TCPA compliance for financial advisors: what you must know

Financial advisors face TCPA fines up to $1,500 per call or text. Learn the exact consent rules, DNC obligations, and how to avoid a class action lawsuit.

LeadCompliant Team
24 min read
In This Article

Last updated 2026-07-09

Financial advisor reviewing compliance documents at a desk with phone nearby
Financial advisor reviewing compliance documents at a desk with phone nearby

TL;DR

Financial advisors must follow TCPA rules when calling or texting prospects and clients. Without prior express written consent, autodialed calls and texts to cell phones are illegal and carry penalties up to $1,500 per violation. Financial services firms face heightened risk because of high call volume, frequent list purchases, and the FCC's 2024 one-to-one consent rule.

What is the TCPA and why does it apply to financial advisors specifically?

The Telephone Consumer Protection Act, 47 U.S.C. § 227, was signed into law in 1991 to stop unwanted telemarketing calls [1]. It restricts autodialed calls, prerecorded messages, and text messages to cell phones, and it requires businesses to honor the National Do Not Call Registry. The statute applies to any company making marketing calls, full stop. There is no carve-out for licensed financial professionals.

Financial advisors sit in an exposed spot. They call and text a lot. Many buy lead lists from third parties. They often run CRMs with automatic dialing features that may qualify as autodialers under FCC interpretations. And the average enforcement action in financial services has been large enough to wipe out a small RIA's entire book of business.

The FCC's 2024 one-to-one consent rule, effective January 27, 2025, made things much stricter [2]. Under the old framework, a consumer could give blanket consent to a lead generator, and dozens of firms could ride on that single checkbox. The new rule kills that. Consent must name your company. If you bought leads where the consent form named only the lead generator, or named a vague category like 'financial services companies,' that consent is worthless for TCPA purposes now.

The statute says violators are liable for 'actual monetary loss or $500 in damages for each such violation,' and courts can triple that to $1,500 per violation if the violation was 'willful or knowing' [1]. One campaign to 10,000 people without valid consent is a $5 million to $15 million problem. That math is why class action attorneys treat financial services as a target-rich field.

What counts as an autodialer under TCPA, and do financial advisor phone systems qualify?

This is where most small teams get surprised. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the autodialer definition to systems that use a random or sequential number generator to either store or produce numbers to dial [3]. That sounds like it lets most modern predictive dialers off the hook, and for some it does. The picture is messier than the headline suggests.

Many CRM-integrated dialers and power dialers used by advisors have features that, depending on configuration, may still qualify. The FCC has not fully updated its guidance after Facebook, and plaintiff attorneys keep arguing that stored-list dialers hold onto ATDS status under certain architectures. The honest answer: nobody has complete certainty on where the line sits until more post-Facebook case law piles up. The safe assumption is simple. If your system dials from a pre-loaded list automatically without a human clicking each number, get a legal review before you decide you are clear.

Prerecorded or artificial voice calls are a separate matter entirely. The TCPA restricts those to cell phones regardless of the autodialer question [1]. Drop a prerecorded voicemail to a prospect's cell phone and you have almost certainly violated the TCPA without prior express written consent. Ringless voicemail drops are not a workaround. The FCC has treated them as calls subject to the TCPA [4].

Texting deserves its own flag. SMS messages sent from a platform (not a person typing individually) to cell numbers are treated as autodialed messages under the TCPA's existing framework. If your firm uses any text-blast or drip-text feature in your CRM, you need prior express written consent for every number on the list. See our guide on text message marketing for how that consent process works in practice.

The TCPA draws a sharp line between informational calls and marketing calls, and the consent standard differs for each.

For purely informational or transactional calls, like telling an existing client that their account statement is ready, the FCC allows prior express consent, which can be oral or implied from the existing relationship. These calls are still restricted on the National DNC Registry, though. The relationship exception does not override DNC obligations for telemarketing.

For any call or text with a marketing purpose, you need prior express written consent. The FCC defines this as a written agreement that clearly authorizes calls to a specific phone number using an ATDS or prerecorded voice, discloses that consent is not required to buy anything, and is signed by the person receiving the calls (electronic signatures are fine under E-SIGN) [2][11]. The consent form must name your company, not a category. After January 2025, the one-to-one rule means a lead form that says 'I consent to be contacted by financial services companies' is not enough. Your company's name has to appear.

