The New ARM Compliance Landscape: What To Know In 2026

Something shifted in 2025 that every ARM professional should understand. The CFPB didn’t disappear. It contracted. The bureau went from roughly 1,700 employees to about 200, and from 27 enforcement actions in 2024 to 1. That’s not a signal to relax compliance. It’s a signal to understand where the pressure moved. 

It moved to the states. 

State AGs are filling the gap 

More than 20 state attorneys general are now running active collections enforcement programs. California, New York, Massachusetts, and Illinois are leading. These offices have different priorities, different interpretations of federal law, and in some cases, stricter local rules than the CFPB ever applied. 

What makes this harder than federal enforcement: there’s no single standard. A collections program that’s fully compliant under Reg F can still generate enforcement risk in a state with its own UDAP statute and an ambitious AG office. Your compliance program now needs to account for 50 potential regulators, not one. 

FCRA filings are up 37.4% year over year. Consumer complaints related to collections totaled 207,800 in 2024. These aren’t abstract trends. They’re the raw material for regulatory action. 

TCPA exposure isn’t going anywhere 

The Telephone Consumer Protection Act remains one of the highest-cost compliance risks in collections. The average TCPA settlement in recent litigation runs close to $6.6 million. One case, McLaughlin v. McKesson, set the tone for what class-action TCPA exposure can look like at scale. 

Reg F clarified some consent rules, but it didn’t eliminate the risk. It shifted the documentation burden. Collections operations that can’t demonstrate compliant consent acquisition on every account are exposed, regardless of whether the CFPB is actively looking. 

The question isn’t whether TCPA litigation is active. It is. The question is whether your program has the audit trail to defend itself. 

What your compliance program actually needs in 2026 

A compliant collections operation in 2026 has to be built to satisfy 3 different audiences at once: federal regulators, state AGs, and plaintiff attorneys. That’s a harder brief than most programs were designed to handle. 

The infrastructure requirements are specific. You need state-by-state licensing coverage. You need real-time communications monitoring, not quarterly audits. You need data security certifications that hold up under scrutiny from HIPAA-adjacent buyers and state data protection laws. And you need documentation practices that can produce an audit trail under subpoena. 

TSI maintains 200+ state and federal licenses across all operating jurisdictions. The platform’s Ripple AI monitors 100% of communications in real time, not by sampling. SOC 2 Type II, HITRUST, FISMA ATO, PCI DSS 4.0, and NIST CSF 2.0 certifications cover the security requirements most institutional buyers now demand. 

The vendor selection question 

If you’re evaluating ARM partners, compliance infrastructure has to be on the scorecard. The right question isn’t whether a vendor claims to be ‘compliance-first.’ That phrase appears in every vendor deck. The right questions are harder. 

How many active state licenses does the vendor maintain? Can they show you their real-time monitoring architecture? What happens when a communication goes out that violates Reg F? Do they catch it before it goes out, or after the complaint is filed? 

The compliance gap in ARM isn’t usually at the policy level. It’s at the operations level. A well-written compliance manual doesn’t protect you if the contact center doesn’t execute against it consistently, or if the technology can’t detect violations before they generate liability. 

What this means for program managers 

The 2026 compliance environment rewards operations that built the infrastructure before it was required, not those scrambling to retrofit it. State enforcement cycles are already underway. FCRA litigation is active. TCPA settlements continue to close. 

The programs that survive regulatory scrutiny aren’t the ones with the best lawyers. They’re the ones with the most defensible documentation, the most consistent operational practices, and the vendor relationships that extend accountability rather than diffuse it. 

That’s the standard the market is now applying. Not whether you have a compliance program. Whether your compliance program actually runs the operation. 
