Regulation F Compliance Guide: The 2026 Reference for Collections Agencies

Regulation F — the CFPB's modernization of the FDCPA — went effective November 30, 2021. Four-plus years in, it remains the single most operationally consequential regulation in US third-party collections. Enforcement has tightened every year since, and the plaintiff's-bar playbook has standardized around the rule's specifics.

This guide is the complete 2026 operational reference: what Reg F actually requires, how it changes daily workflows, what enforcement has clarified, and the checklist every agency should be running against.

This is educational content. For specific legal questions, consult a collections attorney.

Table of Contents

• What Regulation F Is
• The 7-in-7 Call Frequency Rules
• The Model Validation Notice
• Email and SMS Rules
• Time-Barred Debt Disclosures
• Limited-Content Messages (LCMs)
• Where Enforcement Has Tightened
• Operational Checklist
• Frequently Asked Questions

What Regulation F Is

Regulation F is a rule issued by the Consumer Financial Protection Bureau (CFPB) to implement the FDCPA. It doesn't replace the FDCPA — it operationalizes and modernizes it. Both apply.

The authoritative text lives at the CFPB's Regulation F page.

Reg F accomplished four things:

1. Modernized communication rules — explicit treatment of email and SMS
2. Introduced call frequency caps — the 7-in-7 rule
3. Standardized the validation notice — a model form with safe-harbor language
4. Set clearer rules for time-barred debts, language access, and limited-content messages

The rule applies to "debt collectors" as defined by the FDCPA — primarily third-party collectors. Original creditors collecting their own debts generally aren't subject to Reg F, but may be subject to UDAAP, state laws, or mini-FDCPA statutes with similar rules.

The 7-in-7 Call Frequency Rules

The most operationally consequential rules in Reg F. Two separate limits apply:

Limit 1: 7 calls in 7 days per debt. A collector may make no more than 7 call attempts to a consumer about a particular debt within any 7-consecutive-day period. "Attempts" include connecting calls, voicemails, no-answers, and busy signals.

Limit 2: 7-day cooldown after telephone conversation. After the collector has a telephone conversation with a consumer about a particular debt, no further calls may be made to that consumer about that debt for 7 days from the conversation.

Important mechanics:

• The limits apply per debt, not per consumer. Multiple debts = multiple counters.
• "Telephone conversation" means a live conversation between a collector and the consumer. A consumer voicemail left for the collector doesn't count.
• The limits don't apply to calls the consumer initiates (inbound calls are fine).
• The limits don't apply to calls the consumer has consented to more frequently, though consent must be documented and revocable.

Practical implementation:

Most agencies implement the rule at the per-consumer level, not per-debt, because edge cases with multi-debt consumers create violation risk. A compliance-aware dialer enforces the rule at the platform level — the dialer blocks call attempts that would exceed the cap, rather than relying on agents to self-police.

Manual tracking at any volume doesn't work. Agencies running 500+ calls per agent per day hit violation territory within 72 hours of going live without platform enforcement.

The Model Validation Notice

Reg F introduced a standardized validation notice with specific required content. Using the exact model form creates a safe harbor — the collector is presumed compliant on disclosure adequacy.

Eight required content elements:

1. Debt collector's name and consumer's name + address
2. Itemization date (reference point for breakdown)
3. Itemized breakdown: amount on itemization date, interest, fees, payments, credits
4. Current debt amount
5. Creditor history: current creditor, original creditor (if different)
6. Account number or similar identifier
7. Consumer protection notice: dispute rights, validation rights, attorney representation rights
8. Response options: "I want to dispute," "I want the name of the original creditor," etc.

Format requirements:

• The notice can be delivered in writing, electronically, or orally (with electronic/oral requiring additional safeguards)
• If in writing, reasonable size type, reasonable design
• Spanish translation is available and recommended for agencies with significant Spanish-speaking consumer bases
• State-required additions (California Rosenthal Act, New York, Massachusetts, etc.) are layered on top

Operational risk:

Agencies that modify the model notice — even trivially — lose the safe harbor and invite disclosure-inadequacy lawsuits. The rule of thumb: use the model form verbatim, only adding state-required additions.

Email and SMS Rules

Reg F explicitly permits email and SMS debt collection communications with guardrails:

Email requirements:

• Reasonable procedure to ensure no third-party disclosure
• Opt-out mechanism in every email
• Subject line cannot disclose that the message concerns a debt

Email Safe Harbor: An email is presumed not to result in third-party disclosure if sent to an address:

• The consumer has used to communicate with the creditor about the debt, or
• The consumer has provided to the collector and confirmed, or
• Meets a defined "reliable use" test

SMS requirements:

• Consumer consent or reasonable procedure to verify the number belongs to the consumer
• Opt-out instructions in every message (standard: "Reply STOP to opt out")
• 8 AM–9 PM time-of-day rules apply (consumer's local time)

Cross-channel opt-outs:

A consumer can request to restrict a specific channel ("don't email me") while permitting others. Systems must track channel-level preferences and honor them immediately.

TCPA overlay:

SMS debt collection also implicates the TCPA, CTIA rules, and carrier 10DLC registration requirements. See the TCPA compliance checklist for collections for the telephony-side rules.

Time-Barred Debt Disclosures

Debts beyond the statute of limitations ("time-barred") can't be sued on — but can often still be collected. Reg F requires specific disclosures when collecting or threatening suit on time-barred debts.