The practical impact for advisors who buy internet leads is severe. Most lead aggregators sold consent on a 'share with partners' model. That model is legally dead for TCPA purposes. Before you call anyone from a purchased list, verify the consent named your firm. If it did not, get fresh consent or restrict outreach to non-ATDS human-dialed calls on non-DNC numbers.

Keep records of consent. The burden of proving consent falls on the caller, not the consumer [2]. If someone sues you, you need to produce a dated, timestamped consent record with the specific number, the consent language, and your company name visible. 'Our vendor told us it was compliant' is not a defense.

How does the National Do Not Call Registry affect financial advisor outreach?

The National DNC Registry, maintained by the FTC under 16 CFR Part 310 (the Telemarketing Sales Rule), requires telemarketers to scrub their call lists against the registry every 31 days [10]. Financial advisors making marketing calls are telemarketers under this rule. The residential exemption for prior business relationships lets you call existing clients who are on the DNC for up to 18 months after the last transaction, and prospects who made an inquiry for up to 3 months, but you must stop the moment they ask.

The registry holds over 249 million active registrations, according to the FTC's National Do Not Call Registry Data Book [5]. So a large chunk of any cold-call list is on it. Scrubbing is not optional, and it is not a one-time task at list purchase. The 31-day window means a number that was clean when you bought the list may be registered now.

State DNC registries add another layer. Several states, including Indiana, Texas, Wyoming, and Colorado, run their own do-not-call lists with rules that differ from the federal registry [6]. Some charge separate registration fees. Some set shorter grace periods. If you operate across state lines, which most advisors do, scrub both the federal registry and any applicable state lists.

The TCPA and the TSR are parallel regimes. A single call can violate both. Penalty exposure stacks. The FTC enforces the TSR and can seek civil penalties above $50,000 per violation after the 2023 penalty adjustment [5].

What does TCPA non-compliance actually cost a financial advisor or RIA?

The statutory damages are $500 per negligent violation and $1,500 per willful violation [1]. In a class action, those numbers multiply by every person in the class. A campaign to 50,000 people can build $75 million in exposure if a court certifies the class and finds willful violations.

Real-world settlements have been smaller, but still firm-ending for small practices. UnitedHealthcare paid $2.5 million to settle TCPA allegations tied to its contact practices. Truist Bank settled a TCPA class action involving customer contact. Credit One Bank faced a significant TCPA settlement over autodialer use. These are large institutions with legal teams. A sole-practitioner RIA or a small broker-dealer does not have those resources.

The dollar amount is only part of it. FINRA and the SEC both read TCPA violations as evidence of supervisory failure. A TCPA class action settlement can trigger a regulatory inquiry, a disclosure obligation on your Form ADV or U4, and reputational damage that is hard to measure but very real in a business built on trust.

Defense costs alone, even for a case you win, can run $200,000 to $500,000 for a contested TCPA matter. Most small firms settle to dodge the cost of litigation. Plaintiff attorneys know this and use it.

The table below compares liability scenarios by violation type and scale.

ScenarioPer-violation penalty10,000 violations50,000 violations
Negligent TCPA violation$500$5M$25M
Willful TCPA violation$1,500$15M$75M
TSR violation (FTC)$50,120+$501M+N/A
State law (varies)$500-$5,000VariesVaries
TCPA statutory damages by violation type and campaign scale Total exposure at $500 (negligent) and $1,500 (willful) per violation 1,000 violations (negligent) $500k 1,000 violations (willful) $1.5M 10,000 violations (negligent) $5M 10,000 violations (willful) $15M 50,000 violations (negligent) $25M 50,000 violations (willful) $75M Source: 47 U.S.C. § 227, U.S. House of Representatives Office of Law Revision Counsel

The FCC's December 2023 Report and Order (FCC 23-107), effective January 27, 2025, changed how consent from lead generators works [2]. The old model was simple. A consumer fills out a comparison or lead form and checks a box consenting to contact from the site's 'marketing partners.' That single consent then got sold to dozens of insurance, financial services, and mortgage companies.

The FCC shut that down. The rule now requires that consent be 'logically and topically associated' with the website where it was given, and it must identify the specific seller by name. A financial advisor cannot lawfully call or text someone whose consent went to a lead aggregator unless that advisor's company name appeared on the consent form at the moment the consumer signed it.

