TCPA Compliance for Mortgage Loan Officers: 2026 Guide

The TCPA in plain English (what loan officers actually need to know)

The TCPA was passed in 1991 to stop unwanted telemarketing calls. Its core rule for loan officers in 2026 is unchanged from 2021: you cannot autodial or text a consumer’s cell phone for marketing purposes without their prior express written consent (PEWC). “Autodial” includes most modern dialer systems and any text platform that sends to multiple numbers automatically.

Manual one-to-one calls and texts (an LO typing a message to one borrower from their personal phone, not a bulk system) are not subject to the consent requirement. Everything routed through a CRM, dialer, or marketing automation platform is.

That distinction is the entire foundation of TCPA risk in mortgage. If your CRM sends an SMS to 200 past clients announcing a rate drop, every one of those 200 messages is a potential TCPA violation if any of those 200 borrowers did not give explicit, documented consent.

What “prior express written consent” actually means

Prior express written consent (PEWC) is a specific legal standard. To meet it, the consent must include all of the following:

1. Be in writing. Electronic agreements (e-signatures, form check-boxes) qualify. Verbal agreement does not.
2. Identify the seller. The consent must name the company sending the messages (not just “loan officer” generically).
3. Disclose the type of messages. Marketing texts and calls. Telemarketing is the operative word.
4. Disclose that consent is not required as a condition of purchase. The borrower must be allowed to apply for a loan even if they decline marketing messages.
5. Provide a way to opt out. Reply STOP, click an unsubscribe link, or call a number to be removed.
6. Be retained as an audit record. If you are sued, you need to produce the consent record for the specific borrower at the specific date.

The mortgage industry’s standard practice is to capture this consent in the demo request form, the rate quote form, or the loan application itself. The form needs the explicit checkbox or affirmative action and the disclosure language. A pre-checked box does not count.

Where the FCC “one-to-one consent” rule stands in 2026

In December 2023, the FCC issued a rule that would have required separate, “one-to-one” consent for each seller a borrower interacts with. The intent: stop lead-gen sites from selling a single consent to dozens of mortgage and insurance companies. The rule was set to take effect January 27, 2025.

On January 24, 2025, the U.S. Court of Appeals for the Eleventh Circuit vacated the rule in Insurance Marketing Coalition Ltd. v. FCC. The court held that the FCC exceeded its statutory authority. As of April 2026, the one-to-one consent rule is not in effect at the federal level.

What this means operationally (regardless of pending litigation)

The smart operator stance in 2026 is: build the workflow assuming one-to-one-style consent will eventually be enforced (federally or by state), and operate that workflow even though you are not legally required to today. The cost of building it is small; the cost of being unprepared if the regulatory environment tightens is large.

The 6-step TCPA-compliant workflow your mortgage CRM should run

Step 1: Capture explicit consent at the form fill

Every form that produces a lead must include an explicit consent checkbox tied to the specific company sending the messages. Sample disclosure language:

“By checking this box and clicking submit, I consent to receive marketing calls and text messages from [Company Name] at the phone number provided, including by autodialer or prerecorded voice. I understand consent is not required as a condition of obtaining a loan or service. Message and data rates may apply. Reply STOP to opt out at any time. View our [Privacy Policy] and [Terms of Service].”

Step 2: Store the consent record with timestamp + IP + form snapshot

The audit trail you need if sued: who consented, when, from what IP, and what consent language they saw. A modern mortgage CRM should capture and retain all four. Without the form snapshot specifically, you cannot prove what the borrower actually agreed to (the website may have changed since).

Step 3: Tag every contact with consent status before any outbound

Before a single SMS or marketing call goes out, the CRM should check: does this contact have valid consent on file? If no consent, the contact is excluded from all autodialed and text marketing automatically. Manual one-to-one calls remain allowed.

Step 4: Honor opt-outs in real time

Reply STOP must remove the contact from all marketing within minutes, not at the next batch send. The opt-out should propagate across SMS, email marketing, and dialer queues simultaneously. Re-subscribing requires fresh consent capture, not just removing them from the do-not-contact list.

