CFPB Reg F: The 2026 Operator's Guide

Featured image for 'CFPB Reg F: The 2026 Operator's Guide' — Sedric branded [sedric-rebrand-v2]
Sedric Team
Communications
Share article on
Linkedin logoX logo

CFPB Regulation F is the Consumer Financial Protection Bureau's implementing regulation for the Fair Debt Collection Practices Act, in force since November 30, 2021. Where the FDCPA sets the statutory floor, Reg F sets the operational ceiling — prescribing the specific format of the validation notice, the precise 7-in-7 call-frequency limit, the rules on emails and texts, and the recordkeeping requirements that govern third-party debt collection in the United States. This guide is the practitioner's operator manual for Reg F in 2026.

Why Reg F Matters

For thirty-plus years, FDCPA compliance was a debate about statutory interpretation. Courts split, agencies guided, and operators built compliance programs around their best understanding of "reasonable" practice. Reg F collapsed that ambiguity. The Bureau wrote down the rules — call frequency, notice format, channel restrictions — in operationally testable form. CFPB exam teams now have a checklist; consumer plaintiffs' attorneys have a testable framework; collection operators have clear standards.

The Bureau's 2024-2025 supervisory cadence has heavily emphasised Reg F compliance, with particular focus on three areas: validation notice adequacy, call-frequency-rule observance, and electronic-communication consent management.

Who Is Covered

Reg F covers third-party debt collectors as defined by the FDCPA — agencies, debt buyers, and attorneys collecting consumer debt on behalf of another. First-party creditors collecting their own debt are not directly covered, though many adhere to Reg F standards through CFPB UDAAP supervision and operational consistency.

The Reg F Architecture

The five subparts of CFPB Regulation F (12 CFR Part 1006) — communications, prohibitions, required disclosures, recordkeeping, limited-content messages.

Reg F sits at 12 CFR Part 1006. Its operational core is in five subparts:

  • Subpart B — Communications. Restrictions on with whom, when, and how a collector communicates.
  • Subpart C — Prohibitions. Codifications of harassment, false-representation, and unfair-practice bans.
  • Subpart D — Required disclosures. Validation notice contents and delivery requirements.
  • Subpart E — Recordkeeping. Documentation and retention requirements.
  • Subpart F — Limited-content messages. The safe-harbour voicemail format.

The Validation Notice

The Reg F validation notice anatomy under § 1006.34 — annotated for sponsor identification, itemisation date, account info, balance breakdown, consumer rights, and 5-day delivery.

The validation notice is the centre of Reg F. § 1006.34 specifies what must appear, in what order, and within what timeline:

  • Delivery within 5 days of the initial communication (with limited exceptions).
  • Itemisation of the debt from a specified itemisation date.
  • Current balance.
  • Account information including creditor name and account number.
  • Information about the consumer's right to dispute.
  • Specific dispute-prompt language.
  • A "Notice of Important Information" form (Form B-1, B-2, or B-3, depending on context).

The Bureau's most common Reg F enforcement finding is validation-notice defects — missing fields, incorrect formatting, late delivery, or itemisation errors. Software that auto-generates and tracks the notice is the standard operational response.

The 7-in-7 Call Frequency Rule

§ 1006.14(b) caps debt-collection calls at:

  • Seven calls per debt per consecutive seven-day period.
  • A seven-day quiet period after a consumer call is answered.

The rule is per-debt, not per-consumer. A consumer with multiple debts in collection can receive multiple call streams simultaneously, each subject to its own 7-in-7 window. Compliance requires per-debt call tracking at the dialler / CRM layer, not just per-consumer.

Email and Text Restrictions

§ 1006.6 permits email and text only under specific conditions:

  • The consumer has consented (typically opt-in at the creditor or servicer level, transferring to the collector).
  • OR the safe-harbour conditions for limited-content messages are met.
  • Each electronic communication includes a reasonable and simple way to opt out.
  • The collector has a process to track and honour opt-outs.

Failure-to-honour-opt-out is one of the fastest-growing consumer-complaint categories at the CFPB Consumer Complaint Database.

Limited-Content Messages

§ 1006.2(j) defines a "limited-content message" — a voicemail that the Bureau treats as not constituting a communication for FDCPA-third-party-disclosure purposes, provided specific content rules are met:

  • Business name (without indicating the collector is in debt collection).
  • A statement that the message is for the consumer.
  • Request that the consumer reply by telephone or electronic media.
  • Telephone number(s) and (optionally) date / time of expected availability.
  • No additional content beyond these elements.

The format is rigid; including any debt-related content (account number, amount, creditor name) makes the message a regular communication and defeats the safe harbour.

Recordkeeping

§ 1006.100 requires retention of evidence of compliance, including:

  • 3 years from the last collection activity for most records.
  • Phone-call recordings (where the collector records calls) retained for the longer of 3 years from creation or 3 years from last collection.
  • Documentation of consumer consents to email / text communications.
  • Documentation of consumer cease-communication requests and opt-outs.

How Sedric Helps

Sedric encodes the Reg F rulebook as a structured library — every rule provision mapped to a testable condition. The platform monitors 100% of calls, messages, and digital interactions in real time, flagging Reg F violations against the specific section. The agent-assist surface prompts the mini-Miranda, the validation-notice cue, and the call-frequency caution in real time, so violations are prevented rather than just detected.

FAQ

Is Reg F different from the FDCPA?

Reg F is the CFPB's implementing regulation for the FDCPA. The FDCPA is the statute; Reg F operationalises it. Modern compliance requires both.

Does Reg F apply to first-party creditors?

Not directly — Reg F applies to third-party debt collectors. First-party creditors face parallel CFPB UDAAP and state UDAP obligations, and many adopt Reg F standards voluntarily.

What's the most common Reg F examination finding?

Validation-notice defects. Missing fields, late delivery, incorrect itemisation, and absent dispute-prompt language are the most cited findings.

How does the 7-in-7 rule interact with multiple debts?

The cap is per-debt, not per-consumer. A consumer with multiple debts in collection can receive multiple call streams, each subject to its own limit. Per-debt tracking is the operational requirement.

How long do I retain the validation notice?

3 years from the last collection activity, under § 1006.100. Many firms retain longer to align with state UDAP retention or class-action discovery windows.

The Bottom Line

Reg F made third-party debt collection in the United States rule-mapped and testable. The firms that handle it well operate to the regulation prescriptively — validation notice auto-generated and timestamped, call frequency enforced at the dialler, communications-media consent tracked end-to-end, and 100% call monitoring producing the audit trail the CFPB expects to find on first request.

See Sedric in action

Sedric is the AI compliance platform for regulated marketing and communications. Every flag is mapped to the specific rulebook provision, every override is logged with reasoning, and the audit trail is the format regulators expect on first request. Book a 30-minute demo and we will walk through your specific compliance footprint.

Run compliance on autopilot

Convert your static procedures into active AI controllers that protect your brand 24/7.