Collections Compliance Center

Third-Party Collections and Co-Liability: You May Be Responsible for What Your Collector Does

One of the most persistent misconceptions in collections management is that outsourcing creates a clean legal firewall. The assumption is straightforward: a third-party collector violates the law, the collector bears the liability, and the hiring business walks away unaffected. Courts and regulators have been steadily dismantling this assumption. An evolving body of case law, supported by CFPB enforcement actions, has established that businesses can be held co-liable — sometimes even vicariously liable — for the FDCPA and CFPA violations committed by collection agencies they hire.[27][28]

Understanding where this liability originates, when it attaches, and how to structure BPO relationships to minimize it is not just a legal exercise — it is a core business risk management decision. This page explains the legal landscape in plain terms and provides a practical framework for protecting your business through contract structure, oversight practices, and partner selection.

The Legal Foundation: How Co-Liability Arises

Vicarious Liability Under the FDCPA

The FDCPA applies directly to “debt collectors” — entities whose principal purpose is debt collection or who regularly collect debts owed to others. Original creditors are generally excluded from direct FDCPA liability. However, courts have recognized that vicarious liability can still attach to creditors under certain conditions.[29][4]

The key legal theory: if a creditor exercises sufficient control over a third-party debt collector’s operations, a court may find that an “agency relationship” exists — and under agency law, the principal (the creditor) can be held responsible for the agent’s (the collector’s) conduct.[30]

In practice, the control threshold has been applied broadly. In McAdory v. M.N.S. & Associates, the Ninth Circuit held that a debt buyer that purchased consumer debt and outsourced collection to a separate agency could be held liable under the FDCPA as a “debt collector” — even though the debt buyer had no direct communication with the consumer whatsoever. The court reasoned that the company’s principal purpose was debt collection, regardless of whether it made any calls itself.[31][32]

The CFPB’s Theory of Vicarious Liability

The CFPB has pursued a parallel and potentially broader liability theory under the Consumer Financial Protection Act (CFPA). In a 2023 enforcement action, a New York federal court declined to dismiss a CFPB lawsuit against debt buyer defendants based on vicarious liability for violations committed by their third-party collection vendors. The court held that:[28]

  • Companies can be “covered persons” under the CFPA even if their third-party vendors, not they themselves, actually conducted the collections[28]
  • Company owners and officers can be personally liable if they had actual knowledge of the underlying unlawful conduct[28]
  • CFPA deceptive acts liability does not require the same elements as common law fraud[28]

This enforcement posture signals that the CFPB views the company that benefits from a collections program as responsible for ensuring that program is conducted lawfully — regardless of who makes the calls.

When Does Co-Liability Attach?

Co-liability risk is highest when one or more of the following conditions are present:

Condition Risk Level Why
Creditor provides detailed scripts or call guides that the collector must follow verbatim High Implies direct control over collector conduct
Creditor has real-time access to collector call logs and can direct remediation High Suggests principal-agent relationship
Creditor agreement requires collector to act exclusively on creditor’s behalf Medium-High Exclusivity can imply control
Collector uses creditor’s brand name or presents itself as creditor on calls High Consumer may not know a third party is involved
Creditor knew of prior violations and continued the relationship Critical Knowledge of unlawful conduct is a core CFPB liability theory[28]
No written compliance requirements or audit rights in the BPO contract High Absence of oversight can constitute negligent entrustment

The Structural Firewall: How to Limit Your Exposure

While co-liability risk cannot be eliminated entirely, it can be significantly reduced through three mechanisms:

1. Contract Structure

The BPO agreement should include:

  • Explicit compliance warranties: The BPO represents and warrants ongoing compliance with the FDCPA, Regulation F, TCPA, and applicable state laws
  • Indemnification clause: The BPO indemnifies the client for any claims, settlements, or regulatory penalties arising from the BPO’s violations
  • Audit rights: The client has the right to inspect call recordings, compliance reports, agent training records, and complaint logs upon reasonable notice
  • Immediate notice provision: The BPO must notify the client within 24–48 hours of any CFPB complaint, regulatory inquiry, or lawsuit naming either party in connection with the collections program
  • Termination for cause: The agreement specifies that documented compliance violations are grounds for immediate termination without penalty

