AInora
US Regulatory Compliance Guide

FDCPA & TCPA Compliance for AI Voice Agents

AI does not create exceptions to consumer protection law. Every FDCPA provision, TCPA consent requirement, and Regulation F frequency limit applies to your AI voice agent exactly as it applies to a human collector.

This guide covers what you must configure before deploying AI for US debt collection.

Try Live Demo: +1 (332) 241-0221AI Debt Collection Overview

Four Layers of US Regulation

AI debt collection in the US operates under four overlapping regulatory frameworks. Non-compliance with any single layer exposes you to lawsuits, fines, and operational bans.

FDCPA

Fair Debt Collection Practices Act

The baseline federal law. Governs how, when, and where collectors can contact consumers. Mini-Miranda disclosures, calling hours, harassment limits, validation of debt, and third-party disclosure rules.

TCPA

Telephone Consumer Protection Act

Regulates the technology used to make calls. Prior express consent for automated calls, ATDS restrictions, DNC registry compliance, and revocation of consent. Statutory damages of $500-$1,500 per call.

Reg F

CFPB Regulation F

The 2021 implementation of the FDCPA. Adds the 7-in-7 call frequency rule, limited-content message provisions, electronic communication rules, and harassment presumptions.

State

State-Level Laws

Most states have their own debt collection and telecom laws that exceed federal protections. All-party consent states, mini-TCPAs, broader ATDS definitions, and additional licensing requirements.

FDCPA Requirements for AI Voice Agents

Six FDCPA provisions that directly impact how your AI voice agent operates. Each must be programmed into the system - not left to chance.

1692d
15 USC 1692d

Harassment & Abuse Prohibition

AI voice agents must never use threatening language, profanity, or intimidation. The system cannot call repeatedly to annoy or harass. Under Regulation F, this means no more than 7 call attempts per debt within a 7-day period, and no calls within 7 days of a live conversation. Your AI must track every attempt across all channels and enforce these limits automatically.

1692e
15 USC 1692e

Mini-Miranda Warning

Every call must include the Mini-Miranda disclosure: the AI must identify the caller as a debt collector, state that the call is an attempt to collect a debt, and that any information obtained will be used for that purpose. This disclosure must happen at the start of every call - not buried in a fast-paced script. The AI voice must deliver it clearly and at a natural pace.

1692c
15 USC 1692c

Calling Hours & Contact Restrictions

AI agents can only call between 8:00 AM and 9:00 PM in the consumer's local time zone - not the collector's. This means your AI must resolve the debtor's time zone from their area code or address before dialing. If the consumer is represented by an attorney, the AI must contact the attorney instead. Calls to the consumer's workplace are prohibited if the employer disapproves.

1692c(c)
15 USC 1692c(c)

Cease-and-Desist Compliance

If a consumer requests in writing (or verbally during a call) that the collector stop contacting them, the AI must immediately flag the account and suppress all future automated contact. The system may only send one final notice confirming cessation or advising of specific remedies. Your AI must be trained to recognize cease-and-desist requests in natural conversation - not just keyword matching.

1692g
15 USC 1692g

Validation of Debt

Within 5 days of initial contact, the consumer must receive a written notice containing: the amount of the debt, the name of the creditor, a statement that the debt will be assumed valid unless disputed within 30 days, and the right to request verification. If the AI makes the first contact, it must either deliver this information verbally and follow up in writing, or ensure the written notice is sent within the 5-day window.

1692b
15 USC 1692b

Third-Party Disclosure

AI voice agents must never disclose the existence of a debt to third parties. If someone other than the consumer answers the phone, the AI must only identify itself and request a callback - never mention debt collection. This requires sophisticated speaker identification or verification questions before any debt-related discussion begins.

See how AI debt collection works in practice
$500 - $1,500 Per Violation

TCPA: The High-Stakes Law for AI Callers

AI voice agents use "artificial or prerecorded voice" technology by definition. That triggers TCPA consent requirements regardless of whether your system qualifies as an ATDS.

Prior Express Consent

The TCPA requires prior express consent before placing automated or prerecorded voice calls to any telephone number. For debt collection calls, this means "prior express consent" (not written consent) for informational calls, but "prior express written consent" for calls that include marketing content. AI voice agents are unambiguously "prerecorded or artificial voice" technology - there is no gray area here.

ATDS Definition & Implications

The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the ATDS (Automatic Telephone Dialing System) definition to systems that generate random or sequential numbers. However, many state TCPAs use broader definitions. If your AI system auto-dials from a list, it may not be an ATDS under federal law, but could be under California, Florida, or Washington state law. Always analyze both federal and state ATDS definitions.

