Compliance & Regulation
CFPB Debt Collection Rules in 2026
The Consumer Financial Protection Bureau (CFPB) continues to reshape the debt collection landscape. Since Regulation F took effect in November 2021, the bureau has progressively refined its expectations for how collectors communicate with consumers, validate debts, and handle disputes. For creditors and their collection partners, staying ahead of these changes is critical to avoiding enforcement actions and maintaining effective recovery programs.
Here's what you need to know about the CFPB's debt collection regulatory framework as it stands in 2026.
The Foundation: Regulation F
Regulation F, codified at 12 CFR Part 1006, replaced decades of informal guidance with specific, actionable rules governing third-party debt collection. The regulation addresses communication practices, validation requirements, and consumer protections with unprecedented specificity.
Key provisions that remain in force include the seven-in-seven rule (no more than seven telephone call attempts in a seven-day period per debt), the requirement to wait at least seven days after a telephone conversation before calling again about the same debt, clear rules for using email and text messages in collection (with consumer consent requirements), enhanced validation notice requirements including itemization of the debt, and specific prohibitions on certain types of threats, misrepresentations, and unfair practices.
2025-2026 Enforcement Trends
The CFPB's enforcement priorities have evolved significantly. Recent actions signal heightened scrutiny in several areas.
Medical debt reporting. The CFPB's 2025 rule prohibiting medical debt from appearing on consumer credit reports has fundamentally changed the medical collection landscape. While the rule doesn't prohibit collecting medical debt, it removes one of the traditional leverage points. Collectors must adapt their strategies accordingly, focusing on patient communication and payment flexibility rather than credit reporting pressure.
Communication frequency and timing. The bureau has brought enforcement actions against agencies that exceeded Regulation F's call frequency limits or contacted consumers at inconvenient times. Robust call management technology and compliance monitoring are essential.
Debt validation accuracy. Several enforcement actions have targeted agencies that provided incomplete or inaccurate validation information. The itemization requirements in Regulation F are detailed and specific — errors in interest calculations, fee disclosures, or payment crediting can trigger violations.
Third-party disclosure. Actions against agencies that disclosed debt information to unauthorized third parties continue. With the proliferation of communication channels, the risk of inadvertent disclosure has increased. Proper consent documentation and communication procedures are critical safeguards.
Impact on Healthcare Creditors
Healthcare providers are disproportionately affected by recent CFPB actions. The medical debt credit reporting prohibition requires significant strategic adjustment. Providers should work with their collection partners to develop recovery approaches that don't depend on credit reporting leverage.
Effective alternatives include early-out collection programs that engage patients before accounts age significantly, flexible payment plans with low or no interest, financial hardship screening and charity care referrals, and omnichannel communication strategies that reach patients on their preferred platforms.
Providers should also ensure their collection partners understand the unique regulatory intersection of HIPAA and FDCPA requirements that governs medical debt collection.
State-Level Developments
Federal regulation is only part of the picture. States have increasingly enacted their own debt collection laws, creating a complex patchwork of requirements. Notable state-level developments in 2025-2026 include expanded licensing requirements in multiple states, stricter communication restrictions (some states now limit total contacts per month below Regulation F levels), medical debt-specific protections including extended validation periods and mandatory payment plan offers, and enhanced penalties for violations including private rights of action.
For creditors operating nationally, compliance requires awareness of every applicable state law — not just federal requirements. Your collection agency partner must maintain licenses and compliance programs in every state where your consumers reside.
Technology and Compliance
Modern compliance requires modern technology. Manual tracking of call frequency, consent records, and communication preferences is no longer viable at scale. Essential technology capabilities include automated call frequency management that prevents Regulation F violations before they occur, consent management systems that track consumer preferences across channels, audit trail generation for every consumer interaction, real-time compliance monitoring and alerting, and secure communication platforms for email and text message collection.
When evaluating collection partners, assess their technology infrastructure as a compliance tool, not just a collection tool. The two functions are inseparable in today's regulatory environment.
Preparing for What's Next
The CFPB's regulatory agenda suggests continued evolution. Areas likely to see additional rulemaking or guidance include artificial intelligence and automated decision-making in collection, data privacy and security requirements beyond existing frameworks, additional consumer protections for specific debt types, and expanded access to consumer complaint data.
Proactive creditors are already preparing by auditing current collection practices, updating vendor management programs, and ensuring their collection partners have the compliance infrastructure to adapt to changing requirements.
Choosing a Compliance-First Collection Partner
In an environment where a single compliance failure can result in significant penalties and reputational damage, choosing the right collection agency is more important than ever. Look for partners with dedicated compliance teams, proven regulatory track records, and the technology to maintain compliance at scale.
At Midwest Service Bureau, compliance has been foundational to our approach for over 55 years. Our collection programs are designed around regulatory requirements, not adapted to them after the fact.
Have questions about how CFPB regulations affect your collection program? Contact MSB for a compliance-focused consultation.
Building a CFPB-Ready Compliance Program
Organizations that collect debts — whether directly or through third-party agencies — need robust compliance management systems to navigate the current regulatory landscape. A comprehensive compliance program starts with written policies and procedures that address every aspect of Regulation F, from initial communication timing and content to dispute handling and cease-communication requests. These policies must be regularly reviewed and updated as the CFPB issues new guidance, advisory opinions, and enforcement actions that clarify regulatory expectations.
Training is the foundation of effective compliance. Every employee who contacts consumers about debts must understand the communication rules, including the 7-in-7 call frequency presumption, the required content of initial communications, and the procedures for handling disputes and requests for validation. Training should be conducted at onboarding and refreshed at least annually, with additional sessions when regulatory changes occur. Document all training activities with attendance records and assessment results to demonstrate your compliance commitment during regulatory examinations.
Technology plays a critical role in CFPB compliance. Modern collection platforms should automatically enforce call frequency limits, generate compliant communication content, track consumer preferences and cease-communication requests, and maintain comprehensive audit trails. Manual compliance tracking is no longer viable given the complexity and specificity of current regulations. Organizations that rely on spreadsheets and manual processes face significant compliance risk and should prioritize technology upgrades that embed regulatory requirements into their operational workflows.
Managing CFPB Consumer Complaints
The CFPB's consumer complaint database is a powerful regulatory tool that directly influences enforcement priorities. The Bureau analyzes complaint data to identify patterns of potential violations and target supervisory and enforcement resources accordingly. Organizations with high complaint volumes or complaint rates relative to their portfolio size face elevated regulatory scrutiny. Implementing a formal complaint management program that tracks, investigates, and resolves consumer complaints quickly is both a regulatory requirement and a practical risk management strategy.
Best practices for complaint management include acknowledging complaints within 24 hours, completing investigations within 15 business days, documenting corrective actions taken, and analyzing complaint trends to identify systemic issues. When patterns emerge — such as recurring complaints about a specific disclosure or collection practice — treat them as early warning indicators that require process review and potential corrective action. At MSB, our compliance team reviews every consumer complaint, tracks root cause categories, and implements process improvements that reduce future complaint risk while maintaining strong recovery performance.
Looking Ahead: CFPB Regulatory Direction
The CFPB's regulatory direction continues to evolve with changing administration priorities and emerging consumer protection concerns. Regardless of the political environment, the fundamental framework of Regulation F remains in effect, and collection agencies must maintain compliance with its detailed requirements for consumer communications, validation procedures, and dispute handling. Agencies that build their compliance programs around the regulatory text rather than enforcement predictions are best positioned to weather changes in enforcement intensity and focus.
Emerging areas of CFPB interest include the use of artificial intelligence in collection operations, the application of debt collection rules to digital payment platforms and buy-now-pay-later products, and the intersection of data privacy regulations with collection data practices. Organizations that proactively address these evolving concerns — by documenting their AI decision-making processes, monitoring regulatory guidance on new product categories, and implementing comprehensive data governance programs — will be better prepared for future regulatory developments than those that wait for explicit enforcement actions to signal compliance expectations.
Federal-State Regulatory Coordination
The CFPB's authority operates alongside — not instead of — state consumer protection laws and regulatory agencies. Many states have enacted debt collection regulations that exceed federal requirements, and collection agencies must comply with the most restrictive applicable standard for each consumer interaction. States including California, New York, Massachusetts, and Colorado have implemented collection regulations that impose additional communication restrictions, disclosure requirements, and licensing obligations beyond what Regulation F requires. Maintaining compliance across this patchwork of federal and state requirements demands sophisticated compliance management systems and ongoing regulatory monitoring.
The CFPB increasingly coordinates enforcement activities with state attorneys general and financial regulators, sharing complaint data and investigation findings to identify collection agencies with multi-state compliance issues. This coordination means that a compliance failure in one jurisdiction can trigger regulatory scrutiny in multiple states simultaneously. At MSB, our compliance team monitors both federal and state regulatory developments across all 50 states, ensuring our collection practices meet the most current requirements in every jurisdiction where we operate and protecting our clients from the regulatory cascade that can result from compliance lapses in any single state.