This matters enormously for advisors who buy life insurance leads, annuity leads, retirement planning leads, or any other internet-generated financial lead. Most lead vendors have not fully rebuilt their consent forms to comply. Some claim compliance but hand over consent records that never name the buying firm. Before you run any campaign on purchased leads, request and review the actual consent form and record for a sample of numbers. If the form does not name your company, do not put an autodialer or text platform on that list.

The rule also reaches you if you generate leads for other advisors or broker-dealers. You need compliant consent forms too. The FCC order says the change will 'require that the consent identifies the seller obtaining consent, and that the consent be limited to a single seller' [2].

For SMS and text messaging campaigns, the consent problem is worse, because texting already draws closer judicial scrutiny and consumers are quicker to report unsolicited texts to the FCC.

What specific TCPA rules apply to calls and texts about annuities, life insurance, or investment products?

Financial products do not get different TCPA treatment because they are regulated. The TCPA does not care whether you are selling annuities or pizza. What matters is the method of communication and whether you had valid consent.

There are a few product-specific wrinkles worth knowing. Many annuity and life insurance lead campaigns route through the same lead aggregator networks the FCC's 2024 rule was built to stop. The FCC's rulemaking record discussed insurance and financial services lead generation as the primary concern [2]. This is not a general rule that happens to touch finance. It was aimed squarely at your industry.

For registered investment advisors, there is an added layer from SEC compliance. The SEC's Marketing Rule (Rule 206(4)-1 under the Investment Advisers Act) governs how advisors advertise [7]. The Marketing Rule does not directly address TCPA consent, but a TCPA violation stacked on an advertising compliance failure compounds your regulatory exposure. FINRA Rule 3110 requires member firms to supervise communications with the public, which includes call and text campaigns [8]. An unchecked TCPA-risky campaign is a supervisory violation waiting to happen.

If you are a dually registered rep who also holds insurance licenses, your state insurance department may have its own telemarketing rules. Several state insurance codes require affirmative disclosure during solicitation calls and restrict certain contact practices independent of federal law.

What internal processes should a financial advisor or RIA put in place to stay TCPA-compliant?

Compliance is a process, not a document you sign once. Here is what a working TCPA program looks like for a small-to-midsize advisory firm.

Start by auditing your dialing and texting technology. Know what every platform in your stack actually does. If your CRM or power dialer auto-sequences calls without a human starting each one, treat it as a potential ATDS and apply the full TCPA consent standard.

Second, build or buy a compliant consent process for every list you use. For inbound web leads you generate yourself, your contact form must carry clear, specific written consent language that names your firm, discloses that consent is not required to buy, and captures a timestamp and IP address. For purchased lists, stop assuming the vendor handled it. Request proof. Review it.

Third, scrub lists against the National DNC Registry before every campaign, not only at list acquisition [10]. The FTC's DNC system offers a Subscription Account for ongoing scrubbing. The cost is low against the exposure. State DNC lists need separate scrubbing.

Fourth, keep a tight internal do-not-contact list. Anyone who asks not to be called goes on it immediately, and that request must be honored within 30 days at the federal level, though immediate is better practice. The internal DNC list has to survive staff turnover and system migrations.

Fifth, document everything. Consent records, scrub certificates, call logs, opt-out requests and the dates you honored them. If you ever face a claim, this paperwork is the difference between a quick dismissal and a costly defense.

LeadCompliant's free TCPA compliance kit includes consent form templates, DNC scrub checklists, and documentation logs sized for small teams. Use it as a starting point, then have a telecom attorney review anything you plan to run at scale.

For firms that want ongoing monitoring, staying current with TCPA news is the simplest way to catch FCC rule changes before they turn into liability.

Can existing clients be called or texted without new TCPA consent?

This is one of the most common misunderstandings in financial services. The existing business relationship (EBR) exception under the TCPA is narrower than most advisors think.

The EBR exception applies to calls to residential landlines on the DNC registry. It lets you call existing clients for up to 18 months after the last transaction and prospects who made an inquiry for up to 3 months [10]. It does not apply to autodialed or prerecorded calls to cell phones. For those, you need prior express written consent for marketing calls, relationship or no relationship.

Many advisors assume that because a client wrote their cell number on account opening paperwork, consent exists. Not automatically. Handing someone your number is not consent under the TCPA. The consent must specifically authorize autodialed or prerecorded calls or texts for marketing, must name the calling company, and must make clear that consent is not a condition of service [2].