2. Ongoing Oversight — Without Crossing Into Control

The challenge in preventing co-liability is balancing oversight with legal independence. Exercising too much control over how a collector makes calls can inadvertently establish an agency relationship. The right approach is to monitor outcomes and compliance metrics rather than dictating operational procedures:

  • Review compliance score reports and complaint ratios regularly
  • Conduct periodic audits of call recordings — but focus on compliance, not call handling style
  • Establish performance benchmarks that include compliance KPIs alongside recovery rates
  • Avoid providing word-for-word scripts or call-handling instructions beyond required disclosures

3. Know-Your-Vendor Due Diligence

Before placement, conduct structured due diligence:

  • Verify FDCPA/Regulation F compliance infrastructure (7-in-7 controls, MVN workflow, opt-out systems)
  • Request references from current clients and ask specifically about complaint rates and regulatory history
  • Confirm adequate Errors & Omissions (E&O) insurance with limits sufficient to cover potential FDCPA class-action exposure
  • Ask for a written compliance program document — any reputable BPO will have one

How to evaluate a BPO partner → Use the full 20-point BPO evaluation checklist to structure your vendor due diligence

What the CFPB’s Supervisory Approach Means for 2025–2026

The CFPB’s supervisory priorities have included third-party service provider oversight as a focus area. Supervisory Highlights publications have flagged inadequate compliance management systems and insufficient oversight of collection vendors as recurring examination findings. Even in a period of CFPB institutional transition — the bureau withdrew 67 guidance documents in 2025 as part of a shift toward regulatory restraint — the core FDCPA and CFPA statutory enforcement authority remains intact and active.[33][34]

For businesses, this means that even if the CFPB’s enforcement posture fluctuates, the underlying legal risk of third-party co-liability is rooted in statutory and case law that is unaffected by agency rulemaking changes.

How Redial BPO’s Contract and Compliance Structure Protects Clients

Redial’s client agreements are designed with the co-liability framework in mind:

  • Compliance warranty: Redial warrants compliance with the FDCPA, Regulation F, and TCPA in every client agreement
  • Indemnification: Redial indemnifies clients for violations arising directly from Redial’s collection practices, with E&O insurance backing the commitment
  • Client portal access: Clients have access to account-level compliance reporting, dispute records, and complaint tracking in real time
  • 48-hour CFPB complaint protocol: When a complaint is filed related to Redial’s activity, Redial delivers full documentation to the client within 48 business hours
  • Independent compliance posture: Redial maintains its own compliance program, legal review process, and agent training independent of any single client, reducing the risk that any client relationship is characterized as a control relationship

“The right BPO contract doesn’t just define what they do — it defines what happens when something goes wrong. Redial’s agreements are built to protect clients at every level of the liability chain.”