DNC Registry Compliance

Before any outbound call, the AI must scrub numbers against the National Do Not Call Registry (updated every 31 days), your internal DNC list (immediate effect), and any state-specific DNC lists. Calls to numbers on the DNC registry can result in fines of $500-$1,500 per violation. Your system must maintain real-time DNC checking with zero tolerance for stale data.

Safe Harbor Provisions

The FCC provides limited safe harbor protections for collectors who can demonstrate: the number was provided by the consumer, the caller had no reason to know it was reassigned, and a single call was made after discovering reassignment. To benefit from safe harbor, maintain detailed logs of how each number was obtained, when consent was given, and implement reassigned number databases (like the FCC's Reassigned Numbers Database).

Cell Phone vs. Landline Rules

The TCPA applies stricter rules to cell phone calls than landlines. Automated or prerecorded calls to cell phones require prior express consent even for non-marketing calls. Since most consumers now use cell phones as their primary number, AI voice agents must treat every outbound call as a cell phone call unless you can verify the number type. Use carrier lookup APIs to confirm before dialing.

Revocation of Consent

Consumers can revoke consent at any time through any reasonable means - including verbally during an AI call. The FCC has ruled there are no magic words required. Your AI must recognize phrases like "stop calling me," "take me off your list," "don't call again," and similar natural language variations. Once revoked, all automated contact must cease immediately. Log the revocation with a timestamp and audio reference.

Effective November 2021

Regulation F: Frequency Limits & Electronic Rules

The CFPB's Regulation F modernized the FDCPA for digital communication and established concrete call frequency limits. These rules directly constrain AI voice agent behavior.

7-in-7 Rule
Regulation F

7-in-7 Rule

Regulation F limits debt collectors to 7 telephone call attempts per debt within a 7-consecutive-day period. After a live telephone conversation, no further calls for 7 days. This applies per debt, not per consumer - if a consumer has 3 debts, the collector could theoretically make 21 calls in 7 days (though this invites harassment claims). Your AI must track attempts at the individual debt level.

Communication Frequency
Regulation F

Communication Frequency

Beyond the 7-in-7 phone limit, Regulation F caps total communications. Emails, text messages, and social media messages each count. The regulation creates a "rebuttable presumption" of harassment if you exceed the limits. Your AI system must aggregate contact attempts across all channels - phone, email, SMS - and enforce a unified frequency cap.

Electronic Communications
Regulation F

Electronic Communications

Regulation F permits debt collection via email, text, and social media, but with strict requirements: every electronic message must include an unsubscribe mechanism for that specific channel, the collector must not communicate via a medium visible to the general public (no Facebook wall posts), and the consumer must have used the email or phone number for the specific channel. AI systems sending follow-up texts or emails after calls must comply with these channel-specific rules.

Limited-Content Messages
Regulation F

Limited-Content Messages

Regulation F created "limited-content messages" - voicemails that contain only: a business name (that does not indicate debt collection), a request to reply, the name of a natural person to contact, and a phone number. These are not considered "communications" under the FDCPA, so they do not trigger the Mini-Miranda requirement. Your AI can leave limited-content voicemails without disclosing the debt collection purpose.

Time and
Regulation F

Time and Place Restrictions

Regulation F reaffirms the 8 AM - 9 PM calling window in the consumer's local time and adds that collectors must not contact consumers at times or places known to be inconvenient. If a consumer says "don't call me at work" or "don't call before noon," the AI must log and respect that preference. These per-consumer overrides must be stored and enforced in real time.

CFPB Guidance

“No Exceptions for New Technologies

The Consumer Financial Protection Bureau has made its position unambiguous: AI-powered debt collection must comply with every existing consumer protection law. There is no innovation exception, no technology safe harbor, and no grace period for novel approaches.

In its 2023-2024 guidance, the CFPB specifically addressed AI in financial services, stating that companies are responsible for the actions of their AI systems just as they would be for human employees. If your AI violates the FDCPA, your company violated the FDCPA. If your AI makes a TCPA-noncompliant call, the statutory damages apply to your company.

The Bureau has also targeted “dark patterns” in AI communications - systems designed to confuse consumers about their rights, pressure them into payments, or obscure required disclosures. AI that speaks too fast during the Mini-Miranda, buries opt-out language, or fails to recognize cease-and-desist requests is a CFPB enforcement target.

Key takeaway for AI deployers:

Your AI vendor's compliance claims are not your shield. The CFPB holds the deploying company responsible. You must independently verify that your AI voice agent complies with FDCPA, TCPA, Regulation F, and all applicable state laws before making a single call.

How to Configure AI Voice Agents for Compliance

Six systems your AI platform must implement before making a single collection call. If any is missing, you are not ready to deploy.

Timezone-Aware Calling Engine

Map every consumer phone number to a time zone using area code databases and carrier lookups. Enforce 8 AM - 9 PM windows in the consumer's local time. Account for daylight saving transitions. Block calls automatically outside permitted hours - no manual override possible.

