Collections compliance for small business
A plain-English walkthrough of the three compliance domains that matter when you follow up on unpaid invoices.
This is general information, not legal advice. Collections law is dense, state-specific, and slow-changing in the ways that matter to regulators while fast-changing in the ways that matter to enforcement. For any specific question about a specific invoice, consult a qualified attorney in the debtor's state.
With that said: most small businesses collecting their own invoices operate in a simpler compliance space than they think. The scariest acronyms — FDCPA especially — usually don't apply directly when you're the original creditor. What does apply is TCPA (phone/SMS rules), state-level consumer protection statutes, and basic common-law fairness.
This guide walks the three domains you actually need to understand, plus the practical workflow rules — call openings, opt-outs, documentation, and industry overlays — that turn the law into a workable script.
FDCPA — usually not you, but know where the line is
The Fair Debt Collection Practices Act (15 U.S.C. § 1692) restricts third-party collectors — licensed collection agencies, debt buyers, and attorneys whose regular business is debt collection. It does not apply to first-party creditors collecting their own debts. If your HVAC company calls a customer about their unpaid service invoice, FDCPA does not bind that call.
Exceptions and overlaps to watch:
- If you use an external agency, the agency is bound by FDCPA and so is your workflow with them.
- Many states have their own FDCPA-style statutes that do apply to first-party creditors. California's Rosenthal Act (Cal. Civ. Code § 1788) is the most famous; others exist in various forms.
- Some industries (medical, some telecom subsectors) have industry-specific overlays that apply regardless of first- or third-party status.
The takeaway: if you're collecting your own invoices at a QuickBooks-scale business, FDCPA is a backstop, not your primary compliance concern. Don't let it scare you out of making reasonable collection calls. But do know that the moment you outsource to a third party, the rules shift. See the FDCPA glossary entry for a one-paragraph definition you can hand to a new bookkeeper.
The first-party / third-party distinction, revisited
This distinction matters more than any other line in this guide, so it earns a longer pass.
A first-party creditor is the original party to whom the debt is owed. You sold the service, you issued the invoice, you are owed the money. When you call about that invoice, you are calling about your own receivable. FDCPA does not regulate that call. The fairness norms that apply come from TCPA, state consumer-protection statutes, and the general common law against harassment.
A third-party collector is anyone collecting on a debt that originated with someone else. Agencies, debt buyers, and most collection attorneys fit. The federal FDCPA was written for them. It dictates what they can say, when they can call, who they can talk to, what they must disclose in writing, and how they have to respond to disputes.
Where the line gets blurry for owner-operators:
- The separate legal entity trap. Some owners spin up a separate LLC to "handle collections" for the operating business. The intent is to look more serious to debtors. The legal effect is that the new LLC is now a third-party collector under FDCPA, with all the additional obligations that brings. If you fold collections into a separate entity, you have moved yourself across the line. Talk to an attorney before you do this.
- Common ownership doesn't always save you. Even a wholly-owned subsidiary collecting for the parent has, in some readings, been treated as a third-party collector. Federal courts split on this. Don't assume the corporate veil protects you from FDCPA reach.
- State overrides. California's Rosenthal Act applies its FDCPA-style protections to first-party creditors as well as third-party collectors. If you do business in California, you operate under FDCPA-equivalent rules even when calling about your own invoice. A handful of other states have similar carve-outs in narrower forms — see the compliance reference page for the table.
- The "regularly collects" trigger. The federal FDCPA defines a debt collector partly by whether they "regularly" collect debts owed to others. Doing it once for a friend probably doesn't trigger it. Doing it as a routine service for unrelated businesses certainly does. If you're a bookkeeper or virtual CFO who does collections on the side for clients, you may already be a debt collector under FDCPA whether you wanted to be or not.
The practical posture for a small-business owner-operator: assume you are first-party in your home state, assume California treats you like a third-party collector, and ask an attorney if you ever consider a separate-entity structure. The Syntharra vs. collections agency comparison walks through the operational differences too.
TCPA — this one is yours
The Telephone Consumer Protection Act (47 U.S.C. § 227) applies to basically everyone placing automated calls or texts. If you're using voicemail drops, automated dialers, or SMS reminders, TCPA is the rule you operate inside.
Practical TCPA rules for collections:
- Call window: 8 a.m. to 9 p.m. in the debtor's local time zone, federal baseline. Some states tighten this — see the state-by-state notes below.
- Prior express consent: required for any automated call to a mobile phone using an automated dialing system. A phone number provided in the course of a business relationship usually constitutes consent for calls about that business relationship, but the safest posture is explicit consent on the invoice or at onboarding.
- Opt-outs: honor instantly and document them.
- Reassigned numbers: the number on the customer's file two years ago may belong to a stranger today. The FCC's reassigned-numbers database exists for a reason; periodic scrubs are good hygiene, especially for older AR.
The TCPA glossary entry has a one-paragraph version you can paste into a staff handbook.
State call-window and recording rules
Federal TCPA is a baseline; most states overlay additional rules. Call-window hours sometimes tighten, Sunday/holiday restrictions apply in some states, and call-recording consent rules split the country:
- One-party consent (majority of states): one party on the call — you — can consent to recording without telling the other party.
- Two-party/all-party consent (11 states, commonly listed: CA, CT, FL, IL, MD, MA, MT, NH, PA, WA, OR): every party on the call must consent to being recorded.
The practical workflow: open every call with "this call may be recorded." That one sentence satisfies the two-party consent rule in most states, creates an auditable record, and costs nothing.
See the compliance reference page for a state-by-state call-window table and the TCPA/FDCPA statute citations.
State-by-state overview — the big four
You will almost certainly do business in at least one of California, New York, Texas, or Florida. A directional sketch of each:
- California. The strictest of the four. Rosenthal Act applies FDCPA-style rules to first-party creditors. Two-party recording consent under Cal. Penal Code § 632. Tight call-window practices and aggressive private-right-of-action enforcement. If your customer is in California, default to the most conservative call cadence and assume every call may be reviewed in litigation. Rosenthal grants statutory damages for violations even where no actual harm is shown.
- New York. Adds licensing requirements for third-party collectors operating in the state and additional disclosure rules. First-party creditors have a lighter touch but still need to be careful about communications that imply a third-party identity. New York City has its own additional licensing and consumer-protection layer. Worth asking an attorney before scaling outbound there.
- Texas. Generally one of the more business-friendly states for collections, but the Texas Finance Code Chapter 392 mirrors many FDCPA provisions and applies broadly. One-party recording consent. Call-window and harassment rules track federal baselines closely.
- Florida. Two-party recording consent (Fla. Stat. § 934.03). The Florida Consumer Collection Practices Act applies to first-party creditors as well as third-party collectors — closer in shape to California than to Texas. If you operate primarily in Florida, structure your scripts and recording disclosures accordingly.
For the other 46 states, the rule of thumb is: federal TCPA, plus a state consumer-protection statute that mirrors FDCPA in some form, plus a recording-consent regime (one- or two-party). The compliance reference page has the call-window table; for anything else, default to "see state statute" and book an hour with a local attorney before you scale outreach into a new state.
A clean call-open script
Most compliance violations happen in the first five seconds of a call. Get the open right and you've solved 80 percent of the problem.
The compliant opening sequence has four elements, in this order:
- Identify the business. "This is [Acme Plumbing]."
- Disclose the recording. "This call may be recorded for quality and compliance."
- Identify the agent (human or AI). "I'm an automated assistant calling on behalf of Acme" — if you're using an AI voice agent. A human agent simply gives a name.
- State the purpose. "I'm calling about invoice number 1042, currently 14 days past due."
Put together, a Syntharra-style opening line sounds like:
"Hi, this is Acme Plumbing. This call may be recorded. I'm calling on behalf of Acme as an automated assistant about invoice number 1042. Is this a good time to talk?"
Twenty-two words. Satisfies two-party recording consent in every state that requires it. Satisfies AI-disclosure rules in jurisdictions that have them. Identifies the business and the invoice. Asks permission to continue, which both shows respect and gives the customer a chance to defer the conversation rather than get defensive.
A few notes on the sub-elements:
- The AI disclosure goes on the opening line, not buried later. If your vendor's script saves the AI disclosure for "if asked," your vendor is wrong. Many state AI-call statutes require disclosure at the start, full stop.
- Don't use a confidential-debt opener with third parties. Federal FDCPA prohibits third-party collectors from disclosing the existence of a debt to anyone other than the debtor. First-party creditors have more latitude, but it's still prudent practice. If a spouse or coworker answers, identify yourself and the business but don't volunteer the invoice details until you have the right person on the line.
- Voicemails are calls. Same disclosure rules apply to a voicemail you leave as to a live call. The Foti decision and its progeny tightened this for FDCPA-bound parties; first-party creditors are looser, but the safe script is to leave a name, business, and callback number — and skip the invoice details unless the voicemail box is clearly the debtor's.
SMS reminders — what's different
SMS lives under the same TCPA umbrella as automated calls but with a few extra rules:
- Prior express written consent for marketing texts. For transactional account-status texts (a payment-due reminder to a customer), express consent is generally enough — but the safer line is to capture explicit text-opt-in at onboarding ("Text reminders OK? Y/N").
- STOP keyword compliance. The carrier-level standard (and the FCC's expectation) is that any SMS short-code or 10DLC system must process STOP, UNSUBSCRIBE, CANCEL, END, and QUIT as opt-outs without further action. If your SMS vendor doesn't process these automatically, get a new vendor.
- Frequency disclosure. Best practice is to tell the customer what cadence to expect ("Reminders sent before invoice due dates and once if past due"). Reduces surprise complaints, which are a leading source of TCPA suits.
- No SMS outside call-window hours. The same 8 a.m.–9 p.m. local-time rule applies. A 6 a.m. text to a small-business owner who used to do their bookkeeping at dawn is still a TCPA violation, no matter how routine you think it is.
The Syntharra cadence is voice-first and uses SMS sparingly as a complement. For pure-SMS reminder strategies, the collections email templates tool and the reduce-DSO guide cover the email-and-SMS playbook in more detail.
What happens when a customer says "stop"
One rule, zero exceptions: when a customer says stop calling, stop. Remove them from automated outreach immediately, confirm in writing, and keep the record forever. Do-not-call violations are both a TCPA liability and a reputational one.
A few clarifications on what "stop" means and doesn't mean:
- "Stop" applies to the channel and the contact context. If a customer says "stop calling me about this," that's a clear instruction to halt automated voice outreach about this debt. A subsequent live call from the owner about a different account is a different conversation; defaulting to the strict reading (no further automated outreach at all) is the safest call.
- "Stop" does not erase the debt. The customer still owes the money. You can still send written notices via mail, you can still pursue legal remedies, and you can still report the account through any channel where the customer hasn't opted out. What you cannot do is keep dialing or texting after they've told you to stop.
- Cross-channel propagation matters. A "stop" via SMS should propagate to voice and email. A consumer who has to opt out three times across three channels is a consumer who's about to file a complaint. Build a single "do not contact" flag in your system that all outreach channels respect.
- Document the request, the timestamp, and the channel. The plaintiff's bar in TCPA cases routinely subpoenas phone records to demonstrate that calls continued after a stop request. Your defense is your log: what they said, when, and what you did about it.
The Syntharra DNC layer is global and instant — opt-out from any channel propagates across all clients within seconds, and the audit log shows the timestamp and the channel.
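As an added illustration of the single do-not-contact flag, the STOP-keyword handling and the debtor-local call window described in this guide (example code written for this page, not Syntharra's implementation): `ContactGate`, the channel names and the `cust-1042` record are hypothetical, and the fixed UTC-8 offset in the demo stands in for a real time-zone database entry.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo

# Opt-out keywords listed in the SMS section of this guide.
STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
# Federal baseline window; some states tighten it, so treat these as defaults.
WINDOW_OPEN, WINDOW_CLOSE = time(8, 0), time(21, 0)
AUTOMATED_CHANNELS = {"voice", "sms", "email"}  # postal mail is not gated here
WINDOWED_CHANNELS = {"voice", "sms"}


@dataclass
class ContactGate:
    """One do-not-contact flag for all channels, plus an append-only audit log."""
    dnc: dict = field(default_factory=dict)    # contact_id -> first opt-out record
    audit: list = field(default_factory=list)

    def record_opt_out(self, contact_id: str, channel: str, said: str, when: datetime) -> None:
        rec = {"contact": contact_id, "channel": channel, "said": said,
               "at": when.astimezone(timezone.utc).isoformat()}
        self.dnc.setdefault(contact_id, rec)   # keep the earliest request as the record
        self.audit.append({"event": "opt_out", **rec})

    def handle_inbound_sms(self, contact_id: str, body: str, when: datetime) -> bool:
        """Record an opt-out if the whole message is a STOP-style keyword."""
        if body.strip().rstrip(".!").upper() in STOP_KEYWORDS:
            self.record_opt_out(contact_id, "sms", body, when)
            return True
        return False

    def may_contact(self, contact_id: str, channel: str, debtor_tz: tzinfo, now: datetime):
        """Return (allowed, reason) for one outreach attempt and log the decision."""
        local = now.astimezone(debtor_tz).time()   # `now` must be timezone-aware
        if channel in AUTOMATED_CHANNELS and contact_id in self.dnc:
            verdict = (False, "do_not_contact")
        elif channel in WINDOWED_CHANNELS and not (WINDOW_OPEN <= local < WINDOW_CLOSE):
            verdict = (False, "outside_call_window")   # 9 p.m. sharp is treated as closed
        else:
            verdict = (True, "ok")
        self.audit.append({"event": "attempt", "contact": contact_id, "channel": channel,
                           "at": now.astimezone(timezone.utc).isoformat(),
                           "allowed": verdict[0], "reason": verdict[1]})
        return verdict


def demo() -> list:
    """Constructed scenario: one debtor at UTC-8, three channels, one SMS opt-out."""
    # Fixed offset keeps the demo offline; production would pass
    # zoneinfo.ZoneInfo("America/Los_Angeles") so daylight saving is handled.
    debtor_tz = timezone(timedelta(hours=-8))
    gate, results = ContactGate(), []
    # 13:30 UTC is 08:30 on the US East Coast but 05:30 for this debtor.
    early = datetime(2024, 1, 15, 13, 30, tzinfo=timezone.utc)
    results.append(gate.may_contact("cust-1042", "sms", debtor_tz, early))
    midday = datetime(2024, 1, 15, 20, 0, tzinfo=timezone.utc)   # 12:00 debtor-local
    results.append(gate.may_contact("cust-1042", "voice", debtor_tz, midday))
    gate.handle_inbound_sms("cust-1042", " stop ", midday)       # opt-out arrives by SMS
    later = midday + timedelta(hours=1)
    for channel in ("voice", "email", "mail"):
        results.append(gate.may_contact("cust-1042", channel, debtor_tz, later))
    return results
```

The audit list holds both the opt-out and every attempt decision, so a blocked call after a stop request is itself on the record.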
Documentation and audit trails
Compliance work that isn't documented may as well not have happened. The defensive posture for a small business is to keep, for every collection contact attempt:
- Call logs: date, time, duration, outcome, agent identity. Who placed the call, when, and what happened.
- Call recordings: for every call placed, retained at least as long as the debt is open and ideally seven years past closure to align with general business records retention.
- SMS receipts: the carrier-level delivery receipt and the message body. STOP responses captured with timestamps.
- Email threads: sent and received, including bounce notifications. Don't auto-delete past-due correspondence at 90 days; that's exactly when you might need it.
- Signed agreements and invoices: the underlying contract, the invoice, and any payment-plan amendments the customer agreed to. Acknowledged debts are much easier to collect on than disputed ones.
- Opt-out log: the centralized record of every "stop" request, the channel it came in on, and the propagation timestamp.
Retention period is debatable, but seven years is a reasonable common denominator. That window covers most state statutes of limitations on contract debts (see the statute-of-limitations glossary entry) and survives the longest meaningful audit windows. For deeper detail on how Syntharra stores and segregates this data, see the security page.
Industry overlays
Some industries layer additional federal regimes on top of the general collections rules. A directional pass:
- Healthcare (HIPAA). Patient identifiers and treatment information are protected health information (PHI). When a medical practice or dental office collects past-due balances, the fact that someone is a patient and what they were treated for are PHI. Voicemails left at home, calls with family members who answer, and SMS body content all need to consider PHI exposure. The safe pattern: leave a callback number and a business name without revealing the appointment or treatment context. See the medical collections industry page and dental collections industry page for industry-tailored notes.
- Higher education (FERPA). Student account balances are education records under FERPA. Disclosure to anyone other than the student (or to the parent of a dependent under 18) is generally restricted. Most colleges centralize collections precisely because the FERPA exposure on a single misrouted call is meaningful.
- Financial services (GLBA). Banks, credit unions, lenders, and certain financial intermediaries operate under the Gramm-Leach-Bliley Act, which adds privacy and safeguarding requirements on customer non-public personal information. Voice and SMS scripts that mention account balances, payment history, or other NPI need to satisfy GLBA's Privacy Rule and Safeguards Rule.
- Telecom and utilities. Industry-specific service-disconnection notice rules layer on top of general collections rules. Most are state utility-commission overlays rather than federal.
If you're in a regulated industry, the right move is an hour with a regulatory attorney before you build outbound at scale. The categories above are starting points, not legal opinions.
AI voice agents and identification
If you use an AI voice agent to place collection calls, several jurisdictions now require the agent to identify itself as AI on the opening line. "This is [business name], with an automated assistant calling about invoice [number]." The Syntharra voice flow does this by default as a compliance-layer constant, not a prompt. See the AI voice agents guide for the full category shape.
A short summary of why this matters operationally:
- The disclosure must be on the opening line, not on request. Several state statutes are explicit about "at the start of the call."
- The disclosure should be in plain language. "Automated assistant" or "AI" both work; "interactive voice response system" is technically accurate but may not satisfy the spirit of the requirement.
- The disclosure must be deterministic. Generated by the compliance layer, not the LLM. An LLM that occasionally forgets to disclose is a TCPA lawsuit waiting to happen — which is why Syntharra's compliance layer hardcodes the disclosure as a Retell dynamic-variable injection rather than a model output.
What the compliance layer buys you (and doesn't)
Following the rules in this guide will, in practice, prevent the failure modes that hurt small businesses most:
- TCPA class-action lawsuits, where statutory damages stack at $500 to $1,500 per call.
- State Attorney General investigations, which are fed almost entirely by consumer complaints and can result in consent decrees that constrain your business going forward.
- Better Business Bureau and online-review damage from customers who feel harassed.
- Lost customer relationships from heavy-handed outreach to people who would have paid with one polite call.
What it does not prevent:
- Customers who don't have the money. No script and no compliance posture changes the fact that an insolvent debtor can't pay. The right path there is the when-to-send-to-collections decision tree.
- Disputes about the underlying work. If the customer believes the invoice is wrong, no amount of polite calling resolves that — the conversation has to be about the dispute, not the debt.
- Relationship damage from over-frequency. Following the law and following good taste are not the same thing. Three compliant calls in a week may technically be fine and still feel like harassment to the customer.
Compliance is the floor, not the ceiling. The pillar guide on how to collect unpaid invoices walks the relational and tactical layer that sits on top.
Honor every opt-out
One rule, zero exceptions, restated because it bears restating: when a customer says stop calling, stop. Remove them from automated outreach immediately, confirm in writing, and keep the record forever. Do-not-call violations are both a TCPA liability and a reputational one. The Syntharra DNC layer treats opt-outs as global and instant; it should be the floor for any system you build or buy.
Compliance is a cost of doing business, but it's a low cost when the workflow is built around it from the start. Treat the call-open script, the opt-out propagation, the documentation regime, and the AI disclosure as constants — not things you remember to do — and the rest of the system can move fast without breaking anything that matters.