number in connection with a transaction has given prior express consent to be called about that transaction at that number [8].

That implied consent has hard limits. It covers transactional calls about the account. It does not cover marketing calls about other products. It applies to the number the customer actually provided on the application, not numbers the bank pulled from a third-party skip-trace. Courts have held the line on the skip-traced number issue: consent does not transfer to numbers the consumer never gave the creditor [8].

The cleanest practice is to collect affirmative written consent at account opening that explicitly covers automated calls and texts. Generic "you agree we may contact you" language in fine print has not held up well in litigation. If your account agreement language is more than three years old and TCPA counsel has never reviewed it, that is a real gap.

LeadCompliant's free consent language checker can flag common issues in account agreement consent clauses if you want a quick first pass before bringing in outside counsel.

Documentation is where cases are won and lost. Plaintiffs' attorneys in TCPA class actions subpoena call logs, dialer configurations, consent timestamps, and CRM data. If you cannot produce records showing when and how consent was obtained, or which exemption you relied on for a specific call type, you are arguing about credibility at trial instead of showing clean documentation at summary judgment.

For consent-based calls, a minimum documentation set looks like this:

  • Timestamp of when consent was obtained
  • The specific consent language the customer agreed to
  • The channel (web form, signed paper, recorded verbal call)
  • The phone number the consent covers
  • Any opt-out records and the date they were honored

For exemption-based calls, document the call's purpose, confirm it carried no marketing content, verify it stayed within the three-call, three-day cap for that triggering event, and log that the call went only to existing account holders.

Call records need to survive long enough to defend litigation. The TCPA has a four-year federal statute of limitations under 28 U.S.C. § 1658 [9], so four years of records is the floor. Some states run longer windows. California's Rosenthal Fair Debt Collection Practices Act, for one, adds its own limitations considerations [10].

Are credit unions treated the same as banks under the TCPA?

Yes. The TCPA makes no distinction between banks, credit unions, mortgage servicers, auto lenders, or any other type of financial institution. The FCC's 2016 exemption order uses the term "financial institutions" broadly and does not limit it to FDIC-insured banks [2].

Credit unions calling members about fraud alerts, deposit confirmations, or overdue payments can use the same exemption under the same conditions. The existing-account-holder requirement maps cleanly onto the member relationship that is core to how credit unions work.

Credit unions get caught most often in outreach to prospective members. A credit union using an automated system to call people in its field of membership who are not yet members, to offer products, is not using an existing-account relationship for that call. The FCC exemption does not help. Prior express written consent is required if those calls go to cell phones via autodialer.

The advice holds across bank types: separate your calling universes cleanly. Existing account holders (who may qualify for the exemption or who you have consent for) are a different population than prospects, and the systems and consent requirements for each differ.

Frequently asked questions

Do banks have to follow the TCPA?

Yes. Banks are fully subject to the TCPA. No statutory provision exempts financial institutions. The FCC has created narrow administrative exemptions for specific non-marketing calls to existing account holders, like fraud alerts and payment reminders, but those exemptions come with strict conditions. For any call that promotes a product or service, banks need the same prior express consent as any other company.

What is the FCC's financial institution exemption exactly?

The FCC's 2016 order (FCC 16-99) lets banks and similar institutions make automated or prerecorded calls to customers' cell phones, without prior written consent, for a narrow set of transactional notifications: fraud alerts, breach notices, money transfer confirmations, mortgage payment reminders, and similar account-related messages. The calls must be free to the customer, carry no marketing content, and be capped at three per triggering event over three days.

Can a bank autodial customers for collections without consent?

It depends on the debt type and the dialer. A 2015 TCPA amendment created an exemption for calls to collect debts owed to or guaranteed by the United States, but the FCC's implementing rules were vacated by the D.C. Circuit in 2018. For most consumer debt collection calls, banks need either prior express consent or must use a manual dialing method that does not qualify as an ATDS under the Supreme Court's 2021 Facebook v. Duguid ruling.

Does having a customer's phone number from their account application count as consent?

Courts and the FCC have found that a customer providing a number on an account application gives implied consent for calls about that account. That consent is limited: it covers transactional calls about the account, not marketing calls for other products, and it applies only to the number the customer actually provided, not numbers obtained from third-party data sources. Written affirmative consent is always the safer practice.

What happens if a bank includes a promotional message in an otherwise exempt fraud alert?

The exemption is lost for that call. The FCC's financial institution exemption requires calls to contain content solely related to the exempt purpose. Adding any marketing or promotional language, even a brief upsell sentence, converts the call to a telemarketing call subject to full TCPA consent requirements. If prior written consent was not obtained, the bank is exposed to $500 to $1,500 per call in statutory damages.

How does the Facebook v. Duguid ruling affect bank calling programs?

The Supreme Court's 2021 Duguid decision narrowed the ATDS definition to systems that use random or sequential number generators. Bank dialers that call from CRM lists of existing account holders, without random number generation, may not qualify as an ATDS under federal law. That removes the consent requirement for those calls federally. However, several states, including Florida, have broader autodialer definitions that may still apply. State law compliance is a separate analysis.

