FCC Proposes Major TCPA Overhaul: What Financial Institutions Need to Know
- East West General Counsel
- Oct 9

A practical guide to the proposed regulatory changes that could reshape customer communications and compliance strategies
If you're a general counsel, compliance officer, or legal operations leader at a financial institution, you've probably spent more time than you'd like thinking about TCPA compliance. The Telephone Consumer Protection Act has been a thorn in the side of banks and credit unions for years—a 1991 law struggling to keep pace with how we actually communicate in 2025.
Good news: that might be about to change.
The FCC's Draft Proposal: A Long-Awaited Update
The Federal Communications Commission just released a draft notice of proposed rulemaking that could represent the most significant modernization of TCPA rules in years. If approved at the October 28 meeting and finalized after public comment, these changes would address several pain points that have plagued financial institutions' customer communication strategies.
The American Bankers Association has been advocating for these updates for years, and it looks like their persistence may finally pay off.
Four Key Proposed Changes to TCPA Consent Rules
1. Eliminating the "Revoke All" Rule
Currently, if a customer revokes consent for one type of communication—say, marketing texts—your institution must stop all autodialed or prerecorded calls and messages, including critical fraud alerts.
This all-or-nothing approach, established in a 2024 FCC order, has created operational headaches and potentially left customers vulnerable during fraud events.
The proposed change: Allow consumers to selectively opt out of specific communication types while maintaining others. This means a customer could stop marketing messages while still receiving time-sensitive security alerts.
Why it matters for your organization: Better customer protection, clearer communication channels, and reduced regulatory risk when sending fraud notifications.
2. Designated Revocation Methods
Under current rules, businesses must honor consent revocations made through "any reasonable means"—a vague standard that's created significant compliance challenges. What counts as "reasonable"? A verbal statement to a call center agent? An email? A social media DM? The ambiguity has led to processing errors and potential violations.
The proposed change: Allow callers to specify the exclusive means by which consumers may revoke consent.
Why it matters for your organization: Clearer processes mean fewer errors, more efficient compliance operations, and better documentation for regulatory examinations.
3. Removing the "Provided Number" Restriction
Here's a scenario every bank has faced: You detect fraudulent activity on a customer's account. You need to reach them immediately. But the phone number in your system—the one they provided during account opening five years ago—is disconnected. You have their current number from a recent loan application, but can you legally use it under the fraud alert exemption?
Currently, the answer is often no due to the "provided number" condition.
The proposed change: Eliminate this restriction, allowing financial institutions to use the most current contact information available when placing fraud alert calls.
Why it matters for your organization: Faster fraud response times, better customer outcomes, and more effective use of existing exemptions.
4. Eliminating Internal Do-Not-Call Lists for Telemarketing
When a consumer requests no more telemarketing calls, current rules require businesses to maintain an internal do-not-call list.
The proposed change: Delete this requirement.
Why it matters for your organization: Reduced administrative burden and elimination of duplicative compliance requirements.
Combating Call Spoofing: The Other Half of the Proposal
While the TCPA modernization gets most of the attention from financial services compliance teams, the FCC's proposal also includes significant anti-spoofing measures that could help your institution's legitimate calls get through to customers.
Enhanced STIR/SHAKEN Authentication
The FCC proposes requiring terminating providers to transmit verified caller information when a call receives "A-level attestation"—the highest authentication level under the STIR/SHAKEN framework. The ABA has raised concerns that bad actors have been obtaining this high-level verification, undermining consumer trust in the system.
Rich Call Data Requirements
The proposal seeks comment on requiring providers to use "rich call data" (RCD) to display verified caller names and potentially company logos on IP networks. Think of it like the blue checkmark on social media—a signal that the call is legitimate.
Why this matters: If your customers can clearly see that it's really you calling, they're more likely to answer—especially important for time-sensitive communications.
International Call Protections
The proposal would require voice service providers to implement measures ensuring consumers know when calls originate outside the U.S. and would prohibit spoofing of U.S. numbers for international calls.
What Financial Institutions Should Do Now
While these are still proposed rules, general counsel and compliance leaders should start preparing:
1. Review your current consent management processes. How do you handle partial revocations? What systems would need updating if the "revoke all" rule is eliminated?
2. Evaluate your fraud alert protocols. Map out how removing the "provided number" restriction could improve your fraud response capabilities.
3. Assess your documentation practices. If designated revocation methods become permissible, what would your preferred channels be, and how would you communicate them clearly to customers?
4. Monitor the public comment period. If the FCC votes to issue the NPRM on October 28, you'll have an opportunity to submit comments. Consider whether your institution's experience could inform the final rules.
5. Coordinate with your compliance and customer experience teams. These changes touch multiple departments—now is the time to start cross-functional planning.
The Balancing Act: Consumer Protection Meets Operational Reality
What makes this proposal interesting from a legal and regulatory perspective is that it attempts to balance two sometimes competing interests: protecting consumers from unwanted communications while enabling legitimate businesses to reach customers when it matters most.
The TCPA was designed to stop dinner-time telemarketing calls and protect consumer privacy. But in 2025, the regulatory framework also needs to account for the reality that timely communication can prevent fraud, protect accounts, and serve customers' best interests.
How Fractional General Counsel Can Help Navigate Regulatory Change
Regulatory changes like these TCPA updates create both opportunities and compliance obligations. For financial institutions—especially smaller banks, credit unions, and fintech companies—keeping pace with evolving telecommunications regulations while managing day-to-day legal needs can stretch resources thin.
This is where fractional general counsel services can provide strategic value. Rather than hiring a full-time executive or relying entirely on outside counsel for routine matters, a fractional GC can:
- Monitor regulatory developments and assess their impact on your specific business model
- Coordinate with compliance teams to update policies and procedures
- Provide practical guidance on implementation without the overhead of a full-time position
- Serve as a strategic partner during comment periods and advocacy efforts
Whether you're evaluating these proposed TCPA changes or navigating other regulatory complexities, having experienced legal counsel who understands both financial services and telecommunications law—without requiring a full-time commitment—can be the difference between reactive compliance and strategic positioning.
Timeline and Next Steps
- October 28, 2025: FCC votes on whether to issue the notice of proposed rulemaking
- Following approval: Public comment period opens (typically 30-60 days)
- Post-comment period: FCC reviews feedback and potentially issues final rules
- Implementation: Effective dates would be specified in final rules (often 30-180 days after publication)
The timeline from proposal to implementation typically takes several months, giving financial institutions time to prepare—but the planning should start now.
Final Thoughts
After years of operating under TCPA rules that often seemed disconnected from operational reality, these proposed changes represent a meaningful step toward modernization. They acknowledge that not all automated communications are unwanted spam, and that consumers benefit when legitimate businesses can reach them efficiently, especially in fraud situations.
For general counsel at financial institutions, this is an opportunity to be proactive rather than reactive. Start the internal conversations now, engage in the comment process if it makes sense for your organization, and position your institution to take advantage of these updated rules once they're finalized.
The regulatory landscape is always evolving. The question is whether your legal strategy evolves with it.
Need help navigating TCPA compliance or other regulatory changes affecting financial institutions? Let's talk about how fractional general counsel services can provide the strategic legal support your organization needs, right-sized for your budget and growth stage.

