VICIdial for financial services — FINRA-aware outbound

Financial services has the densest regulatory overlay of any VICIdial vertical — FINRA, state securities regulators, CFPB, TCPA, and state privacy laws all stack. The platform's audit log + per-trunk TCPA + multi-year retention paths fit the compliance posture. Your team handles the supervision + disclosure scripts.

Regulatory layers

| Regulator | Applies to | What it means operationally | | ------------------------- | ----------------------------------------- | -------------------------------------------------------------------------- | | TCPA (federal floor) | All outbound | Prior express consent, DNC scrub, drop SLA, recording disclosures | | FINRA | Broker-dealers + RR-supervised firms | 6-year recording retention, supervisor pre-approval, audit-defensible logs | | State securities | Investment advisers in regulated states | Often 5–7 year retention, registered-rep verification | | CFPB Reg F | Consumer-debt collections / restructuring | 7 calls per 7 days per debt; identify as collector in first sentence | | State privacy (CCPA+) | Consumer data handling | Deletion-on-request paths must be operational |

Per-trunk TCPA scrubbing (BLA)

Financial services teams typically dial multiple programs (advisory follow-up, lending, collections, marketing) — each with different compliance contracts. Server-wide BLA is too coarse:

trunk-advisory-out    → CUSTOM, BLA key A, fail-closed
trunk-lending-out     → CUSTOM, BLA key B, fail-closed
trunk-marketing-out   → INHERIT (server default)

Per-trunk TCPA writes every check to AuditLog with the dialed number + result + cache state — the FINRA examiner asking "show me your scrub log for May 14" gets a CSV in 30 seconds. See /features/tcpa-compliance.

Recording retention

| Operation | Minimum retention | | --------------------------------- | ------------------------------------------ | | FINRA broker-dealer calls | 6 years | | Investment adviser communications | 5 years (federal); 7 years for some states | | Consumer lending / collections | 3–7 years (state-dependent) | | General marketing outreach | 2 years |

Storage math: 100 agents × 4 recorded-hours/day × 250 days/year ≈ 360 GB/year. Six-year retention = ~2.2 TB.

Wire /features/external-backups to push recordings to your own S3 bucket with a 6-year lifecycle policy. Daily snapshots (7-day rolling) are not a 6-year strategy.

VICIdial settings that matter

| Setting | Value | | ---------------------- | --------------------------------------------------- | | Recording Override | ALLFORCE (everything recorded) | | Recording disclosure | Two-party-consent announce in 11 strictest states | | Pre-call DNC | Federal DNC + state DNC + Internal DNC = Y | | Calls per Day per Lead | 1 for advisory; CFPB Reg F caps lending at 7/week | | Local Call Time | 8am-9pm called local (stricter for some states) | | CallerID | Firm's published, attestation A | | Reg F first-sentence | Custom AGI flag: agent script enforces collector ID |

Plan sizing

| Operation | Plan suggestion | | --------------------------- | ---------------------------------- | | Solo RIA + assistant | Starter | | Small RIA, 5–15 agents | Growth | | Mid-size firm, 15–50 | Pro (2 dedicated vCPU, 8 GB) | | Lender / large firm, 50–150 | Business (4 dedicated vCPU, 16 GB) | | Enterprise, 150+ | Scale + custom regions |

Pro plan + signed DPA is the typical entry point for FINRA-regulated firms.

Sub-user roles

Financial services typically wants:

• Owner — firm principal, full control
• Operator — operations head, daily ops
• Compliance Viewer — read-only audit log + recording access for the CCO / compliance officer
• Billing — back-office, no agent management

Every action lands in AuditLog with actor + timestamp. The FINRA exam request is "show us last 90 days of admin changes" — CSV in 30 seconds.

Carrier choice

• Bandwidth — direct US carrier, A-attestation, best wholesale at scale.
• Telnyx — moderate volume sweet spot, multi-region, A-attestation on owned DIDs.
• Avoid aggregator-routed carriers — answer-rate decay over time, harder to attest.

Common mistakes

1. One BLA key for advisory + lending + marketing — different SOWs, different fail-modes. Per-trunk override is mandatory at any meaningful FS shop.
2. No first-sentence Reg F enforcement — CFPB will assess penalties. The script + supervisor-approval flow has to make it agent-impossible to skip.
3. Recording retention via daily snapshots — 7-day rolling is not 6-year retention. Wire External Backups week 1, not "before audit".
4. PHI/PII in CallerID — some firms set CID to "ACME Lending — Credit Card Inquiry". Strip the descriptor.
5. No DPA / BAA in place pre-audit — sign it before you load the first list. Examiners ask for it.

Why teams switch from "email a tech" hosts

• Audit log + recorded SSH sessions — FINRA examiner gets the supporting evidence in one query, not three weeks of correlating ticket threads.
• Per-trunk TCPA — server-wide is too coarse for a multi-program FS firm.
• Sub-users with roles — compliance officer doesn't need agent-config access; they need read-only audit + recordings.
• 6-year retention path — wired week one, not "we'll figure it out".

What VICIfast handles

| Concern | Who | | ------------------------------------- | ------------------------------------------------- | | OS + Asterisk + VICIdial CVE patching | Platform | | Daily snapshots | Platform | | Encryption at rest + TLS | Platform | | BLA AGI hook | Platform (you BYO key per program) | | AuditLog | Platform (every state change + admin action) | | Recording retention | Both (snapshot rollover + your S3 lifecycle) | | FINRA pre-call disclosure | You (agent script + IVR prompt) | | Supervisor approval flow | You (VICIdial campaign config + sign-off process) | | Reg F first-sentence ID | You (script + audit it) |

Get started

Financial services deployments are typically Pro plan or above + a signed DPA. Contact us so we can scope region + plan + send the DPA template to your legal team.