Do banks need to scrub against the National Do Not Call Registry?

Yes, for any call that counts as telemarketing, meaning calls that promote a product or service. The established business relationship exemption lets banks call existing customers' landlines for telemarketing purposes for up to 18 months after the last transaction without registry scrubbing. Informational calls that qualify for the FCC financial institution exemption are not telemarketing and are not subject to registry scrubbing. Marketing calls to cell phones still need prior express written consent regardless of DNC status.

Only for the specific categories covered by the FCC's 2016 financial institution exemption: fraud alerts, breach notices, money transfer confirmations, and similar transactional notifications to existing account holders. The same conditions apply as for voice calls: no marketing content, free to receive, three-message cap per event over three days, and immediate opt-out honored. Any promotional text to a cell phone requires prior express written consent.

How long is the statute of limitations for TCPA claims against a bank?

Four years under the federal catch-all limitations period at 28 U.S.C. § 1658. That means plaintiffs can sue over calls made up to four years before they file. Banks should retain call logs, consent records, dialer configurations, and opt-out records for at least four years. Some state law claims brought alongside TCPA claims may carry different limitations periods, so retaining records for five or more years is a more conservative and defensible practice.

What are the biggest TCPA settlements involving banks or financial institutions?

Capital One settled a TCPA class action for $75.5 million in 2014, one of the largest TCPA settlements at the time. Bank of America settled separately for $32 million in 2014. Both cases involved automated dialing to cell phones without adequate consent. These are not outliers: the combination of large customer bases, high call volumes, and inadequate consent documentation creates systematic class action exposure for any financial institution using automated outreach.

Do state TCPA-equivalent laws add extra risk for banks beyond the federal statute?

Yes, significantly. Florida's Telephone Solicitation Act (FTSA), effective 2021, uses a broader autodialer definition than the post-Duguid federal standard and allows a private right of action with $500 per call damages. California has its own consumer protection statutes. Washington, Texas, and other states have telemarketing rules that overlay federal TCPA requirements. A bank that passes federal TCPA muster may still face state-law claims depending on where its customers are located.

Can a credit union use the same TCPA exemptions as a bank?

Yes. The FCC's 2016 financial institution exemption covers credit unions and other financial institutions, not only banks. The existing-account-holder requirement maps directly onto the member relationship at a credit union. The same conditions apply: no marketing content, free to the member, three-contact cap per event over three days. Calls or texts to prospective members who do not yet have an account get no exemption benefit and require prior express written consent if made via autodialer.

What should a bank do if it receives a TCPA opt-out request?

Honor it immediately and document the timestamp. The FCC's exemption conditions require that opt-out requests be honored, and the broader TCPA framework treats failure to honor opt-outs as a separate violation. Update the contact record in your CRM and in your dialing system. If the customer has multiple accounts or contact records, the opt-out should apply across all of them. Delayed opt-out processing is one of the most common sources of continuing violations in enforcement actions.

Sources

  1. U.S. Government Publishing Office, 47 U.S.C. § 227, Telephone Consumer Protection Act: $500 to $1,500 per-call statutory damages, prohibition on ATDS calls to wireless numbers without prior express consent, and the 2015 federal debt collection exemption amendment
  2. FCC, Rules and Regulations Implementing the TCPA, FCC 16-99 (2016): Financial institution exemption conditions: no marketing content, existing account holder, free to recipient, three-call three-day cap, opt-out honored, 8am-9pm calling window
  3. U.S. Court of Appeals for the D.C. Circuit, ACA International v. FCC, No. 15-1211 (2018): D.C. Circuit vacated FCC rules implementing the government-backed debt exemption and portions of the ATDS definition in 2018
  4. U.S. Supreme Court, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held an ATDS must use random or sequential number generator to store or produce numbers; list-based dialers may not qualify
  5. Florida Legislature, Florida Telephone Solicitation Act, Fla. Stat. § 501.059 (2021 amendments): Florida FTSA adopted broader autodialer definition and private right of action with $500 per call damages, effective 2021
  6. Federal Communications Commission, National Do Not Call Registry rules, 47 C.F.R. § 64.1200: Telemarketers must scrub against the DNC registry; FTC DNC fines up to $51,744 per violation as of 2024
  7. Federal Trade Commission, cases and proceedings library: Capital One $75.5 million and Bank of America $32 million TCPA class action settlements in 2014 involving autodialed calls without consent
  8. FCC, 2012 TCPA Omnibus Declaratory Ruling and Order, FCC 12-21: Consumer providing number in connection with transaction gives prior express consent for calls about that transaction; consent does not extend to skip-traced numbers
  9. U.S. Government Publishing Office, 28 U.S.C. § 1658, federal four-year catch-all statute of limitations: Four-year federal limitations period applies to TCPA claims, requiring banks to retain call records for at least four years
  10. California Legislative Information, Rosenthal Fair Debt Collection Practices Act, Cal. Civ. Code § 1788: California Rosenthal Act adds state-level debt collection call restrictions alongside federal TCPA requirements, with its own limitations considerations

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit