TCPA compliance for banks: what your team must know

Banks face TCPA fines up to $1,500 per call or text. Learn the consent rules, lawsuit risks, and compliance steps every bank team needs right now.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-10

Empty bank branch interior with sunlight and compliance folders on counter
Empty bank branch interior with sunlight and compliance folders on counter

TL;DR

Banks are among the most-sued industries under the TCPA (47 U.S.C. § 227). Every autodialed call or text to a customer's cell phone needs prior express written consent for marketing, or prior express consent for informational messages. Violations cost $500 to $1,500 per contact. Major banks have paid settlements in the tens of millions. Consent records and revocation handling are where banks slip.

Why do banks get sued under the TCPA so often?

Banks call and text constantly. Collections, fraud alerts, payment reminders, promotional offers, account updates. The volume is enormous, and every contact to a cell phone is potential TCPA exposure the moment the consent chain or the technology chain breaks.

The Telephone Consumer Protection Act, codified at 47 U.S.C. § 227, passed in 1991. It gives private citizens the right to sue for $500 per violation and up to $1,500 per willful violation [1]. There is no cap on class damages. A bank that sends one bad marketing text to 200,000 customers is looking at $100 million in statutory exposure before anyone argues willfulness.

Courts certify class actions against financial institutions at a high rate for a simple reason. Banks keep large, identifiable lists of affected consumers and detailed call records that make damages easy to calculate. That is exactly what plaintiffs' firms want.

The Truist Bank TCPA class action settlement and the Credit One TCPA settlement show how fast exposure balloons in banking. Both turned on whether the bank had good consent at the moment of contact.

What does the TCPA actually prohibit banks from doing?

The core prohibition sits in 47 U.S.C. § 227(b)(1)(A). It bans using an automatic telephone dialing system (ATDS) or a prerecorded voice to call any cell phone without prior express consent [1]. A separate provision at § 227(b)(1)(B) covers prerecorded calls to residential landlines without consent.

For banks, the practical breakdown looks like this:

Contact TypeTechnologyConsent Required
Marketing call or text (cell)ATDS or prerecordedPrior express written consent
Marketing call (residential landline)PrerecordedPrior express consent
Informational/transactional call or text (cell)ATDSPrior express consent
Live agent call (cell)Human-dialed onlyNo TCPA consent required
Emergency callAnyNo consent required

The FCC's 2012 rule at 47 C.F.R. § 64.1200(a)(2) requires that written consent for marketing calls and texts be signed and include the consumer's agreement to receive such messages, the number they consent to be called at, and a disclosure that consent is not a condition of purchase [2]. A checkbox at account opening without that disclosure does not cut it.

The "prior express consent" standard for informational bank calls, like a fraud alert, is lower but still real. The FCC's 2008 debt-collection ruling held that a consumer who provides a cell number in connection with an existing debt has given prior express consent to be contacted about that debt [2]. That implied consent evaporates the moment the consumer revokes it, and it never covers promotional content, even when promotional content rides along inside an informational message.

How does the ATDS definition affect bank dialing systems?

This is where a lot of bank compliance teams got confused after the Supreme Court's 2021 ruling in Facebook, Inc. v. Duguid. The Court held that an ATDS must have the capacity to store or produce numbers using a random or sequential number generator [3]. That narrowed the definition sharply from how some lower courts had read it.

What it means in practice: a predictive dialer that only calls numbers from a pre-loaded list, with no random or sequential generation, may not qualify as an ATDS under Duguid. Many banks changed their legal posture after the ruling. Some cut back their consent documentation. That is a mistake.

Here is why. Duguid answered the ATDS question and left the prerecorded-voice prohibition untouched. If your system plays any recorded audio, including a short greeting before an agent picks up, you still need consent. And many state laws (more on those below) ignore the ATDS definition entirely and reach further.

The safe posture for a bank program is plain. Treat any system that automates outbound dialing as subject to TCPA scrutiny, collect consent anyway, and hold the Duguid argument in reserve as a litigation defense. It is a shield, not a reason to skip consent.

For marketing texts, the FCC's 2012 rules require prior express written consent. That means a signed agreement (electronic signatures count) stating clearly that the consumer agrees to receive autodialed or prerecorded marketing calls and texts, naming the phone number, and including a line that consent is not required to buy anything [2].

For transactional or informational texts (payment reminders, fraud alerts, low-balance warnings), prior express consent is enough. Banks usually get this at account opening when a customer hands over a cell number. But the FCC's interpretations have not been perfectly consistent, and some courts read the rules more strictly.

