FCC CG Docket 02-278 Compliance Checklist for Outsourced Voice (2026)

The September 2024 declaratory ruling under FCC CG Docket No. 02-278 did not introduce new statutory authority. It clarified how the Commission interprets existing TCPA obligations (47 U.S.C. section 227) in the context of autodialed calls, consent capture, and revoked consent across affiliated entities. For procurement teams using offshore-originated outbound voice vendors in regulated verticals (debt collection, insurance lead-gen, financial services outbound, ACA and Medicare front-end work), the ruling tightened the documentation expectation in ways that most pre-2024 vendor agreements do not reflect. This checklist is designed to be run alongside legal review, not as a substitute for it.

What the September 2024 FCC declaratory ruling actually changed

The ruling sits inside the FCC's ongoing administration of the TCPA under CG Docket No. 02-278, the Commission's long-running consumer-protection proceeding on autodialed and prerecorded calls. The September 2024 declaratory ruling clarified two threshold points. First, that revoked consent must be honored across affiliated entities of a calling brand, not parsed narrowly to the specific number or campaign that received the revocation. Second, that the FCC continues to read the TCPA's restrictions on autodialed calls broadly enough to capture most modern outbound dialer configurations used in regulated verticals.

The verticals most directly affected are the ones where outbound voice is load-bearing for customer acquisition and where consumer trust is regulator-relevant. Debt collection sits inside the FDCPA and CFPB perimeter. Insurance lead-gen, ACA, and Medicare front-end work sit inside the FCC perimeter and, in the Medicare case, also inside CMS Marketing Guidelines. Financial services outbound sits inside the FCC perimeter and the GLBA safeguards regime (15 U.S.C. section 6801 et seq.). Healthcare-adjacent voice work sits inside HIPAA (45 CFR section 164). The ruling did not change any of these underlying frameworks. It tightened how procurement should document that an offshore voice vendor is operating inside them.

The FCC's Consumer and Governmental Affairs Bureau publishes the docket activity and consumer complaint patterns that drive enforcement priority. Procurement teams running quarterly vendor reviews should be watching Bureau output, not just headline rulings, to spot interpretation drift before it becomes an enforcement action.

The 12 compliance checkpoints

Each item below is one verification step. A "fronter" is an offshore agent who pre-qualifies a prospect and warm-transfers the call to the client's licensed US staff for closing, rather than handling the regulated portion of the conversation directly. The checkpoints apply whether the vendor uses fronters or runs end-to-end offshore voice.

1. Confirm location-disclosure language is in the vendor's outbound script verbatim, not paraphrased. Why it matters: paraphrased disclosure language is the most common audit failure pattern after the September 2024 ruling, because regional supervisors edit scripts without compliance review.
2. Verify written consent capture for every dialed contact, traceable to source, timestamp, and method. Why it matters: the TCPA places the burden of proving prior express written consent on the calling brand, and offshore vendor logs are often incomplete on source attribution.
3. Audit revoked-consent propagation across affiliated entities and campaigns. Why it matters: the September 2024 ruling tightened the expectation that revocation flows across the brand's affiliate perimeter, not just the specific campaign that received it.
4. Inspect dialer configuration for autodialer classification under current FCC interpretation. Why it matters: predictive and progressive dialer settings can fall inside the TCPA's autodialer definition depending on configuration, and an offshore vendor's default config may not match the brand's compliance posture.
5. Confirm 100 percent call recording with retention aligned to regulator expectations. Why it matters: in debt and financial services, recordings are the primary evidence in dispute resolution, and offshore retention windows often default below US regulator expectations.
6. Document supervisor monitoring frequency with a written cadence and sampling methodology. Why it matters: side-by-side and silent monitoring at a documented sampling rate is what auditors look for, and "as needed" is not a defensible cadence.
7. Verify agent training records covering TCPA, vertical regulations, and the FCC's 2024 declaratory rulings. Why it matters: training documentation establishes the brand's good-faith reliance defense, and offshore vendors often retain training records only in-country.
8. Require a signed BAA where HIPAA-regulated data is in scope under 45 CFR section 164. Why it matters: any voice work touching protected health information without an executed Business Associate Agreement is a per-incident HIPAA exposure for the covered entity, not the vendor.
9. Require a current SOC 2 Type II report and review the trust services criteria coverage. Why it matters: a SOC 2 Type I or a stale report is not evidence of operating controls, and procurement teams routinely accept stale reports without flagging the gap.
10. Verify geographic call routing transparency and ANI presentation rules. Why it matters: caller ID presentation rules and call routing transparency feed directly into FCC consumer-complaint patterns, and STIR/SHAKEN attestation expectations apply to the calls regardless of origin.
11. Inspect the vendor's consumer complaint log and escalation path. Why it matters: complaint trend data is the earliest warning signal of compliance drift, and brands that read complaint logs quarterly catch issues before regulators do.
12. Confirm the vendor's regulatory horizon-scanning process for FCC, CFPB, FTC, and CMS rule changes. Why it matters: a vendor without an active regulatory watch function will be running on whichever interpretation was current when the contract was signed, which is the central failure mode the September 2024 ruling exposed.

