HBPPA Considerations for IMB Lenders: An Operational Walkthrough

TL;DR: HBPPA compliance for the average IMB takes about 30 minutes to understand. Operational alignment takes about 30 days. The legal text is short. The work is in matching every customer-contact moment to a documented exemption (originator-of-record, servicer, depository institution, or documented opt-in consent), and proving it if challenged. None of this is legal advice — every item below should be pressure-tested with counsel.

HBPPA considerations: an operational walkthrough for IMB ops directors and compliance officers

This is the expanded operational detail behind the eight-item considerations checklist in our HBPPA pillar. The pillar covers the “what” in a paragraph each. This covers the “how” with example scenarios so the ops team can run the alignment without re-reading the bill text every time.

HBPPA’s enforcement is FCRA-based, which means civil penalties exist and consumer disputes can trigger investigation. Compliance is operational, not theoretical. The specifics matter.

Consideration 1: third-party data broker contracts

The question: Are you still buying trigger leads from any third-party data broker, lead aggregator, or repackager?

What to look for: Existing SOWs that reference “trigger leads,” “credit-pull-based leads,” “shopping signals from credit bureaus,” or any product that delivers consumer contact information triggered by a residential mortgage credit inquiry. Some vendors have rebranded post-HBPPA without changing the underlying data flow. The legal status of repackaged or stockpiled trigger-lead data is unclear, but the safest path is to assume it’s prohibited unless the vendor can document either (a) the consumer’s opt-in consent or (b) your existing relationship with the consumer.

Action: Pull every active lead-vendor contract. Identify which products are trigger-lead-derived. Renegotiate or terminate. For replacement products that claim HBPPA compliance, ask the vendor for written documentation of how they’re satisfying the exemption.

Consideration 2: opt-in form consent language

The question: Do your existing opt-in lead capture forms collect documented authorization that satisfies HBPPA’s “documented opt-in” standard?

What to look for: Generic consent like “I agree to be contacted” or “I agree to terms” likely doesn’t meet the standard. The consumer needs to affirmatively consent to receive solicitations from third parties about residential mortgages, and the consent has to be on file in a way that can be produced if disputed.

Action: Audit the consent language on every form (refi calculator, rate-watch tool, home-value tracker, contact form, demo request). Run the language past counsel. The ones that don’t meet the standard either get rewritten or get treated as relationship-maintenance only (no third-party solicitation).

Consideration 3: borrower-by-borrower exemption documentation

The question: For each borrower in your active book, can you document which exemption applies? (Originator of record, current servicer, depository institution with current account, or documented opt-in.)

Why it matters: The exemption-eligibility documentation is what protects you if a borrower disputes contact. If a consumer files an FCRA complaint and the lender can’t produce evidence of which exemption applied to the contact, the lender is exposed.

Action: Tag every borrower in the CRM with the exemption category. Most CRMs (including BNTouch) support custom fields for this. Build a flag like hbppa_exemption with values originator_of_record, servicer_of_record, depository_relationship, documented_opt_in, or none. Borrowers tagged none don’t get solicited.

Consideration 4: servicing rights and originator-of-record continuity

The question: If you sold servicing rights, does your originator-of-record claim still hold?

The legal nuance: The originator-of-record relationship is generally considered persistent — you originated their loan, you’re the originator of record, period. Selling servicing rights to an aggregator doesn’t terminate the originator relationship. But this depends on contract language. Some servicing-sale contracts include non-solicitation clauses that may restrict your ability to contact the borrower for refi solicitation, even though HBPPA’s exemption technically applies.

Action: Pull your servicing-sale agreements. Identify any non-solicitation clauses. If present, the contract may bind you more tightly than HBPPA does. Review those clauses with counsel.

Consideration 5: TCPA + PEWC compliance is separate and still applies

The question: Do your text and call scripts comply with TCPA prior-express-written-consent requirements?

The context: HBPPA doesn’t change TCPA. The two laws operate independently. The FCC reinstated the prior-express-written-consent (PEWC) standard on August 29, 2025, and pushed the revoke-all rule to January 31, 2027. Your scripts and consent records still need to be TCPA-clean even when the HBPPA exemption is satisfied.

