TCPA Compliance for Financial Services: What Banks Need to Know

Two things changed at once for banks, insurers and broker-dealers, and together they rewrote the cost of a careless phone call. Federal regulators started examining TCPA compliance during routine bank exams. At the same time, plaintiff firms filed Telephone Consumer Protection Act (TCPA) cases at a pace the industry had never seen. A misdialed autodialer used to mean a lawsuit you might settle quietly. Now it can also mean a finding in your next examination.

Financial services sits in the crosshairs for a simple reason: large customer bases, heavy outreach programs and statutory damages that multiply fast. Many institutions assume their calls and texts are exempt because they involve a customer's account. That assumption is where the exposure starts.

This guide covers what financial institutions need to get right on TCPA compliance in 2026: the regulatory shift, the consent rules that actually apply, the narrow exemptions banks tend to overread and a practical way to keep a calling program compliant.

The short version

• Bank examiners now check TCPA compliance. The OCC, FDIC and NCUA fold it into routine exams, so a violation can surface in an audit, not just a lawsuit.
• Litigation is climbing steeply. TCPA filings rose 67% in 2024, and the vast majority were class actions.
• Exemptions are narrow. Fraud alerts and urgent account notices can qualify; marketing never does, even when it concerns an existing account.
• The math is unforgiving. Statutory damages run $500 per violation, or $1,500 if willful, with no cap, across thousands of calls.

Why regulators and plaintiffs both turned toward banks

TCPA is now an exam item

For years, TCPA risk lived almost entirely in the courtroom. That ended when the OCC, FDIC and NCUA revised their interagency examination procedures to cover the statute. OCC Bulletin 2023-35 lays out exactly what examiners now look for.

The procedures reach national banks, community banks, federal savings associations and the federal branches of foreign banks. Examiners verify that any institution doing automated telemarketing or texting has real policies, documented consent and a process for honoring revocation. They single out three areas in particular: how you handle consent revocation, the limited fraud-alert exemption and the safe harbor for checking the FCC's reassigned-numbers database.

The practical effect is a second front. A consent gap that once stayed hidden until a plaintiff found it can now show up in your exam file, where it shapes ratings and supervisory attention long before any class is certified.

The litigation curve went vertical

Plaintiff-side TCPA work has industrialized, and the numbers show it. Trackers recorded 2,788 TCPA filings in 2024, up 67% from 2023, with class actions making up roughly 85% to 95% of filings in the closing months of the year. The pace did not let up: January 2025 alone brought 268% more class actions than January 2024.

Many of these firms do nothing but TCPA litigation. They run monitoring operations to surface violations, and they gravitate toward defendants with deep customer lists and constant outreach. That description fits almost every bank, insurer and broker-dealer in the country.

What the settlements actually cost

The headline numbers explain why compliance leaders lose sleep. Capital One's $75.5 million settlement in 2014, then the largest in TCPA history, resolved claims that the bank and its collection agencies used autodialers to reach cell phones without consent. A decade later the pattern held: in 2024, Citibank agreed to pay $29.5 million over prerecorded calls placed to people who were not even its customers.

Those figures are not anomalies. They are arithmetic. Statutory damages run $500 per violation, or $1,500 for a willful one, and there is no cap. Multiply a modest per-call penalty across a campaign that touched hundreds of thousands of numbers and the exposure reaches the millions on its own.

What the TCPA actually requires of you

Express written consent, documented and specific

Before any auto-dialed call or prerecorded message goes out for a marketing purpose, a financial institution needs the recipient's prior express written consent. "Written" is doing real work in that sentence. A verbal yes on a recorded line is not the standard. You need a record that shows who consented, to what and when, kept long enough to produce in litigation years later.

Consent is also specific. Permission to contact a customer about a checking account does not authorize marketing a mortgage or a credit card. Broad, bundled language that tries to cover everything tends to cover nothing when a court reads it closely, so keep the marketing consent separate from your general terms and conditions.

Marketing versus informational: the line that decides everything

Most financial-services TCPA trouble traces back to one misread distinction. An account relationship does not make a message exempt; the content does.

Genuinely informational, pro-consumer messages are the ones that tend to qualify: fraud alerts, suspected-breach notices, identity-theft warnings and time-sensitive account issues such as a payment due date or a hold on the account. These exist to protect the customer, and regulators recognize that pausing a fraud alert to chase consent would hurt the very person the law protects.

Marketing is a different animal, and it is never exempt. Cross-sell offers, promotions, a pitch for a second product or a credit-card upsell all require consent, even when they reference the customer's existing account. The exemption serves the customer's interests, not the institution's sales goals, and it applies only where a real account relationship already exists. Prospecting to non-customers needs full consent, every time.

Texts count too, and the states are tightening

Broker-dealers and advisors routinely forget that the TCPA treats a text the way it treats a call. The same consent rules apply to the message you send a client from your cell phone, which is why many compliance teams now retain client texting consent even where the law arguably does not demand it.

State law is moving in the same direction, often faster than the federal rules. Texas SB 140, effective September 1, 2025, expanded the state's telephone-solicitation statute to cover text messages explicitly and added a private right of action under the state's deceptive-trade-practices law. It is one of a growing set of state mini-TCPA laws that a national calling program has to track alongside the federal statute.

Building a calling program that survives an exam

Compliance here is less about a single policy than a repeatable process. Three pieces carry most of the weight.

Consent you can prove. Capture marketing consent on its own, record exactly what the customer agreed to receive, timestamp it and retain it. When someone revokes, log the revocation and push it across every system immediately, because a stale record is its own violation.

Classification before the first dial. The safest calling program decides who is callable before anyone picks up the phone. AvairAI's one-click TCPA Compliance System screens each contact and sorts it into CAN_CALL_AI, CAN_CALL_MANUAL or CANNOT_CALL, so reps are not asked to apply the statute from memory mid-campaign. For a bank or broker-dealer, that screen should fold in the questions that matter here: is there an account relationship, is the message marketing or informational, is consent on file and documented, and does the number sit on any internal do-not-call list? Screening before the dial stops a violation before it happens instead of documenting one after.

People and audits. Technology screens the list; it does not train the staff. Reps still need to understand the marketing-versus-informational line, audits still need to test consent records and DNC hygiene on a schedule, and someone still needs a clear path for handling complaints and revocations when they arrive.

One point is specific to automated voice. Under the TCPA, AI and automated calling is limited to warm or opted-in contacts, never cold lists. For a financial institution, that is not a constraint to engineer around. Treating compliant AI calling as a narrow, consent-gated capability rather than a volume channel is the rule that keeps you out of the next class action.

The cost of treating this as an afterthought

Financial services carries more downside than most industries when a TCPA program slips. An examination finding compounds the litigation and reputational exposure, and reputational damage lands harder in a business that runs on trust. The institutions pulling ahead are the ones building compliance into the outreach itself rather than bolting it on after a complaint, which is the same instinct behind ethical, consent-first prospecting in financial services.

That is the case for an AI sales prospecting platform with compliance built into the workflow. AvairAI runs on Pain-Signal Targeting: it learns the problems your product solves, then finds the companies showing public evidence of those problems right now, and it runs precise, multi-channel campaigns that screen every contact for TCPA exposure before any outreach goes out, so your reps spend their hours on the conversations that close instead of second-guessing whether a number is safe to dial. The platform surfaces interested leads; your salespeople book and close them. Get the compliance layer right and outreach stops being a liability and starts being an advantage.