Lead buyers see 'non-FCRA' stamped across data sheets every day, usually without anyone in the room stopping to define what it actually means. The shorthand hides a meaningful legal line that shapes how a compliant mortgage lead program is built, documented, and audited. This is the 2026 working guide for marketing, compliance, and procurement teams purchasing non-FCRA mortgage and refinance leads — what the phrase actually means, where the data comes from, what permissible use looks like, and why documentation matters more than most teams realize.
Key Takeaways
Non-FCRA = data usable for marketing outreach but NOT for credit/insurance/employment/housing eligibility decisions under the Fair Credit Reporting Act.
Compliant sourcing means public records (county recorder filings, tax rolls, deeds), modeled attributes, and consented first-party — NOT resold credit bureau data.
TCPA liability on phone outreach is the single largest downside risk; per-record consent artifacts are the only defensible position under current FCC TCPA rulings.
Documentation is the difference between a clean regulatory inquiry and a class action — retain the sourcing statement, the FCRA disclaimer, the targeting log, and the suppression history for every campaign.
What 'Non-FCRA' Actually Means
The Fair Credit Reporting Act regulates 'consumer reports' — records that bear on a consumer's credit worthiness, character, or mode of living when used (or expected to be used) for credit, insurance, employment, housing, or government-benefits eligibility decisions. The FTC's FCRA legal library lays out the permissible-purpose framework in full. Data that falls outside that definition — public-records filings, modeled attributes, consented marketing signals — can be used for outreach without triggering FCRA obligations. The legal distinction is not about the data fields themselves; it's about what the data is used for. A spreadsheet of homeowners and their loan origination dates is non-FCRA when used to send a refinance offer. The same spreadsheet becomes a consumer report the moment it is used to decide who gets approved.
Where the Data Comes From
Compliant non-FCRA mortgage data comes from three clean sources. The first is public records: county recorder mortgage filings, property tax records, deed transfers, and lien histories — the same public-records layer behind GSDSI's 155M-record Real Estate Property Data product. The second is modeled attributes derived from census and survey data, where the field is a probability or bucket rather than a copied credit-bureau value. The third is consented first-party signals: the consumer opted into marketing contact through a form, a publisher's quote-request workflow, or an opt-in landing page. A lead file that includes credit scores, delinquency flags, or tradeline details is not non-FCRA regardless of how the vendor markets it — it is a consumer report, and using it as if it weren't exposes the buyer to civil liability, CFPB enforcement, and class-action plaintiff attention.
Permissible Use and Red-Line Cases
Permissible use for compliant buyers centers on marketing: outreach to homeowners whose loan attributes or property signals suggest they may benefit from refinancing, equity extraction, or — in the case of investor-lead programs — a new purchase. The trigger for contact must be the consumer's own observable behavior or public-records footprint, not a credit-based eligibility inference. Two concrete examples clarify the line:
Permissible: 'This borrower has an FHA loan from 2021 at 7.1% and their property has gained 30% in value' — the signal is public records plus AVM.
Not permissible: 'This borrower's FICO is 720 and they have $40K in credit card debt' — that is a credit-bureau inference, and using it to prioritize outreach turns marketing into an eligibility decision.
Permissible: 'This consumer filled out a refinance-interest form on a publisher page 90 seconds ago' — real-time consumer consent with full artifact.
Not permissible: 'This borrower's tradeline was flagged as a potential refi candidate by a credit-bureau-derived model' — the model itself carries the FCRA taint.
Documentation Matters More Than You Think
When the CFPB or a state attorney general asks a lender or broker to substantiate their lead-acquisition practices, the burden of proof is on the buyer, not the data vendor. The CFPB's mortgage servicing and origination enforcement history shows regulators expect documented evidence, not verbal assurances. Compliant teams maintain a written data-sourcing statement from each vendor, retain contract language that explicitly disclaims FCRA applicability, log the targeting criteria used for each campaign, and preserve suppression records for opt-outs, Do-Not-Call registrations, and state-specific lists. Teams that have been through a regulatory inquiry will tell you the difference between a clean file and a messy one is not the underlying practice — it is the paperwork. A companion deep-dive on the underwriting-side analogue is available in how real estate data powers modern mortgage underwriting.
Real-Time Leads Change the Compliance Posture
Real-time lead flow shifts the evidentiary picture. Static lead lists are a single point of purchase; real-time leads come with consumer-consent artifacts attached — timestamp, IP address, consent language shown, TCPA consent where applicable. These artifacts become the evidentiary backbone for any downstream dispute. Buyers purchasing real-time mortgage leads should confirm that the consent artifact is passed through with the lead record, not stored only at the aggregator — because if the aggregator ever goes dark, the buyer still owns the compliance burden. For shops building out their mortgage lead stack alongside broader financial-services compliance frameworks, see the financial services solution portfolio. That's the boring, procedural piece of non-FCRA mortgage marketing that separates the shops that survive regulatory scrutiny from the ones that don't.
Frequently Asked Questions
Is 'non-FCRA' a legal designation or vendor marketing language?
It's a descriptive status, not a formal designation. A dataset is non-FCRA when its contents and intended use fall outside the FCRA's definition of a 'consumer report' used for a 'permissible purpose.' Vendors mark files 'non-FCRA' as shorthand. The buyer still owns the determination — if the data is used to make an eligibility decision for credit, insurance, employment, or housing, FCRA applies regardless of how the file was labeled at purchase.
Can non-FCRA mortgage leads include credit scores?
No. Credit scores, tradeline details, delinquency flags, and similar credit-bureau-derived attributes make the file a consumer report under FCRA regardless of how it is marketed. A compliant non-FCRA mortgage lead file contains public-records attributes (loan origination date, original amount, property value, lien position) and consented first-party signals — not bureau-sourced credit fields.
What documentation should a mortgage lead buyer retain for each campaign?
Five artifacts: (1) vendor data-sourcing statement, (2) contract language disclaiming FCRA applicability, (3) targeting-criteria log showing the campaign used non-credit signals, (4) suppression records (DNC, state-specific opt-outs, internal opt-outs), and (5) for phone outreach, the consumer consent artifact per record. These make the difference between a clean inquiry and an enforcement action.
How does TCPA interact with non-FCRA mortgage leads?
Non-FCRA status addresses the data itself; TCPA addresses the outreach method. Calling a consumer's mobile phone without documented prior express written consent creates $500–$1,500 per-call statutory exposure independent of FCRA. For any mortgage lead program that includes phone outreach, the consent artifact (language shown, timestamp, IP) must be preserved inline with the lead record — that is the only defensible position if the consumer disputes the call.