Regulation F for AI Voice Debt Collection: The 7-in-7 Ledger, the Limited-Content Message, and the Per-Debt Architecture

The 7-in-7 Rule Is About Per-Debt Architecture, Not the Dialer

The CFPB's Regulation F at 12 CFR 1006.14(b)(2)(i) reads that a debt collector is presumed to violate the harassment prohibition if it places telephone calls to a particular person in connection with the collection of a particular debt more than seven times within a seven-day period. The presumption is per particular debt and per particular person, and it is a presumption rebuttable in either direction. A program that runs at the seven-call ceiling on every account is not in safe harbor. A program that runs at three calls and produces seven hang-ups by an automated dialer in a single hour is not in safe harbor either. The rule's structure is about the cumulative pressure on the consumer for the specific debt, and the agent has to keep the ledger that proves it.

The first thing institutions misread when they replace a dialer with an AI voice agent is that the 7-in-7 obligation transfers wholesale to the new system on day one, including the historical seven-day window the dialer started. The migration that does not import the prior-window call counts into the agent's ledger is the migration whose first week looks compliant on paper and produces a complaint forty-eight hours later, when the borrower whose account the dialer hit six times in the trailing week takes two more calls from the new agent before anyone catches the carryover. The ledger is a state object owned by the program, not by the channel.

We build the agent that handles outbound and inbound collections traffic for banks, non-bank lenders, mortgage servicers in default-on-acquisition status, and licensed third-party collectors. The architecture below is the one that survives a CFPB sweep and a state attorney-general complaint.

What Regulation F Actually Reaches at the Loan Level

The FDCPA and Regulation F reach a "debt collector" as defined at 15 U.S.C. 1692a(6) and 12 CFR 1006.2(i), which is a person who regularly collects debts owed to another, including a mortgage servicer that began servicing the debt while it was already in default. The first-party creditor collecting its own debt is not a "debt collector" under the FDCPA, which is the line institutions use to argue Reg F does not apply to them. The argument is half right.

The half that is right is that 1006.14 and 1006.6 do not directly bind the first-party creditor. The half that is wrong is that Section 1031 of the Dodd-Frank Act prohibits unfair, deceptive, and abusive acts and practices, and the CFPB has signaled in its 2022 Bulletin 2022-06 that conduct prohibited by Reg F is a candidate for UDAAP liability when committed by a non-Reg-F actor. State little-FDCPA statutes in California, New York, Texas, and Florida bind first parties directly. So the operationally honest posture is to encode Reg F at the agent layer regardless of which side of the FDCPA's "debt collector" line the institution sits, because the cost of the encoding is small and the exposure of running without it is not.

Mortgage servicers in particular need to look at the loan-level test. A servicer that acquired servicing rights while the loan was current can collect that loan as a creditor; if the same servicer acquired servicing rights while the loan was in default, the servicer is a debt collector for that loan and Reg F applies in full. Our customers' servicing portfolios contain both populations, and the agent runs a per-loan coverage flag that drives whether 1006.14 enforcement applies as a rule or as a UDAAP-defensive practice. The flag is set at boarding and reasserted on transfer.

The Per-Particular-Debt Ledger the Agent Has to Keep

The ledger is per particular debt and per particular consumer. "Particular debt" is the unit, and the CFPB's Official Interpretation at Comment 14(b)(2)(i)-2 is the place the operational definition lives. Two mortgage loans against the same property are two particular debts. A credit-card debt and a personal-loan debt with the same originator are two particular debts. A consolidated debt that subsumed three prior debts becomes one particular debt going forward; the prior three do not survive the consolidation for ledger purposes, but the call history before the consolidation does not vanish, and a sensible program preserves the history so a regulator can reconstruct the consumer's total exposure to the program's outreach.

What counts as a "telephone call" for the 7-in-7 count is the place the implementation usually goes wrong. The CFPB has said the count is the placed call, which means the agent that placed a call that rang once and went to voicemail counts the same as the agent that connected and spoke for ten minutes. A dialer that abandoned the call after one ring still consumed an entry in the ledger if the call was placed at all. Hang-ups by the consumer do not reset the count. Multiple calls in the same hour to a different number associated with the same person are each entries. The architecture has to write to the ledger at the moment the call is placed by the originating system, not at the moment the call connects or the moment the agent reports back, because the originating system is the only place the placed-but-not-connected calls are observable.

The ledger's rolling window is seven consecutive days, not the calendar week. The agent computes the window at the moment a call is queued and the queue check fails if the call would push the count above the presumption. Our implementation maintains the window per the consumer's local timezone derived from the address of record, because the rule's clocks are practical and the consumer's day is the day that matters to the consumer. A program that runs the window on the institution's server-time clock and gets a one-hour offset wrong is a program whose ledger and the regulator's ledger disagree.

