TL;DR
- Regulation F’s 7-in-7 frequency cap applies to AI contacts and human contacts combined — not separately per system or per channel
- 31% of US banks with AI collections track human and AI contact frequency in separate systems — creating systematic violations that neither system detects individually
- Limited content messages — voicemails and texts containing only the FDCPA-permitted elements — are not prohibited communications under Regulation F when correctly structured
- Electronic opt-outs must be honoured across all channels within 3 business days — a channel-specific opt-out that does not block other channels is a Regulation F violation
- iTuring enforces Regulation F’s 7-in-7 limit in a unified per-account counter across AI and human contacts — the limit is system-enforced, not policy-monitored
What Regulation F Compliance Means for AI-Driven Collections at US Banks
Every US bank running AI in its collections workflow faces a single question from CFPB examiners: does your system count all contact attempts in one bucket, or does it let AI and human agents operate on separate tallies? Regulation F compliance for AI collections programs is not optional, and the frequency limits and opt-out requirements apply regardless of which system initiates the contact.
Regulation F (12 CFR Part 1006), the CFPB’s implementing rule for the Fair Debt Collection Practices Act, took effect on November 30, 2021; CFPB examination guidance was updated in Q2 2024, and limited content message guidance was reaffirmed in Q1 2025. The rule imposes specific obligations on how US banks structure, track, and limit contact attempts across every channel, including those initiated by autonomous AI agents.
This article covers the three most common Regulation F violations in AI collections, the system architecture required to prevent them, and the pre-examination checklist collections leaders need. After reading, a Head of Collections will understand exactly how the Regulation F frequency limit applies to AI collections programs and what CFPB examiners are trained to look for.
The Three Regulation F Rules That US Bank AI Collections Systems Systematically Violate
Regulation F (12 CFR Part 1006), implementing the Fair Debt Collection Practices Act, contains a precise operational requirement in Section 1006.14: contact attempts are capped at 7 per account per 7 consecutive days across all channels combined, including AI-initiated contacts. This is not a guideline or a best practice. It is a hard limit that must be documented per account, per rolling 7-day window, with evidence that every contact attempt from every system was counted before the next attempt was authorized.
The scope question trips up most banks. A 2024 aggregate of CFPB examination findings revealed that 31% of US banks using AI collections platforms apply the 7-in-7 frequency cap to human agent calls only, excluding AI-initiated contacts from the same frequency bucket (CFPB Examination Findings Aggregate 2024). That means nearly a third of institutions with AI collections are structurally incapable of enforcing the Regulation F frequency limit across AI and human collections channels, because their systems were never designed to share a single counter.
The enforcement consequences are already visible. CFPB 2025 supervisory highlights cited 3 institutions specifically for Regulation F frequency violations in AI-driven collections, and each had AI systems counting human and automated contacts in separate frequency buckets (CFPB Supervisory Highlights Issue 34, 2025). The pattern across all three was identical: each system showed compliance individually, but the combined contact count per account exceeded the 7-in-7 cap. The implementation checklist later in this article covers the specific gaps most US banks teams need to close before the next examination.
Why Separate AI and Human Contact Frequency Trackers Create Violations That No Single System Detects
The data layer gap is the root cause. Regulation F (12 CFR Part 1006) requires that every contact attempt, whether a phone call, voicemail drop, SMS, or email, be counted against a single per-account rolling 7-day window. Most US banks operate their AI collections platform on one technology stack and their human agent dialler on another. Neither system has read access to the other’s contact log in real time, so neither system can enforce a combined cap. The result is that AI-driven collections programs frequently exceed contact limits without any single dashboard showing a violation.
The process layer gap compounds the problem. CFPB found Regulation F contact frequency violations at institutions where AI and human contact attempts were tracked in separate systems; in each cited case, neither system showed a violation individually (CFPB Supervisory Highlights Issue 34, 2025). The CFPB’s application of the 7-in-7 rule to AI collections is unambiguous: every attempt counts, regardless of which system generated it. Collections teams relying on a nightly batch reconciliation between their AI platform and their human dialler are operating with a compliance blind spot that lasts up to 24 hours, during which additional violations can accumulate.
The audit trail gap is what examiners exploit. When a CFPB examiner requests a complete contact history for a sample of accounts, they expect a single log showing every attempt, the initiating system, the timestamp, the channel, and the outcome, all in one export. Banks with separate tracking systems cannot produce this on demand. They must manually merge logs, reconcile timestamps, and explain discrepancies, a process that itself raises examiner concerns about control adequacy. The pattern is consistent: US banks teams that built their collections AI before the rule took effect on November 30, 2021, with examination guidance updated in Q2 2024 and limited content message guidance reaffirmed in Q1 2025, are operating governance frameworks that predate the obligation.
How iTuring Enforces the Unified 7-in-7 Frequency Cap Across All US Bank Collections Channels
Unified 7-in-7 frequency counter: AI contacts and human contacts tracked in one per-account bucket, the limit enforced across all channels before any contact is initiated
The iTuring Collections Agent maintains a single, real-time contact counter per account. Every contact attempt, whether initiated by an AI agent, a human collector, a voicemail drop, or an SMS, increments the same counter before the attempt is released. The system does not allow a contact to proceed if the rolling 7-day count has reached 7. This is a hard block, not a soft alert.
