New York City’s newly finalized Stopping Harassment and Intimidation and Ensuring Lawful Debt (SHIELD) Collection Rule materially tightens debt-collection requirements in the nation’s largest consumer market. This is not a technical adjustment to Regulation F. It is a structural compliance shift that expands dispute rights, caps communications at three per week across channels, and increases substantiation expectations—particularly for medical debt. The SHIELD Rule is effective September 1, 2026.
The rule is enforced by the New York City Department of Consumer and Worker Protection (DCWP), which licenses debt collection agencies, conducts investigations and audits, and has authority to bring administrative enforcement actions, impose penalties, and seek injunctive relief under the City’s Administrative Code. The SHIELD Rule does not create a new private right of action.
For institutions with exposure to New York City consumers, the rule changes the tone and tempo of collection activity. It moves the regulatory center of gravity from front-end disclosures to continuous substantiation, from channel-specific limits to unified engagement controls, and from federal floor compliance to layered municipal oversight.
Below we highlight selected aspects of the new rule. Companies should review the full text carefully in light of their specific business models and operational structures.
Broad Scope of “Debt Collection” Covers Original Creditors
The rule’s obligations are activated when an entity becomes “engaged in debt collection procedures.” That status attaches when a creditor ceases periodic statements, accelerates the balance, or takes or threatens legal action. 6 RCNY § 5-76 (definition of “debt collection procedures”).
This creates a definitional line between ordinary servicing and regulated collection conduct. For institutions operating hybrid servicing and collections models, workflow triggers, account coding, and system flags must clearly distinguish routine administration from collection posture. Misclassification risk quickly could become supervisory risk if DCWP examination authority is engaged.
Continuous Dispute Rights and a 60-Day Verification Clock
Consumers may dispute at virtually any point in the collection lifecycle, and collectors must be prepared to substantiate with greater precision. The rule permits oral, written, or electronic disputes at any time while the collector owns or services the account. Id. § 5-77(f)(6).
For covered accounts beginning September 1, 2026, a first dispute triggers a mandatory cease-collection obligation unless and until verification is provided within 60 days. Id. § 5-77(f)(7). If verification cannot be produced in a timely manner, non-original creditors may not resume collection activity.
This is a material shift for debt buyers and placement models. Documentation sufficiency must be confirmed upstream—before acquisition or placement—not reconstructed reactively after a consumer challenge. Notably, a default judgment alone is insufficient to verify the underlying debt. Id. § 5-77(f)(7)(vi). Litigation outcomes do not substitute for underlying account-level documentation.
Where a consumer disputes amounts added to principal, the rule requires a detailed breakdown of interest, costs, and fees, including the contractual or legal basis for those amounts. 6 RCNY § 5-77(f)(11). The expanded itemization need only be provided once, but it must be complete. Id.
For debt buyers and specialty finance companies with layered post-charge-off accruals, this reinforces the need for clean data lineage and fee documentation at acquisition. Importantly, the most stringent dispute and verification cessation provisions apply to accounts for which a validation notice is required to be sent on or after September 1, 2026, excluding accounts purchased before that date. Id. § 5-77(f)(6)–(8) (applicability provision).
Communication Caps and Aggregation Risk
Three Contact per Week Limit
A three contact per week limit—stricter than and structurally different from the CFPB’s seven-in-seven call attempt cap—requires unified cross-channel tracking. The SHIELD Rule prohibits “excessive frequency,” defined as more than three communications or attempted communications within seven consecutive days per distinct account. 6 RCNY § 5-77(b)(1)(iii).
Attempts count. Limited-content messages count. Electronic messages count. The calculation is per account, not per consumer, and applies across media.
For institutions operating through multiple vendors or platforms, aggregation risk is real. Dialer systems, SMS vendors, email campaigns, and outsourced agencies must operate against a consolidated frequency view. Without centralized controls, contacts that are compliant in isolation can quickly become violations in the aggregate. This is less about call scripting and more about systems architecture and governance.
Oral Cease-and-Desist Requests
The SHIELD Rule permits consumers to request that a collector cease communications orally, not just in writing. Id. § 5-77(b)(4). While limited written follow-up is permitted in certain circumstances, frontline handling of oral opt-out requests must be documented and operationalized immediately.