The agent does not "almost" hit the ceiling. We default the outbound policy to a much lower cap (commonly three placed calls per seven-day window per particular debt, varied by account state and prior-contact outcome) because the presumption is a presumption against, not a target. The institutions that engineer to four or five and burn the budget early are the institutions whose collection-effective rate measured against complaint rate is worse than the institutions that engineer to two or three and use channel mix.

The Post-Conversation Seven-Day Wait Is a Different Timer

12 CFR 1006.14(b)(2)(ii) creates a separate presumption that a debt collector violates the harassment prohibition if it places a telephone call within seven days after having had a telephone conversation in connection with the collection of the debt. This is a different clock from the 7-in-7 frequency rule, and it runs from the moment the telephone conversation ended.

A "telephone conversation" is not a voicemail. The CFPB's commentary defines the trigger as the consumer answering the call and the parties speaking, which means the agent that left a voicemail did not start the seven-day wait. The agent that connected with the consumer and exchanged any substantive content did. A consumer who picks up, says "I cannot talk now, do not call me again," and hangs up is a conversation that started the wait timer and an opt-out request that the agent has to honor as a 1006.6(c) opt-out for that channel. Both effects happen at once and the agent has to log both.

The wait timer is per particular debt, the same way the 7-in-7 count is. A consumer with two loans who has a conversation about loan A is not in a wait window for outreach about loan B. Programs that run a single timer per consumer over-restrict their outreach and lose collection efficacy on a population that does not need to be restricted. Programs that run no timer at all over-call the consumer and earn a 1006.14 presumption against them.

The timer interacts with consumer-initiated contact in a way worth understanding. If the consumer calls in during the wait window and the agent answers, the conversation is not a violation because the rule is about calls the debt collector places, not calls the consumer places. The wait window resets from the new conversation, which means an inbound call from the consumer who wants to negotiate restarts the seven-day quiet period on outbound calls. The architecture has to capture inbound calls into the same ledger because a program that fails to reset the timer on an inbound call may eventually try to place an outbound call inside the new window.

The Limited-Content Message and the Voicemail an AI Agent Can Actually Render

12 CFR 1006.2(j) defines a "limited-content message" as a voicemail message for a consumer that includes specific required content and is allowed to include specific optional content. The required content is the consumer's name, a request that the consumer reply, the name or names of one or more natural persons whom the consumer can contact to reply, and a telephone number that the consumer can use to reply. The optional content includes a salutation, the date and time of the message, a generic statement that the message relates to an account, suggested dates and times for the consumer to reply, and a statement that if the consumer replies, the consumer may speak to any of the natural persons identified.

Anything else is not allowed in a limited-content message. The point of the definition is that a voicemail that meets these specifications is not a "communication" under 12 CFR 1006.2(d), which means it does not trigger the third-party-disclosure rule at 1006.6(d) when a family member or roommate hears it. A voicemail that adds the institution's name in a way that indicates the call is from a debt collector ("This is a message from Acme Recovery") collapses the safe-harbor structure of the definition and risks third-party disclosure if anyone other than the consumer hears it. The compliance team that approves the script that says "Acme Recovery" in the institution's voicemail thinks it is being clear with the consumer and is in fact giving up the rule's protective shape.

An AI voice agent renders the limited-content message better than a human agent does, in our experience, because the script is invariant and the voice does not improvise. The agent reads the consumer's name, requests a reply, names the natural person to reply to (which has to be a real person at the institution who can take a callback, not the agent's brand name), and gives the callback number. That is the message. No more substantive content. The institutions that brought QA scores from sixty to over ninety on voicemail compliance in our deployments did it by removing the human's well-intentioned additions, not by adding any new control.

The natural person named in the message is a recurring question. The rule requires a name, not a role. The institution can rotate through a roster of agents and pick the next available person at callback time, but the message has to name someone who exists and who the consumer can actually reach. We log the named person per message and the rotation policy so the consumer who calls back and asks for that person can be transferred or told they will be returned. A program that names a fictitious person violates the false-representation rule at 12 CFR 1006.18(b) and produces a far worse outcome than the program that says "any available account representative" (which is not a limited-content message and is therefore a communication).

Time and Place: The 1006.6(b) Presumption and the Time-Zone Problem

12 CFR 1006.6(b)(1) presumes that contact before 8 a.m. or after 9 p.m. local time at the consumer's location is at an inconvenient time, absent knowledge of circumstances to the contrary. "Local time" is the consumer's local time, not the agent's local time and not the institution's, and the presumption operates per call.

