TCPA Compliance for AI Voice Agents in Mortgage and Bank Outreach: A 2026 Field Guide

Why This Stopped Being a Sleepy Topic

Two things changed the calculus on TCPA for AI voice agents. In February 2024, the FCC ruled that AI-generated voices fall inside the TCPA's definition of "artificial or prerecorded voice," which means the prior-express-written-consent bar applies. In February 2026, a class action against Mortgage One landed in the Eastern District of Michigan alleging cold AI voice calls to consumers on the National Do Not Call Registry with no prior express written consent. The plaintiffs' bar is now actively shopping these cases. Statutory damages are $500 to $1,500 per call.

If you run outbound voice AI in a lender, a servicer, or a bank, this is the post we wish someone had handed us before our first deployment. We have shipped AI voice into mortgage origination, servicing, and collections, and the TCPA controls below are what kept the audit trail clean.

The Three Consent Regimes You Have to Hold in Your Head

The TCPA does not have one consent rule. It has three, and an AI voice agent has to know which one applies before it dials.

The first is prior express consent, required for any autodialed or artificial-voice call to a wireless number for a non-marketing purpose. A servicing call about a delinquent loan generally falls here. The consent can come from the borrower providing the number on an application, but the established business relationship by itself is not consent — and a number obtained from a skip trace is not consent.

The second is prior express written consent, required for any telemarketing call made with an autodialer or with an artificial or prerecorded voice. This is the rule that catches most AI voice outreach for new product offers, refis, or HELOC marketing. The consent has to be signed, identify the entity that will call, disclose that automated technology will be used, and not be a condition of purchase. No pre-checked boxes.

The third is the FCC's one-to-one consent rule, which took effect in pieces and is the one most marketers got wrong. Consent has to be for one identified seller — not a list of partners on a lead-gen page — and the contact has to be logically and topically related to the subject of the consent. A borrower who consented to refi outreach did not consent to a HELOC offer from a sister entity.

A clean program maps every campaign to one of these regimes before the dialing logic ever sees the number.

What the AI Voice Layer Has to Do Before the First Ring

Our voice agents run six checks before they dial. Skip any one of these and the call is a TCPA risk.

• Pull the most recent consent record for the number and category. If the consent does not cover this campaign, the call does not happen.
• Check the National DNC Registry and the bank's internal DNC list. A consent does not override an internal stop request.
• Check the wireless-vs-landline status of the number from a recent line-type lookup, because the consent bar is different.
• Check state-level call-window rules. Many states are stricter than the federal 8 a.m. to 9 p.m. window.
• Check the per-number contact-frequency cap. Even where consent is valid, harassment-style cadence triggers UDAAP and FDCPA exposure.
• Check the revocation log. Verbal "stop calling" from a prior call should suppress within hours, not at the next batch.

We persist each check as a structured artifact on the call record. When a plaintiff's lawyer asks for the consent basis on call 47 of a 50,000-call campaign, we can produce the six-row evidence pack in seconds.

Where AI Voice Is Different From Robocall

The FCC's 2024 ruling settled the question that the industry had been trying not to ask: a voice generated by AI is an "artificial voice" for TCPA purposes even when it sounds natural. This means three things in practice.

First, the safe-harbor argument that "a human-sounding agent is not a prerecorded call" is dead. We have seen vendor pitches that lean on the natural-voice quality as a TCPA workaround. It is not one.

Second, identity disclosure rules apply. The agent has to identify itself, the calling entity, and a callback number at the start of the call. We script this as the first 8 seconds of every outbound script and we record the delivery as part of QA.

Third, the revocation rules apply at the speed the borrower expresses them. If the borrower says stop, the agent has to log the revocation, suppress further outreach across all numbers tied to the borrower, and confirm. The agent cannot pivot to a softer rebuttal. The CFPB has been clear on this in UDAAP commentary and the FCC has codified it.

The One-to-One Consent Rule in Practice

The 2024 one-to-one rule killed the broad lead-gen consent that the mortgage and consumer-finance industry had been operating on for a decade. A borrower who fills out a "rate quote" form on a comparison site and consents to "our partners" calling them did not consent to your AI agent calling them. The consent must name your entity.

The operational fix is to require every inbound lead's consent record to include the named entity, the timestamp, the IP address, a copy of the page text the borrower saw, and the specific topic of consent. We refuse to dial a lead without these fields. Lead-gen vendors that cannot provide them are off the list.

This is where most TCPA programs we audit fail. The lead vendor passes a Boolean consent flag. The bank trusts the flag. The plaintiff's lawyer asks to see the consent capture and there is nothing behind the flag. We rebuild the entire lead-intake plumbing to capture the artifact, not the flag.

What "Reasonable Time" for Revocation Actually Means

The FCC clarified in 2024 that revocation is effective on any reasonable method, and the institution has 10 business days to honor it across systems. We treat 10 business days as the outside boundary, not the standard. Our agents honor a verbal stop within 30 minutes across all numbers tied to the borrower in our CRM, and we replicate to the lender's DNC log within four hours. Plaintiffs' counsel routinely pulls call records from days 4 through 10 looking for the second call. There should not be one.

State Overlays That Bite

The TCPA is a federal floor, not a ceiling. The states that have caught lenders we work with:

• Florida's mini-TCPA (FTSA) had a private right of action with statutory damages until it was narrowed in 2023, and class certifications still happen on calls placed before the amendment.
• Washington's CEMA prohibits commercial calls without specific prior consent and has been used aggressively against AI voice.
• Oklahoma's TCPA-like statute (OTPSA) was signed in 2022 and tracks the broader interpretation.
• New York and Maryland have call-window rules tighter than federal.
• California's CIPA wiretap statute is a separate exposure for any call that is recorded without a clear two-party disclosure.

The AI agent has to know the state of the recipient before it dials and apply the strictest rule that applies. We persist the state determination, the rule applied, and the disclosure delivered as part of the call record.

The Documentation That Defends a Program

When the demand letter arrives — and at the volume regulated lenders dial, one will — the file you can produce in 48 hours decides whether you settle or fight. The audit pack we ship by default:

• Per-call: consent record reference, DNC checks, line-type result, state determination, time-window check, disclosure delivery audio with timestamp, revocation handling if any, agent script version, prompt version
• Per-campaign: consent regime applied, the consent capture page text, the lead vendor contract, the suppression-list refresh cadence
• Per-quarter: a sampling audit by an independent reviewer of 1% of calls against the controls above
• Per-incident: the revocation propagation log showing the suppression worked across systems within hours, not days

Programs that can produce this file rarely see a case go past the demand letter. Programs that cannot are the ones funding the plaintiff's bar.

The Mortgage One Lessons

Without prejudging the litigation, the public complaint in the Mortgage One case alleges three things worth taking as design constraints. The calls used an AI voice without the artificial-voice consent required by TCPA. The numbers were on the National DNC Registry and there was no established business relationship that would carve them out. The disclosure at the start of the call did not identify the seller in a way that supported one-to-one consent.

Each of these is preventable with the six pre-dial checks above and the documentation pack below them. None of it requires throttling the program. It requires building the controls in the dialing layer, not bolting them on after.

The 30-Day Hardening Plan

For a lender already running outbound AI voice, a workable hardening plan:

• Week 1. Pull every active campaign and map it to one of the three consent regimes. Pause any campaign that cannot map.
• Week 2. Audit the consent capture for every lead source. Reject sources that cannot produce the full artifact (named entity, page text, timestamp, IP).
• Week 3. Stand up the per-call audit log with the six pre-dial checks. Replay the last 30 days of calls against the new controls.
• Week 4. Tune revocation propagation to honor verbal stops within hours. Add the state-overlay rule engine. Run a tabletop exercise on the demand-letter response.

By day 30, the program is defensible. The week-one campaign pause is the part most lenders avoid and the part that prevents the case from being filed in the first place.

What to Ask a Voice AI Vendor

If you are evaluating a platform, the questions that predict whether the vendor will keep you safe:

• Show me the per-call consent record format. What fields, what evidence, what retention.
• How does the agent learn that a revocation happened on a different channel? What is the propagation latency?
• How do you handle the one-to-one consent rule for inbound leads? What artifact do you require from the lead vendor?
• What is the state-overlay engine? How does it know the state of the recipient before the dial?
• Show me a sample audit pack for a real campaign with the identifying data redacted.

A vendor that has done the work has these answers on the first call. A vendor that does not is the one whose calls end up in a class action.