Last updated 2026-07-09

TL;DR
The FDIC compliance manual flags the Telephone Consumer Protection Act as a consumer protection law subject to examination. Banks and lenders face $500 per violation, up to $1,500 for willful violations, under 47 U.S.C. § 227. Examiners look at consent documentation, autodial use, and DNC compliance. A gap in any of those areas can become a formal exam finding and a private lawsuit.
What does the FDIC compliance manual say about TCPA?
The FDIC Consumer Compliance Examination Manual lists the Telephone Consumer Protection Act (47 U.S.C. § 227) among the consumer protection laws examiners review during a bank's compliance examination [1]. It sits alongside the Fair Debt Collection Practices Act, the Truth in Lending Act, and other statutes the manual pulls into direct examination coverage.
The manual does not re-write TCPA. It tells examiners to verify that the institution has policies and procedures covering TCPA's requirements, that those procedures are actually followed, and that consumer complaints about unwanted calls or texts get tracked and resolved. Put plainly: if your bank or credit union auto-dials consumers without proper consent, or ignores the National Do Not Call Registry, an FDIC examiner can cite that as a compliance deficiency.
Why does this matter beyond the FCC? Because a TCPA finding in an FDIC examination can escalate. It can become a Matter Requiring Attention, trigger a formal enforcement action, or color your Community Reinvestment Act context. It also hands private plaintiffs a documented record that the institution was on notice about its TCPA obligations. That fact carries weight in class action litigation.
The manual is public and gets updated periodically [1]. Any compliance officer at a supervised depository institution should treat its TCPA section as a floor, not a ceiling.
What is the TCPA and which calls and texts does it cover?
The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, was enacted in 1991 and restricts certain outbound calls and text messages [2]. The Federal Communications Commission implements the statute through its rules at 47 C.F.R. Part 64.
At its core, TCPA bars using an automatic telephone dialing system (ATDS) or a prerecorded voice to call or text a cell phone without the called party's prior express consent. Prerecorded messages to residential landlines carry the same consent requirement. The statute also restricts fax advertising and sets rules for telemarketing calls generally, including opt-out mechanisms and time-of-day limits (no calls before 8 a.m. or after 9 p.m. in the recipient's local time) [2].
For banks, the consent analysis splits in two. Informational calls, like fraud alerts, balance notifications, or appointment reminders, need prior express consent, meaning the consumer gave the bank their number in connection with the account. Marketing calls need prior express written consent, a higher bar that means a signed or electronically signed agreement clearly authorizing marketing messages [3].
The Supreme Court's 2021 decision in Facebook, Inc. v. Duguid narrowed the ATDS definition. The Court held that a system must have "the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator" to qualify [4]. That trimmed exposure for banks calling from curated customer lists. It did not eliminate TCPA risk, because prerecorded message calls and DNC violations stay actionable no matter how the ATDS question comes out.
What are the TCPA penalties banks actually face?
Statutory damages run $500 per violation, and $1,500 per violation if the court finds the conduct willful or knowing [2]. Each call or text is its own violation. A marketing campaign that fires 50,000 texts without proper consent carries $75 million of exposure at the trebled rate. Courts have entered numbers in that range in class settlements.
Banks have not been immune. Truist Bank reached a TCPA class action settlement over alleged unauthorized calls, and Credit One Bank has faced multiple TCPA suits over debt collection calling practices, including the Joseph Snyder v. Credit One matter. UnitedHealthcare agreed to pay $2.5 million to resolve TCPA allegations in a separate matter that shows how healthcare-adjacent financial services companies carry the same exposure.
Beyond private litigation, the FCC can issue forfeitures under 47 U.S.C. § 503(b). The agency has proposed forfeitures against robocallers exceeding $100 million in recent years, though the amounts actually collected after appeals tend to run lower [5]. For FDIC-supervised institutions, an exam finding that the bank lacks adequate TCPA controls can also produce civil money penalties under the Federal Deposit Insurance Act.
The realistic cost to a small bank or credit union is rarely the headline class number. Nuisance settlements in the $200,000 to $2 million range for mid-size calling programs are common. Defense costs alone often push into six figures before anyone signs a settlement.
How does the FDIC examination process evaluate TCPA compliance?
FDIC examiners follow the consumer protection section of the Consumer Compliance Examination Manual when they look at TCPA [1]. In practice they review four things: written policies and procedures, employee training records, complaint management, and a sample of actual call or text practices.