The implementation problem is that the consumer's local time is what the consumer is actually experiencing, which depends on where the consumer is at the moment of the call rather than where the consumer's address of record places them. A consumer who moved to Hawaii and did not update the address is on Hawaii time at 8 p.m. Eastern, which is 2 p.m. Hawaii time, and the call is convenient under the rule. A consumer who lives in Indiana but commutes to Illinois and answers the call at 7:45 a.m. Central is at 8:45 a.m. Eastern, and depending on which time zone is the "consumer's location" at that moment, the call is either convenient or not.

The agent uses the consumer's address of record as the default time-zone source and updates the source from any signal the consumer provides about their actual location, including a self-reported new address on a prior call, an answer to a verification prompt, or a billing-address change pushed from the system of record. The agent does not place calls in the first or last hour of the local window when the address of record is stale (defined operationally as no consumer contact in the prior ninety days), because the cost of a placed call inside the presumed-inconvenient window is much higher than the cost of waiting one cycle.

The 1006.6(b)(1) presumption is also rebuttable. A consumer who told the agent that 7 a.m. is a convenient time has rebutted the presumption for that specific time, and the agent can call at 7 a.m. for that consumer going forward. The rebuttal is logged with the consumer's statement that produced it. A program that places calls at 7 a.m. by default and adds a "consumer authorized" flag without the underlying transcript is a program whose audit file will not hold up.

The Cease-Communication Right and the Medium-Specific Opt-Out

12 CFR 1006.6(c) implements the FDCPA cease-and-desist right at 15 U.S.C. 1692c(c): when a consumer notifies the debt collector in writing that the consumer refuses to pay the debt or wants the debt collector to cease further communication, the debt collector has to stop communicating with the consumer with respect to that debt, except for the narrow categories the rule permits. The cease-communication right is debt-specific in scope and channel-comprehensive: it stops every medium for the particular debt the consumer named.

A medium-specific opt-out is a different request and runs on different mechanics. The electronic-communication procedures in 1006.6 require a clear and conspicuous opt-out instruction in every email and text message, and a consumer's reply opting out from the email or text channel binds the debt collector on that channel. A telephone-channel opt-out (the consumer says "stop calling me") does not map to the 1006.6(c) cease-and-desist right unless the consumer's words reach refusal to pay or a general cease request, and the operationally honest read of a bare "stop calling me" is that the request applies to telephone outreach across the consumer's other debts at the institution too, because the consumer is telling the institution the channel does not work for them. The institutions we work with apply the telephone-channel opt-out across the consumer's portfolio rather than per-debt, because a narrower reading produces calls about loan B the day after the consumer asked the institution to stop calling about loan A, which is a complaint event whether or not the rule narrowly required it.

The agent's consent ledger is the operational record of which medium is permitted for which consumer, with debt-level overlays where the cease-and-desist right under 1006.6(c) has been exercised. An opt-out arrives in many forms. A consumer who says "stop calling me" during a phone conversation has issued a telephone-channel opt-out the institution applies portfolio-wide. A consumer who replies "STOP" to a text message has issued a text-channel opt-out under the email-and-text procedures. A consumer who writes asking to cease all communication about a particular debt has invoked the cease-and-desist right under 1006.6(c) and the ledger reflects a debt-level stop on every channel for that debt. The agent classifies the inbound and updates the ledger at the moment the opt-out arrives, not at the moment the operations team processes the case the next day.

For text and email specifically, the procedures in 1006.6 impose obligations the agent has to follow when communicating through those channels, including a clear and conspicuous opt-out instruction in each communication and treating any reasonable indication of an opt-out as an opt-out. The agent renders the opt-out instruction in every text and every email automatically. The agent classifies inbound text and email replies through a model trained on opt-out language patterns that recognizes "stop," "STOP," "remove me," "no more emails," "do not text," and equivalents, and treats anything ambiguous as an opt-out rather than rejecting it.

The consent ledger is the artifact the institution will produce when a CFPB complaint alleges the consumer told the institution to stop and the institution kept going. The ledger has to show what the opt-out said, in the consumer's words, with the timestamp, the channel, the scope the institution applied (per-debt for a 1006.6(c) cease-communication, portfolio-wide for a medium-only opt-out), and the consequent change to outbound policy. A consent ledger that records "Y/N" on a checkbox without the consumer's words is a ledger that loses the dispute.

The Validation Period at 1006.34 and What the Agent Can Say During It

12 CFR 1006.34(a)(1)(i) requires a debt collector to provide a validation notice to the consumer in writing within five days of the initial communication or in the initial communication itself, and the consumer has thirty days from receipt of the notice to dispute the debt. The validation notice content is specified at 1006.34(c) and includes the debt-collector and consumer information, the itemization of the current amount of the debt, information about consumer protections, and consumer-response information.

The interaction with the AI voice agent is that the agent's first telephone conversation with the consumer is an "initial communication" for 1006.34 purposes, and the agent has to be aware of whether the validation notice has been sent and received. If the agent is the first communication, the agent has to either include the validation information in the conversation (operationally difficult on a voice channel) or arrange for the written notice to be delivered within five days. The architecture we run has the agent's first outbound call to a consumer trigger the validation-notice generation on the same day, with the timestamp the notice was produced and the timestamp it was confirmed mailed by the print vendor, so the five-day clock is verifiable.

During the validation period, the consumer has the right to dispute the debt in writing, and the debt collector has to cease collection of the debt or the disputed portion until the verification is provided. The agent classifies any consumer statement during the validation period that constitutes a dispute and routes the case to the verification workflow, with collection activity paused per the rule. The disputes that arrive verbally are not the same as written disputes for 1006.34 purposes (the rule's verification obligation runs from a written dispute), but the institution that pauses on verbal disputes during the validation period as a matter of practice is the institution that does not generate the close-call cases the CFPB likes to test in supervisory reviews.

The Case File When the CFPB Complaint Arrives

The per-account record we keep for every collection touch is the artifact the institution produces when a consumer complaint or a CFPB inquiry lands. Per particular debt, the file contains the coverage flag at the loan level with the basis for the flag and the date it was set; the rolling 7-in-7 ledger with every placed call entry including the timestamp, the originating queue, the number dialed, the disposition (voicemail, no-answer, connect, hang-up), and the duration; the post-conversation wait timer with each conversation's start and end and the resulting quiet window; the consent ledger by channel with the opt-out events in the consumer's words; the limited-content-message rendering log with the consumer's name, the natural person named, the callback number, and the audio file; the time-of-day computation with the consumer's address of record, the timezone applied, and the local-time check that produced the queue decision; the validation notice with the production date, the mail-confirmed date, and the five-day check; and any verbal-dispute classifications during the validation period with the conversation transcript and the collection-pause action.

A program that produces this per account in a sampled inquiry is a program that defends the practice. A program that has to reconstruct any part of it from three systems and a manager's recollection is a program whose response to the inquiry is more expensive than the inquiry itself was supposed to be.

The Failure Mode We Engineered Against

The pattern that produced the worst outcome on the first program we ran this design on was that the institution's outbound dialer queue and a separately licensed third-party collector's dialer queue both worked the same account population on overlapping nights, and neither queue read from the other's ledger. The institution's queue placed three calls in a day; the third-party queue placed five; the consumer received eight placed calls, well above the seven-call presumption, and complained to the CFPB. The institution's defense that its own program ran inside the cap was not the relevant defense, because the consumer was treated as a single person by the rule and the program's third-party arm was acting in the institution's economic interest. The CFPB's April 2024 Supervisory Highlights and other recent collections-focused issues have made the per-consumer aggregation question explicit: an institution that engages multiple collection actors against the same consumer for the same debt is the institution on the hook for the aggregate touch count.

What we changed is that the agent's ledger pulls in placed-call events from every collection actor working the account on the institution's behalf, including the third-party collector, the early-stage in-house collector, and any voice-AI service the institution itself runs. The placed-call entries from the third party flow into the same per-debt ledger the AI agent reads from before placing each new call. A third-party arm that cannot or will not write its placed-call events into the institution's ledger is a third-party arm the institution should not be engaging on its consumer base, because the aggregate exposure is the institution's regardless of which entity placed which call.

The other change is that the limited-content message is the default voicemail. The institutions we work with that handled this manually had three or four different voicemail scripts, and a meaningful percentage of voicemails left by humans went outside the limited-content shape and exposed the institution to a third-party-disclosure claim from a family member who heard it. The AI agent renders one script. The institution's voicemail-compliance QA score is what it is because the script does not deviate, and the supervision the QA team applies is to the script and the rotation of named persons rather than to the per-call delivery.

The Trade-Off

A collections program that runs this way places fewer outbound calls per account in any given week than a program that runs at the ceiling, leaves more voicemails that contain less substantive content than a human-rendered voicemail does, honors opt-outs that arrive in any channel within the same business day, and pauses collection activity during the validation period on disputes the rule treats softly. The return is that the program does not generate the complaint patterns that produce the CFPB's worst kind of attention, does not lose the CFPB complaint that comes in when the complaint comes in, and produces the per-debt audit file that handles supervisory review without an emergency. The agent is the place this discipline is mechanically enforceable, because the discipline is about ledgers and clocks and per-debt state, and those are the kind of constraint software keeps better than people do.

We have written separately on the TCPA layer that sits on top of this rule for prior-express-consent and revocation, on the broader debt collection playbook that places this Reg F engineering in the larger context, and on the QA program that has to sample against the rule rather than against the institution's internal targets. The rules stack and the architecture is the place the stack stays consistent.