TCPA Compliance for Mortgage CRMs in 2026: What Every Loan Officer Needs to Know.
1. What TCPA actually is
The Telephone Consumer Protection Act (TCPA) is a federal law passed in 1991 to regulate how businesses contact consumers via phone, fax, and (later) text message. The law has been amended multiple times, most recently with the FCC’s 2024 ruling that took effect in 2026 establishing the 1:1 consent rule.
For mortgage loan officers, TCPA matters because the law governs three things you do every day:
- Outbound calls and texts to leads or past clients. Including calls to mobile numbers that are on the national Do Not Call list.
- Automated dialing systems and pre-recorded messages. The use of an Automatic Telephone Dialing System (ATDS) triggers stricter consent rules.
- SMS marketing campaigns. Bulk texting to your database is regulated under both TCPA and the more recent 10DLC carrier registration framework.
2. The 1:1 consent rule (2026 update)
The FCC’s 1:1 consent rule represents the biggest TCPA change since the law was first written. As of 2026, you can no longer rely on “general” consent for marketing calls or texts. Each consumer must give consent for each individual seller they want to be contacted by.
What changed in practical terms
Before 2026, a borrower who clicked a “lead form” on a comparison site might have been sharing their information with 50 different lenders, all of whom received that consent as a marketing opt-in. The new rule requires that consent be granted to one seller at a time, with each seller named explicitly in the consent language.
For mortgage brokers and lenders who buy leads from third-party generators, this is a fundamental change. A lead-gen list with consent obtained for “our partners” or “lenders we work with” no longer counts as compliant TCPA consent for you specifically.
What this means for your forms
Every form your borrower fills out (your website, your landing pages, your lead-capture flows) must include consent language that explicitly names your business, the type of communications they’re consenting to, and any automated dialing technology you use to send them. The phrase that meets the rule is roughly:
The exact wording can vary, but the four required elements are: your business name, the type of communications, mention of automated technology if used, and the opt-out mechanism.
3. 10DLC carrier registration explained
10DLC stands for “10-Digit Long Code” — the standard 10-digit phone number you use to send and receive SMS in the US. Beginning in 2023 and now fully enforced in 2026, US carriers (AT&T, Verizon, T-Mobile) require business senders to register their 10DLC numbers through The Campaign Registry (TCR) before any business SMS can be delivered.
If you’re sending texts to borrowers from an unregistered 10DLC, the carriers may filter, throttle, or outright block your messages. You may not even know your texts aren’t being delivered.
What 10DLC registration requires
- Brand registration: your legal business name, EIN or tax ID, business address, vertical (mortgage / financial services), and a brief description of your messaging use case.
- Campaign registration: a description of the types of messages you’ll send (lead nurture, status updates, marketing, customer service), expected volume, and sample message content.
- Throughput tier: based on your trust score (a function of brand verification + campaign vetting), you’re assigned a throughput limit measured in messages per second.
Why most solo LOs aren’t registered
10DLC registration costs $4-100/month per campaign through TCR plus a one-time vetting fee, and the paperwork is non-trivial. Most solo LOs and small mortgage brokers have skipped it, which means their carrier-level message deliverability is degrading silently. A platform that handles 10DLC registration on your behalf solves both the compliance and deliverability problems at once.
4. Fine structure and real enforcement cases
TCPA fines are assessed per violation. Each individual non-compliant call, text, or fax counts as one violation. The fine ranges:
| Violation type | Fine range | Notes |
|---|---|---|
| Standard violation | $500 per call/text | Default amount under 47 U.S.C. § 227(b)(3) |
| Knowing or willful violation | Up to $1,500 per call/text | Tripled if the court finds the violation was intentional |
| DNC list violation | $500-$1,500 per call | Calling a number on the National Do Not Call Registry |
| Automated dialer (ATDS) violation | $500-$1,500 per call | Using an automatic dialer without express written consent |
The fines compound fast. A single bulk SMS campaign sent to 1,000 borrowers without proper consent could expose you to $500,000 to $1.5M in statutory damages, before legal fees.
Recent enforcement cases
Mortgage broker pays $4.1M for unsolicited texting
A mortgage brokerage operating in the Southeast settled a TCPA class action in 2024 for $4.1 million. The class action was filed by a borrower who received four marketing texts after being on the company’s “marketing exclusion” list. The case turned on the absence of an audit trail showing the borrower had been removed.
