Compliance Calendar for Mortgage Loan Officers in 2026: TCPA, RESPA, and State Rules

Quick Answer

What compliance rules matter most for mortgage CRM usage in 2026?

The key federal regulations affecting mortgage CRM and communication workflows in 2026 are TCPA (consent before SMS/calls to leads), RESPA Section 8 (anti-kickback rules limiting Realtor co-marketing), HBPPA (the Homebuyers Privacy Protection Act, which effectively ended trigger leads), and state-specific rules on UDAAP, recording retention, and call dispositioning. A mortgage CRM should enforce these by default rather than leaving compliance to your training documents.

Mortgage compliance changes faster than most loan officers realize. New federal rules, state-level updates, and CFPB enforcement actions reshape how you can market, follow up, and communicate with borrowers each year. Your CRM should enforce these rules automatically — but it can’t if you don’t know what to look for.

This is the 2026 compliance calendar of changes that matter for your CRM configuration, your marketing sequences, and your daily LO workflow.

Federal-level rules that shape mortgage CRM workflows in 2026

TCPA — Telephone Consumer Protection Act

TCPA remains the dominant compliance constraint on outbound communications. The 2026 enforcement environment continues to focus on:

  • Express written consent required before automated SMS or robocalls to a cell number. Express consent means signed (electronic or paper) acknowledgment.
  • Do-not-call list scrubs on the federal DNC registry every 31 days minimum. State DNC lists also apply in many states.
  • Opt-out enforcement. When a recipient texts “STOP,” the system must stop sending within 30 seconds. Continuing to send after STOP is a per-message TCPA violation.
  • Revocation channels. Borrowers can revoke consent by any reasonable means — text, email, phone call, even verbal during a call. Your CRM needs to capture revocations from any channel and apply them universally.

What this means for your CRM: it should enforce TCPA at the platform level, not rely on your team to remember the rules. Every contact should have a consent timestamp, every opt-out should propagate within seconds, every campaign should automatically exclude DNC-listed numbers.

RESPA Section 8 — Anti-Kickback Rules

RESPA Section 8 prohibits payments, gifts, or things of value in exchange for referrals related to federally related mortgage loans. The 2026 CFPB enforcement focus has been particularly aggressive around:

  • Marketing service agreements (MSAs) between mortgage companies and real estate brokers. The agreement must reflect bona fide services at fair market value. The CFPB has fined LOs and lenders heavily for arrangements that don’t pass this test.
  • Co-marketing campaigns where mortgage and real estate brokers share marketing costs. Allowed if both parties pay a fair-market-value proportional share. Disallowed if one party is effectively subsidizing the other.
  • Gifts and entertainment. Strict limits on what mortgage professionals can give Realtor partners. Some states have additional restrictions.

What this means for your CRM: any Realtor co-marketing sequence should be configurable to track who paid what share of which campaign, with documentation that satisfies a RESPA audit. Generic CRMs don’t do this. Mortgage-built CRMs (BNTouch included) provide co-marketing infrastructure with RESPA-ready documentation.

HBPPA — Homebuyers Privacy Protection Act (NEW in 2025)

HBPPA effectively ended the trigger lead industry. Trigger leads were the practice of credit bureaus selling notifications when consumers had credit pulled for mortgages — letting competing lenders solicit borrowers in the middle of an active loan.

Under HBPPA, trigger leads are now banned for residential mortgage solicitation purposes. This has two implications for your CRM workflow in 2026:

  • You can no longer buy trigger leads. Lead acquisition channels that depended on trigger leads have to shift to other sources.
  • Your past clients are now safer, but you still need to defend them. Competitors can no longer trigger-lead your borrowers mid-application, but they can still credit-pull your past clients when those past clients shop refinances or new mortgages. Credit pull alerts (which monitor your own database, not the broader market) remain critical for past-client recapture.

What this means for your CRM: your CRM should have credit pull alerting on your past-client database (which is legal — you’re monitoring your own contacts) and should have removed any trigger-lead-based acquisition workflows.