Required disclosures:

• If the statute of limitations has expired, the collector generally cannot threaten or file suit
• In states where a partial payment revives the statute, collectors must disclose that fact before accepting payment
• Specific disclosure language is required in validation notices for debts the collector knows are time-barred

Risk:

Filing a collection lawsuit on a time-barred debt without proper disclosures is one of the most common FDCPA/Reg F violations in enforcement actions. Automated statute-of-limitations tracking by state + original charge-off date is essential for any agency handling aged debt portfolios.

Limited-Content Messages

A Limited-Content Message (LCM) is a voicemail that contains only specific permitted content and can be left without triggering the full disclosure requirements of a "communication."

Permitted LCM content:

• Business name that doesn't identify collector as a debt collector
• Consumer's name
• Request that consumer reply
• Optional: telephone number and best-time-to-reach window

Excluded content:

• Any reference to a debt, creditor, or collection
• Any financial information

LCMs enable voicemail drops that don't count as third-party disclosure if someone other than the consumer hears them. They're heavily used in modern collections workflows — voicemail drops are one of the highest-ROI contact strategies, and LCMs make them compliant.

Where Enforcement Has Tightened

Post-effective-date enforcement trends through 2024–2026:

1. 7-in-7 violations are the most common enforcement action. CFPB consent decrees repeatedly cite dialer configurations that allowed calls above the cap. Regulators now expect platform-enforced limits, not manual agent training.

2. Validation notice deviations. Agencies that modified the model form have faced repeated class actions. The plaintiff's bar has standardized around specific deviation patterns.

3. Electronic communication disclosures. Missing or inadequate opt-out language in emails and SMS is a common violation in 2024–2026 enforcement.

4. Cross-channel opt-out failures. Agencies honoring opt-outs on email but continuing SMS, or vice versa, have faced penalties.

5. Attorney representation flags not cascading. When a consumer notifies any channel of attorney representation, all collection contact must stop. Failures here often stem from incomplete data sync across teams or systems.

Operational Checklist

Working against this list monthly is the simplest audit structure.

Call controls

• [ ] 7-in-7 call attempt counter enforced at the dialer level
• [ ] Post-conversation 7-day cooldown enforced automatically
• [ ] Time-of-day restrictions enforced by consumer local time
• [ ] Cease-communication flag blocks all outbound contact
• [ ] Attorney representation flag cascades across all channels

Disclosure controls

• [ ] Mini-Miranda delivered on every call (scripted or auto-played)
• [ ] Validation notice matches Reg F model form verbatim
• [ ] State-specific disclosures auto-applied by consumer state
• [ ] Time-barred debt disclosures auto-applied where applicable
• [ ] Spanish translations available for relevant consumer populations

Electronic communication controls

• [ ] Opt-out language in every email
• [ ] Opt-out language in every SMS
• [ ] Subject lines never reveal debt nature
• [ ] Email safe-harbor tracking documented
• [ ] SMS consumer-consent tracking documented
• [ ] Channel-specific opt-out honored within 24 hours

Recording and audit controls

• [ ] 100% call recording
• [ ] AI QA scoring on script adherence and disclosure delivery
• [ ] Auditable consumer-contact log with timestamps
• [ ] Manager review of flagged calls within 48 hours

Team controls

• [ ] Every new collector FDCPA/Reg F certified pre-production
• [ ] Annual recertification
• [ ] Incident-driven retraining when violations occur

People Plus Platform

Reg F violations are primarily a combination of two things: inadequate platform controls and inadequate agent training. Neither alone is sufficient. Strong platform controls catch mechanical violations (time-of-day, 7-in-7). Strong training catches disclosure violations and conversational errors.

For agencies scaling collections floors, ScaleOps BPO provides nearshore collectors trained on FDCPA, Reg F, and state-specific collections rules before production. Pairing trained agents with platform-enforced compliance is how modern agencies cut violation rates by 70%+ inside the first quarter.

Frequently Asked Questions

Does Regulation F replace the FDCPA?

No. Reg F implements and operationalizes the FDCPA — both apply. Collectors must comply with the FDCPA statutory requirements and the additional specifics Reg F added.

Does the 7-in-7 rule apply per consumer or per debt?

Per debt under the letter of the rule. Most agencies operate at the stricter per-consumer level to avoid edge-case violations when consumers have multiple debts with the same agency.

Can a consumer waive the 7-in-7 limit?

Yes, with documented consent — the consumer can permit more frequent calls. Consent must be revocable. Most agencies avoid this path operationally because documentation and revocation tracking add risk.

Are emails and texts considered "communications" under Reg F?

Yes. Emails and texts that discuss the debt are communications under the rule and trigger disclosure + opt-out requirements. LCM-style voicemails are the main exception — they're expressly not "communications" when the content meets LCM criteria.

What happens if I modify the model validation notice?

You lose the safe harbor. The collector becomes exposed to litigation over whether the modified notice adequately disclosed the required content. The plaintiff's bar actively looks for deviations. Recommendation: use the model form verbatim, add state-required items separately.

Does Reg F apply to original creditors?

Generally no. Reg F applies to debt collectors as defined by the FDCPA. Original creditors collecting their own debts are typically exempt. However, CFPB UDAAP authority, state laws, and some state mini-FDCPA statutes may apply to original creditors.

The Bottom Line

Regulation F isn't optional. It's operational. Agencies that treat it as a legal checklist underperform the ones that treat it as a platform architecture. Platform-enforced call frequency, automated disclosure templating, cross-channel opt-out cascading, and 100% call recording are the table stakes for a modern collections agency in 2026.

See how platform-enforced Reg F compliance works → or book a walkthrough to see an agency running end-to-end Reg F compliance on OPSYNC.