A UK mortgage broker ran an outbound voice agent campaign to 2,400 lapsed customers — people who had enquired six to eighteen months prior but never converted. On day three, their compliance officer flagged that seven calls had reached customers who had previously raised hardship concerns with the firm. The voice agent script had no vulnerability escalation path. The campaign went dark for two weeks while legal reviewed every recording. That pause cost roughly £38,000 in lost pipeline — more than the entire build cost.
The root failure was not the technology. The agent performed exactly as configured. The failure was that nobody had answered three questions before the first dial: which legal basis covers these calls under PECR, what FCA Consumer Duty requires in every outbound script for financial products, and how the agent recognises a vulnerable customer and gets them out of the automated flow immediately. This post answers all three, in the sequence you need to address them.
PECR soft opt-in for existing mortgage relationships: the exact conditions it covers
The "soft opt-in" in PECR comes from Regulation 22, which governs electronic mail — email and SMS. Under Regulation 22(3), a business may market to existing customers without explicit consent if four conditions are met: their contact details were collected during a previous sale or negotiation, the marketing covers similar products or services, the customer was given a clear opportunity to opt out at the point of collection, and every subsequent message includes an easy opt-out. That is the soft opt-in. It applies to email. It does not mention voice calls.
For telephone calls, PECR splits into two distinct rules. Regulation 21 governs live calls made by a human: you must screen against the Telephone Preference Service register before dialling and stop all calls to any registered number. Regulation 19 governs automated calling systems — any technology that dials and delivers a synthesised or recorded message without a human initiating each individual call in real time. Regulation 19 requires explicit prior consent. There is no existing-customer exception.
An AI voice agent using a large language model and text-to-speech to hold a conversation qualifies as an automated calling system under the ICO's current interpretation of PECR. The soft opt-in analogy that mortgage brokers reach for — "we had a prior relationship, so we can call" — works for email campaigns. For automated voice calls to residential numbers, it does not transfer.
Where the existing customer relationship does help: a live human agent calling a non-TPS-registered customer can cite the prior enquiry as context and may have a legitimate interest basis under GDPR — but that requires its own documentation and is a separate legal route from soft opt-in.
Where soft opt-in ends: why 'lapsed' is the grey zone that needs legal review
Even under the more permissive Regulation 21 framework for live calls, "existing customer" has a specific meaning the ICO scrutinises. A person who submitted a mortgage enquiry six to eighteen months ago and never took out a product is not a customer — they are a former prospect. The distinction matters.
Four sub-issues for legal to address before dialling:
- Scope of original consent. Enquiry-form consent is almost always scoped to follow-up on that specific enquiry, not future product campaigns.
- Consent expiry. If your privacy policy states a contact period and that period has passed, the consent is spent.
- Product relevance. If the product the prospect enquired about is no longer on offer, the "similar products" argument weakens substantially.
- Time elapsed. ICO enforcement decisions show consistently that the longer the gap between consent and outreach, the harder the compliance position becomes.
The question to answer in writing before any campaign launches: at what point in your customer journey does an enquiry become an "existing customer" relationship under PECR? Most regulated firms set this threshold at the point a binding agreement is signed. An enquiry that did not convert does not cross that threshold.
If your legal team's answer is "we are uncertain", the compliant route is to collect fresh consent before using a voice agent for outbound contact. That adds a step — typically an email or SMS opt-in campaign — but removes the regulatory ambiguity entirely. The sequencing between re-consent touchpoints and the first outbound dial is covered in the missed-call recovery automation guide.
FCA Consumer Duty: what it requires in every outbound script for financial products
The Consumer Duty (FCA PS22/9, effective 31 July 2023) replaced Treating Customers Fairly with a higher active standard. Firms must demonstrate they are meeting four outcomes — products and services, price and value, consumer understanding, and consumer support — not merely avoid identifiable breaches. For outbound scripts, understanding and support create the most specific requirements.
Consumer understanding requires communications to "support consumers to make informed decisions". In an outbound mortgage call: identify the firm and regulated nature of the call within the first ten seconds; state the purpose before any qualifying questions; avoid urgency framing ("this rate closes today") unless factually accurate; provide a clear opt-out before any product discussion begins.
Consumer support requires that consumers can access help when they need it. A voice agent script cannot be a dead end. If the customer signals confusion, distress, or hardship, the call must route to a qualified human — not a voicemail box, not a callback queue with a four-day wait.
The FCA's finalised guidance FG22/5 on the Consumer Duty is explicit that firms remain responsible for the entire customer experience, including where a third party or automated system delivers that experience. Deploying a voice agent does not transfer the Consumer Duty obligation to the technology vendor.
Identifying vulnerable customers before the call: data signals and screening process
The FCA's finalised guidance FG21/1 on fair treatment of vulnerable customers identifies four drivers of vulnerability: health conditions, negative life events (bereavement, job loss, relationship breakdown), low financial resilience, and low capability (low financial literacy, language barriers). A voice agent cannot discover these flags mid-conversation and act on them in time — the screening must happen at list build, before a single number is dialled.
Three CRM signals to pull before building any outbound list:
- Hardship and distress notes. Any record of payment difficulty, a debt management plan, a hardship declaration, or a welfare concern raised during the original enquiry or any subsequent contact.
- Previous opt-down or opt-out events. The customer reduced contact frequency, expressed reluctance, or was removed from a prior campaign.
- Product and age profile. Customers over 70 who enquired about equity release or later-life products warrant additional caution; FCA supervisory work has focused on this cohort.
Any customer flagging on one or more signals should be removed from automated outbound and either excluded or moved to a human-led queue with a senior adviser available from the start. Log the screening decision and rationale before dialling begins.
This data layer is pre-call infrastructure, not a voice agent feature. We built a comparable pre-call screening pipeline using CRM webhooks and a validation step before list export in our voice AI and document analysis case study.
Transfer-to-human trigger design for Consumer Duty escalation
Every financial services voice agent needs documented transfer triggers. The escalation logic belongs in your call flow design before any script is written. Below is the function schema we use in Retell.ai deployments for regulated outbound campaigns:
{
"name": "escalate_to_human_adviser",
"description": "Triggered when a vulnerability signal or regulatory condition is detected. Initiates warm transfer to a qualified mortgage adviser.",
"parameters": {
"type": "object",
"properties": {
"trigger_reason": {
"type": "string",
"enum": [
"hardship_mentioned",
"bereavement_mentioned",
"health_concern_raised",
"emotional_distress_detected",
"repeated_confusion",
"explicit_opt_out",
"complaint_indicated",
"regulatory_question_outside_agent_scope"
]
},
"transfer_queue": {
"type": "string",
"enum": [
"mortgage_adviser_priority",
"vulnerability_support_team",
"complaints_handler"
]
},
"agent_summary": {
"type": "string",
"description": "One-sentence call context pre-populated for the receiving adviser before transfer completes"
}
},
"required": ["trigger_reason", "transfer_queue", "agent_summary"]
}
}
The agent_summary field matters. When the human adviser picks up, they need immediate context — why the call was escalated and what was discussed. A warm transfer without a brief forces the customer to repeat themselves, which is exactly the Consumer Duty support failure the escalation was meant to prevent.
Full transfer-to-human architecture, including timeout handling and fallback when no adviser is available, is in the voice agent transfer-to-human guide.
Timing rules: ICO guidance on call windows for financial services outbound
The ICO's rules on unsolicited direct marketing calls prohibit contact before 8am or after 9pm. That is the legal floor, not a recommendation. Financial services outbound carries specific sensitivities that justify tighter constraints, and the FCA's consumer support outcome implicitly requires that contact attempts are made when customers can engage thoughtfully rather than when they are under time pressure or stress.
| Window | ICO legal minimum | FCA consumer support best practice | Recommended default |
|---|---|---|---|
| Monday–Friday | 08:00–21:00 | 09:00–17:30 | 09:30–17:00 |
| Saturday | 08:00–21:00 | 10:00–14:00 | 10:00–13:00 |
| Sunday | 08:00–21:00 | Avoid | Do not dial |
| Bank holidays | 08:00–21:00 | Avoid | Do not dial |
| Monday 08:00–09:30 | Permitted | Caution | Avoid |
Avoid the first and last 30 minutes of any permitted window. Calls during commute windows or early evenings produce higher opt-out rates, more complaints, and worse call quality. A narrower window with a higher answer rate beats maximum coverage with a high abandonment rate. For the qualification flow and booking logic that sits beyond the compliance layer, the 2025 AI voice agent appointment playbook covers script design for outbound scheduling campaigns.
Consent records: the documentation you need to prove compliance three years later
If the ICO or FCA opens an investigation, the questions they ask are: when did you decide this customer could be called, what was the legal basis for that decision, and what documentation supports it? "We believed they were an existing customer" is not a document.
The compliance record for each number should include: the original consent event (form, click, or verbal) with timestamp; the privacy policy version in force at that time; the TPS screen result and date (screens older than 28 days before the call are insufficient); the vulnerability pre-screen result and data sources checked; call disposition (connected, unanswered, opted out, transferred); and if transferred, the escalation reason code and receiving adviser identifier.
Store records in a format that cannot be altered after creation — append-only database logging or object storage with object lock enabled. FCA SYSC 9 and Consumer Duty demonstration obligations effectively require six years of retention for mortgage activity. Build that into the data architecture before the campaign launches, not after the first complaint arrives.
The broader UK compliance infrastructure — including GDPR lawful basis documentation and PECR consent log architecture — is covered in our UK compliance guide.
What changed in 2025–2026: FCA Consumer Duty full enforcement and ICO AI-calling investigations
The Consumer Duty's extension to closed products and legacy loan books came into full force in July 2024 — firms can no longer treat lapsed mortgage enquiries as outside the duty's scope because no active product exists. In Q1 2025, the FCA issued a portfolio letter to mortgage lenders and brokers flagging concerns about outbound contact practices and vulnerability identification in automated campaigns. The letter referenced call recording reviews where escalation paths were absent or non-functional.
In parallel, the ICO updated its guidance on automated decision-making and AI-generated communications and opened several investigations into companies using AI voice agents for financial services outbound without adequate consent records. No enforcement notices had been published at the time of writing, but the direction is clear: AI-calling is treated as a distinct risk category, not a faster version of traditional outbound. The "we didn't realise this counted as an automated calling system" defence is no longer viable.
Legal review of the PECR basis is now a documented pre-launch step, not an optional checkbox.
Good / Bad / Ugly: three mortgage remarketing compliance approaches
| Approach | Verdict | Why |
|---|---|---|
| TPS screen within 28 days, documented PECR basis per number, pre-call CRM vulnerability screen, Consumer Duty-compliant script, warm transfer with agent summary logged, six-year record retention in write-once storage | Good | Adds three to five days of compliance prep; manageable and repeatable |
| TPS screen completed, live callers not AI agents, hardship script section present, escalation only if customer explicitly raises concern | Bad | Reactive on vulnerability; Consumer Duty requires proactive identification, not waiting to be told |
| AI voice agent, no TPS screen, no consent documentation, no escalation path, campaign launched because "they enquired so they know us" | Ugly | ICO enforcement risk, FCA Consumer Duty breach, campaign suspension, and reputational exposure that outlasts the pipeline loss |
The "Bad" scenario is where most campaigns we review actually sit. The TPS screen happened. There is a hardship line somewhere in the script. But there is no pre-call vulnerability screening, no documented PECR basis per number, and the escalation function only fires if the customer explicitly says "I am struggling financially." That does not meet Consumer Duty standards for proactive consumer support — the FCA has been explicit about this in supervisory feedback.
The move from Bad to Good does not require a legal team on retainer — it requires a documented process reviewed by a solicitor once, then executed consistently before each campaign launches.