
Bank SMS Compliance: TCPA and FINRA Rules You Need to Know

by | Feb 12, 2026 | How to, lead generation, SMS, SMS Marketing, Text Messaging

Banks love SMS for its effectiveness. Regulators love SMS for its audit trail.

What regulators don’t love: banks that text customers without proper consent, at inappropriate hours, or without required disclosures.

The penalties for getting it wrong are severe—$500 to $1,500 per violation under TCPA alone. A single misconfigured campaign reaching 10,000 customers could cost $5-15 million in penalties.

This guide covers everything banks need to know about SMS compliance: TCPA requirements, FINRA recordkeeping, state regulations, and practical implementation.

Table of Contents

  1. Why Compliance Matters
  2. TCPA Requirements for Banks
  3. FINRA Recordkeeping Rules
  4. Consent Collection and Documentation
  5. Time-of-Day Restrictions
  6. Opt-Out Handling
  7. Message Content Requirements
  8. State-Specific Regulations
  9. How CloudContactAI Handles Compliance
  10. Audit Trail and Reporting

Why Compliance Matters

SMS compliance isn’t optional—it’s existential.

Financial penalties:
  • TCPA: $500-$1,500 per violation (per message, per recipient)
  • State laws: additional penalties vary by jurisdiction
  • Class actions: the average TCPA settlement exceeds $6 million

Operational consequences:
  • Carrier filtering: non-compliant senders get blocked
  • Reputation damage: regulatory actions become public
  • Business disruption: cease-and-desist orders halt campaigns

Real-world examples:
  • A major bank paid $32 million to settle TCPA claims over collection texts
  • A credit union faced $9 million in penalties for texting without consent
  • Regional banks have been sued for texting customers who changed phone numbers

The good news: compliance is achievable. The rules are clear. Platforms can automate most requirements. You just need to understand what’s required.


TCPA Requirements for Banks

The Telephone Consumer Protection Act (TCPA) is the primary federal law governing SMS communications.

The rule: You must have prior express consent before sending automated text messages to mobile phones.

What qualifies as consent:
  • Written consent (paper or electronic)
  • Clear disclosure that texts will be sent
  • Voluntary agreement (not buried in terms)

For transactional messages (payment reminders, account alerts):
  • Prior express consent is sufficient
  • Can be obtained at account opening or loan origination

For marketing messages (promotional offers, cross-sells):
  • Prior express written consent required
  • Must be separate from other terms
  • Must include clear disclosure of what messages will contain

Documentation requirements:
  • Timestamp of consent
  • Method of consent (form, checkbox, recorded verbal)
  • Disclosure language presented
  • Phone number for which consent was given

Autodialer Restrictions

The rule: Calls or texts made using an “automatic telephone dialing system” (ATDS) require prior express consent.

What counts as an ATDS:
  • Systems that dial from a list automatically
  • Systems with the capacity to generate random numbers
  • Most SMS platforms qualify

Practical implication: Assume your platform is an ATDS and obtain proper consent for all automated messages.

Called Party

The rule: Consent applies to the current subscriber of the phone number, not the original consenter.

The problem: Phone numbers get reassigned. The person who gave you consent may no longer have that number.

Solutions:
  • Use number verification services
  • Include “Wrong number? Reply STOP” in messages
  • Promptly remove numbers that bounce or whose owner reports a wrong number
  • Re-verify numbers periodically for long-term accounts


FINRA Recordkeeping Rules

If your bank has a broker-dealer or is FINRA-regulated, additional rules apply.

SEC Rules 17a-3 and 17a-4

The rule: Firms must make and preserve records of “communications relating to its business.”

Application to SMS:
  • All business text messages must be retained
  • Retention period: generally 3-6 years depending on content
  • Records must be accessible for regulatory examination

FINRA Rule 4511

The rule: Members must make and preserve books and records as required under FINRA rules, SEC rules, and the Exchange Act.

Practical requirements:
  • Capture all SMS communications (sent and received)
  • Store in a manner that prevents alteration
  • Index for searchability
  • Produce on regulatory demand

Supervision Requirements (FINRA Rule 3110)

The rule: Firms must establish written procedures for supervision of associated persons’ communications.

Application to SMS:
  • Pre-approval of message templates
  • Review of ad-hoc communications
  • Training on compliant messaging
  • Escalation procedures for issues

CloudContactAI provides:
  • Complete message archives with timestamps
  • Export functionality for regulatory requests
  • Template approval workflows
  • User activity logging


Consent Collection and Documentation

Proper consent collection prevents most compliance issues.

At Account Opening

Recommended language (for loan documents):

SMS/Text Message Consent: By providing your mobile phone number, you consent to receive automated text messages from [Bank Name] regarding your account, including payment reminders, account alerts, and service notifications. Message frequency varies. Message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for assistance.

Best practices:
  • Separate checkbox (not buried in general terms)
  • Clear description of message types
  • Frequency disclosure
  • Opt-out instructions included
  • Copy retained with loan documents

Digital Consent

Requirements:
  • Clear, conspicuous disclosure
  • Affirmative action required (checkbox, button click)
  • Cannot be pre-checked
  • Timestamp and IP address logged

Sample digital consent flow:
  1. Customer enters phone number
  2. Checkbox appears: “I agree to receive text messages about my account”
  3. Link to full terms visible
  4. Customer checks box and submits
  5. System logs: phone, timestamp, IP, consent version

Verbal Consent

When acceptable: call center interactions where written consent isn’t practical

Requirements:
  • Clear verbal disclosure of what texts will contain
  • Clear affirmative response from customer
  • Call recording retained
  • Log entry noting consent obtained


Time-of-Day Restrictions

Federal baseline: No calls/texts before 8:00 AM or after 9:00 PM (recipient’s local time)

Key considerations:

Time Zone Detection

  • Determine recipient’s time zone from phone number area code
  • Account for area code portability (people move)
  • When uncertain, use most restrictive interpretation

Queuing Logic

  • If message triggers at 6:00 AM recipient time, queue for 8:00 AM
  • Don’t stack queued messages (send one, not all at once)
  • Consider business hours for B2B communications

State Variations

  • Some states have stricter windows
  • Washington: No calls before 8 AM or after 8 PM
  • When in doubt, use stricter standard

CloudContactAI automatically:
  • Detects time zone from phone number
  • Queues messages outside allowed windows
  • Applies state-specific restrictions where applicable
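A worked version of the queuing logic described above, added here as an example; it is not CloudContactAI's implementation and not code from the article. It assumes a constructed area-code table and fixed-offset (standard time) zones so that it runs offline; a production scheduler would resolve zones with zoneinfo and a maintained NANP database, and would still treat the area code as a hint because numbers port. When the zone is unknown, the scheduler requires the send instant to be inside the window in every zone it serves, which is the "most restrictive interpretation" the article recommends.

```python
from datetime import datetime, time, timedelta, timezone

# Federal TCPA baseline from the article: nothing before 8:00 AM or after 9:00 PM,
# measured in the recipient's local time.
FEDERAL_WINDOW = (time(8, 0), time(21, 0))

# Stricter state windows. Only Washington's 8 PM cutoff is taken from the article;
# extend this table from your own legal review.
STATE_WINDOWS = {
    "WA": (time(8, 0), time(20, 0)),
}

# Constructed, fixed-offset zones (standard time) so the example runs offline.
# Production code should use zoneinfo.ZoneInfo("America/New_York") etc. to get DST right.
ZONES = {
    "ET": timezone(timedelta(hours=-5), "ET"),
    "CT": timezone(timedelta(hours=-6), "CT"),
    "PT": timezone(timedelta(hours=-8), "PT"),
}

# Constructed area-code table; a real deployment uses a maintained NANP database.
AREA_CODE_ZONE = {"212": "ET", "312": "CT", "206": "PT"}


def utc(year, month, day, hour, minute):
    """Small helper for building UTC-aware instants."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def allowed_window(state=None):
    """Local-time (start, end) window; intersect with the state window when one is known."""
    start, end = FEDERAL_WINDOW
    if state in STATE_WINDOWS:
        s_start, s_end = STATE_WINDOWS[state]
        start, end = max(start, s_start), min(end, s_end)
    return start, end


def candidate_zones(phone, known_zone=None):
    """Zones the recipient may be in. A verified zone wins; otherwise the area code;
    if neither is known, every zone we serve, so the caller can be conservative."""
    if known_zone:
        return [known_zone]
    digits = "".join(ch for ch in phone if ch.isdigit())
    area = digits[-10:-7]          # NANP: area code is the first 3 of the last 10 digits
    if area in AREA_CODE_ZONE:
        return [AREA_CODE_ZONE[area]]
    return sorted(ZONES)


def next_send_time(trigger_utc, phone, state=None, known_zone=None, max_hops=20):
    """Earliest instant at or after trigger_utc that falls inside the allowed window
    in *every* candidate zone (the most restrictive interpretation). Returns UTC."""
    start, end = allowed_window(state)
    zones = [ZONES[name] for name in candidate_zones(phone, known_zone)]
    t = trigger_utc.astimezone(timezone.utc)
    for _ in range(max_hops):
        for tz in zones:
            local = t.astimezone(tz)
            if local.time() < start:
                # Too early in this zone: move to the start of today's window there.
                t = local.replace(hour=start.hour, minute=start.minute,
                                  second=0, microsecond=0).astimezone(timezone.utc)
                break
            if local.time() >= end:
                # Too late in this zone: move to the start of tomorrow's window there.
                t = (local + timedelta(days=1)).replace(
                    hour=start.hour, minute=start.minute,
                    second=0, microsecond=0).astimezone(timezone.utc)
                break
        else:
            return t            # no zone objected: send at this instant
    raise ValueError("no instant satisfies every candidate zone's window")


if __name__ == "__main__":
    # 6:00 AM Eastern trigger is held until 8:00 AM Eastern (13:00 UTC in February).
    print(next_send_time(utc(2026, 2, 12, 11, 0), "+1 212 555 0100"))
    # 8:30 PM Pacific passes the federal window but not Washington's 8 PM cutoff.
    print(next_send_time(utc(2026, 2, 12, 4, 30), "+12065550100", state="WA"))
```

The queued instant is a single timestamp per message, so a burst of triggers that all fall overnight lands on the same 8:00 AM boundary; a real sender should spread those over the window rather than releasing them all at once, which is the "don't stack queued messages" point above.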


Opt-Out Handling

Opt-out compliance is non-negotiable.

Requirements

Immediate processing:
  • Opt-outs must be honored promptly
  • Best practice: within minutes, not days
  • No “confirmation” messages after opt-out (just acknowledge and stop)

Standard opt-out keywords:
  • STOP
  • UNSUBSCRIBE
  • CANCEL
  • END
  • QUIT

Acknowledgment message:

You have been unsubscribed and will not receive further text messages from [Bank Name]. Reply HELP for assistance or contact us at [Phone].

Implementation

Automated processing:
  1. System detects opt-out keyword in reply
  2. Immediately updates contact record
  3. Sends single acknowledgment
  4. Blocks all future automated messages
  5. Logs opt-out with timestamp

Cross-channel considerations:
  • Does SMS opt-out affect email? (Usually no)
  • Does it affect manual texts from relationship managers? (Should it?)
  • Document your policy clearly

Opt-back-in:
  • Customers can re-consent later
  • Must be explicit new consent
  • Document the re-consent
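The automated opt-out procedure above and the digital consent flow from the Consent Collection section, combined into one small consent ledger. This is an added example, not the article's or CloudContactAI's code. The consent levels, the event names and the audit-log layout are assumptions made for the example; the acknowledgment text keeps the article's placeholders. Each state change appends a timestamped entry to an append-only log, so the consent source, the disclosure version shown, and every opt-out survive for the retention periods discussed later.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Standard opt-out keywords listed in the article. Matching is on the whole
# normalized reply, which is how carriers treat these keywords; free-text
# requests ("please stop texting me") belong in a human review queue.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}

# Consent levels from weakest to strongest (assumed names). Transactional
# messages need prior express consent; marketing needs prior express *written* consent.
LEVEL_RANK = {"none": 0, "express": 1, "express_written": 2}
REQUIRED_LEVEL = {"transactional": "express", "marketing": "express_written"}

# Placeholders kept as in the article's acknowledgment text.
OPT_OUT_ACK = ("You have been unsubscribed and will not receive further text messages "
               "from [Bank Name]. Reply HELP for assistance or contact us at [Phone].")


def normalize_reply(text):
    """Uppercase, trim whitespace and trailing punctuation: ' stop. ' -> 'STOP'."""
    return text.strip().rstrip(".!").strip().upper()


@dataclass
class Contact:
    phone: str
    consent_level: str = "none"
    opted_out: bool = False


@dataclass
class ConsentLedger:
    """Current contact state plus an append-only audit log. Log entries are never
    edited; every change to a contact produces a new entry with a timestamp."""
    contacts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event, phone, now=None, **details):
        entry = {
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "event": event,
            "phone": phone,
            **details,
        }
        self.audit_log.append(entry)
        return entry

    def record_consent(self, phone, level, method, disclosure_version, ip=None, now=None):
        """Store a consent event: how it was obtained, which disclosure text was shown,
        and (for digital flows) the source IP. A new explicit consent also clears a
        previous opt-out, which is the documented opt-back-in path."""
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown consent level {level!r}")
        c = self.contacts.setdefault(phone, Contact(phone))
        c.consent_level = level
        c.opted_out = False
        return self._log("consent", phone, now, level=level, method=method,
                         disclosure_version=disclosure_version, ip=ip)

    def process_inbound(self, phone, text, now=None):
        """Handle a reply. Returns the single acknowledgment to send, or None
        (not an opt-out, or already opted out, so nothing further goes out)."""
        keyword = normalize_reply(text)
        if keyword not in OPT_OUT_KEYWORDS:
            return None
        c = self.contacts.setdefault(phone, Contact(phone))
        already_out = c.opted_out
        c.opted_out = True                      # block before anything else happens
        self._log("opt_out", phone, now, keyword=keyword, raw=text)
        return None if already_out else OPT_OUT_ACK

    def can_send(self, phone, kind):
        """Gate every automated send on documented consent and opt-out status."""
        c = self.contacts.get(phone)
        if c is None or c.opted_out:
            return False
        return LEVEL_RANK[c.consent_level] >= LEVEL_RANK[REQUIRED_LEVEL[kind]]


if __name__ == "__main__":
    ledger = ConsentLedger()
    phone = "+12125550100"                      # constructed sample number
    ledger.record_consent(phone, "express", method="loan_form", disclosure_version="v3")
    print(ledger.can_send(phone, "transactional"), ledger.can_send(phone, "marketing"))
    print(ledger.process_inbound(phone, " stop. "))
    print(ledger.can_send(phone, "transactional"))
```

The send gate is the important part: `can_send` is the single place every automated message must pass through, so an opt-out takes effect for the next message regardless of which campaign queued it. Re-consent is recorded as a new event rather than by editing the old one, which keeps the history a regulator would ask for.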


Message Content Requirements

What you say matters as much as how you say it.

Required Elements

Every automated message should include:
  • Sender identification (bank name)
  • Opt-out instructions
  • Contact information for questions

Collection messages additionally need:
  • Accurate amount (if stated)
  • No false or misleading statements
  • Required disclosures per Regulation F (if applicable)

Prohibited Content

Never include:
  • False threats (“We will sue you tomorrow”)
  • Misleading urgency (“Pay in 1 hour or else”)
  • Inaccurate amounts
  • Confidential information visible on the lock screen
  • Third-party references without consent

Character Limits and Segmentation

Best practice: Keep messages under 160 characters when possible

Why it matters:
  • Single segment = lower cost
  • Multi-segment messages may display inconsistently
  • Shorter messages have higher read rates

Sample compliant message (153 characters):

[BankName] Payment of $487.52 due 2/15. Pay: link.bank.com/pay. Questions? Reply or call 800-555-1234. Reply STOP to opt out.
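An added example (not code from the article or from CloudContactAI) that counts SMS segments using the GSM 03.38 character tables and runs a template through the required-elements checklist from this section. The checklist patterns and the long-digit-run heuristic for account numbers are assumptions chosen for the example; SAMPLE_MESSAGE is the article's sample message. Note that `[` and `]` live in the GSM-7 extension table and cost two septets each, and that a single character outside both tables (an emoji, a curly quote) pushes the whole message to UCS-2 with 70-character segments.

```python
import re

# GSM 03.38 basic table (one septet each). Anything outside it and the extension
# table forces the whole message to UCS-2, which cuts the segment size to 70.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: sent as ESC + char, so two septets each.
GSM7_EXTENDED = set("^{}\\[~]|€")

# The article's sample message, used as the passing case.
SAMPLE_MESSAGE = ("[BankName] Payment of $487.52 due 2/15. Pay: link.bank.com/pay. "
                  "Questions? Reply or call 800-555-1234. Reply STOP to opt out.")


def gsm7_septets(text):
    """Septets needed if the text fits GSM-7, else None (UCS-2 fallback)."""
    n = 0
    for ch in text:
        if ch in GSM7_EXTENDED:
            n += 2
        elif ch in GSM7_BASIC:
            n += 1
        else:
            return None
    return n


def segment_count(text):
    """Number of SMS segments: 160/153 per segment for GSM-7, 70/67 for UCS-2."""
    septets = gsm7_septets(text)
    if septets is not None:
        return 1 if septets <= 160 else -(-septets // 153)
    units = len(text.encode("utf-16-be")) // 2     # UTF-16 code units; emoji count as 2
    return 1 if units <= 70 else -(-units // 67)


def check_message(text, bank_name, max_segments=1):
    """Return a list of problems; an empty list means the template passes the checklist."""
    problems = []
    if bank_name.lower() not in text.lower():
        problems.append("missing sender identification")
    if not re.search(r"\bSTOP\b", text, re.IGNORECASE):
        problems.append("missing opt-out instructions")
    if not re.search(r"\d{3}-\d{3}-\d{4}|\bcall\b|\bcontact us\b", text, re.IGNORECASE):
        problems.append("missing contact information")
    # Crude lock-screen check: long digit runs look like account or card numbers.
    if re.search(r"\b\d{8,}\b", text):
        problems.append("possible account number visible on lock screen")
    segs = segment_count(text)
    if segs > max_segments:
        problems.append(f"{segs} segments (limit {max_segments})")
    return problems


if __name__ == "__main__":
    print(gsm7_septets(SAMPLE_MESSAGE), segment_count(SAMPLE_MESSAGE))
    print(check_message(SAMPLE_MESSAGE, "BankName"))
    # Constructed counter-example: no sender, no opt-out, no contact, account number exposed.
    print(check_message("Your balance on account 12345678901 is past due. "
                        "Pay now or face legal action.", "BankName"))
```

Running the checklist at template-approval time, rather than at send time, is what keeps an ad-hoc edit from silently dropping the opt-out line or pushing a template into a second segment.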


State-Specific Regulations

Federal law sets the floor. States can (and do) add requirements.

California (CCPA and more)

  • Stricter consent requirements
  • Broader definition of personal information
  • Additional disclosure obligations

Florida (FTSA – Florida Telephone Solicitation Act)

  • Written consent required for automated messages
  • Separate from federal TCPA requirements
  • Significant litigation activity

Washington

  • Stricter time-of-day restrictions (8 PM cutoff)
  • Additional consent requirements

Other Notable States

  • Maryland, Connecticut, Pennsylvania have specific telemarketing rules
  • New York financial regulations add requirements for banking

Practical approach:
  • Default to the strictest standard
  • Track where customers are located (billing address or phone area code)
  • Update policies as laws change


How CloudContactAI Handles Compliance

Compliance should be built into your platform, not bolted on.

Automatic Time Zone Handling

  • Detects recipient time zone from phone number
  • Queues messages outside allowed windows
  • Applies state-specific restrictions

Opt-Out Processing

  • Recognizes standard opt-out keywords
  • Immediately updates contact status
  • Sends acknowledgment
  • Blocks future messages
  • Logs everything

Consent Tracking

  • Records consent source and timestamp
  • Flags contacts without documented consent
  • Supports re-consent workflows

Message Archiving

  • Every message logged with full metadata
  • Timestamp, content, delivery status, recipient
  • Searchable and exportable
  • WORM-compliant storage options

Template Controls

  • Pre-approved templates reduce risk
  • Variable validation prevents errors
  • Character count warnings
  • Compliance checklist before send

Audit Reports

  • On-demand compliance reports
  • Consent documentation export
  • Opt-out history
  • Message delivery logs

Audit Trail and Reporting

When regulators ask, you need answers fast.

What to Retain

For every message:
  • Recipient phone number
  • Message content (as sent)
  • Timestamp (send and delivery)
  • Delivery status
  • Campaign/template identifier
  • User who triggered it (if manual)

For every contact:
  • Consent record (source, date, language)
  • Opt-out record (if applicable)
  • Preference history

Retention Periods

Requirement                 Retention Period
TCPA litigation lookback    4 years
FINRA records               3-6 years
State requirements          Varies (up to 7 years)
Best practice               7 years

Reporting Capabilities

A compliance dashboard should show:
  • Messages sent by time of day
  • Opt-out rates by campaign
  • Consent coverage (% of contacts with documented consent)
  • Delivery failures (potential wrong numbers)

On-demand exports:
  • Full message history for a specific contact
  • Campaign message logs
  • Consent documentation
  • Opt-out history


The Bottom Line

SMS compliance for banks isn’t complicated—it’s just detailed. Get consent. Respect opt-outs. Send at appropriate times. Keep records. That’s 90% of it.

The remaining 10% is staying current as regulations evolve, handling edge cases, and ensuring your platform enforces the rules you’ve set.

Choose an SMS platform that treats compliance as a feature, not an afterthought. The cost of getting it wrong is too high.


Need a compliant SMS platform for your bank?

CloudContactAI was built with financial services compliance in mind:
  • Automatic time zone and opt-out handling
  • Complete message archiving for FINRA
  • Consent tracking and documentation
  • State-specific rule enforcement



FAQ

Do payment reminders require written consent like marketing messages?
No. Transactional messages (payment reminders, account alerts) require prior express consent, which can be verbal or written. Marketing messages require prior express written consent with additional disclosures.

What if a customer gave consent but their number was reassigned?
You’re responsible for reaching the right person. Use number verification services, honor “wrong number” replies immediately, and consider periodic re-verification for long-term accounts.

Can we text customers who haven’t explicitly opted in but gave us their mobile number?
Risky. Simply having a mobile number doesn’t equal consent to text. Best practice is explicit consent with clear disclosure.

How do we handle customers in multiple states?
Apply the rules of the state where the customer is located (billing address or phone area code). When uncertain, use the most restrictive standard.

What records do we need if we’re audited?
Consent documentation, message logs (content, timestamp, recipient, delivery status), opt-out records, and your written compliance policies.