On policies and procedures, examiners want a written document that names TCPA's requirements, assigns responsibility for compliance, and sets controls around consent collection and revocation. A legal disclaimer buried in a vendor contract is not a policy. Neither is a policy written in 2015 and never touched after the FCC's 2015 Declaratory Ruling or the Facebook v. Duguid decision.
Training records matter because examiners want proof that the people making calls or sending texts know the rules. A three-paragraph blurb inside an annual compliance module probably does not clear the bar if the institution runs a high-volume outbound program.
Complaint management is a real focus area. If consumers complained about unwanted calls and those complaints closed without investigation, or never reached the compliance function, that is a red flag. Examiners cross-reference complaint logs against call records when resources allow.
Call and text sampling is less common at smaller institutions given exam resource limits. But for banks with meaningful consumer lending or collections operations, examiners may pull call logs, consent records, and DNC scrub documentation. If you cannot produce a consent record tied to a specific number you called, you cannot prove compliance. In litigation, the burden sits on the caller, not the consumer.
What consent documentation does TCPA require for financial institutions?
Consent under TCPA is not a handshake. The FCC's rules at 47 C.F.R. § 64.1200 spell out what qualifies [3]. For marketing calls or texts to a cell phone using an ATDS or prerecorded voice, the regulation demands prior express written consent, defined as an agreement that meets the E-SIGN Act's electronic signature requirements and clearly and conspicuously authorizes the specific type of marketing communication.
Non-marketing informational calls need only prior express consent, not written. The FCC has held that giving a cell number in the ordinary course of a transaction, such as listing it on a loan application, counts as prior express consent for informational calls tied to that transaction [3]. That consent does not stretch to cross-selling other products. Cross-selling needs written consent.
Consent can be revoked. The FCC's 2015 Declaratory Ruling confirmed that consumers may revoke at any time through any reasonable means [5]. A consumer who tells a call center rep to stop calling has revoked. The bank has to honor that fast and cannot force the consumer into a specific method. If your CRM has no field for a revocation with a timestamp, you have a gap.
For financial institutions, the ugliest consent gap usually shows up in collections. A consumer who gave a cell number on a credit application years ago may have since dropped that number, and it now belongs to someone else. The FCC's reassigned-number rules created liability for callers who reach the wrong person. The FCC built a reassigned numbers database to address this [5], and checking it is fast becoming standard practice even where it is not strictly mandatory.
How does the National Do Not Call Registry apply to banks?
The National DNC Registry, run by the FTC under 16 C.F.R. Part 310 (the Telemarketing Sales Rule), and the FCC's parallel DNC rules under TCPA, bar telemarketing calls to registered numbers unless the caller has an established business relationship with the consumer or the consumer gave prior written consent to be called [6].
Banks often assume they are off the hook because they have a relationship with their customers. Partly true. A call to a customer about that customer's existing account can ride the established business relationship exemption. But calls to prospects, or calls to customers about new products they never asked about, may not qualify. The exemption has clocks: 18 months from the most recent transaction, or 3 months from a consumer inquiry [6].
The FDIC compliance manual folds DNC compliance into the broader TCPA review. Examiners ask whether the institution scrubs call lists against the registry before campaigns, how often those scrubs run (the FTC requires scrubbing no more than 31 days before calling), and whether the institution keeps its own internal DNC list for consumers who asked not to be called [1].
Not scrubbing is a preventable risk. Third-party scrubbing services are everywhere, and the FTC's own registry access runs about $80 per area code per year, with a flat annual fee for full national access [6]. Weigh that against one TCPA settlement. The math is not hard.
What TCPA risks are specific to bank debt collection calling?
Debt collection is where banks and their servicers generate the most TCPA exposure. High call volume, lists full of outdated or reassigned numbers, and consumers who are already unhappy pile up into a concentrated liability pool.
The FDCPA and TCPA overlap but are not the same statute. FDCPA reaches third-party debt collectors. TCPA reaches anyone making the call, including the original creditor. A bank collecting its own charged-off loans sits outside FDCPA but squarely inside TCPA. That distinction trips up plenty of bank compliance teams.
The specific risks: calling a number reassigned to a stranger, calling after the consumer revoked consent, calling with a prerecorded message more than the rules allow, and running dialers that qualify as an ATDS under the post-Duguid standard. That last point is genuinely unsettled in some circuits. Certain courts still apply a broader ATDS definition than the Supreme Court's holding in particular fact patterns.
