In 2026, debt collection is not just an operational challenge — it is a legal minefield. The landscape has become significantly more complex: the Consumer Financial Protection Bureau (CFPB) has faced staffing reductions and legal battles, but state attorneys general across California, New York, Massachusetts, and Texas have aggressively stepped up enforcement to fill the regulatory vacuum. The result is a patchwork of overlapping federal and state rules that collections operations leaders must navigate with extraordinary precision.
The cost of getting it wrong is staggering. TCPA violations now carry penalties ranging from $500 to $1,500 per call, per violation — with willful violations eligible for treble damages. A single SMS campaign to a list with consent gaps can generate liability in the tens of millions of dollars. TCPA class action filings rose 67% in 2024 and by January 2025, monthly filings had hit 172 — a 268% increase over January 2024, according to Prospeo research.
This playbook is designed for operations leaders, compliance officers, and executives at banking, financial services, and collections organizations who need a clear, current, and actionable understanding of the three primary federal frameworks governing U.S. debt collection: the Fair Debt Collection Practices Act (FDCPA), the Telephone Consumer Protection Act (TCPA), and CFPB Regulation F.
The Fair Debt Collection Practices Act (FDCPA) was enacted in 1977 and remains the foundational federal law governing debt collection in the United States. It is enforced by both the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). A critical distinction: the FDCPA applies to third-party debt collectors — meaning collection agencies, debt buyers, and collection law firms — not to original creditors collecting their own debts.
However, many states have extended FDCPA-equivalent protections to original creditor collections as well. Organizations in multiple states must be aware of these nuances to avoid exposure.
The FDCPA establishes four primary categories of prohibited conduct:
The statutory damage for an individual FDCPA violation is $1,000, plus attorney fees and actual damages. While the per-violation amount appears modest compared to TCPA, FDCPA class actions can result in aggregate damages of up to $500,000 or 1% of the defendant’s net worth. The deeper risk is reputational: FDCPA complaints to the CFPB are publicly searchable, and patterns of violations can trigger regulatory enforcement actions.
The Telephone Consumer Protection Act (TCPA), enacted in 1991 and updated multiple times since, regulates how businesses use automated technology to contact consumers by phone and text. For collections operations, the TCPA is arguably the most financially dangerous regulatory framework because its penalties apply per call or message, scale instantaneously with volume, and attract class action attorneys who specialize in TCPA litigation.
Violation Type | Penalty Per Violation | Additional Exposure |
Standard TCPA violation | $500 per call/text | Class action eligible |
Willful/knowing violation | $1,500 per call/text | Treble damages |
FCC forfeiture order | $2,500 per call | Regulatory action |
DNC violation (TSR/FTC civil) | Up to $50,120 | Federal enforcement |
State mini-TCPA (e.g., Connecticut) | Up to $20,000 | State AG enforcement |
To illustrate the financial scale: a mid-size collections operation sending 100,000 text messages to a list with consent documentation gaps faces potential liability of $50 million at the $500 standard rate — and $150 million if violations are deemed willful. These are not theoretical numbers; multiple nine-figure TCPA settlements have been reached in the debt collection industry over the past five years.
Do Not Call (DNC) Registry: Collections calls to numbers on the National DNC Registry without prior consent or an established business relationship are separate TCPA violations.
Regulation F (12 CFR Part 1006) was issued by the CFPB on November 30, 2020, and took effect on November 30, 2021 — the most significant update to federal debt collection regulation in more than 40 years. It does not replace the FDCPA; rather, it implements and modernizes the FDCPA for the realities of 21st-century communication channels, establishing specific rules where the statute was silent or ambiguous.
In 2025–2026, with the CFPB operating under reduced staffing and enforcement capacity due to budget disputes and organizational changes, the practical enforcement of Regulation F has shifted meaningfully toward state attorneys general and private litigation. The regulatory framework remains fully in force; what has changed is who is most likely to bring an enforcement action.