Where the fronter model changes the compliance posture

A fronter, as defined above, is not a closer. The offshore portion of the call is restricted to pre-qualification: confirming intent, verifying basic eligibility against unregulated criteria, and warm-transferring the qualified prospect to the client's licensed US staff to complete the conversation. Regulated handling (rate quotes, plan enrollment, binding adjustments, debt validation, financial product disclosures) sits with the licensed US agents on the receiving end of the warm transfer.

The compliance consequence is straightforward. The offshore surface area is smaller, so the regulatory exposure on the offshore side is smaller. Location disclosure becomes easier to comply with because the disclosure script can be tighter and shorter. Recording, supervisor monitoring, and training cadence still apply, but the regulated content is handled by US licensed staff under the client's existing compliance regime. The fronter model is not a compliance loophole. It is a structural way to keep regulated handling inside the brand's existing licensed perimeter while still capturing the unit-economics benefit of offshore pre-qualification.

CFG runs fronter-only rooms in Jamaica, Trinidad, Saint Lucia, Belize, and Colombia, with a Toronto HQ. CFG agents are not licensed. CFG does not bind insurance, does not enroll Medicare beneficiaries, and does not adjust accounts. The model is built around the warm transfer for exactly this reason.

Documentation procurement should require from any voice vendor

The artifacts list below is the minimum package a procurement team should hold in the vendor file before a 2026 program goes live. Anything less is a procurement gap, regardless of how the vendor presents in interviews.

• Signed BAA where HIPAA-regulated data touches the call, executed before the first dial.
• Current SOC 2 Type II report, dated within the last 12 months, covering relevant trust services criteria.
• Call recording retention policy with retention windows aligned to FCC, FDCPA, GLBA, and HIPAA expectations as applicable.
• Supervisor monitoring cadence document stating sampling frequency, methodology, and escalation triggers.
• Agent training program covering TCPA, the September 2024 CG Docket 02-278 ruling, vertical-specific rules (CMS Marketing Guidelines for Medicare, GLBA for financial services, HIPAA for healthcare-adjacent), with completion records.
• Dialer configuration attestation documenting autodialer status under current FCC interpretation.
• Quarterly compliance re-audit attestation against the 12 checkpoints in this article.

Quarterly compliance review cadence

The FCC's interpretation around the TCPA and CG Docket 02-278 has moved repeatedly across the 2024 rulings. A vendor that was compliant in Q1 of a calendar year may not be compliant in Q4 without remediation. Procurement teams that re-audit only annually are running on stale evidence and are exposed during the months between audits.

A defensible cadence in 2026 looks like this. Quarterly, run the 12-checkpoint review in writing, with the vendor producing artifacts against each item. Monthly, review the consumer complaint log and any rule-change horizon items the vendor has flagged. Annually, run a deeper-dive review with outside counsel and refresh the SOC 2 and BAA documentation. Post-ruling triggers (any new FCC declaratory ruling on the docket, any CFPB or FTC enforcement action on voice, any CMS guidance update for Medicare programs) should trigger an interim review regardless of the calendar.

For buyers running regulated outbound voice today, the practical action is to run the 12-checkpoint review against current vendors this quarter, then build the artifact list into the renewal cycle. The CFG outsourcing calculator models the unit-economics piece. The compliance piece is harder to recover after the fact than the cost piece is.

Sources

1. Federal Communications Commission. Declaratory Ruling, CG Docket No. 02-278. September 2024.
2. Telephone Consumer Protection Act, 47 U.S.C. section 227.
3. Federal Communications Commission, Consumer and Governmental Affairs Bureau. Docket activity and consumer complaint guidance.
4. Federal Communications Commission. Prior 2024 declaratory rulings on autodialed calls and revoked consent under CG Docket No. 02-278.
5. Health Insurance Portability and Accountability Act privacy and security rules, 45 CFR section 164.
6. Gramm-Leach-Bliley Act, 15 U.S.C. section 6801 et seq.
7. Centers for Medicare and Medicaid Services. Medicare Communications and Marketing Guidelines, current edition.

Frequently Asked Questions