Real-Time DNC Scrubbing

Integrate the Federal DNC Registry (refreshed every 31 days), state-specific DNC lists, and your internal suppression list. Check every number against all lists before the AI dials. Implement webhook-based updates for internal DNC additions - zero latency between consumer request and suppression.

Consent Management Platform

Track consent status per consumer, per channel, per debt. Record how consent was obtained (written, verbal, web form), when, and the exact language used. Support instant revocation through any channel. Maintain audit-ready consent records with immutable timestamps.

Call Recording & Disclosure

Record every AI call for compliance and quality purposes. Implement call recording disclosure at the start of each call - required in all-party consent states (California, Florida, Illinois, and 8 others). Store recordings encrypted with role-based access. Retain per your document retention policy (typically 3-7 years for debt collection).

Frequency Cap Enforcement

Track every contact attempt - calls, voicemails, emails, texts - at the per-debt level. Enforce Regulation F's 7-in-7 rule automatically. After a live conversation, block further calls for 7 days on that debt. Aggregate cross-channel contacts to avoid harassment presumptions.

Complete Audit Trail

Log every AI decision: when the call was attempted, what disclosures were made, what the consumer said, how the AI responded, and the outcome. Store call transcripts, recordings, consent records, and DNC checks in a single queryable system. This is your defense in any TCPA or FDCPA lawsuit.

State-Level Regulations Snapshot

Federal law is the floor, not the ceiling. These four states illustrate how state regulations add layers of complexity that your AI must handle per-jurisdiction.

CA

California

  • Rosenthal Fair Debt Collection Practices Act extends FDCPA protections to original creditors
  • All-party consent for call recording (Cal. Penal Code 632)
  • CCPA/CPRA grants consumers right to know what data is collected and right to delete
  • California mini-TCPA (broader ATDS definition than federal)
  • No calls before 8 AM or after 9 PM Pacific Time
  • Debt collection licensing required (California DFPI)
NY

New York

  • NYC Department of Consumer and Worker Protection licensing required
  • NYC rules prohibit deceptive, unconscionable, or threatening practices
  • One-party consent for call recording (NY Penal Law 250.00)
  • New York City has additional calling hour restrictions
  • AG enforcement of debt collection practices under GBL 349/350
  • Written validation notice requirements beyond federal standard
TX

Texas

  • Texas Debt Collection Act (TDCA) - third-party collectors must be licensed
  • One-party consent for call recording
  • Texas DTPA provides consumer remedies for deceptive collection tactics
  • Surety bond required for third-party collection agencies
  • No specific state TCPA equivalent - federal TCPA applies
  • AG can pursue violations under Texas Finance Code Chapter 392
FL

Florida

  • Florida Consumer Collection Practices Act (FCCPA) - broader than FDCPA
  • All-party consent for call recording (Florida Statute 934.03)
  • Florida mini-TCPA (Florida Telephone Solicitation Act) with broad ATDS definition
  • Registration required with Florida OFR for consumer collection agencies
  • No calls before 8 AM or after 9 PM (consumer's time)
  • FCCPA applies to original creditors - not just third-party collectors
EU vs. US Compliance

Why European-Built AI Is Inherently More Privacy-Forward

US Approach

Compliance is bolt-on - built after the product
Multiple overlapping laws with gaps
Enforcement-driven (sue after violation)
No universal data protection framework
AI disclosure not universally required
State-by-state patchwork of rules

EU Approach (GDPR + EU AI Act)

Privacy by design - built into the architecture
Unified GDPR framework across all member states
Prevention-driven (DPIA before deployment)
Comprehensive data protection as a fundamental right
Mandatory AI disclosure from day one
One regulation, consistent enforcement

AI systems built under GDPR and the EU AI Act come with consent management, data minimization, audit trails, human oversight, and mandatory transparency as foundational architecture - not afterthought features. When deployed in the US market, these systems naturally satisfy most FDCPA and TCPA requirements because the European standard is higher.

Read the full GDPR compliance guide

Related Resources

AI Debt Collection

How AI voice agents transform debt recovery operations - strategy, implementation, and results.

Read guide

GDPR Compliance Guide

European regulatory framework for AI debt collection - GDPR, EU AI Act, and country-specific rules.

Read guide

Best AI Software

Compare the leading AI debt collection platforms by features, compliance, and integration capabilities.

Read guide

Healthcare Collections

AI debt collection for healthcare - HIPAA compliance, patient sensitivity, and revenue cycle management.

Read guide

Frequently Asked Questions

Common questions about FDCPA, TCPA, and Regulation F compliance for AI voice agents.