The Regulation F 7-in-7 Rule 7 calls in 7 days A debt collector is presumed to have violated the FDCPA prohibition on harassment if they call more than 7 times within a 7-consecutive-day period regarding a specific debt, OR call within 7 days after a telephone conversation with the consumer about that debt. This is a ceiling, not a quota. |
This distinction — ceiling, not quota — is one of the most common operational compliance failures. Operations leaders who treat the 7-in-7 rule as permission to make seven calls per week on every account will eventually face enforcement actions. The rule establishes a presumption of harassment; regulators retain authority to pursue violations at lower frequencies if other evidence of harassment is present.
Regulation F was specifically designed to address the reality that debt collection no longer happens exclusively by phone and letter. Key provisions include:
As federal enforcement has contracted, state-level debt collection regulation has expanded significantly. Organizations operating nationally must now maintain compliance frameworks that accommodate both federal rules and a growing body of state-specific requirements.
State | Key Additional Requirements | Notable Distinctions |
California | Rosenthal FDCPA — applies FDCPA to original creditors | Most expansive state law in the US |
New York City | NYC Admin Code — stricter contact limits and disclosures | Applies to NYC-based debtors |
Massachusetts | 209 CMR 18 — specific time restrictions and contact limits | Applies to first and third-party |
New York State | Consumer Credit Fairness Act — requires summons of service proof | Statute of limitations 3 years for credit card debt |
West Virginia | WVCCPA — adds private right of action with statutory damages | Allows $1,000+ per violation |
Texas | TDCA Finance Code 392 — covers first & third-party collectors | 4-year statute of limitations |
Technology does not solve a compliance gap — it operationalizes a compliance strategy. Organizations that deploy AI and automation correctly can significantly reduce violation risk while maintaining effective collection operations. Key applications include:
AI-driven contact management systems can enforce the 7-in-7 rule at the account level in real time, preventing agents or auto-dialers from exceeding permitted call attempts. These systems can also track the seven-day post-conversation lockout period, which is one of the most commonly violated Regulation F provisions.
Automated consent management platforms log prior express consent at the point of collection, track consent type (oral vs. written vs. electronic), and immediately flag revocations across all communication channels. In a compliance audit or litigation proceeding, this documentation is often the difference between a defensible position and a settlement.
Integration with the FCC’s Reassigned Numbers Database before each campaign prevents the most common source of TCPA exposure: calling a number that has been assigned to a new consumer since consent was obtained.
AI-powered QA platforms can score every agent interaction against FDCPA and Regulation F requirements in real time, flagging potential violations before they are completed and triggering supervisor review for high-risk interactions.
If your organization outsources any portion of your ARM operations, your compliance exposure does not transfer with the contract. BPOs can be held directly liable for FDCPA and TCPA violations, but client organizations are also frequently named in consumer lawsuits and CFPB complaints. When evaluating a third-party collections partner, require documentation and audit rights covering:
Regulation F creates a presumption of harassment if a debt collector calls a consumer more than seven times within a seven-consecutive-day period regarding a specific debt, or if they call within seven days after having a phone conversation with the consumer about that debt. Each debt is counted separately. The rule is a ceiling on presumed permissible contact, not a quota for expected contact volume.
Individual FDCPA violations carry statutory damages of up to $1,000 per action, plus attorney fees and any actual damages suffered. In class actions, the aggregate cap is $500,000 or 1% of the defendant’s net worth, whichever is less. Intentional, systemic violations can also trigger CFPB enforcement actions with broader financial consequences.
Yes. Third-party BPOs and collection agencies can be directly liable for TCPA violations they commit on behalf of a client. Client organizations can also face liability if they directed the BPO’s conduct or if the BPO was acting as their agent. This is why client organizations must conduct due diligence on BPO compliance systems and maintain audit rights over outsourced collections operations.
The federal FDCPA applies specifically to third-party debt collectors, not to original creditors collecting their own debts. However, several states — most notably California through the Rosenthal Act — have extended FDCPA-equivalent protections to original creditor collections. Organizations doing first-party collections must assess their exposure under applicable state laws.
AI can enforce TCPA compliance at scale by automating consent verification before each contact attempt, integrating with the FCC’s Reassigned Numbers Database to prevent contact with numbers that have been reassigned, tracking and enforcing consent revocations in real time across all channels, and monitoring contact frequency to prevent 7-in-7 violations. These systems reduce human error, which is responsible for the majority of TCPA violations in high-volume operations.