UDAAP — Unfair, Deceptive, or Abusive Acts and Practices

UDAAP enforcement covers a wide range of practices including misleading advertising, hidden fees, deceptive loan terms, and pressure tactics. The CFPB’s 2026 focus areas have included:

  • Rate quote disclosures — APR vs note rate clarity
  • Discount point pricing transparency
  • Rate lock terms and what happens at lock expiration
  • Marketing claims around savings (must be substantiated)

Most of these are content-level rules — what you can say in marketing and disclosures. Your CRM should have a content library that’s been reviewed for UDAAP compliance, particularly for any pre-approval, rate quote, or savings-claim templates.

State-level rules that matter for mortgage CRM in 2026

State-level mortgage compliance varies significantly. The states with notable 2026 changes affecting CRM and communication workflows are:

  • California: CCPA/CPRA continue to require explicit privacy disclosures and consumer data access rights. Your CRM needs to support consumer data export and deletion requests.
  • New York: Telephone solicitation rules stricter than federal TCPA — narrower calling hours, additional disclosure requirements.
  • Florida: Mortgage Brokering Act amendments around licensing and disclosure for branch operations.
  • Texas: Recording retention rules and call-disposition standards for compliance with TX state mortgage licensing.
  • Washington and Oregon: Privacy-of-financial-data rules require encryption of contact records and audit trails.

What this means for your CRM: at minimum, your CRM should let you configure compliance settings at the branch or state level, with audit trails sufficient to satisfy state-specific examinations.

How to use this calendar throughout the year

Q1 (January-March): refresh consent documentation. Audit your past-client database for opt-outs and revocations from Q4. Update any campaign templates that have rate-related language for the new year.

Q2 (April-June): RESPA audit on co-marketing arrangements with Realtor partners. Renew any MSAs that need annual review. Update content library for the spring purchase season.

Q3 (July-September): state-specific rule review. Check for mid-year legislative updates in states where you do significant volume. Update CRM compliance settings accordingly.

Q4 (October-December): year-end audit prep. Verify TCPA opt-out tracking is current. Review HBPPA compliance on any acquisition channels. Update consent disclosures for the coming year.

What to look for in a compliance-ready mortgage CRM

If you’re evaluating mortgage CRMs against compliance requirements, ask these specific questions:

  1. Does the CRM track explicit TCPA consent timestamps for every contact, and does it block messaging until consent is verified?
  2. Does the CRM scrub against federal and state DNC lists automatically, and how often?
  3. When a contact texts STOP, does the opt-out propagate within seconds across all channels?
  4. Does the CRM support RESPA-compliant co-marketing documentation?
  5. Does the CRM enforce state-specific calling hours and disclosure requirements?
  6. Are audit trails complete enough to satisfy a CFPB or state regulator examination?
  7. Are compliance settings configurable at the branch level for multi-state operations?

If the answer to any of these is “no” or “we can build that,” compliance lives in your training documents, not the platform. The risk of an enforcement action is real and material: recent CFPB actions have averaged six-figure settlements.

Frequently Asked Questions

Does a mortgage CRM make me TCPA-compliant by itself?

No. The CRM enforces the technical rules (consent, DNC scrubs, opt-out propagation, calling hours) but you remain responsible for the substantive compliance — what you say in your messaging, whether your express consent disclosures are sufficient, whether your training is current. A good mortgage CRM removes the technical execution as a failure point.

How often should I run DNC scrubs on my database?

Federal TCPA requires scrubs at least every 31 days. Best practice is to run them weekly or to let your CRM scrub automatically before any campaign deployment. Many state DNC lists also apply and may require more frequent scrubbing.

Are credit pull alerts on my own past clients still allowed under HBPPA?

Yes. HBPPA banned trigger leads — the practice of buying credit-pull notifications on the broader market. Monitoring credit pulls on your own past-client database via a service that watches your specific contacts is not the same thing and remains legal. This is exactly what mortgage CRM credit pull alerts do.

What’s the difference between TCPA express consent and prior express written consent?

Express consent allows informational messages (loan status, document requests). Express written consent — signed, with TCPA-specific disclosure — is required for marketing messages including automated calls and texts about new loan products. Mortgage CRMs should distinguish between the two consent levels in the contact record.

How do state-level rules interact with federal TCPA?

Federal TCPA sets a floor. Most states have additional restrictions — narrower calling hours, additional disclosure requirements, separate state DNC lists. Where state law is stricter than federal, you must comply with the state rule. Your CRM should support state-level configuration for multi-state operations.

Artemiy Soldatov