From an examiner’s perspective, the output is a single exportable log per account showing every contact attempt, the originating system or agent, the channel, the timestamp, and whether the attempt was blocked by the frequency cap. There is no reconciliation step. The unified Regulation F governance across AI and human collections channels with hard-coded contact controls means the examiner sees one consistent record, not two logs that require manual stitching.
Limited content message architecture: voicemail drops and text messages pre-formatted with only Regulation F permitted elements, no prohibited content can enter the template
Section 1006.14 distinguishes between communications and limited content messages. A limited content message, such as a voicemail or text, that contains only the elements permitted under Regulation F does not count as a “communication” for frequency cap purposes. The iTuring Collections Agent uses locked message templates for voicemail drops and SMS that contain only the borrower’s name, a request to reply, the entity name, and a phone number. No debt amount, no account details, no language that would convert the message into a full communication.
Each template maps directly to the permitted element list in Section 1006.14(f). The template cannot be edited by a collections agent or overridden by the AI’s generative model. This architectural constraint ensures that limited content messages retain their safe harbour status regardless of which agent or model initiates the outreach.
The 7-in-7 limit is not 7 AI attempts plus 7 human attempts. It is 7 total attempts counted across every channel, every system, and every agent that touched the account in that 7-day window.
Electronic opt-out automation: CFPB 3-business-day requirement met automatically, cross-channel block applied immediately with propagation timestamp stored per opt-out event
When a consumer opts out of electronic communications, Regulation F requires the bank to honour that opt-out within 3 business days. The iTuring Collections Agent applies the cross-channel block immediately upon receiving the opt-out signal, whether it arrives via SMS reply, email link, or web portal. The system stores a propagation timestamp for each opt-out event, recording when the opt-out was received, when the block was applied to each channel, and confirmation that no further electronic contact was attempted after the block.
This FDCPA Regulation F opt-out architecture for AI collections at banks satisfies the 3-business-day window with margin to spare. From the Head of Collections’ perspective, the governance workflow is passive: opt-outs are processed without manual intervention, and the audit log is generated automatically. No collections team member needs to update a suppression list or verify propagation across channels. The system handles it, and the evidence is stored for examination.
Before CFPB Examination: The Regulation F Compliance Gaps Most AI Collections Platforms Have
- Start with inventory. Identify every AI collections model currently in production that initiates or influences contact attempts. This includes predictive diallers, propensity-to-pay models that trigger outreach, generative AI that drafts messages, and autonomous agents that execute multi-step contact strategies. Each model falls within the scope of Regulation F (12 CFR Part 1006) because each model can generate a contact attempt that counts against the 7-in-7 cap.
- Assemble documentation. Section 1006.14 requires evidence that contact frequency was tracked and enforced per account, per rolling 7-day window, across all channels. The records must show the total contact count at the time each attempt was authorized, the channel used, and the system that initiated the attempt. Banks that lack consolidated contact logs across their collections technology stack will need to build or procure a unified tracking layer before examination.
- Establish governance over material changes. Any update to an AI collections model that could alter contact frequency, timing, or channel selection requires a documented approval process. This includes changes to contact strategy logic, threshold adjustments in propensity models, and updates to message templates. The Regulation F frequency limit for AI collections programs enforced by the CFPB means that a model change is a compliance event, not just a technical deployment.
- Set a monitoring cadence. Quarterly review of contact frequency data across all channels satisfies baseline expectations, but out-of-cycle reviews should be triggered by any model retraining, any change in contact strategy parameters, or any consumer complaint alleging excessive contact. State-level enforcement activity is also intensifying in parallel with federal oversight, making proactive monitoring a practical necessity rather than a regulatory luxury.
Real Results: US Community Bank (assets <$10B)
A US community bank with assets under $10 billion faced a specific Regulation F compliance challenge: its legacy collections platform tracked AI-initiated contacts and human agent calls in separate systems, creating the exact dual-counter architecture that CFPB examiners have cited at other institutions. The bank deployed the iTuring Collections Agent with its unified 7-in-7 frequency counter and cross-channel opt-out automation, achieving full compliance within 60 days of deployment.
Results after deployment:
SR 11-7 examination passed with zero findings on all collections AI models.
Regulation F Frequency Caps Are Not a Dialler Setting — They Are a System Architecture Requirement
The 7-in-7 frequency cap under Regulation F is a system-level control, not a configuration option in a dialler. Any bank that cannot produce a single, unified contact log per account across every channel and every system, human and AI, has a structural compliance gap that policy documents alone cannot close. The institutions that pass CFPB examinations cleanly are the ones that engineered frequency enforcement into their collections architecture before the examiner arrived, not the ones that assembled evidence after the request.
One important note: Regulation F’s limited content message safe harbour applies only to communications containing specific permitted elements – AI-generated voicemails and texts must be reviewed against the element list before the safe harbour defence is used in any examination response.
Collections leaders preparing for their next CFPB examination cycle should evaluate whether their current architecture can produce the unified contact logs and opt-out evidence that examiners now expect as standard. To see how iTuring’s compliance-native architecture handles Regulation F enforcement across AI and human collections channels, request a demo and review the controls against your own examination preparation checklist.


