Let's start with the number that should get your attention: $500 to $1,500. That's the penalty per violation under the Telephone Consumer Protection Act (TCPA). Per message. Per call. If you send 1,000 non-compliant texts to your database, you're looking at potential liability of $500,000 to $1.5 million.
This isn't theoretical. TCPA lawsuits against mortgage companies happen regularly. And with more LOs adopting automated marketing and AI-powered outreach, the compliance risks are growing. Here's what you need to know to protect yourself.
Disclaimer
This article is educational guidance, not legal advice. TCPA regulations are complex and evolving. Consult with a compliance attorney for advice specific to your business and jurisdiction.
TCPA Basics for Loan Officers
The TCPA regulates how businesses can contact consumers via phone calls, text messages, and fax. For loan officers, the key rules revolve around three areas: consent, identification, and opt-out handling.
Consent Is Everything
The most important concept in TCPA compliance is consent — and there are different levels:
- Express written consent — required for marketing messages sent via autodialer or pre-recorded voice. This means the consumer signed (or e-signed) a clear disclosure agreeing to receive marketing communications from you. A web form with proper disclosure language typically satisfies this.
- Express consent (not written) — sufficient for non-marketing, informational messages. If a borrower gives you their phone number during the loan process, you can send them status updates about their loan without written marketing consent.
- No consent — you cannot send automated marketing messages to people who haven't given express written consent. Period. That purchased lead list? Unless it comes with documented consent, you're taking a risk.
What Counts as "Marketing"?
This is where it gets nuanced. A text saying "Your appraisal came back, call me to discuss" is a transactional message — you're communicating about an existing business relationship. A text saying "Rates just dropped! Now's a great time to refinance" is marketing.
The line between the two matters. Transactional messages have more relaxed consent requirements. Marketing messages require the full express written consent.
The Rules for Text Message Marketing
Text messaging is the most powerful outreach channel for loan officers — and the most regulated. Here's what compliant text marketing looks like:
- Get written consent before texting. Your web forms, landing pages, and intake processes need clear disclosure language: "By providing your phone number, you consent to receive marketing text messages from [Your Company]. Message and data rates may apply. Reply STOP to opt out."
- Honor opt-outs immediately. When someone texts STOP, UNSUBSCRIBE, or any reasonable opt-out keyword, remove them from all automated messaging immediately. Not within 24 hours. Immediately.
- Identify yourself. Every marketing text should clearly identify who it's from. "Hi, this is [Name] with [Company]" at the beginning of the message.
- Respect quiet hours. Don't send marketing messages before 8 AM or after 9 PM in the recipient's local time zone. Your automation system should handle time zone logic automatically.
- Keep records. Document consent — when it was given, how it was given, and what the consumer agreed to. If challenged, you need proof.
The Lead Source Consent Gap
One of the biggest compliance risks for LOs: buying leads from third-party sources where consent was given to the lead provider, not to you. Make sure your lead sources provide documented consent that specifically covers your company's outreach — or obtain your own consent as the first step in your follow-up process.
AI and Automated Outreach: Special Considerations
If you're using AI-powered conversations or automated follow-up sequences, you need to pay extra attention to compliance:
- AI conversations still need consent. The fact that AI is having the conversation doesn't change the consent requirements. If it's automated outreach for marketing purposes, you need express written consent.
- Bot disclosure may be required. Some state laws require you to disclose when a consumer is interacting with an automated system rather than a human. Check your state's regulations.
- Auto-responders need opt-out handling. If your AI or automation sends messages, it must recognize and process opt-out requests. "STOP" should work regardless of whether a human or AI is on the other end.
- Frequency matters. Sending 10 automated texts in a week to someone who didn't respond to the first one isn't just bad marketing — it could be considered harassment under TCPA.
Email Marketing Compliance (CAN-SPAM)
While TCPA primarily covers calls and texts, email marketing has its own rules under CAN-SPAM:
- Include a clear unsubscribe mechanism in every marketing email
- Honor unsubscribe requests within 10 business days
- Include your physical business address
- Don't use deceptive subject lines
- Clearly identify the message as an advertisement
Email compliance is generally less risky than text/call compliance, but violations still carry penalties of up to $50,120 per email.
Do Not Call (DNC) List Compliance
If you're making outbound calls — cold or warm — you need to scrub your call lists against the National Do Not Call Registry. This applies to:
- Purchased lead lists
- Database contacts you haven't spoken to in over 18 months (the "established business relationship" exception expires)
- Any contact who has specifically asked to be placed on your internal DNC list
Maintain your own internal DNC list and check it before any outbound campaign. Your CRM should support DNC flagging natively.
Building a Compliance-First Marketing System
Compliance doesn't have to slow you down. When it's built into your systems from the start, it actually simplifies your marketing:
- Consent capture at every entry point. Every web form, landing page, and intake process includes proper disclosure language. Consent is documented automatically in your CRM.
- Automated opt-out processing. STOP handling is built into your messaging system — no manual intervention required.
- Time zone-aware sending. Your automation respects quiet hours based on each contact's location.
- Audit trails. Every message sent, every consent recorded, every opt-out processed — all logged and accessible if you ever need to prove compliance.
- Regular list hygiene. Quarterly database cleanup removes invalid numbers, processes bounces, and updates consent records.
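The checks in this list can be enforced as a single gate that every outbound message passes through. The sketch below is an added example, not code from Empower LO or any real platform: it encodes the rules as this article states them (written consent for marketing, immediate STOP handling, an 8 AM to 9 PM recipient-local window, an audit entry per decision). The `Contact` record, function names, and reason strings are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo

OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE"}           # keywords the article names
WINDOW_OPEN, WINDOW_CLOSE = time(8, 0), time(21, 0)  # 8 AM to 9 PM, recipient-local

@dataclass
class Contact:                        # hypothetical CRM record
    phone: str
    tz: tzinfo                        # recipient's zone (zoneinfo.ZoneInfo in production)
    written_consent: bool = False     # express written consent: needed for marketing
    express_consent: bool = False     # number given during the loan process
    opted_out: bool = False
    audit: list = field(default_factory=list)

def _log(c, now, event, detail):
    # Audit trail entry: UTC timestamp, event type, detail
    c.audit.append((now.astimezone(timezone.utc).isoformat(), event, detail))

def handle_inbound(c, body, now):
    """Apply an opt-out the moment the keyword arrives; True if it was one."""
    word = body.strip().upper()
    if word in OPT_OUT_KEYWORDS:
        c.opted_out = True
        _log(c, now, "opt_out", word)
        return True
    return False

def may_send(c, kind, now):
    """kind is 'marketing' or 'transactional'; now must be timezone-aware."""
    if kind not in ("marketing", "transactional"):
        raise ValueError(f"unknown message kind: {kind}")  # fail closed
    local = now.astimezone(c.tz).time()
    if c.opted_out:
        result = (False, "opted_out")             # blocks all automated messages
    elif kind == "marketing" and not c.written_consent:
        result = (False, "no_written_consent")
    elif kind == "transactional" and not (c.express_consent or c.written_consent):
        result = (False, "no_consent")
    elif kind == "marketing" and not (WINDOW_OPEN <= local <= WINDOW_CLOSE):
        result = (False, "quiet_hours")
    else:
        result = (True, "ok")
    _log(c, now, "send_check", f"{kind}:{result[1]}")
    return result

# Constructed sample: a contact at UTC-5 with written consent on file
sample = Contact("+15555550100", timezone(timedelta(hours=-5)), written_consent=True)
early = datetime(2024, 1, 15, 12, 30, tzinfo=timezone.utc)   # 7:30 AM local
print(may_send(sample, "marketing", early))                  # blocked: quiet hours
```

Because the opt-out check runs first and every decision is logged, a blocked send leaves the same evidence in the audit trail as an allowed one.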
"I used to worry constantly about compliance with my automated texting. Once I switched to a platform that handled consent tracking, opt-out processing, and quiet hours automatically, I stopped worrying and started marketing more confidently."
The Bottom Line
TCPA compliance isn't optional, and ignorance isn't a defense. But it also isn't as scary as it sounds when you have the right systems in place. The loan officers who get in trouble are typically the ones blasting purchased lists with no consent documentation, ignoring opt-out requests, or using tools that don't have compliance features built in.
Build compliance into your process from day one, and it becomes invisible — just a background feature of a well-run marketing operation.