The Cash App TCPA class action settlement shows how companies across industries land in class treatment when high-volume programs hit unconsented numbers. Banks with collections portfolios should treat class action exposure as the realistic scenario, not the worst case.
The fix is a consent audit. Pull your active calling list, match every number to a documented consent record, and flag any number where the consent is more than three years old or where the account changed hands. It is not glamorous work. It is the work that actually cuts your exposure.
How do FCC rules and FDIC examination interact for supervised banks?
The FCC enforces TCPA through its own forfeiture proceedings and complaint investigations [5]. The FDIC enforces its compliance examination standards through the bank examination process. These are parallel systems. They do not formally coordinate, but they reinforce each other.
If a bank generates a wave of consumer complaints about unwanted calls, those complaints can hit the FCC's consumer complaint system, the FTC, the CFPB, and state attorneys general at the same time. When the FDIC examiner shows up and asks about complaint management, a stack of TCPA complaints sitting in multiple regulatory databases is not a fact you can wave away.
The CFPB also supervises larger depository institutions and has cited TCPA-adjacent conduct under its UDAAP (unfair, deceptive, or abusive acts or practices) authority. The FDIC applies UDAP standards under Section 5 of the FTC Act for the institutions it supervises. An aggressive calling program can become a UDAP finding even when the TCPA violation itself is never directly charged.
For state-chartered banks that are FDIC-supervised (as opposed to national banks under the OCC or state member banks under the Fed), the FDIC is the primary federal regulator for consumer compliance. That makes the FDIC compliance manual the operative exam document, and TCPA gaps surface through that channel first.
What should a bank's internal TCPA compliance program actually include?
A program that survives an exam and, more to the point, prevents lawsuits has six parts. None of them are exotic.
First, a written TCPA policy specific to the bank's actual calling and texting activity. Not a template. A document that names the calling systems in use, identifies which departments dial out, and sets consent standards for each call category.
Second, a consent management system. This can be as simple as a CRM field carrying a consent type, a consent date, and a revocation flag. It has to be populated and actually checked before calls go out. Banks using marketing automation or a collections dialer should confirm those systems can accept and honor consent flags.
Third, regular DNC scrubbing. The FTC standard is no more than 31 days before the call [6]. Build the scrub into your campaign workflow as a required step, not an afterthought.
Fourth, a revocation handling process. When a consumer says stop, that instruction has to reach the system generating calls quickly. The FCC has not fixed a specific number of days, but its guidance treats promptly as within a business day or two at most [5].
Fifth, a vendor management process for any third-party caller, lead generator, or dialer provider. TCPA liability can attach to the company whose product is being marketed, even when a third party dialed. Your marketing vendor's TCPA compliance is your problem.
Sixth, training. The people building call lists, approving campaigns, and handling complaints need to know the rules, and you need to document that they were trained. FDIC examiners ask for training records.
Want a starting point? LeadCompliant's free compliance kit includes a TCPA policy template and a consent documentation checklist built around FCC and FDIC standards. It helps teams starting from zero.
For ongoing developments, the TCPA news section at LeadCompliant tracks FCC rulemakings, major court decisions, and settlement trends that hit financial institutions.
What recent FCC changes affect how banks manage TCPA compliance?
The FCC issued a significant declaratory ruling in December 2023, released in early 2024, that tightened consent rules for lead generation [7]. It set what the agency called a one-to-one consent requirement: a single consent given to a lead generation website cannot be recycled and resold to a crowd of callers. Each seller has to get its own prior express written consent from the consumer.
This matters a lot for banks and lenders that buy leads. If your mortgage, personal loan, or credit card acquisition program leans on third-party lead vendors, those vendors need one-to-one written consent that names your institution specifically before they hand you the lead. Blanket consent to hear from marketing partners no longer works under this ruling [7].
The FCC also finalized rules on the reassigned numbers database, making it easier for callers to check whether a number moved before dialing and offering a safe harbor for those who check and still reach the wrong person [5]. Banks with large outbound programs should wire a reassigned-number check into their pre-call workflow.
A separate FCC rulemaking on robotexts tightened text message marketing, especially around opt-out honoring and sender identification [5]. If your bank runs SMS account notifications or marketing, review your text platform's opt-out handling and confirm it meets the current standard.