The practical fix is to work consent language into your onboarding documents and any annual review forms. A clear checkbox with specific language at account opening protects you going forward. For existing clients who never gave proper consent, a human-dialed call (a person starting each call, not a platform) is the safest way to reach them and ask them to consent through a web form or signed document.

What should a financial advisor do if they receive a TCPA demand letter or lawsuit?

Do not ignore it. Do not call the person back without legal counsel. Do not delete records.

A TCPA demand letter is often the opening move before a class action complaint. Plaintiff firms send them to test whether a firm will settle fast before formal litigation begins. The statutory damages structure means even a modest number of calls can justify a large demand.

Your first call should go to a telecom or consumer protection defense attorney, not your general business counsel. TCPA litigation is specialized. An attorney who does not know the technical arguments around ATDS definitions, class certification strategy, or the FCC's safe harbor provisions will cost you more than they save.

Preserve all records tied to the alleged contact: call logs, consent records, dialer configuration records, lead purchase documentation, and any communications with the lead vendor. Courts treat destruction of evidence severely.

If you used a third-party lead or consent provider and the complaint rests on defective consent from that vendor, document your relationship with them carefully. You may have indemnification rights. Most lead purchase agreements include indemnification clauses for TCPA claims arising from defective consent, but you have to enforce them.

Small teams who want to see what real TCPA litigation looks like should read how cases like Cash App's TCPA class action settlement and Albertsons/Safeway's TCPA settlement played out. The facts differ from financial services, but the litigation mechanics are the same.

Are there any TCPA safe harbors or defenses that financial advisors can realistically rely on?

A few, though none is as broad as advisors hope.

The established business relationship defense under the TSR is described above. It is narrow and does not cover cell phone marketing calls.

The FCC's 2015 order created a safe harbor for calls made in error to a reassigned number, but only if the caller had no knowledge of the reassignment and honored an opt-out after the first misdirected call [4]. This matters because cell numbers get reassigned often. You may hold valid consent from the prior owner of a number and be calling a completely different person. A check against the FCC's Reassigned Numbers Database before each campaign is cheap insurance [9].

The 'prior express consent' defense requires you to prove the consumer consented. It is not a safe harbor in the traditional sense, but it is the main defense in TCPA litigation. Its strength depends entirely on your documentation. Courts have dismissed TCPA claims where the defendant produced clean, timestamped consent records. They have also sided with plaintiffs when consent records were vague, missing, or could not be matched to the specific number called.

The one defense that never works is 'I relied on my vendor.' The TCPA imposes direct liability on the calling party. Vendor indemnification is a contract right you chase separately. It does not shield you from the statutory claim itself.

Frequently asked questions

Do TCPA rules apply to financial advisors calling their own clients?

Yes. For autodialed or prerecorded calls to cell phones, prior express written consent is required even for existing clients, unless the call is purely informational and not a marketing message. The existing business relationship exception applies only to residential landlines on the DNC Registry, not to cell phones. Review your onboarding documents to confirm clients gave proper written consent.

What is the penalty for a TCPA violation by a financial advisor?

The TCPA sets statutory damages at $500 per negligent violation and $1,500 per willful violation under 47 U.S.C. § 227. In a class action, those amounts multiply by every affected person. A campaign to 10,000 people without valid consent could generate $5 million to $15 million in statutory exposure, plus defense costs that can exceed $200,000 even in cases that settle.

Can I text prospects about financial products if they gave me their number?

No. Providing a phone number on a form or business card is not TCPA consent for marketing texts. You need prior express written consent that specifically names your firm, identifies the phone number, and makes clear consent is not a condition of service. Without that, texting prospects using any platform or automated system is a TCPA violation carrying up to $1,500 per text.

Directly and severely. Effective January 27, 2025, consent gathered by a lead generator must specifically name your company to be valid for autodialed or prerecorded calls and texts. Blanket consent to 'financial services companies' or 'marketing partners' no longer works. Review every lead source and request the actual consent records. If your firm is not named, human-dial only or get fresh consent before running automated campaigns.

Does FINRA or the SEC have additional rules on top of TCPA for advisor calls?

Yes. FINRA Rule 3110 requires broker-dealers to supervise member communications with the public, which includes call and text campaigns. The SEC's Marketing Rule under the Investment Advisers Act governs advertising content. Neither replaces TCPA, but both can compound your regulatory exposure if a campaign violates all three at once. A TCPA violation can trigger a FINRA supervisory review or an SEC inquiry.

How often do I need to scrub my call list against the National DNC Registry?

The Telemarketing Sales Rule requires scrubbing at least every 31 days. The list changes constantly, and a number that was clean at purchase may be registered by the time you call. The FTC's Subscription Account system makes ongoing scrubbing straightforward. State DNC registries carry separate scrubbing requirements, and several states have shorter windows or additional registration steps.

Almost certainly not without prior express written consent. The FCC has treated ringless voicemail drops as 'calls' under the TCPA. They are not a loophole. If you drop an RVM to a cell phone without prior express written consent, you face the same $500 to $1,500 per violation exposure as any other unauthorized prerecorded call.

At minimum, your consent form must name your firm specifically, identify the phone number being consented to, describe the type of calls or texts (autodialed, prerecorded, or text messages), disclose that consent is not required to obtain services, and be signed by the consumer with a timestamp. Electronic signatures are valid under E-SIGN. Generic 'contact me' language without these elements will not survive TCPA scrutiny.

What is the difference between a TCPA violation and a TSR (Telemarketing Sales Rule) violation?

The TCPA (47 U.S.C. § 227) is an FCC statute focused on the method of contact: autodialers, prerecorded voices, and text messages. The TSR (16 CFR Part 310) is an FTC rule focused on telemarketing conduct, including DNC compliance and deceptive practices. A single call can violate both. The TSR carries civil penalties exceeding $50,000 per violation, making combined exposure far larger than TCPA alone.

Can a financial advisor be sued individually for TCPA violations, or only the firm?

Both. Courts have allowed suits against the company that initiated the call and, in some cases, against officers or managers who directed or approved the non-compliant campaign. FINRA can also bring individual supervisory failure charges against the responsible principal. Assume personal exposure exists, particularly if you directly approved or supervised the campaign.

Do state laws add any TCPA-like restrictions beyond federal rules for financial advisors?

Yes, significantly. Florida's Mini-TCPA (FTSA) is stricter than the federal law and allows a private right of action. States including Indiana, Texas, and Wyoming run their own DNC registries. Several states have specific insurance telemarketing rules. Operating across state lines means you need to check the rules in each state where your prospects live, more than the federal baseline.

The TCPA has a four-year federal statute of limitations for private actions under 28 U.S.C. § 1658. Some state claims have longer windows. Best practice is to keep consent records, call logs, DNC scrub certificates, and opt-out records for at least five years. Store them so they survive system migrations and can be produced in litigation quickly, matched to the specific phone number called.

What is a good first step for a financial advisor who has never done a formal TCPA compliance review?

Audit your dialing and texting platforms first. Identify every system that touches outbound calls or texts and determine how each one starts contact. Then pull a sample of your active call list and trace consent records for 20 to 30 numbers. That sample will quickly show whether your consent documentation is litigation-ready or full of gaps. Then scrub the list against the National DNC Registry and compare results.

Sources

  1. U.S. Code, 47 U.S.C. § 227 (Telephone Consumer Protection Act): TCPA statutory damages are $500 per violation, trebled to $1,500 for willful violations; restricts autodialed calls, prerecorded messages, and texts to cell phones
  2. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed ATDS definition to systems using random or sequential number generators to store or produce phone numbers to dial
  3. FTC, National Do Not Call Registry Data Book: National DNC Registry holds over 249 million active registrations; civil penalties exceed $50,000 per TSR violation after the 2023 adjustment
  4. FTC, Complying with the Telemarketing Sales Rule: State DNC registries exist in several states including Indiana, Texas, Wyoming, and Colorado with requirements that differ from the federal registry
  5. SEC, Investment Adviser Marketing Rule (Rule 206(4)-1): SEC Marketing Rule under the Investment Advisers Act governs how registered investment advisors advertise; intersects with TCPA compliance obligations
  6. FINRA, Rule 3110 (Supervision): FINRA Rule 3110 requires broker-dealers to supervise member communications with the public, including call and text campaigns; TCPA violations can trigger supervisory failure findings
  7. FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR requires scrubbing against the DNC Registry every 31 days and establishes the 18-month existing business relationship exception and 3-month inquiry exception; enforced by FTC separately from TCPA
  8. Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. § 7001: Electronic signatures are legally valid for TCPA consent purposes under the E-SIGN Act

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit