Quantum Automations
Guide · Voice AI

FCA PECR Compliant Voice Remarketing: Mortgage Leads

Published: July 2026
Topic: Voice Agents · FCA Compliance
Reading time: 10 min
Audience: UK SME founders

A UK mortgage broker ran an outbound voice agent campaign to 2,400 lapsed customers — people who had enquired six to eighteen months prior but never converted. On day three, their compliance officer flagged that seven calls had reached customers who had previously raised hardship concerns with the firm. The voice agent script had no vulnerability escalation path. The campaign went dark for two weeks while legal reviewed every recording. That pause cost roughly £38,000 in lost pipeline — more than the entire build cost.

The root failure was not the technology. The agent performed exactly as configured. The failure was that nobody had answered three questions before the first dial: which legal basis covers these calls under PECR, what FCA Consumer Duty requires in every outbound script for financial products, and how the agent recognises a vulnerable customer and gets them out of the automated flow immediately. This post answers all three, in the sequence you need to address them.

PECR soft opt-in for existing mortgage relationships: the exact conditions it covers

The "soft opt-in" in PECR comes from Regulation 22, which governs electronic mail — email and SMS. Under Regulation 22(3), a business may market to existing customers without explicit consent if four conditions are met: their contact details were collected during a previous sale or negotiation, the marketing covers similar products or services, the customer was given a clear opportunity to opt out at the point of collection, and every subsequent message includes an easy opt-out. That is the soft opt-in. It applies to email. It does not mention voice calls.

For telephone calls, PECR splits into two distinct rules. Regulation 21 governs live calls made by a human: you must screen against the Telephone Preference Service register before dialling and stop all calls to any registered number. Regulation 19 governs automated calling systems — any technology that dials and delivers a synthesised or recorded message without a human initiating each individual call in real time. Regulation 19 requires explicit prior consent. There is no existing-customer exception.

An AI voice agent using a large language model and text-to-speech to hold a conversation qualifies as an automated calling system under the ICO's current interpretation of PECR. The soft opt-in analogy that mortgage brokers reach for — "we had a prior relationship, so we can call" — works for email campaigns. For automated voice calls to residential numbers, it does not transfer.

Where the existing customer relationship does help: a live human agent calling a non-TPS-registered customer can cite the prior enquiry as context and may have a legitimate interest basis under GDPR — but that requires its own documentation and is a separate legal route from soft opt-in.

Where soft opt-in ends: why 'lapsed' is the grey zone that needs legal review

Even under the more permissive Regulation 21 framework for live calls, "existing customer" has a specific meaning the ICO scrutinises. A person who submitted a mortgage enquiry six to eighteen months ago and never took out a product is not a customer — they are a former prospect. The distinction matters.

Four sub-issues for legal to address before dialling:

  • Scope of original consent. Enquiry-form consent is almost always scoped to follow-up on that specific enquiry, not future product campaigns.
  • Consent expiry. If your privacy policy states a contact period and that period has passed, the consent is spent.
  • Product relevance. If the product the prospect enquired about is no longer on offer, the "similar products" argument weakens substantially.
  • Time elapsed. ICO enforcement decisions show consistently that the longer the gap between consent and outreach, the harder the compliance position becomes.

The question to answer in writing before any campaign launches: at what point in your customer journey does an enquiry become an "existing customer" relationship under PECR? Most regulated firms set this threshold at the point a binding agreement is signed. An enquiry that did not convert does not cross that threshold.

If your legal team's answer is "we are uncertain", the compliant route is to collect fresh consent before using a voice agent for outbound contact. That adds a step — typically an email or SMS opt-in campaign — but removes the regulatory ambiguity entirely. The sequencing between re-consent touchpoints and the first outbound dial is covered in the missed-call recovery automation guide.

FCA Consumer Duty: what it requires in every outbound script for financial products

The Consumer Duty (FCA PS22/9, effective 31 July 2023) replaced Treating Customers Fairly with a higher active standard. Firms must demonstrate they are meeting four outcomes — products and services, price and value, consumer understanding, and consumer support — not merely avoid identifiable breaches. For outbound scripts, understanding and support create the most specific requirements.

Consumer understanding requires communications to "support consumers to make informed decisions". In an outbound mortgage call: identify the firm and regulated nature of the call within the first ten seconds; state the purpose before any qualifying questions; avoid urgency framing ("this rate closes today") unless factually accurate; provide a clear opt-out before any product discussion begins.

Consumer support requires that consumers can access help when they need it. A voice agent script cannot be a dead end. If the customer signals confusion, distress, or hardship, the call must route to a qualified human — not a voicemail box, not a callback queue with a four-day wait.

The FCA's finalised guidance FG22/5 on the Consumer Duty is explicit that firms remain responsible for the entire customer experience, including where a third party or automated system delivers that experience. Deploying a voice agent does not transfer the Consumer Duty obligation to the technology vendor.

Identifying vulnerable customers before the call: data signals and screening process

The FCA's finalised guidance FG21/1 on fair treatment of vulnerable customers identifies four drivers of vulnerability: health conditions, negative life events (bereavement, job loss, relationship breakdown), low financial resilience, and low capability (low financial literacy, language barriers). A voice agent cannot discover these flags mid-conversation and act on them in time — the screening must happen at list build, before a single number is dialled.

Three CRM signals to pull before building any outbound list:

  1. Hardship and distress notes. Any record of payment difficulty, a debt management plan, a hardship declaration, or a welfare concern raised during the original enquiry or any subsequent contact.
  2. Previous opt-down or opt-out events. The customer reduced contact frequency, expressed reluctance, or was removed from a prior campaign.
  3. Product and age profile. Customers over 70 who enquired about equity release or later-life products warrant additional caution; FCA supervisory work has focused on this cohort.

Any customer flagging on one or more signals should be removed from automated outbound and either excluded or moved to a human-led queue with a senior adviser available from the start. Log the screening decision and rationale before dialling begins.

This data layer is pre-call infrastructure, not a voice agent feature. We built a comparable pre-call screening pipeline using CRM webhooks and a validation step before list export in our voice AI and document analysis case study.
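
One way to run this screen at list build, as an added example (not the pipeline from the case study): it applies the three signals above to a CRM export and keeps the decision and rationale for each number. The record fields, event names, product codes and keyword list are assumptions, and substring matching on notes is only a first pass.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed keyword list, taken from the hardship examples in the text above.
HARDSHIP_TERMS = ("payment difficulty", "debt management plan", "hardship", "welfare concern")
LATER_LIFE_PRODUCTS = {"equity_release", "later_life"}          # assumed product codes
OPT_EVENTS = {"opt_down", "opt_out", "removed_from_campaign"}   # assumed event names
TODAY = date(2026, 7, 15)                                       # constructed screening date

@dataclass
class CrmRecord:  # hypothetical CRM export row
    customer_ref: str
    date_of_birth: date
    product_enquired: str
    notes: list = field(default_factory=list)
    contact_events: list = field(default_factory=list)

def age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def screen(record, today):
    """Apply the three signals and return the decision plus rationale to log."""
    reasons = []
    text = " ".join(record.notes).lower()
    matched = [term for term in HARDSHIP_TERMS if term in text]
    if matched:
        reasons.append("hardship_note:" + matched[0])
    if OPT_EVENTS & set(record.contact_events):
        reasons.append("prior_opt_down_or_out")
    if age_on(record.date_of_birth, today) > 70 and record.product_enquired in LATER_LIFE_PRODUCTS:
        reasons.append("over_70_later_life_product")
    if "opt_out" in record.contact_events:
        route = "excluded"  # example policy: an opt-out is never re-queued
    elif reasons:
        route = "human_led_queue"
    else:
        route = "automated_outbound"
    return {"customer_ref": record.customer_ref, "screened_on": today.isoformat(),
            "route": route, "reasons": reasons,
            "sources_checked": ["notes", "contact_events", "product_age_profile"]}

def build_lists(records, today):
    """Split a campaign list by route and keep every decision for the audit log."""
    decisions = [screen(r, today) for r in records]
    lists = {"automated_outbound": [], "human_led_queue": [], "excluded": []}
    for d in decisions:
        lists[d["route"]].append(d["customer_ref"])
    return lists, decisions

# Constructed sample records, not real customer data.
SAMPLE = [
    CrmRecord("C-001", date(1985, 4, 12), "remortgage"),
    CrmRecord("C-002", date(1979, 9, 3), "remortgage",
              notes=["Caller mentioned a Debt Management Plan started in May."]),
    CrmRecord("C-003", date(1990, 1, 20), "first_time_buyer", contact_events=["opt_out"]),
    CrmRecord("C-004", date(1950, 3, 1), "equity_release"),
]
```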

Transfer-to-human trigger design for Consumer Duty escalation

Every financial services voice agent needs documented transfer triggers. The escalation logic belongs in your call flow design before any script is written. Below is the function schema we use in Retell.ai deployments for regulated outbound campaigns:

{
  "name": "escalate_to_human_adviser",
  "description": "Triggered when a vulnerability signal or regulatory condition is detected. Initiates warm transfer to a qualified mortgage adviser.",
  "parameters": {
    "type": "object",
    "properties": {
      "trigger_reason": {
        "type": "string",
        "enum": [
          "hardship_mentioned",
          "bereavement_mentioned",
          "health_concern_raised",
          "emotional_distress_detected",
          "repeated_confusion",
          "explicit_opt_out",
          "complaint_indicated",
          "regulatory_question_outside_agent_scope"
        ]
      },
      "transfer_queue": {
        "type": "string",
        "enum": [
          "mortgage_adviser_priority",
          "vulnerability_support_team",
          "complaints_handler"
        ]
      },
      "agent_summary": {
        "type": "string",
        "description": "One-sentence call context pre-populated for the receiving adviser before transfer completes"
      }
    },
    "required": ["trigger_reason", "transfer_queue", "agent_summary"]
  }
}

The agent_summary field matters. When the human adviser picks up, they need immediate context — why the call was escalated and what was discussed. A warm transfer without a brief forces the customer to repeat themselves, which is exactly the Consumer Duty support failure the escalation was meant to prevent.

Full transfer-to-human architecture, including timeout handling and fallback when no adviser is available, is in the voice agent transfer-to-human guide.
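
An added example, not part of the original deployment code: a server-side check of the arguments the model emits for escalate_to_human_adviser, using the enumerations from the schema above, so that a malformed call still ends in a transfer. The fallback queue, the summary length limit and the name validate_escalation are assumptions of this example; no vendor SDK is used.

```python
import json

# Enumerations copied from the escalate_to_human_adviser schema above.
TRIGGER_REASONS = {
    "hardship_mentioned", "bereavement_mentioned", "health_concern_raised",
    "emotional_distress_detected", "repeated_confusion", "explicit_opt_out",
    "complaint_indicated", "regulatory_question_outside_agent_scope",
}
TRANSFER_QUEUES = {
    "mortgage_adviser_priority", "vulnerability_support_team", "complaints_handler",
}
FALLBACK_QUEUE = "vulnerability_support_team"  # assumption: fail-closed default
MAX_SUMMARY_CHARS = 300                        # assumption: display limit
FALLBACK_SUMMARY = "Automated summary failed validation; ask the customer for context."

def _enum(args, key, allowed, problems):
    value = args.get(key)
    if isinstance(value, str) and value in allowed:
        return value
    problems.append("invalid:" + key)
    return None

def validate_escalation(raw_arguments):
    """Check model-emitted arguments; a bad payload still results in a transfer."""
    problems = []
    try:
        args = json.loads(raw_arguments)
    except (TypeError, ValueError):  # json.JSONDecodeError is a ValueError
        args = None
    if not isinstance(args, dict):
        args = {}
        problems.append("arguments_not_a_json_object")
    reason = _enum(args, "trigger_reason", TRIGGER_REASONS, problems)
    queue = _enum(args, "transfer_queue", TRANSFER_QUEUES, problems)
    summary = args.get("agent_summary")
    if isinstance(summary, str) and summary.strip():
        # Collapse whitespace (including newlines) and cap the length
        # before the text is shown to the receiving adviser.
        summary = " ".join(summary.split())[:MAX_SUMMARY_CHARS]
    else:
        problems.append("invalid:agent_summary")
        summary = FALLBACK_SUMMARY
    return {
        "transfer": True,  # escalation is never dropped because of bad arguments
        "trigger_reason": reason or "unvalidated",
        "transfer_queue": queue or FALLBACK_QUEUE,
        "agent_summary": summary,
        "validation_problems": problems,  # log these alongside the call record
    }
```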

Timing rules: ICO guidance on call windows for financial services outbound

The ICO's rules on unsolicited direct marketing calls prohibit contact before 8am or after 9pm. That is the legal floor, not a recommendation. Financial services outbound carries specific sensitivities that justify tighter constraints, and the FCA's consumer support outcome implicitly requires that contact attempts are made when customers can engage thoughtfully rather than when they are under time pressure or stress.

| Window | ICO legal minimum | FCA consumer support best practice | Recommended default |
|---|---|---|---|
| Monday–Friday | 08:00–21:00 | 09:00–17:30 | 09:30–17:00 |
| Saturday | 08:00–21:00 | 10:00–14:00 | 10:00–13:00 |
| Sunday | 08:00–21:00 | Avoid | Do not dial |
| Bank holidays | 08:00–21:00 | Avoid | Do not dial |
| Monday 08:00–09:30 | Permitted | Caution | Avoid |

Avoid the first and last 30 minutes of any permitted window. Calls during commute windows or early evenings produce higher opt-out rates, more complaints, and worse call quality. A narrower window with a higher answer rate beats maximum coverage with a high abandonment rate. For the qualification flow and booking logic that sits beyond the compliance layer, the 2025 AI voice agent appointment playbook covers script design for outbound scheduling campaigns.

Consent records: the documentation you need to prove compliance three years later

If the ICO or FCA opens an investigation, the questions they ask are: when did you decide this customer could be called, what was the legal basis for that decision, and what documentation supports it? "We believed they were an existing customer" is not a document.

The compliance record for each number should include: the original consent event (form, click, or verbal) with timestamp; the privacy policy version in force at that time; the TPS screen result and date (screens older than 28 days before the call are insufficient); the vulnerability pre-screen result and data sources checked; call disposition (connected, unanswered, opted out, transferred); and if transferred, the escalation reason code and receiving adviser identifier.

Store records in a format that cannot be altered after creation — append-only database logging or object storage with object lock enabled. FCA SYSC 9 and Consumer Duty demonstration obligations effectively require six years of retention for mortgage activity. Build that into the data architecture before the campaign launches, not after the first complaint arrives.

The broader UK compliance infrastructure — including GDPR lawful basis documentation and PECR consent log architecture — is covered in our UK compliance guide.
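
An added example (not the firm's or any vendor's code) of making the per-number record tamper-evident: each entry is chained to the previous one with SHA-256, and the 28-day TPS freshness rule is checked from the stored dates. Field names and sample values are constructed.

```python
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64
TPS_MAX_AGE = timedelta(days=28)  # page: older screens are insufficient

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append_record(log, record):
    """Append a record, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first entry that fails, or None if intact."""
    prev = GENESIS
    for index, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return index
        prev = entry["hash"]
    return None

def tps_screen_is_fresh(record):
    """True only if the TPS screen ran on or within 28 days before the call."""
    call = date.fromisoformat(record["call_date"])
    screened = date.fromisoformat(record["tps_screen_date"])
    return timedelta(0) <= call - screened <= TPS_MAX_AGE

def sample_record(ref, call_date, tps_date, disposition, escalation=None):
    # Constructed sample data; field names are assumptions based on the list above.
    return {
        "customer_ref": ref,
        "consent_event": {"type": "form", "timestamp": "2026-05-02T10:14:00Z"},
        "privacy_policy_version": "v7-example",
        "tps_screen_result": "not_registered",
        "tps_screen_date": tps_date,
        "vulnerability_screen": {"result": "clear", "sources": ["crm_notes"]},
        "call_date": call_date,
        "disposition": disposition,
        "escalation": escalation,  # reason code and adviser id when transferred
    }

def demo():
    log = []
    append_record(log, sample_record("C-001", "2026-07-14", "2026-07-01", "connected"))
    append_record(log, sample_record("C-002", "2026-07-14", "2026-06-10", "opted_out"))
    intact = verify_chain(log)
    log[0]["record"]["disposition"] = "unanswered"  # simulated after-the-fact edit
    return intact, verify_chain(log), [tps_screen_is_fresh(e["record"]) for e in log]
```

A hash chain only reveals edits; keep the log, or at least the latest hash, in the write-once storage described above so the chain cannot be recomputed after tampering.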

What changed in 2025–2026: FCA Consumer Duty full enforcement and ICO AI-calling investigations

The Consumer Duty's extension to closed products and legacy loan books came into full force in July 2024 — firms can no longer treat lapsed mortgage enquiries as outside the duty's scope because no active product exists. In Q1 2025, the FCA issued a portfolio letter to mortgage lenders and brokers flagging concerns about outbound contact practices and vulnerability identification in automated campaigns. The letter referenced call recording reviews where escalation paths were absent or non-functional.

In parallel, the ICO updated its guidance on automated decision-making and AI-generated communications and opened several investigations into companies using AI voice agents for financial services outbound without adequate consent records. No enforcement notices had been published at the time of writing, but the direction is clear: AI-calling is treated as a distinct risk category, not a faster version of traditional outbound. The "we didn't realise this counted as an automated calling system" defence is no longer viable.

Legal review of the PECR basis is now a documented pre-launch step, not an optional checkbox.

Good / Bad / Ugly: three mortgage remarketing compliance approaches

| Approach | Verdict | Why |
|---|---|---|
| TPS screen within 28 days, documented PECR basis per number, pre-call CRM vulnerability screen, Consumer Duty-compliant script, warm transfer with agent summary logged, six-year record retention in write-once storage | Good | Adds three to five days of compliance prep; manageable and repeatable |
| TPS screen completed, live callers not AI agents, hardship script section present, escalation only if customer explicitly raises concern | Bad | Reactive on vulnerability; Consumer Duty requires proactive identification, not waiting to be told |
| AI voice agent, no TPS screen, no consent documentation, no escalation path, campaign launched because "they enquired so they know us" | Ugly | ICO enforcement risk, FCA Consumer Duty breach, campaign suspension, and reputational exposure that outlasts the pipeline loss |

The "Bad" scenario is where most campaigns we review actually sit. The TPS screen happened. There is a hardship line somewhere in the script. But there is no pre-call vulnerability screening, no documented PECR basis per number, and the escalation function only fires if the customer explicitly says "I am struggling financially." That does not meet Consumer Duty standards for proactive consumer support — the FCA has been explicit about this in supervisory feedback.

The move from Bad to Good does not require a legal team on retainer — it requires a documented process reviewed by a solicitor once, then executed consistently before each campaign launches.

FAQ

Does PECR soft opt-in cover outbound calls to existing mortgage customers who have not consented explicitly?

The PECR soft opt-in (Regulation 22) applies only to electronic mail and SMS — it does not extend to telephone calls. For automated AI voice calls, Regulation 19 requires explicit prior consent with no existing-customer exemption. For live calls made by a human agent, Regulation 21 permits contact if the customer is not registered with the TPS and has not opted out — but that same exception does not apply to AI-generated voice calls. Mortgage brokers frequently assume the existing enquiry relationship covers automated outbound; the ICO's interpretation is that it does not. Obtain specific legal advice on your customer journey before treating any lapsed prospect as consented for AI voice outreach.

What does FCA Consumer Duty actually require in a voice agent script for financial products?

FCA PS22/9 requires that scripts meet the consumer understanding and consumer support outcomes. The call must identify the firm and the regulated nature of the contact within the first ten seconds, state the purpose before any qualifying questions, avoid artificial urgency, and include a clear opt-out before any product discussion. Critically, the script must include proactive screening for vulnerability signals — hardship, distress, confusion, or health concerns — and route the caller to a qualified human adviser immediately when those signals appear. The adviser receiving the transfer must have call context, not just a warm line. These requirements apply whether the caller is human or an AI voice agent.

How long do we need to retain call recordings for FCA compliance purposes?

SYSC 9 requires records sufficient to demonstrate regulatory compliance for a minimum of five years for mortgage firms. Consumer Duty compliance evidence — vulnerability screening decisions, escalation logs, opt-out records — should also be retained for five years minimum. Most solicitors advising mortgage firms recommend six years for all call recordings indexed by customer reference, to cover both FCA requirements and potential civil complaint timelines. Use append-only or write-once storage so records cannot be retrospectively altered; both the FCA and ICO examine record integrity when investigating complaints. Where a complaint has been raised or is reasonably foreseeable, retain all records until the complaint is fully resolved plus the applicable limitation period.

Can we use an AI voice agent for initial outbound contact, or does the FCA require a human caller for financial services?

The FCA does not prohibit AI voice agents for initial outbound contact — the Consumer Duty rules are technology-neutral. The obstacle is PECR Regulation 19: AI voice agents are automated calling systems and require explicit prior consent before dialling residential numbers. If you have valid documented consent, an AI voice agent can make first contact for mortgage products, provided the script meets all Consumer Duty outcomes and includes vulnerability detection with warm-transfer capability. The FCA has not published AI-specific prohibitions on initial outbound, but firms carry the full burden of demonstrating every Consumer Duty outcome is met on every call — and the ICO has opened investigations into AI-calling campaigns where consent records were absent.
