Talk to us — call +1 (629) 348-4774

FDCPA Compliance Checklist for 2026: A Practical Guide for Collections Teams

2026-03-17

FDCPA Compliance Checklist for 2026: A Practical Guide for Collections Teams

The Fair Debt Collection Practices Act remains the bedrock of federal collections regulation, but the law collectors actually need to follow in 2026 looks quite different from the original 1977 statute. Between Regulation F, evolving CFPB enforcement priorities, and an increasingly aggressive plaintiffs’ bar, staying compliant requires more than good intentions. It requires a system.

This checklist is built for collections managers, compliance officers, and agency owners who want a practical reference they can actually use – not a legal treatise that gathers dust on a shelf. We will walk through every major compliance obligation, flag the areas where agencies most commonly trip up, and point out where state law adds requirements beyond what the FDCPA demands.

A note before we start: this is guidance, not legal advice. Your compliance program should be reviewed by counsel who knows your specific business and the jurisdictions you operate in.

Regulation F Communication Rules

Regulation F, which took effect in November 2021, remains the controlling interpretation of the FDCPA for most practical purposes. If you built your compliance program around the original statute alone, you are behind.

The 7-in-7 Call Frequency Presumption

Reg F established a safe harbor for telephone call frequency: a collector is presumed not to have violated the harassment provisions if they place no more than seven calls within seven consecutive days per debt, and do not call within seven days after having a telephone conversation with the consumer about the debt.

What this means in practice:

  • Track call attempts per account, not per phone number. If a consumer has three numbers on file, seven calls spread across those numbers still counts as seven calls on that one debt.
  • The seven-day clock on the post-conversation cooling period starts from the date of the actual conversation, not from the date you left a voicemail.
  • Calls to different debts held by the same consumer are counted separately. If you hold four accounts for one person, the limit applies per account. But be careful – high-volume calling to the same consumer across multiple debts can still be challenged as harassment even if each individual debt is within the safe harbor.
  • The presumption is rebuttable in both directions. Staying under seven does not guarantee compliance if other facts suggest harassment. Going over seven does not automatically mean you violated the law, but the burden shifts to you.

Checklist items:

  • [ ] Call tracking system counts attempts per debt, not per consumer or per phone number
  • [ ] System automatically enforces the seven-day post-conversation cooling period
  • [ ] Supervisory reports flag accounts approaching the frequency threshold
  • [ ] Policy addresses multi-debt scenarios for a single consumer

Electronic Communication Rules

Reg F brought text messages and emails explicitly into the regulatory framework. This was a significant development that many agencies still have not fully adapted to.

Email requirements:

  • Every email must include a clear and conspicuous way to opt out of electronic communications
  • The opt-out mechanism must be functional for at least 35 days after sending
  • You must honor opt-out requests within a reasonable period (the CFPB has indicated five days is the outer limit of reasonable)
  • Emails to an employer-provided email address are generally prohibited unless the consumer has used that address to communicate with you about the debt

Text message requirements:

  • Same opt-out requirements as email
  • Messages must identify the collector and indicate the communication is from a debt collector
  • Messages must not reveal the existence of the debt to anyone other than the consumer

Checklist items:

  • [ ] Every email contains a functioning opt-out mechanism
  • [ ] Opt-out links remain active for at least 35 days
  • [ ] System processes opt-outs within five business days
  • [ ] Text messages include proper identification and mini-Miranda language
  • [ ] Electronic communications are never sent to employer-provided addresses without prior consumer-initiated use
  • [ ] Audit trail captures delivery status, opt-out requests, and opt-out processing timestamps

This is one area where collection software earns its keep. Catchpole, for instance, tracks communication frequency across all channels and enforces opt-out rules automatically – the kind of guardrail that prevents a busy collector from accidentally blowing past a limit during a heavy dialing day.

Validation Notices

The validation notice remains one of the most litigated areas of the FDCPA. Reg F introduced a model validation notice (Model Form B-1) that provides a safe harbor if used correctly.

Required Content

Your initial communication or written notice sent within five days must include:

  • The debt collector’s name and mailing address
  • The consumer’s name and mailing address
  • The name of the creditor to whom the debt is owed
  • The account number (which may be truncated)
  • The itemization date and an itemization of the current amount owed, breaking out principal, interest, fees, payments, and credits
  • The current amount of the debt
  • Information about consumer protections, including the right to dispute
  • A tear-off or detachable dispute form (if using paper notices)

Itemization Requirements

The itemization date must be one of the following:

  • The last statement date
  • The charge-off date
  • The last payment date
  • The transaction date (for single-transaction debts)
  • The judgment date

From that itemization date, you must show how the balance reached the current amount. This means tracking interest accrual, fees added, payments received, and credits applied.

Checklist items:

  • [ ] Validation notice matches or substantially follows Model Form B-1
  • [ ] Itemization date is one of the five permitted dates
  • [ ] Balance breakdown shows the path from itemization-date balance to current balance
  • [ ] Notice includes all required consumer rights disclosures
  • [ ] Notice is sent within five days of initial communication (or included in that communication)
  • [ ] System prevents collection activity during the 30-day validation period if the consumer disputes
  • [ ] Disputed debts are flagged and collection activity is properly paused

Time-Barred Debt

Collecting on debts past the statute of limitations is one of the fastest ways to generate lawsuits and regulatory action. The rules here are strict, and they vary significantly by state.

Federal Requirements

  • You may not sue or threaten to sue on time-barred debt
  • If you collect on time-barred debt, you must not misrepresent the legal status of the debt
  • Some courts have held that simply filing suit on time-barred debt constitutes an FDCPA violation regardless of intent

State Requirements

Several states have gone further:

  • New York requires a specific disclosure when collecting on time-barred debt, telling the consumer that the creditor cannot sue and that a partial payment may restart the clock
  • California prohibits collecting on debt past the statute of limitations entirely in many consumer contexts under the Rosenthal Act amendments
  • New Mexico requires written disclosure that the debt is time-barred before any collection activity
  • Wisconsin, Mississippi, and North Carolina have passed or strengthened time-barred debt disclosure requirements in recent years

Statute of Limitations Tracking

The statute of limitations varies by state and by type of debt. Common timeframes:

  • Written contracts: 3 to 10 years depending on state
  • Oral agreements: 2 to 6 years
  • Open-ended accounts (credit cards): 3 to 6 years in most states
  • Promissory notes: 3 to 15 years

Be aware that the applicable statute of limitations may be determined by the consumer’s state of residence, the state where the contract was formed, or the state specified in a choice-of-law provision. This analysis is not always straightforward.

Checklist items:

  • [ ] Every account includes the date of last activity or default for SOL calculation
  • [ ] System calculates and displays SOL status based on applicable state law and debt type
  • [ ] Accounts past SOL are flagged and restricted from litigation workflows
  • [ ] Required state-specific disclosures are automatically applied for time-barred debt
  • [ ] Collectors are trained on which states prohibit collection on time-barred debt entirely
  • [ ] Policy addresses partial payment and its effect on SOL tolling by state

Required Disclosures in Every Communication

Beyond the validation notice, ongoing communications have their own disclosure requirements.

The Mini-Miranda Warning

Every communication must disclose:

  • That the communication is from a debt collector
  • That it is an attempt to collect a debt
  • That any information obtained will be used for that purpose

This applies to letters, emails, text messages, phone calls, and voicemails. For initial communications, additional language is required regarding the consumer’s right to dispute.

Voicemail Requirements Under Reg F

Reg F addressed the long-standing voicemail dilemma. Collectors may leave limited-content voicemails that include:

  • A business name that does not indicate the call is about debt collection
  • A request to return the call
  • The name of a natural person the consumer can contact
  • A phone number

This avoids third-party disclosure issues while still allowing meaningful voicemails. However, your full mini-Miranda obligation kicks in the moment the consumer returns the call and you begin a conversation.

Checklist items:

  • [ ] Mini-Miranda language included in all communications across all channels
  • [ ] Voicemail scripts comply with limited-content message requirements
  • [ ] Initial communication contains enhanced disclosure language
  • [ ] Scripts are reviewed and updated when regulations change
  • [ ] System templates enforce required disclosures (collectors cannot send communications that omit them)

Cease and Desist Handling

When a consumer requests that you stop contacting them, you generally must comply. But the rules have nuance.

  • A written cease and desist request must be honored. You may send one final communication acknowledging the request and advising of any specific actions you intend to take (such as referring the account for legal review).
  • Verbal cease requests should be treated with the same weight as written ones from a risk management perspective, even though the FDCPA technically requires written requests. Several state laws do not make this distinction.
  • Cease requests apply to the consumer who made them, not necessarily to co-debtors on the same account.
  • A cease request does not prevent you from taking legal action. It prevents further collection communications.

Checklist items:

  • [ ] Cease requests are logged immediately upon receipt, regardless of channel
  • [ ] System blocks all outbound communications to consumers with active cease requests
  • [ ] One final acknowledgment communication is sent where permitted
  • [ ] Co-debtor accounts are handled separately
  • [ ] Cease request records are retained for the full retention period

State-Level Compliance Variations

The FDCPA sets a floor, not a ceiling. Many states impose additional requirements that override or supplement federal law. A compliance program built only around the FDCPA will fail in most states.

Licensing

Most states require debt collectors to be licensed. Requirements vary widely:

  • Some states require a surety bond (amounts range from $5,000 to $100,000)
  • Many require designated compliance officers
  • Annual renewal is standard, with late fees and potential suspension for missed deadlines
  • Some states (California, New York, Texas) have increased licensing scrutiny in recent years

State-Specific Communication Rules

  • California (Rosenthal Act): Applies FDCPA-like restrictions to original creditors, not just third-party collectors. Adds restrictions on time-barred debt collection.
  • New York: Requires specific disclosures about interest accrual and partial payment effects. The NYC Department of Consumer and Worker Protection enforces additional municipal requirements.
  • Massachusetts (940 CMR 7.00): Among the strictest in the country. Limits contact to two attempts per week, prohibits contact at the consumer’s workplace under most circumstances, and restricts communication with third parties more tightly than the FDCPA.
  • Texas: Requires specific licensing through the Secretary of State. The Texas Finance Code adds prohibitions beyond the FDCPA, including restrictions on collecting unauthorized charges.
  • Colorado: Recent amendments require specific disclosures about consumer rights and impose additional restrictions on medical debt collection.
  • Connecticut, Illinois, Oregon, Washington: Each has enacted enhanced consumer protection provisions in recent legislative sessions that add to or modify FDCPA requirements.

Checklist items:

  • [ ] Licensing current and compliant in every state where you collect
  • [ ] State-specific disclosure requirements mapped and implemented
  • [ ] Communication frequency limits adjusted for states with stricter rules than Reg F
  • [ ] State-specific prohibitions documented and enforced (e.g., California’s time-barred debt rules)
  • [ ] Compliance team monitors legislative changes in active collection states

Audit Trail and Record Retention

Compliance is only as good as your ability to prove it. When a complaint comes in – whether from a consumer, the CFPB, a state AG, or a plaintiffs’ attorney – you need documentation.

What to Retain

  • Every communication sent and received (letters, emails, texts, call recordings, voicemails)
  • Timestamps for all collection activity
  • Validation notices and proof of delivery
  • Dispute records and dispute resolution documentation
  • Cease and desist requests and system responses
  • Consent records for electronic communications
  • Payment records and account histories
  • Collector notes and account activity logs

Retention Periods

The FDCPA itself does not specify a retention period, but practical considerations dictate:

  • The FDCPA statute of limitations for consumer lawsuits is one year
  • State statutes of limitations for UDAP claims range from one to six years
  • CFPB examination lookback periods typically cover three to five years
  • Most compliance professionals recommend retaining records for a minimum of five years

Catchpole maintains a full audit trail for every account interaction – every call, every text, every email, every note – with timestamps and user attribution. When a dispute or complaint arrives, you can pull the complete history in seconds instead of scrambling through disconnected systems.

Checklist items:

  • [ ] All communications logged with timestamps and user attribution
  • [ ] Records retained for minimum five years
  • [ ] Audit trail is immutable (records cannot be edited or deleted)
  • [ ] System supports rapid export for regulatory examinations
  • [ ] Regular audits verify that logging is functioning correctly

Building a Living Compliance Program

A checklist is a starting point, not a destination. The agencies that avoid enforcement actions and litigation are the ones that treat compliance as an ongoing operational function rather than an annual checkbox.

Quarterly Reviews

  • Review call recordings and written communications for disclosure compliance
  • Test opt-out mechanisms to confirm they still function
  • Verify that state licensing is current and renewals are calendared
  • Check that SOL calculations are accurate against current state law

Ongoing Training

  • New collector onboarding must include FDCPA and Reg F training before they touch an account
  • Annual refresher training for all collectors
  • Immediate training updates when regulations change
  • Document all training with attendance records and content covered

Technology as a Compliance Layer

The right collection platform does not replace a compliance program, but it makes one dramatically easier to maintain. When communication limits, required disclosures, and opt-out handling are enforced at the system level, you reduce your exposure to the kind of individual collector mistakes that generate lawsuits. Catchpole was built with this principle in mind – compliance guardrails are not an add-on module but part of the core workflow, from the first contact attempt through final resolution.

Putting It Into Practice

Print this checklist. Walk through it with your compliance officer and your operations manager. Identify the gaps. The agencies that get into trouble are rarely the ones that set out to break the rules – they are the ones that did not have a system in place to follow them consistently, account after account, collector after collector, day after day.

If your current tools make compliance harder than it needs to be, it might be time to look at platforms purpose-built for compliant collections. Catchpole offers a free trial so you can see how built-in compliance features work with your actual workflow – no commitment required.