Lender fined $300K for missing consent records
A regional lender was fined $300,000 by the FCC after multiple complaints from borrowers who received automated calls. The lender claimed the borrowers had consented through a partner’s website. They could not produce the timestamped consent records, which is what the law requires. No records, no defense.
Lender wins TCPA case on documented consent
A national lender successfully defended against a TCPA suit filed by a borrower claiming unwanted texts. The defense produced an audit trail showing the consent capture (timestamp, IP address, source URL, exact form language), the borrower’s two subsequent confirmations, and the system log of every message sent. Case dismissed at summary judgment. The audit trail was the win.
5. The 5 most common ways LOs violate TCPA
- Texting from a personal cell phone. No documented consent capture, no opt-out logging, no audit trail. The borrower’s right to opt out via STOP is technically respected, but you have no record proving it. Every text from a personal phone is a TCPA exposure.
- Calling a number on the DNC list. Without a recent DNC scrub against your outbound list, you’re likely calling at least 1-3% of borrowers who have registered their number on the National Do Not Call Registry. Each call is a $500-$1,500 violation.
- Reusing pre-2026 consent records. Consent obtained under the old “shared consent” rules from lead-gen partners is no longer valid for marketing under the 1:1 rule. If your CRM is full of borrowers acquired through Zillow or LendingTree partnerships, a portion of those records require re-consent.
- Failing to honor STOP requests. A borrower texts STOP, and your CRM still allows you to send them future messages. The opt-out has to be processed within 10 business days under the FCC rules; many CRMs don’t enforce this automatically.
- Generic disclosure language on lead forms. Forms that say “By submitting, you agree to be contacted by our partners” don’t meet the 1:1 consent rule. The consent must name you specifically.
6. What TCPA-compliant mortgage outreach actually looks like
In practice, TCPA compliance for mortgage outreach comes down to four operational requirements. None are optional under the current rules.
The non-negotiable compliance checklist
- Consent capture at the source. Every form, every call recording, every signed agreement explicitly captures consent with timestamp, IP, source URL, and the exact consent language presented to the borrower.
- 10DLC carrier registration completed. Brand and campaign registered with The Campaign Registry. Trust score validated. Throughput tier confirmed.
- DNC list scrubbing on every outbound. National Do Not Call Registry scrubbed against your outbound list within the last 31 days, with state DNC lists for states that maintain them.
- STOP/HELP automation. Inbound STOP messages immediately move the contact to opt-out status, blocking all future automated outreach. HELP messages return the required disclosure language.
- Outbound time windows. Marketing calls and texts are restricted to 8 AM to 9 PM in the recipient’s local time zone.
- Audit trail per message. Every outbound message logged with consent reference, send time, content, delivery status, and any opt-out interactions.
A platform that handles all six requirements automatically is the difference between TCPA exposure and TCPA compliance. A platform that handles three of the six is just exposure with extra steps.
7. The audit trail TCPA defense lawyers ask for
If a borrower files a TCPA suit, the first thing your defense attorney will ask for is the consent and communications audit trail. The case usually turns on whether the audit trail exists and what it shows.
What a defensible audit trail looks like
- Consent capture record: form data, timestamp, IP address, source URL (which page captured the consent), exact consent language displayed at the moment of submission.
- Communication log: every outbound call, text, and email logged with timestamp, channel, content, sender, recipient, delivery status, and consent reference.
- Opt-out events: any STOP, HELP, or unsubscribe action recorded with timestamp and the action the system took in response.
- Contact frequency: demonstrable that the borrower’s communication preferences were respected, including frequency caps and time-of-day restrictions.
- Source provenance: if the lead came from a third-party generator, evidence that the consent obtained on the partner’s form named your business specifically (under the 1:1 rule) or that you obtained re-consent before contacting.
The audit trail isn’t something you assemble after a complaint. It needs to exist continuously, automatically, on every contact. Trying to reconstruct it after a complaint is filed is what produces the $4.1M settlements above.
8. Do Not Call list scrubbing for mortgage outreach
The National Do Not Call Registry has roughly 250 million registered phone numbers. The Federal Trade Commission requires telemarketers to scrub their outbound lists against the registry every 31 days, and state DNC lists where applicable.
Two layers of DNC compliance
- Federal DNC list: maintained by the FTC. Free for consumers to register, paid access for businesses. List scrubs run via a recognized service (or via your CRM’s built-in scrubber).
- State DNC lists: 11 states maintain their own DNC registries with state-specific rules. Some require additional registration. Scrubbing only the federal list leaves you exposed in those states.
For mortgage outreach, the DNC rules apply to all marketing calls. Established business relationship (EBR) exemptions (calls to existing customers) are allowed but with strict definitions: the relationship has to be active, the borrower hasn’t asked to stop being contacted, and the call has to relate to the existing relationship.
10. How BNTouch handles TCPA in the platform
This is a pillar page, not a sales pitch. But it would be incomplete without explaining what TCPA-compliant mortgage outreach looks like in practice. Here’s what BNTouch builds in by default, since the alternative (assembling compliance across 4-5 separate tools) is what produces most of the violations above.
- Consent capture at lead entry. Every form across BNTouch landing pages and lead-capture flows captures TCPA-compliant consent with timestamp, IP, source URL, and the exact consent language displayed.
- 10DLC registration handled. BNTouch runs the brand and campaign registration with The Campaign Registry on behalf of users. Throughput tier confirmed before SMS goes live.
- DNC scrubbing automated. National DNC list scrubbed continuously. State DNC lists scrubbed for relevant states. Outbound to scrubbed numbers blocked at the platform layer.
- STOP/HELP automation built in. Inbound STOP moves the contact to opt-out within seconds and blocks all future outreach. HELP returns the required disclosure language automatically.
- Time-window enforcement. Marketing messages restricted to 8 AM-9 PM in recipient time zone. The system queues messages for the appropriate window automatically.
- Audit trail per message. Every outbound logged with full provenance. Exportable for legal defense at any time.
For LOs running marketing from a personal cell phone, a generic CRM, and an unregistered text platform, the gap between current state and the checklist above is the exposure. For LOs running BNTouch, the checklist is the default, not the configuration step.
11. FAQs
Does TCPA apply to texts to past clients?
Yes. Past clients are covered by the same TCPA rules as new prospects. The exception is the established business relationship (EBR) exemption, which permits some marketing communications to existing customers, but only within strict limits and only if the borrower has not asked to be excluded. Most LOs are safer treating past clients exactly like prospects: documented consent at every step.
Is voicemail covered by TCPA?
Yes, including ringless voicemail (RVM) drops. Multiple federal court rulings have confirmed that ringless voicemail counts as a “call” under TCPA, requiring consent. The “ringless” technology does not exempt the message from TCPA scrutiny.
What about calls vs texts? Are the rules different?
Different in detail, similar in principle. Both require prior express written consent for marketing communications using automated technology. Calls are also subject to DNC list rules; texts are also subject to 10DLC carrier registration. The consent capture and audit trail requirements are essentially the same.
If I’m calling manually (no automated dialer), do I still need consent?
For DNC purposes, yes. Calls to numbers on the National Do Not Call Registry require an established business relationship or written consent, regardless of whether the call is manual or automated. The dialer rules add additional consent requirements on top of DNC, but DNC applies to all telemarketing calls.
How long does consent last?
TCPA consent does not have a fixed expiration date in the law itself. As a practical matter, the safest approach is to refresh consent if the contact has been dormant for 12+ months, and absolutely required to refresh consent obtained under the pre-2026 “shared consent” rules to meet the new 1:1 standard.
What if a borrower replies to one of my texts? Does that count as consent?
An inbound reply to an existing conversation is generally treated as continued engagement, not as new consent. If the original consent was inadequate, a reply does not retroactively cure the violation. Inbound replies to a non-consented outbound do not establish consent for future marketing.
Can I rely on my CRM to handle TCPA for me?
Depends entirely on the CRM. Some platforms (BNTouch is one) build TCPA compliance in by default with the six checklist items above. Other platforms (generic CRMs, personal cell phones, file folders) put the burden on the LO. If your current setup doesn’t have automated consent capture, automated 10DLC registration, automated DNC scrubbing, automated STOP/HELP, and automated audit trail, you are doing TCPA compliance manually whether you realize it or not.
What about compliance for marketing emails?
Email marketing is governed by CAN-SPAM, not TCPA. The two laws have different requirements. CAN-SPAM is generally less strict than TCPA but still requires opt-out mechanisms and accurate sender identification. Most email marketing platforms handle CAN-SPAM compliance by default; the TCPA requirements above apply specifically to calls and texts.
TCPA exposure isn’t a future problem. It’s the texts you sent yesterday.
Free demo. We’ll walk through your current outbound setup and identify where TCPA exposure exists today.
Get a free demo