10DLC Compliance

A2P Compliance in 2026: What Changed at Full Enforcement and What Still Needs Your Attention

Full enforcement of 10DLC registration requirements took effect in February 2025. This paper covers what has changed, what has not, and where providers and their enterprise customers remain most exposed to delivery disruption and carrier action in 2026.

Author Bryan Bethea, Founder & CEO, 448 Consulting LLC
Published 2026
Reading Time 11 minutes

Where the A2P Ecosystem Stands in 2026

The A2P 10DLC compliance framework has been in development since 2019, when AT&T announced its initial requirements for brand and campaign registration as a condition of business messaging over 10-digit local numbers. The years that followed involved a graduated rollout, repeated deadline extensions, carrier inconsistencies, and significant industry frustration at the pace and clarity of enforcement.

That period is over. Full enforcement across all major US carriers took effect in February 2025, and the compliance landscape that providers and enterprise customers now operate in is fundamentally different from the one that existed even eighteen months ago. Unregistered traffic is filtered. Registered-but-non-compliant campaigns are flagged, throttled, or blocked. The carriers are actively enforcing, not passively warning.

This shift creates a new challenge. Providers who navigated the pre-enforcement period by advising clients to "get registered and you're good" are now discovering that registration is necessary but not sufficient. The compliance questions that matter in 2026 are more nuanced, more specific, and in some areas still evolving in ways that create ongoing exposure even for providers and brands that believe they are fully compliant.

The Core Shift

Before February 2025, compliance was primarily a registration exercise. After February 2025, compliance is an ongoing operational discipline. The difference between these two states is where most current exposure lies.

The 10DLC Framework: A Working Summary

For providers serving enterprise messaging customers, a clear understanding of the framework's structure is the foundation of effective compliance guidance. The framework operates at three levels, each with distinct requirements and enforcement mechanisms.

Brand Registration

Every enterprise sending A2P messages over 10DLC numbers must register its brand identity with The Campaign Registry (TCR). Brand registration captures the legal entity name, EIN, business type, and contact information of the sending organization. Brand registration is a prerequisite for campaign registration, as no campaigns can be submitted under an unregistered brand. Vetting of brand registrations against business identity databases adds a layer of verification, though as discussed elsewhere, this verification is assertive rather than definitively confirmatory of number-level ownership.

Campaign Registration

Each distinct messaging use case must be registered as a campaign. A brand sending appointment reminders, promotional messages, and two-factor authentication codes operates three separate campaigns, each requiring registration with TCR and carrier approval. Campaign registration captures the use case type, message content samples, opt-in process description, and the specific 10DLC numbers used for that campaign. Campaign content must remain materially consistent with the registered samples. Campaigns that drift from their registered use case invite filtering action.

Number-to-Campaign Association

Each 10DLC number used for A2P messaging must be associated with a specific registered campaign. Unassociated numbers sending A2P traffic are treated as unregistered and subject to filtering. Number-to-campaign associations must be maintained accurately as numbers are added, changed, or decommissioned, an operational discipline that many providers and brands have underestimated.

2019 to 2020
Framework Announcement and Initial Implementation
AT&T announces 10DLC requirements. TCR is established. Early registration processes are inconsistent across carriers and CSPs. Industry adoption is uneven.
2021 to 2023
Graduated Rollout and Repeated Deadline Extensions
Carriers begin soft enforcement. Multiple deadlines are extended. The industry develops a pattern of last-minute registration surges before announced enforcement dates. Compliance quality suffers as volume overwhelms review capacity.
2024
Hard Enforcement Announced and Prepared
Carriers announce February 2025 as the final enforcement date with no further extensions. CSPs accelerate customer registration efforts. TCR processes a surge in registration volume. Carrier filtering systems are updated for active enforcement.
February 2025
Full Enforcement Takes Effect
Unregistered A2P traffic is actively filtered across all major carriers. Registered campaigns with content violations begin receiving action. The compliance-as-registration phase ends; the compliance-as-discipline phase begins.
2026 to Present
Active Enforcement and Evolving Standards
Carrier filtering is active and improving. New exposure areas are emerging around content compliance, opt-in documentation, and campaign drift. RCS introduces new compliance considerations. The framework continues to evolve.

What Full Enforcement Actually Changed

The February 2025 enforcement date produced real and measurable changes in how carrier networks handle A2P traffic. Understanding specifically what changed, and what did not, is essential for accurate compliance assessment.