Revocation is the biggest practical gap. The FCC has said repeatedly that consumers can revoke consent at any time through any reasonable means [4]. A consumer who texts "STOP," calls customer service, mails a letter, or sends an email has validly revoked. The bank has to honor it fast. Keep calling after revocation and a defensible violation turns willful, at $1,500 per contact.

For SMS, banks should do four things at a minimum. Honor opt-out keywords (STOP, QUIT, CANCEL, END, UNSUBSCRIBE) instantly and automatically. Send one confirmation text acknowledging the opt-out. Propagate that revocation across every messaging program, not only the channel the consumer used. Log the revocation with a timestamp. That last step is your evidence in court.

To see how SMS consent works in a wider marketing context, the text message marketing guide covers the mechanics.

Which major bank TCPA settlements should compliance teams know about?

Real settlements show where programs break. Study them, because the fact patterns repeat.

Capital One settled a TCPA class action in 2014 for about $75.5 million, covering roughly 17 million class members [5]. The case involved autodialed calls to cell phones for debt collection. Consent documentation was thin, and the bank kept calling people who had revoked.

Bank of America reached a $32 million settlement in a case built on autodialed calls to cell phones for loan payment reminders [6]. Same core issues: consent records and failure to honor revocation.

Citibank settled for $17.5 million where plaintiffs alleged the bank called cell phones using an ATDS without consent [6].

The Truist Bank TCPA class action settlement and the Credit One TCPA settlement follow the same script: dialing cell phones without documented consent or after revocation. The Joseph Snyder Credit One TCPA case is a clean single-plaintiff example of how individual suits run alongside class actions.

One pattern ties all of them together. The bank had a process to collect consent, it broke somewhere in the middle (at account transfer, after a number was reassigned, when a customer changed numbers, or at revocation), and litigation followed. No bank ever sued itself into a huge settlement by documenting consent perfectly and then respecting it. The failure lives in the gaps.

Notable bank and financial company TCPA settlements Settlement amounts in millions of dollars; all cases involved autodialed calls or texts to cell phones without adequate consent Capital One (2014) $75.5 Bank of America $32 Citibank $17.5 UnitedHealthcare $2.5 Source: National Consumer Law Center case summaries; court records (citations 5, 6)

What is the reassigned number problem and how do banks handle it?

A consumer gives a bank a cell number, consents to calls, then changes carriers or drops the number. The carrier hands that number to someone else. The bank keeps calling because its records still show valid consent. The new owner never consented to anything and has a clean TCPA claim at $500 to $1,500 per call.

This is not hypothetical. The FCC estimated in 2018 that about 35 million phone numbers are reassigned each year in the United States [4]. Banks with large loan portfolios or credit card books dial millions of numbers. The exposure math from reassignment alone is ugly.

The FCC built a fix. It created a Reassigned Numbers Database, a central registry where callers can check whether a number changed hands before dialing [4]. Access became commercially available in 2021. High-volume bank callers should query it regularly, both to protect themselves and because the FCC treats use of the database as part of a good-faith safe harbor.

Banks should also reverify cell numbers on a schedule, flag numbers that generate repeated failed contact attempts (a common reassignment signal), and update CRM records the moment a customer reports a number change through any channel.

How do state laws create additional compliance risk for banks?

The TCPA sets a federal floor. States build higher, and for a bank operating nationally, state law becomes a patchwork of extra rules.

California's Invasion of Privacy Act (CIPA) at Penal Code § 637.2 allows $5,000 per violation for unlawful call recording, and the California AG has read some automated text practices as covered [7]. Several CIPA class actions against financial institutions have settled for millions in recent years.

Florida amended its Telemarketing Act effective July 2021 to ban calls made with automated systems to Florida residents without prior express written consent, with no ATDS requirement. That makes Florida's law broader than the post-Duguid TCPA for any automated calling system. Violations run $500 per call under the Florida statute [8].

Washington, Texas, and Indiana each have telemarketing statutes with their own definitions and penalties. In several states, the attorney general can bring enforcement actions with per-violation penalties that stack on top of TCPA exposure.

For multistate outbound programs, the answer is to design to the strictest applicable standard (usually California or Florida) instead of juggling state-by-state permutations. That simplifies training, cuts audit complexity, and hands you a defensible program when a state AG comes knocking.

What does a solid bank TCPA compliance program actually look like?