The Collections Crisis Report

How SMBs Can Recover More Revenue Without the Compliance Risk

Related Resources

References

  1. Debt Collection: The Complete 2026 Guide | Sedric – Regulation F implements the FDCPA and provides detailed rules (definitions, communications, disclosu…
  2. Fair Debt Collection Practices Act (FDCPA): Avoid Violations – Tratta – Civil penalties of up to $500,000 for repeat offenders; Statutory damages of up to $1,000 per violat…
  3. Debt Collectors and the Law | The Maryland People’s Law Library – Third-Party Debt Collectors: companies hired to collect debt on behalf of another entity, like a cre…
  4. The Limits on Direct and Vicarious Liability Under the FDCPA – insideARM – Consumers and their attorneys are constantly seeking to expand the pool of potential FDCPA defendant…
  5. Countdown to Compliance with “Regulation F” of the Fair Debt … – Reg F thus requires debt collectors to provide consumers a convenient way to opt-out of electronic c…
  6. FDCPA – Regulation F | JPAinfo
  7. A Step-By-Step Guide of the CFPB’s New Rule: Regulation F … – Many have been preparing for the effective date of Regulation F, which is November 30th. This new Ru…
  8. What is the 7-in-7 rule with credit card debt collectors? – CBS News – If you have debt in collections, understanding how the 7-in-7 rule works could come in handy. Here’s…
  9. When and how often can a debt collector call me on the phone? – Understand your rights under the Fair Debt Collection Practices Act to avoid harassment and inconven…
  10. The Mini Miranda and Fair Debt Collections Act | FDCPA Regulations – The “Mini Miranda” script read by debt collectors will usually say, “This is an attempt to collect a…
  11. Debt Collectors must say this by law (Mini Miranda explained) – ⚖️ ATTORNEY ADVERTISING. Prior results do not guarantee a similar outcome.
  12. How Do I Get Compensated Under FDCPA? – The FDCPA limits the amount of money that you can receive for a violation to $1,000 per lawsuit. Eve…
  13. Is There A Time Limit To File An FDCPA Lawsuit? | Jibrael Law – Consumers may recover up to $1,000 per lawsuit in FDCPA cases filed within one year of the violation…
  14. Comprehensive New FDCPA Regulation F Takes Effect November 30 – Regulation F requires debt collectors to provide notice in any electronic communication to a consume…
  15. Digital Communications, Regulation F, and the Fair Debt Collection … – Learn about key features of Reg F, including consumer communication preferences, call limits, and sa…
  16. The FCC Issues Final Rule Formally Eliminating the One-to-One … – The Federal Communication Commission (FCC) has recently issued a final rule under the Telephone Cons…
  17. FCC Extends Limited Waiver for Part of the TCPA Consent Revocation …
  18. The FCC’s “Prior Express Written Consent” Rule is Changing This … – A year ago, the Federal Communications Commission (FCC) adopted new rules designed to address allege…
  19. UPDATED Text & Call Consent Revocation Rules Not Revoked … – by: Justine Young Gottshall , Tatyana Ruderman & Brian Schaller
  20. 12 CFR Part 1006 – Fair Debt Collection Practices Act (Regulation F) – Regulation F is implemented by the Consumer Financial Protection Bureau.
  21. A Closer Look at the CFPB’s Proposed Debt Collection Rules – This safe harbor would apply when a debt collector maintains procedures that are “reasonably adapted…
  22. Consumer Complaint Program – Consumer Complaint Program
  23. CFPB Reports on Consumer Complaint Trends | Insights & Resources – 45% of debt collection complaints involved consumers who “did not recognize” the debt. Consumers pri…
  24. Your company’s role in the complaint process – Learn more about each step and how these responses are used to identify problems in the marketplace.
  25. [PDF] Consumer Response 101 – files.consumerfinance.gov.
  26. Learn how the complaint process works – Your complaint goes through several steps that help you get a response and help us identify problems…
  27. Creditors May Now Face Vicarious Liability for the Actions of a Debt … – An emerging body of case law is expanding the way the courts treat illegal or unethical actions by a…
  28. NY Federal Court Rules CFPB Vicarious Liability Suit Can Proceed – In August, a New York federal district court
  29. Consumer Debt Collection & Consumers’ Legal Rights – Justia – Third-party debt collectors may be authorized to file suit on the creditor’s behalf, or to report un…
  30. Select language – Explore millions of resources from scholarly journals, books, newspapers, videos and more, on the Pr…
  31. Ninth Circuit Finds Debt Assignee Can Be Liable Under the FDCPA … – The United States Court of Appeals for the Ninth Circuit recently held that a company that “buys and…
  32. Ninth Circuit Holds That Debt Buyers That Outsource Direct … – In 1977, Congress enacted the FDCPA, which allows consumers to sue “debt collectors” for certain vio…
  33. Supervisory Highlights – Consumer Financial Protection Bureau – Fall Supervisory Highlights. Topics: compliance management systems, third-party service provider ove…
  34. CFPB Withdraws Guidance Documents: A Shift Toward Regulatory … – The CFPB has announced the withdrawal of 67 guidance documents, including interpretive rules, policy…

Ready to fix your collections compliance posture?

Talk to a Redial collections compliance specialist for a structured review of your operations.

Get a Free Collections Assessment

Tell us about your goals in a quick 30-minute call, and we’ll show you how Redial can help.

Schedule a meeting

Prefer to start with a form?

Tell us about your needs, and we’ll set up a call to walk you through a custom quote.

Request a free quote