Call-center scripting, CRM logging functionality, and vendor oversight protocols must reflect this change. Failure to capture and implement oral cease requests presents avoidable enforcement exposure.
Electronic Communications and Revocable Consent
Electronic outreach is governed by a structured revocable-consent framework. Collectors may send one electronic message solely to obtain consent, but may not use electronic channels to collect without satisfying consent requirements. Id. § 5-77(b)(5). Opt-out requests, including “stop” responses, apply to the specific medium used. Id.
For digital-first lenders and fintech platforms, this is foundational. Consent capture, retention, revocation tracking, and channel-specific suppression logic must be embedded into system architecture—not handled manually.
Medical Debt as a Regulatory Priority
Medical debt receives especially forceful treatment. The rule prohibits a debt collector engaged in debt collection procedures from furnishing medical debt to a consumer reporting agency. 6 RCNY § 5-77(f)(10)(i).
Once a consumer disputes one account tied to a discrete hospitalization or related treatment within a defined period, related accounts must also be treated as disputed unless expressly carved out. Id. § 5-77(f)(10)(iv). Where collecting for a covered medical entity, collectors must integrate financial assistance policy disclosures and corrective measures into their workflows. Id. § 5-77(j).
Healthcare systems, specialty finance providers, and their servicing partners will need NYC-specific credit reporting suppression logic and dispute segmentation controls.
Time-Barred Debt and Prescriptive Disclosures
The SHIELD Rule builds a structured regime for time-barred debt. Before contacting a consumer about an expired obligation, a collector must deliver a written notice containing mandated language and wait 14 days before further collection activity. 6 RCNY § 5-77(i).
The disclosure must also warn that payment may restart the statute of limitations for certain categories of debt. This is a compliance-intensive framework requiring disciplined statute-of-limitations tracking and message control. Oral communications trigger additional redisclosure requirements.
Pre-Reporting Notice and Timing Gates
Before furnishing negative information to a consumer reporting agency, collectors must send a clear written notice and wait 14 consecutive days, monitoring for undeliverability. 6 RCNY § 5-77(e)(10).
Although there is a limited exemption for entities complying with FCRA § 623(a)(7), the rule introduces another timing gate into the lifecycle of a delinquent account. Reporting strategies will need to incorporate this pause.
Language Access and Translation Controls
The SHIELD Rule embeds language access obligations directly into the validation and communication framework. If a collector communicates in a non-English language to collect a debt, it must provide a translated validation notice in that language. Where a validation notice is sent in a non-English language, the collector must accept and respond to disputes and related communications in that same language, unless the consumer elects otherwise.
These provisions extend beyond courtesy translation. They require template control, quality assurance review, and bilingual dispute-handling capacity. Inaccurate or partial translation is expressly treated as a deceptive practice. Id. § 5-77(d)(18).
Institutions using third-party vendors or call centers must ensure contractual controls around language capabilities, documentation retention, and translation accuracy. Digital collection platforms and public-facing collection websites must include clear and conspicuous disclosures regarding available language access services. Id. § 5-77(h).
Record Retention and Audit Readiness
The rule requires retention of collection-related records until three years after the last collection activity on the debt, with additional retention obligations for operational materials. Id. § 2-193(d); § 5-77(k).
This is an examination-ready framework designed to support supervisory review. Institutions should revisit data storage protocols, vendor contracts, and litigation hold alignment to ensure consistency with the new retention timeline.
* * * * * *
This development signals more than a local rule change. NYC is layering municipal requirements on top of the federal FDCPA and Regulation F floor, using its licensing and recordkeeping authority as enforcement leverage.
Related Articles
Why New York City’s Consumer Regulator Belongs on National Compliance Radar
New York Broadens Attorney General Authority and Embraces Enforcement-Driven Regulation.
Final Debt Collection Rule Issued by CFPB
Comprehensive Risk Management in the Age of Regulation F
State Attorney General Investigations: What Consumer Financial Services Companies Need to Know
A Primer on State Consumer Financial Regulation: What Businesses Need to Know Now
The Biden/Chopra CFPB’s 2025 Guidance Compendium: A Last Gasp or Lasting Legacy?