For teams thinking through text message marketing more broadly, text message marketing covers the consent and campaign mechanics in more detail.
How should banks handle consumer complaints about unwanted calls?
Consumer complaints about unwanted calls are a compliance obligation and a litigation early-warning system. Treat them as both.
When a consumer contacts the bank directly to complain, log the date, the phone number, the nature of the complaint, and the action taken. If the complaint is that they never consented, pull the consent record right away. If there is no consent record, take that consumer off every calling list, review the program for similar records, and escalate to compliance.
Complaints filed with the CFPB, FCC, FTC, or state regulators are visible to FDIC examiners. A pattern of TCPA-related complaints in the CFPB complaint database, accessible at consumerfinance.gov, is exactly what examiners notice before they walk in the door [8]. Substantive responses beat form letters, for both the exam and any future lawsuit.
Class action TCPA cases almost always start with individual plaintiffs who complained first. The Credit One TCPA settlement and similar cases often show the named plaintiff trying to stop calls before filing. A documented, good-faith response to early complaints can shape how a court views the willfulness question that drives trebled damages.
For consumers on the other side who want to understand their rights, how to stop robocalls walks through the practical steps.
What are the key TCPA thresholds and limits banks need to memorize?
These are the numbers that matter operationally. Keep them somewhere your compliance team sees them.
| Rule | Requirement | Authority |
|---|---|---|
| Calling hours | 8 a.m. to 9 p.m. local time for recipient | 47 U.S.C. § 227(c)(5); 47 C.F.R. § 64.1200(c)(1) |
| DNC scrub freshness | No more than 31 days before the call | 16 C.F.R. § 310.4(b)(3)(iv) |
| Established business relationship (DNC exemption) | 18 months from last transaction, 3 months from inquiry | 16 C.F.R. § 310.2(o) |
| Statutory damages (per violation) | $500 standard, $1,500 if willful | 47 U.S.C. § 227(b)(3) |
| Consent type for marketing calls/texts | Prior express written consent (E-SIGN compliant) | 47 C.F.R. § 64.1200(a)(2) |
| Consent type for informational calls | Prior express consent | 47 C.F.R. § 64.1200(a)(1) |
| One-to-one consent for purchased leads | Required under FCC 2023/24 ruling | FCC Declaratory Ruling, FCC 23-107 |
| Abandoned call rate | No more than 3% per campaign | 47 C.F.R. § 64.1200(a)(7) |
The 3% abandoned call rate surprises teams. If your auto-dialer abandons more than 3% of calls in a campaign (a live person answers but no agent is available), that is a separate TCPA violation regardless of consent status. Check your dialer settings before the next campaign runs.
Frequently asked questions
Does the FDIC compliance manual require banks to follow TCPA?
Yes. The FDIC Consumer Compliance Examination Manual lists TCPA as a consumer protection law that examiners review during bank examinations. Examiners check policies, procedures, training records, complaint handling, and call practices. A TCPA gap found during examination can become a formal finding, a Matter Requiring Attention, or in serious cases, an enforcement action.
What is the TCPA penalty per call for a bank?
The statutory penalty under 47 U.S.C. § 227(b)(3) is $500 per violation. Courts can triple that to $1,500 per call or text when the violation was willful or knowing. Each individual call or text message is a separate violation, so high-volume campaigns can generate nine-figure exposure in class actions.
Does TCPA apply to banks calling their own customers?
Yes. TCPA applies to any caller, including original creditors calling their own customers. The FDCPA covers third-party debt collectors, but TCPA has no such carve-out. A bank auto-dialing its own borrowers without documented consent faces the same $500 to $1,500 per call exposure as any other caller.
What counts as prior express written consent under TCPA for a bank?
The FCC requires a written agreement, including electronic signatures under E-SIGN, that clearly authorizes marketing calls or texts and includes the specific phone number. It cannot hide in general terms and conditions. The consumer must agree to receive marketing communications from the specific company, not from a broad category of sellers.
Can a bank call a number on the National Do Not Call Registry?
Only if the bank has an established business relationship with that consumer (covering the 18 months after the last transaction or 3 months after an inquiry) or has obtained prior written consent to call. Calling DNC-listed numbers for new product marketing without one of these exemptions violates both FTC and FCC rules.
How did Facebook v. Duguid change TCPA risk for banks?