Yes. The FDCPA applies to any "debt collector" as defined under 15 USC 1692a(6), regardless of the technology used. An AI voice agent making calls on behalf of a third-party debt collector is subject to every FDCPA provision - Mini-Miranda disclosures, calling hour restrictions, harassment prohibitions, validation of debt requirements, and cease-and-desist obligations. The CFPB has explicitly stated that using AI does not create an exemption from consumer protection laws.
Under the Supreme Court's 2021 Facebook v. Duguid ruling, an ATDS must generate random or sequential numbers. If your AI dials from a pre-existing list, it likely is not an ATDS under federal law. However, AI voice agents still use "artificial or prerecorded voice" technology, which independently triggers TCPA consent requirements. Additionally, several states (California, Florida, Washington) use broader ATDS definitions that may capture AI dialing systems. Always analyze state TCPA equivalents alongside federal law.
The Mini-Miranda is the required FDCPA disclosure at the beginning of every collection call: "This is an attempt to collect a debt and any information obtained will be used for that purpose." The AI must deliver this clearly, at a natural pace, early in the conversation. It must also identify the company name. The disclosure cannot be rushed, buried in legalese, or skipped on follow-up calls. Every single call requires it.
Regulation F limits collectors to 7 telephone call attempts per debt within a rolling 7-day window. After a live conversation occurs, no further calls are permitted for 7 days on that specific debt. The AI system must track attempts at the per-debt level (not per-consumer). If a consumer has multiple debts, each has its own 7-in-7 counter. The system must also count calls across all agents and channels - AI and human - against the same limit.
For cell phones, you need prior express consent for informational debt collection calls (which can be established when the consumer provided their number in the original transaction). For any call containing marketing content, you need prior express written consent. For landlines, the TCPA is less restrictive, but the FDCPA still applies. The safest approach: obtain and document written consent at account origination, verify numbers have not been reassigned, and treat every number as a cell phone unless you can confirm otherwise.
Yes. The FCC has ruled that consumers can revoke consent through any reasonable means, at any time, including verbally during an AI call. There are no "magic words" required. Your AI must be trained to recognize revocation language ("stop calling," "remove my number," "don't contact me again") and immediately cease the call after acknowledging the request. The revocation must be logged with a timestamp and enforced across all future contact attempts.
FDCPA: statutory damages up to $1,000 per lawsuit, actual damages, and attorney fees. Class actions can reach $500,000 or 1% of net worth. TCPA: $500 per violation (per call), trebled to $1,500 for willful violations. A single campaign calling 10,000 consumers without proper consent could result in $5M-$15M in damages. AI systems that make high-volume calls amplify risk exponentially - one misconfigured rule can generate thousands of violations per day.
There is no explicit federal requirement under the FDCPA or TCPA to disclose AI status. However, the FTC Act prohibits deceptive practices, and the CFPB has signaled that non-disclosure of AI could be considered deceptive. Several states (California's BOT Act, proposed federal legislation) require AI disclosure. Best practice: always disclose. Say "This is an AI-powered assistant calling on behalf of [company]" at the start. It builds trust and eliminates regulatory risk.
State laws frequently provide stronger protections than federal law. California's Rosenthal Act extends FDCPA rules to original creditors (not just third-party collectors). Florida and California require all-party recording consent. California and Florida have mini-TCPAs with broader ATDS definitions. New York City requires separate licensing. Texas requires surety bonds. Your AI must be configured per-state - a one-size-fits-all approach will violate state law somewhere.
The CFPB has been clear: "There are no exceptions in federal consumer financial law for the use of new technologies." The Bureau has issued guidance stating that AI-powered debt collection must comply with all existing laws, and that companies cannot use technology as a shield against accountability. The CFPB also focuses on "dark patterns" - AI systems designed to confuse, pressure, or mislead consumers face heightened scrutiny.
In all-party consent states (California, Florida, Illinois, Pennsylvania, and 8 others), every party on the call must consent to recording. The AI must disclose recording at the very start: "This call may be recorded for quality and compliance purposes." If the consumer objects, the AI must either stop recording or terminate the call. Your system needs a per-state configuration that automatically adds recording disclosure in all-party states and can disable recording if consent is refused.
European-built AI (like AInora) is designed under GDPR and the EU AI Act, which impose stricter privacy and transparency standards than US federal law. GDPR requires data minimization, purpose limitation, and privacy by design - principles that naturally produce more compliant systems. An AI built for European markets typically has consent management, data retention limits, audit trails, and human oversight built in from day one. These features directly map to FDCPA/TCPA compliance requirements. You are not retrofitting compliance - it is the foundation.
European-Built, US-Compliant

Deploy Compliant AI Collections With Confidence

Built under GDPR and the EU AI Act - the strictest privacy frameworks in the world. When you deploy AInora for US debt collection, FDCPA and TCPA compliance is not an add-on. It is the architecture.

Discuss Your Compliance NeedsTry Live Demo: +1 (332) 241-0221