Compliance ElementStatusPractical Implication
Brand registration requirement Enforced Unregistered brands cannot send A2P traffic. No grace period or workaround remains available.
Campaign registration requirement Enforced Unregistered campaigns are filtered. Number-to-campaign association must be current and accurate.
Content compliance vs. registered samples Partial Carrier content scanning is active but inconsistent. The most egregious violations are caught; subtler drift may not be flagged immediately but creates accumulating risk.
Opt-in documentation requirements Partial Opt-in process must be described accurately in campaign registration. Actual enforcement of opt-in compliance is complaint-driven rather than proactive. Complaints trigger a full review of campaign history.
Message volume vs. registered use case Partial Anomalous volume spikes relative to registered use case draw carrier attention. Steady-state volume mismatches are less likely to trigger action but contribute to trust score degradation over time.
Toll-free number A2P compliance Enforced Toll-free verification is required for A2P traffic on toll-free numbers. Unverified toll-free messaging is subject to the same filtering as unregistered 10DLC traffic.
RCS business messaging compliance Evolving RCS Business Messaging has its own verification requirements separate from 10DLC. Standards are developing as RCS adoption scales following Apple's iOS 18 implementation.

Where Exposure Remains in 2026

The providers and enterprise customers who believe their compliance work is complete because their brands and campaigns are registered are operating with a significant blind spot. The most consequential compliance exposure in 2026 is not in unregistered traffic, a problem that is largely solved for providers who took enforcement seriously. It is in the operational and content compliance gaps that registration alone does not address.

High Exposure
Campaign Content Drift
Campaigns registered with specific message samples that have evolved over time, including seasonal promotions, updated offers, changed CTAs, and new URLs, are sending content that no longer matches the registered samples. This is the single most common compliance gap found in active campaign audits.
High Exposure
Opt-In Documentation Gaps
Campaign registrations describe an opt-in process that either was never fully implemented or has changed since registration. When a consumer complaint triggers a carrier review, the documented opt-in process is the first thing examined. Gaps here result in campaign suspension.
High Exposure
Number-to-Campaign Staleness
Numbers added to messaging operations after campaign registration was completed that were never associated with a campaign. Numbers that moved between campaigns without updating the association. This is an operational discipline failure that creates filtered traffic with no obvious cause.
High Exposure
Shared Number Misuse
A single 10DLC number being used for multiple use cases, only one of which is registered. The carrier sees traffic inconsistent with the campaign type and flags the number. The provider sees blocked messages with no clear compliance failure.
Medium Exposure
Use Case Misclassification
Campaigns registered under use cases that do not accurately describe the traffic, typically because the registrant chose the use case they thought would be approved rather than the one that accurately described their messaging. These misclassifications accumulate risk over time.
Medium Exposure
CSP Relationship Gaps
Brands that changed messaging providers after initial registration without updating the CSP relationship in TCR. The registered CSP no longer controls the traffic, creating a compliance record that does not reflect operational reality.
The Audit Trigger Problem

Carrier compliance action is often triggered by consumer complaints, not by proactive scanning. A single well-documented complaint about a brand's messaging practices can trigger a full review of that brand's campaign history, surfacing content drift, opt-in gaps, and number association issues that had been accumulating undetected for months.

The Toll-Free Dimension

Toll-free number A2P compliance operates under a parallel but distinct framework from 10DLC. Toll-free verification, required for A2P messaging on toll-free numbers, was brought to full enforcement on the same timeline as 10DLC, and the compliance gaps in the toll-free space mirror those in the 10DLC space with some additional nuances.

The toll-free verification process is administered differently from TCR's 10DLC registration. It operates through the toll-free number administrator with carrier-specific verification processes. Providers whose enterprise customers use toll-free numbers for A2P messaging need to maintain toll-free verification separately from 10DLC campaign registration, as the two frameworks do not automatically align.

A common compliance gap: an enterprise customer is fully registered for 10DLC messaging and fully verified for toll-free messaging, but uses the same message content, opt-in process, and brand assets for both. The verification records for each channel were created at different times, by different teams, and have drifted out of alignment with each other and with current practice. Neither channel is individually non-compliant, but the combined compliance record presents inconsistencies that would not survive a coordinated carrier review.

RCS: The Emerging Compliance Frontier

Apple's implementation of RCS support in iOS 18, released in September 2024, changed the RCS calculus in the United States significantly. Prior to iOS 18, RCS Business Messaging was primarily an Android story, meaningful but limited in reach. With RCS now supported on both major smartphone platforms, the channel has become a serious consideration for enterprise A2P messaging strategy.

RCS Business Messaging has its own verification and compliance framework, operated through the RCS business messaging infrastructure rather than through TCR. Brands that want to send verified business messages over RCS must complete a separate verification process that establishes their business identity, messaging use cases, and sender credentials within the RCS ecosystem.

The compliance implications for 2026 are significant. Enterprise brands that are expanding into RCS messaging are discovering that their 10DLC compliance record, however complete, does not transfer to RCS. They are starting fresh with a new verification process, new content guidelines, and new carrier relationships. Providers who help their enterprise customers navigate this transition are delivering genuine value; providers who are not aware of the distinction are creating compliance exposure for customers who assume their existing compliance posture covers new channels.

Important

10DLC registration and RCS Business Messaging verification are separate, non-transferable compliance frameworks. A fully compliant 10DLC operation provides no compliance standing in the RCS ecosystem. Enterprise brands expanding to RCS must treat it as a new compliance exercise.

The Compliance Audit: What Good Practice Looks Like

Providers who are genuinely serving their enterprise messaging customers' compliance needs in 2026 are conducting regular campaign audits that go beyond confirming registration status. The audit framework that identifies real exposure addresses the following elements.

Registration Status Verification
All brands confirmed registered. All active campaigns confirmed registered. All active numbers confirmed associated with a campaign. This is the baseline: necessary but not sufficient.
Content Compliance Audit
Active message content compared against registered campaign samples. URLs, CTAs, offers, and messaging themes reviewed for material drift from the registered description. Sample refresh submitted where drift is identified.
Opt-In Process Documentation Review
Actual opt-in process compared against the process described in campaign registration. Documentation of opt-in records reviewed for completeness and accessibility. Updated registration submitted where the process has changed.
Number Inventory Reconciliation
All numbers actively sending A2P traffic confirmed as associated with a registered campaign. Numbers no longer in active use confirmed as decommissioned or disassociated. Number-to-campaign associations reviewed for accuracy.
Use Case Accuracy Review
Campaign use case classifications reviewed against actual traffic patterns. Misclassified campaigns identified and corrected before carrier action forces the issue.
Cross-Channel Alignment
Compliance records for 10DLC, toll-free, and RCS (where applicable) reviewed for consistency. Brand identity, opt-in processes, and message content aligned across all channels in active use.
CSP Relationship Verification
TCR CSP relationships confirmed as accurate for all registered brands. Brands that have changed messaging providers updated to reflect current operational reality.

What Providers Should Be Telling Their Enterprise Customers

The most valuable thing a CPaaS or UCaaS provider can do for its enterprise messaging customers in 2026 is move the compliance conversation from "are you registered?" to "are you operationally compliant?" These are different questions, and the gap between them is where most current enforcement action originates.

Enterprise customers who have been through registration and believe their compliance work is complete need to understand that compliance is now an ongoing discipline, not a one-time exercise. Message content evolves. Opt-in processes change. Numbers are added, moved, and retired. Each of these operational events has a compliance implication that must be managed proactively or discovered reactively. The reactive discovery scenario involves filtered traffic, carrier inquiries, and potential campaign suspension.

Registration got brands into the compliant messaging ecosystem. Ongoing operational discipline is what keeps them there. The providers who understand this difference are the ones building durable enterprise relationships in 2026.

— Bryan Bethea, Founder & CEO, 448 Consulting LLC

Providers who build compliance audit services, covering periodic reviews of campaign content, opt-in documentation, number associations, and cross-channel consistency, are delivering something enterprise customers genuinely need and are creating a recurring engagement model that benefits both parties. The compliance audit is not a one-time deliverable; it is a relationship.

Looking Ahead: What the Framework May Become

The A2P compliance framework is not static. Several developments in 2026 and beyond are worth monitoring for their potential impact on the compliance obligations of providers and their enterprise customers.

Consumer Opt-Out Enforcement

Carrier attention to opt-out compliance, specifically whether brands are honoring STOP requests promptly and comprehensively, is increasing. Brands with high opt-out rates relative to their registered use case, or with documented failures to honor opt-out requests, are drawing carrier scrutiny. Opt-out compliance is increasingly being treated as a content compliance issue, not just a best practice.

AI-Generated Content Disclosure

The FCC and carriers are beginning to develop positions on AI-generated messaging content. Brands using AI to generate message content at scale may face additional disclosure obligations or content review requirements as these policies develop. This is an early-stage consideration in 2026 but one worth monitoring.

RCS Standards Maturation

As RCS adoption scales, the RCS compliance framework will mature and likely become more formal. Providers who are tracking RCS compliance developments now, and helping enterprise customers establish RCS verification before enforcement pressure arrives, will be better positioned than those who wait for formal requirements.

Cross-Channel Identity Standards

The question of establishing verified enterprise identity across SMS, RCS, toll-free, and voice channels, currently fragmented across separate compliance frameworks, is attracting attention from industry and regulatory bodies. Unified identity standards that span channels would significantly change the compliance landscape for enterprise messaging. Providers should watch this space as the foundation of what may become the next major framework evolution.

A2P Compliance Questions?

448 Consulting helps providers and enterprise customers navigate the evolving A2P compliance landscape, from campaign audits to CSP relationship management to emerging channel compliance. The first conversation is complimentary.

Schedule a Consultation