There is no clever structure here. What works is boring, documented, and tested on a schedule.

Consent collection starts at account opening. Every intake form, paper, online, or in-branch, needs a compliant consent disclosure for marketing contacts that stands separate from other terms, not buried on page 30 of a cardholder agreement. The FCC has said plainly that consent buried in unrelated terms is not effective consent [2].

Consent storage matters just as much. Within days of a lawsuit landing, you need to produce a record showing who consented, what they agreed to, when, at what number, and through what channel. That means consent records tied to your CRM or loan origination system with immutable timestamps.

For dialing and texting, the compliance team needs a clear picture of which systems run and how they work technically. The "is this an ATDS" question is not for marketing to answer. It takes a technical review of the system's architecture.

Vendor oversight carries more weight than most teams expect. If you outsource collections or lead generation, the TCPA treats you as responsible for calls made on your behalf [2]. A vendor collecting consent for you has to follow your standard. Get it in writing and audit it.

LeadCompliant's free compliance kit includes a consent language template and a dialer system review checklist built around these requirements, which gives internal documentation a place to start.

Run a revocation audit at least quarterly. Pull a random sample of consumers who opted out and confirm no further contacts landed after the opt-out date. Find a gap and you have a compliance failure you can fix before it becomes a filing.

How does the TCPA apply to bank debt collection calls?

Collections is where most bank TCPA exposure has come from historically. Pressure to reach delinquent borrowers pushes volume up, consent documentation gets rushed at origination, and collectors keep dialing after revocation because the system still shows the account open.

For existing debt, the FCC's 2008 debt-collection ruling said a consumer who gives a number in connection with a debt gives prior express consent to be called about that debt using an ATDS [2]. That interpretation has survived most litigation. It has limits.

First, it applies only to the debt the consumer gave the number for. If a bank buys a portfolio of loans and the original account agreements lacked compliant consent disclosures, the acquiring bank does not automatically inherit valid consent. Consent due diligence is now standard in loan portfolio acquisitions.

Second, revocation bites just as hard in collections as in marketing. A consumer who sends a written revocation or plainly says "stop calling me" on a call has revoked. The collector who notes it in the file and makes one more call just booked a $500 to $1,500 violation. Collectors need real-time access to revocation records and training on what counts as a revocation request.

Third, calling on a debt does not override the Do Not Call rules for landlines. Banks sometimes confuse TCPA consent (cell phone ATDS calls) with the National Do Not Call Registry (telemarketing to any number). Different systems. The how to stop robocalls guide shows the consumer-side picture, which tells you what your obligations look like from the other end.

What do recent FCC orders mean for bank TCPA compliance going forward?

The FCC has stayed busy on TCPA interpretation since 2021, and two developments deserve close tracking.

First, the FCC's December 2023 one-to-one consent rule, adopted under TRACED Act authority, requires that lead-generation consent be specific to the company receiving it, not a blanket consent to "marketing partners" [9]. If your bank buys leads from third-party generators, the consumer must have consented specifically to your bank, not to "financial services companies." The rule was set to take effect in January 2025, though a court decision and FCC action delayed the one-to-one provisions. Banks relying on purchased lead lists should still verify their vendors collect individualized consent, because the direction of travel is clear.

Second, the FCC ruled in February 2024 that voices cloned with artificial intelligence count as "artificial or prerecorded" under the TCPA [10]. As banks test AI-assisted outreach, that classification matters. AI voice calls to cell phones need the same consent as any prerecorded message.

For ongoing tracking, the TCPA news section watches how FCC orders and court decisions move, and this area moves faster than most compliance teams plan for.

The upshot is practical. Design consent collection so it names your bank specifically, get it in writing, and never assume an AI-assisted channel sits in a softer regulatory category than a traditional robocall.

How much can TCPA violations actually cost a bank?

The statutory penalties under 47 U.S.C. § 227(b)(3) run $500 per violation for negligent or inadvertent conduct and $1,500 per violation for willful or knowing conduct [1]. Each call or text is its own violation. In class actions, those numbers multiply by class size.

Capital One's roughly $75.5 million settlement for about 17 million class members works out to around $4.44 per person, far below the $500 statutory floor. Class settlements almost always land below full statutory exposure. The $75.5 million is still an enormous number in absolute terms [5].

Outside class actions, individual plaintiffs with documented high-volume harassment (a bank dialing someone 50 times after revocation, say) can collect $75,000 or more in a single case. Plaintiff attorneys take these on contingency because the math works.