The 2021 Supreme Court decision narrowed the definition of an automatic telephone dialing system, holding it must use a random or sequential number generator. Calls from curated customer lists may not trigger ATDS liability under that standard. Prerecorded message calls and DNC violations remain actionable independent of the ATDS question, so overall bank exposure stays significant.
What did the FCC's one-to-one consent ruling change for banks buying leads?
The FCC's one-to-one consent ruling requires each seller to independently obtain prior express written consent naming that specific company. Banks and lenders that purchase leads from comparison sites or lead generators can no longer rely on blanket consents given to multiple buyers. This substantially changes how bank marketing acquisition programs must be structured.
How often does a bank need to scrub call lists against the DNC registry?
The FTC's Telemarketing Sales Rule requires that call lists be checked against the DNC registry no more than 31 days before the call is made. For ongoing outbound programs, this means building a regular scrub cadence into every campaign's pre-launch checklist, rather than scrubbing once at program launch.
What happens when a consumer revokes TCPA consent with a bank?
The bank must honor the revocation promptly. The FCC confirmed in 2015 that consumers may revoke consent through any reasonable means and that callers cannot require a specific revocation channel. Continuing to call after a revocation is a willful violation, exposing the bank to $1,500 per call. The revocation must be logged in the calling system with a timestamp.
Are there TCPA-specific risks for banks using third-party dialers or marketing vendors?
Yes. TCPA liability can attach to the company whose product is being marketed, even when a vendor makes the calls. If your marketing agency sends texts on your behalf without proper consent documentation, your bank can be named in the resulting lawsuit. Vendor contracts should require TCPA compliance warranties and audit rights, and your vendor management program should verify compliance before campaigns launch.
What is the abandoned call rate limit under TCPA?
The FCC's rules at 47 C.F.R. § 64.1200(a)(7) limit abandoned calls, calls where an auto-dialer connects but no agent is available, to no more than 3% of total calls per campaign per 30 days. Exceeding that rate is a violation independent of consent. Banks should verify their dialer vendor's settings before running outbound campaigns.
Which courts have jurisdiction over TCPA claims against banks?
TCPA claims can be brought in federal district court by private plaintiffs under 47 U.S.C. § 227(b)(3) and (c)(5). State courts also have jurisdiction for individual claims. Class actions under TCPA are typically filed in federal court under the Class Action Fairness Act. Plaintiffs can also file complaints with the FCC, FTC, or state attorneys general, who may refer or act independently.
Does TCPA apply to bank text messages as well as calls?
Yes. Text messages to cell phones are treated as calls under TCPA. Any text sent using an ATDS or prerecorded format to a cell phone requires prior express consent (informational) or prior express written consent (marketing). SMS marketing programs run by banks, including promotional texts and cross-sell campaigns, face the same consent and penalty standards as voice calls.
Sources
- FDIC, Consumer Compliance Examination Manual: The FDIC Consumer Compliance Examination Manual includes TCPA as a consumer protection law subject to examination review.
- Legal Information Institute, 47 U.S.C. § 227 (TCPA): TCPA imposes $500 per violation and up to $1,500 for willful violations; prohibits ATDS or prerecorded calls to cell phones without consent; restricts calling hours to 8 a.m. to 9 p.m. local time.
- FCC, 47 C.F.R. § 64.1200 (Telemarketing and Telephone Solicitation Rules): Prior express written consent is required for marketing autodialed or prerecorded calls; prior express consent sufficient for informational calls; consumer providing phone number in ordinary course of transaction constitutes consent for related informational calls.
- Supreme Court of the United States, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): The Supreme Court held that an ATDS under TCPA must have the capacity to store or produce telephone numbers using a random or sequential number generator.
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: DNC registry rules require scrubbing no more than 31 days before the call; established business relationship exemption covers 18 months from last transaction or 3 months from inquiry; FTC registry access costs approximately $80 per area code.
- CFPB, Consumer Complaint Database: CFPB complaint database is publicly accessible and visible to FDIC examiners reviewing consumer protection compliance.
- FCC, 47 C.F.R. § 64.1200(a)(7), Abandoned Call Rule: FCC rules limit abandoned calls to no more than 3% of total calls per campaign per 30-day period.
- National Do Not Call Registry, FTC: The National DNC Registry is maintained by the FTC; telemarketers must scrub lists against it no more than 31 days before calling.