Action: Audit your text/call consent records separately from the HBPPA exemption documentation. A borrower can have an HBPPA-exempt relationship with you AND have revoked TCPA consent. Both have to be respected. For the related 10DLC compliance layer on text messaging specifically, our 10DLC registration walkthrough covers what’s required.

Consideration 6: vendor SOW renegotiation for post-HBPPA volume

The question: Are your lead-vendor contracts renegotiated for the post-HBPPA volume drop?

What changes: Vendors that were charging based on monthly trigger-lead volume are now selling a smaller pool of compliant leads (opt-in only). Pricing should reflect this. Some vendors are quietly trying to keep flat fees with reduced delivery; catching that is the point of the contract review.

Action: Audit every vendor’s monthly delivery volume vs. contracted minimums. Vendors falling short have to renegotiate or refund. Vendors whose product changed materially may need new SOWs.

Consideration 7: database hygiene as a compliance prerequisite

The question: Is your database clean and segmented enough to support HBPPA-compliant outreach?

Why it’s a compliance issue, not just an operations issue: If your database has bad email addresses, stale phone numbers, or duplicated records, you risk contacting someone who isn’t actually the borrower of record (e.g., the phone number now belongs to a different person). That contact may not be HBPPA-exempt under the existing-relationship rule because the contact information is no longer connected to the original borrower.

Action: Run a data-hygiene pass: email validation, phone-number verification, and address-of-record updates. Mark records that fail validation as do_not_contact until verified.

Consideration 8: incident-response plan

The question: Do you have an incident-response plan if a borrower complains about being contacted post-pull?

What FCRA enforcement looks like: A consumer complaint triggers a CFPB or state-AG inquiry. The lender is asked to produce documentation of the exemption category that applied to the contact. If the documentation is solid, the inquiry typically closes. If it’s not, civil penalties and corrective-action requirements can follow.

Action: Document the incident-response playbook in a single-page SOP: who handles the inbound complaint, what evidence gets pulled (CRM records, exemption tag, consent record, contact log), and what the timeline is for response. Train the customer-service team and the LOs on the playbook.

What you don’t need to do

HBPPA generated a lot of noise from compliance vendors trying to sell new products. Some of that noise is overengineering. You don’t need:

  • A separate HBPPA-specific compliance platform (your existing CRM and consent-management system already handle the relationship-tagging if configured).
  • To re-onboard every existing borrower with new opt-in consent (the existing-relationship exemption applies to relationships that pre-date HBPPA).
  • To restrict all borrower contact to inbound-only (HBPPA doesn’t prohibit outreach; it restricts the trigger-lead source of contact).

The work is in alignment, not in adding new tooling on top.

Common questions

What are the actual civil penalties under HBPPA?

HBPPA enforcement is through the existing FCRA framework. FCRA Sections 616 and 617 specify penalties for willful and negligent non-compliance, including actual damages, statutory damages up to $1,000 per violation, and potential punitive damages for willful violations. The CFPB and state attorneys general have enforcement authority. Consult counsel for specifics on your state.

Can I be sued by an individual borrower?

FCRA includes a private right of action. Yes, individual consumers can sue for FCRA violations, including HBPPA-related ones. This is one reason exemption documentation matters: it’s the defense against private-action claims as well as regulatory enforcement.

What if a borrower opts out after I’ve already contacted them?

Honor the opt-out immediately. Mark the record as do-not-contact in the CRM. Continued contact after a documented opt-out is a separate violation under TCPA and possibly state-level consumer-protection law. The opt-out should propagate across all communication channels (email, text, call).

Does the existing-relationship exemption have a time limit?

HBPPA’s text doesn’t specify a time-decay for the existing-relationship exemption. For the originator of record, the relationship is persistent unless terminated by a non-solicitation contract clause or borrower opt-out. In practice, a 5-7 year relationship-maintenance window is reasonable; beyond that, the relationship signal weakens and counsel may recommend treating the contact as new outreach requiring opt-in.

The downloadable considerations checklist (PDF)

A printable single-page version of this checklist is available for ops directors and compliance officers to run against their stack. Email-gated; entering your email subscribes you to the BNTouch monthly compliance update, which you can opt out of any time.


Related reading: RESPA Section 8 and co-marketing compliance, 10DLC registration step-by-step, BNTouch Enterprise CRM for IMB compliance workflow.

Yuri Polukeev