Regulatory fines sit separate from private litigation. The FCC and FTC have their own penalty authority, and state attorneys general have gone after banks with outbound calling violations.

Defense costs are real even when you win. A motion to dismiss or a class certification fight can run a bank several hundred thousand dollars in legal fees before settlement talks even start. Compliance investment is cheap next to that.

For more on how other financial companies got hit, the Cash App TCPA class action settlement and the UnitedHealthcare $2.5M TCPA case show the range of outcomes across financial services.

What records do banks need to keep for TCPA defense?

If you cannot prove consent, you did not have it. That is the working standard in TCPA litigation, because the burden of proving consent falls on the defendant in most circuits.

The minimum record set for each number you contact: the original consent record (form, timestamp, IP address for online consents, employee ID for in-branch), the specific phone number consented to, the scope of consent (marketing versus informational), any revocation requests with the date received, and the date and time of every contact made.

For marketing texts, FCC rules require you to keep consent records for at least four years [2]. Keep them longer as a matter of practice. The statute of limitations for TCPA claims runs four years from the violation under the federal catch-all at 28 U.S.C. § 1658, though some state claims run on different clocks.

Document the compliance program itself: training records, policy versions, audit results, vendor agreements. If a court sees a real program and a single breakdown behind the violation, you have a stronger argument against a willfulness finding and the trebled $1,500 penalty. With no program documentation at all, every violation looks willful.

LeadCompliant's free checkers verify whether specific numbers sit on the National DNC Registry, a good first pass before any outbound campaign, though it does not replace the full consent documentation described here.

Frequently asked questions

Fraud alerts fall in the informational category, which needs prior express consent rather than prior express written consent. The FCC has said a customer who provides a cell number in connection with an account gives prior express consent to be contacted about that account for transactional purposes. Fraud alerts fit. But the message cannot carry any promotional content, and consent can still be revoked at any time.

Can a bank text customers who signed up before the 2012 FCC consent rules?

Real gray area. The 2012 rules requiring prior express written consent for marketing texts were not retroactive, but courts have varied on how they treat pre-2012 consent language. If the old language did not meet the 2012 standards (disclosure that consent is not required for purchase, specific number, signed agreement), the safe move is to collect fresh compliant consent before sending marketing texts to that cohort.

What happens if a bank buys a loan portfolio and the original lender had inadequate TCPA consent?

The acquiring bank does not inherit liability for calls made before acquisition, but it does need valid consent to make its own ATDS calls going forward. If the original account agreements lacked compliant consent language, the acquiring bank cannot rely on them. TCPA consent due diligence is now standard in loan portfolio acquisitions. Some acquirers send written consent renewal notices to affected borrowers before starting outbound contact.

Does the TCPA apply to business-to-business calls from a bank?

The cell phone ATDS prohibition applies to calls to cell phones whether the recipient is acting as a consumer or a business person. However, the National Do Not Call rules under 16 C.F.R. § 310.6 exempt business-to-business calls from DNC requirements. Courts have split on whether a small business owner's cell phone used for business is covered by TCPA's consumer protections. This is a live litigation area; the safe answer is to get consent regardless.

How quickly must a bank honor a TCPA opt-out request?

The FCC's 2024 rules require opt-out requests to be honored within 10 business days, but courts and the FCC treat any contact after a clear revocation as a potential willful violation. For SMS, instant or same-day automated opt-out processing is the industry standard and is technically simple. For call-based revocations, update the record before the next calling session that could reach that number, generally within 24 hours.

Can a bank's third-party debt collector create TCPA liability for the bank?

Yes. The FCC and courts have held that a company can be vicariously liable for TCPA violations by third parties acting on its behalf under agency principles. If a bank hires a collections agency that makes unauthorized autodialed calls using the bank's name or account information, the bank faces potential exposure. Banks should require contractual TCPA compliance representations from all third-party collectors, run periodic audits, and document that oversight.

Does the TCPA apply to text messages the same way as phone calls?

Yes. The FCC ruled in 2003 that text messages to cell phones are covered by the TCPA under the same framework as calls, because texts use the same cell phone numbering resources. The consent rules are identical: prior express written consent for marketing texts, prior express consent for informational texts. The $500 to $1,500 per-violation penalty applies to each text sent.

What is the National Do Not Call Registry and do banks have to check it?