Step 5: Apply contact frequency caps

TCPA does not specify a maximum contact frequency, but courts have viewed “harassment” patterns as evidence of bad faith. Industry standard is: no more than 3 marketing texts per week to a single contact, no more than 1 per day. Your CRM should enforce this cap automatically.

Step 6: Quarantine the dataset for compliance review

Once a quarter, run an audit: pull a sample of 20 contacts that received outbound marketing. Verify each one has documented consent on file with the disclosure language and timestamp. If you cannot produce the record, that contact has TCPA exposure. Either suppress or re-capture consent.

How mortgage CRMs handle TCPA (honest comparison)

The honest read: the mortgage-specific CRMs (BNTouch, Surefire, Total Expert, Bonzo) all handle the basics. They differ in audit-trail depth and opt-out latency. Generic CRMs (Salesforce-overlay or HubSpot) require custom configuration and ongoing legal review. If TCPA exposure keeps you up at night, a mortgage-specific CRM is meaningfully lower risk than a generic one.

Where the real risk hides (5 mistakes I see weekly)

1. Importing a “purchased” lead list and texting it

This is the highest-frequency violation. A loan officer buys a 5,000-name lead list and uploads it to their CRM, then runs a “rates dropped” SMS blast. Even if the seller claimed consent was captured, you (the operator of the dialer) are liable. Defense: only text contacts whose consent record YOU collected and YOU can produce in court.

2. Running a campaign to “old” past clients without re-consent

Consent is not lifetime. A consent capture from 2018 may not be enforceable in 2026, particularly if the consent disclosure didn’t anticipate current technologies. Best practice: refresh consent every 18-24 months for active marketing.

3. Texting from an LO’s personal phone “on behalf of the company”

If the LO’s personal SMS to one borrower is genuinely one-to-one and not a copy-paste of a marketing message sent to many, it’s outside TCPA. The moment the LO copies the same text to 10 borrowers using a CRM, the TCPA framework applies.

4. Forgetting state law

Florida, Oklahoma, Washington, and a growing list of states have mini-TCPAs that may exceed federal requirements. Operating in those states with a federal-only consent posture can create state-law exposure even if you are federally compliant.

5. Not honoring opt-outs across channels

Borrower replies STOP to your SMS. Two days later, your email automation sends them a marketing newsletter. They sue. STOP must propagate to SMS, email, calls, and direct mail in most interpretations. A CRM that only honors STOP for the SMS channel is a problem.

What changes if the FCC re-issues a one-to-one rule

The FCC has signaled they may revisit the one-to-one consent rule with revised statutory authority. If a new rule is issued and survives appeal, the operational change for mortgage shops is:

• Lead-gen sites can no longer sell a single consent to multiple mortgage companies. Each company must capture its own.
• Internet leads (LendingTree, Zillow, Bankrate model) become operationally harder; the lead vendor must facilitate a separate consent capture for each receiving lender.
• Mortgage shops that operate their own lead-gen channels (their own LO websites, their own ad campaigns to their own forms) are largely unaffected. They were already capturing direct consent.

The strategic implication: mortgage operations heavily reliant on third-party lead-gen sources have higher TCPA risk than operations that generate their own leads. Building owned lead-gen infrastructure (branded LO websites, paid ad funnels into your own forms) is both a marketing strategy and a compliance hedge.

What to do this week

1. Audit your forms. Pull every lead-capture form on your website and verify each has the explicit consent checkbox and full disclosure language. Pre-checked boxes do not count.
2. Pull a sample of 20 contacts who received outbound marketing in the last 30 days. Can you produce the consent record (form snapshot, IP, timestamp) for each? If not, suppress them and re-capture.
3. Test the opt-out flow. Have someone reply STOP to a marketing SMS from your CRM. Verify the contact is removed from SMS, email, dialer queue, and direct mail within 60 minutes.
4. Check state coverage. If you operate in Florida, Oklahoma, Washington, or other mini-TCPA states, confirm your consent disclosure meets the strictest applicable standard.
5. Schedule a quarterly review with your compliance lead or outside counsel. The TCPA landscape is shifting and a 30-minute quarterly check is much cheaper than a class-action defense.

Frequently Asked Questions