The National DNC Registry, maintained by the FTC under 16 C.F.R. § 310.4(b), lists numbers whose owners have asked for no telemarketing calls. Banks making outbound telemarketing calls must check the registry and skip registered numbers. An established business relationship exception lasts 18 months after the most recent transaction or 3 months after an inquiry. Collections calls are generally not telemarketing and are not subject to DNC registry requirements.

How does the Facebook v. Duguid Supreme Court decision affect bank TCPA risk?

The 2021 Duguid ruling narrowed the ATDS definition to systems that use a random or sequential number generator to store or produce numbers. Predictive dialers calling from a pre-loaded list may not qualify. This helped some banks cut litigation exposure for certain dialing systems, but it did not touch the prerecorded-voice rules, and state laws like Florida's 2021 statute impose broader restrictions that do not depend on the ATDS definition.

The FCC adopted one-to-one consent requirements in December 2023, requiring that consent for marketing contacts name the specific company that will call, not a category like 'financial services partners.' The provisions were set for January 2025 but were delayed after court action. Banks using third-party lead generators should still verify each lead includes consent that names the bank, since blanket multi-company consent forms are heading toward the exit.

Can a bank customer sue individually or only through a class action for TCPA violations?

Individual TCPA suits are common and need no class certification. A consumer who got 30 unauthorized calls can sue individually and seek $500 to $1,500 per call, potentially recovering $15,000 to $45,000. Many plaintiffs' attorneys handle these on contingency because the math is favorable. Class actions aggregate thousands of similarly situated consumers. Banks face both types of exposure at once from the same underlying conduct.

What is the TRACED Act and how does it affect bank phone compliance?

The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act) was signed in 2019. It gave the FCC broader authority to pursue TCPA violators, extended the statute of limitations for FCC enforcement, and directed creation of the Reassigned Numbers Database. For banks, the practical consequence is that the FCC can impose per-violation fines of up to $10,000 in certain circumstances for illegal robocalls, separate from private lawsuit exposure.

Are there safe harbor provisions banks can use to avoid TCPA liability?

Yes, limited ones. The FCC recognized that using the Reassigned Numbers Database before calling provides some good-faith protection against reassigned number liability. The established business relationship exception exists under some state laws but not under TCPA's cell phone rules. Documented consent with proper disclosures is the strongest practical safe harbor. Courts have cut or dropped treble damages when defendants show a real compliance program and an isolated system error.

Prior express written consent is the higher bar. It needs a signed agreement (electronic signatures count) stating the consumer agrees to receive autodialed or prerecorded marketing calls and texts, naming the number, plus a disclosure that consent is not required to buy anything. It applies to marketing. Prior express consent is lower and can come from simply giving your number in connection with an account. It covers informational and transactional contacts only.

Sources

  1. Cornell LII / Legal Information Institute, 47 U.S.C. § 227 (TCPA full statute text): TCPA imposes $500 per violation and up to $1,500 for willful violations; bans ATDS calls to cell phones without prior express consent
  2. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held ATDS must have capacity to store or produce numbers using random or sequential number generator; narrowed definition from some lower court interpretations
  3. U.S. District Court, N.D. Illinois, In re Capital One Telephone Consumer Protection Act Litigation, MDL No. 2416: Capital One TCPA class action settlement approximately $75.5 million covering approximately 17 million class members; case involved autodialed calls to cell phones for debt collection
  4. National Consumer Law Center, TCPA case summaries and settlements: Bank of America $32 million TCPA settlement; Citibank $17.5 million TCPA settlement; both involved autodialed calls to cell phones without sufficient consent
  5. California Legislature, Penal Code § 637.2 (California Invasion of Privacy Act penalties): California CIPA provides $5,000 per violation for unlawful recording of calls; state law applies separate from and in addition to TCPA
  6. Florida Legislature, Florida Telemarketing Act, Fla. Stat. § 501.059 (2021 amendments): Florida's 2021 amendment bans calls using automated systems to Florida residents without prior express written consent; $500 per call penalty; broader than TCPA post-Duguid
  7. FTC, Telemarketing Sales Rule, 16 C.F.R. § 310 (National DNC Registry): National DNC Registry established under Telemarketing Sales Rule; 18-month established business relationship exception; business-to-business calls exempt from DNC requirements
  8. Congress.gov, TRACED Act, Public Law 116-105 (2019): TRACED Act expanded FCC enforcement authority, extended statute of limitations for FCC TCPA enforcement actions, directed creation of Reassigned Numbers Database, authorized FCC fines up to $10,000 per violation in certain cases

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit