FINRA rule 3230 telemarketing: what broker-dealers must know

FINRA Rule 3230 requires DNC scrubbing, 30-day opt-out honoring, and 8am-9pm calling windows. See every requirement, penalty, and exam tip for broker-dealers.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing telemarketing call logs at a desk in morning light
Compliance officer reviewing telemarketing call logs at a desk in morning light

TL;DR

FINRA Rule 3230 requires broker-dealers and their associated persons to follow the FTC's Telemarketing Sales Rule when making outbound sales calls. That means scrubbing against the National Do Not Call Registry every 31 days, honoring firm-specific DNC requests within 30 days, calling only between 8 a.m. and 9 p.m. local time, and keeping written telemarketing policies. Violations trigger FINRA discipline on top of FTC and FCC exposure.

What is FINRA Rule 3230 and who does it cover?

FINRA Rule 3230 is the telemarketing rule for FINRA member firms and their associated persons. It took effect December 4, 2014, replacing the older NASD Rule 2212 and NYSE Rule 440A. The rule pulls in the Federal Trade Commission's Telemarketing Sales Rule (TSR, 16 C.F.R. Part 310) by reference and adds a few securities-industry requirements on top. [1]

Coverage is broad. Any broker-dealer registered with FINRA that makes outbound calls to sell or promote financial products or services falls under the rule. That includes registered representatives cold-calling prospects, wholesalers calling financial advisors, and any third-party vendor the firm hires to make calls on its behalf. If your firm directs the calls and benefits from them, you own the compliance obligation. [1]

The rule does not cover every phone call a broker-dealer makes. Calls to service an existing customer's account, calls responding to an inquiry the customer started, and purely informational calls with no sales component are generally outside its scope. The line between a service call and a solicitation call gets blurry fast, though, and FINRA examiners look at substance over label. If the call includes any pitch, it is a solicitation.

One thing to flag: FINRA Rule 3230 applies on top of the Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227) and FCC regulations. The TCPA governs autodialing and prerecorded messages. Rule 3230 governs telemarketing conduct more broadly. A broker-dealer that uses a predictive dialer to reach cell phones faces both frameworks at once. [2]

What are the specific requirements of FINRA Rule 3230?

The rule breaks into several distinct obligations. Treat each one as its own task and you can build a real program instead of a vague "follow the TSR" gesture.

Do Not Call scrubbing. Firms must check the National Do Not Call Registry before calling any residential number. The FTC requires organizations to access the registry at least every 31 days to keep suppression lists current. [3] FINRA examiners will ask for documentation showing you pulled registry data on a rolling basis, more than once a year.

Firm-specific DNC requests. This is the one that trips up the most teams. When a consumer tells you or any of your representatives not to call again, you must honor that request within a "reasonable time" not to exceed 30 days. You also have to keep a company-specific DNC list and retain it for at least five years. [1] Thirty days is the ceiling, not the target. In practice, honor the request as fast as your process can manage.

Calling-hours restriction. Outbound telemarketing calls may only go out between 8 a.m. and 9 p.m. in the called party's local time zone. [1] Same window the TSR uses. If your dialer lacks time-zone logic, stop calling until it does.

Caller ID and identification. Callers must promptly disclose the firm's name and a phone number or address where the consumer can reach them. You cannot block caller ID or transmit inaccurate caller ID information. This matters because the TCPA separately prohibits misleading caller ID under 47 U.S.C. § 227(e). [10]

Written supervisory procedures (WSPs). FINRA Rule 3110 already requires WSPs for all member activities, but Rule 3230 makes telemarketing a named category examiners specifically test. Your WSPs have to describe how the firm scrubs lists, how it handles opt-out requests, how it trains representatives, and who owns each step. A generic WSP that says "we comply with applicable telemarketing laws" will not satisfy an examiner. [8]

Established business relationship exception. Under the TSR, firms can call customers with an established business relationship (EBR) even if those numbers sit on the National DNC Registry, but only for up to 18 months after the last transaction or three years after the customer's last inquiry. [3] The exception does not override a direct opt-out request. Once they say stop, the EBR is gone.

Prior express written consent. If a customer gave written consent to be called, that consent overrides the EBR timing limits. The consent must be clear and conspicuous, and it must specifically authorize the type of calls you are making. A blanket consent buried in account-opening paperwork is not automatically valid under TCPA standards, and FINRA examiners increasingly look at consent documentation during cycle exams. [2]

How does FINRA Rule 3230 interact with the National DNC Registry?

The National Do Not Call Registry is run by the FTC and enforced jointly with the FCC. Consumers register their home and mobile numbers at donotcall.gov. Once registered, a number is protected from most commercial telemarketing calls 31 days after registration. Numbers stay on the registry permanently unless the consumer removes them. [6]

For FINRA member firms, the job is to access the registry regularly, scrub call lists against it before each campaign, and document that you did. The FTC sells access in state-by-state files, and the cost scales with the number of area codes you need. Firms calling nationally typically pay a few hundred dollars a year for full access, though the FTC's fee schedule changes from time to time. [6]

Scrubbing is not a one-time event. If your list ages past 31 days, you re-scrub before using it again. Most firms set up automated scrubbing that pulls updated registry data on a monthly schedule. That is the right approach. Manual spreadsheet scrubbing works for tiny lists but creates audit-trail problems and human-error risk.

The registry covers residential telephone subscribers, and it covers mobile numbers that consumers register. Mobile-number DNC compliance is a separate but overlapping concern, because the TCPA also restricts autodialed and prerecorded calls to cell phones regardless of registry status. If you are calling mobile numbers at all, read up on mobile phone do not call list rules before you dial.

What Rule 3230 adds beyond the basic TSR is the expectation that you can show your scrubbing process to FINRA examiners on request. Keep records of when you pulled registry data, which list version you used, and how you applied it to your call file. Those records should live for at least five years to match the firm-specific DNC list retention requirement. [1]

FINRA Rule 3230 key compliance thresholds Numbers every broker-dealer telemarketing team needs to know 30 Max days to honor opt-out request 31 DNC Registry re-scrub inter… (days) 18 EBR exception window after last transaction (months) 5 Internal DNC list retention (years) Source: FINRA Rule 3230, FTC TSR (16 C.F.R. Part 310), FTC civil penalty schedule 2024

What penalties can a broker-dealer face for violating Rule 3230?

The exposure here is layered, and that is what makes it expensive.

On the FINRA side, violations of Rule 3230 are disciplinary matters. FINRA can impose fines, suspensions, and bars. Fines in telemarketing cases have ranged from a few thousand dollars for record-keeping failures to six figures for systemic DNC violations. FINRA's sanction guidelines for supervisory failures start at $5,000 and scale up based on whether the conduct was intentional, how long it ran, and how many customers were affected. [4] In egregious cases, FINRA has barred registered representatives entirely.

On the FTC side, the TSR carries civil penalties of up to $53,088 per violation as of 2024 (the FTC adjusts this figure for inflation each year). [5] Each illegal call is a separate violation. If a firm made 1,000 DNC calls, the math gets ugly fast.

On the FCC and TCPA side, 47 U.S.C. § 227 provides a private right of action. Consumers can sue for $500 per violation or actual damages, whichever is greater. If a court finds the violation was willful or knowing, that jumps to $1,500 per call. [2] TCPA class actions are common, and broker-dealers are not immune. Several financial services firms have settled TCPA class actions for millions of dollars.

State attorneys general can bring enforcement actions too. States like Florida run their own telemarketing laws with separate penalty structures. If you call into Florida, check the Florida do not call list requirements as well, because Florida's state DNC registry operates alongside the federal one and has its own registration fee for telemarketers.

FINRA discipline plus FTC civil penalties plus TCPA class-action exposure is what turns Rule 3230 compliance into a business-continuity issue rather than a paperwork exercise.

How do you build a FINRA Rule 3230 compliant telemarketing program?

Start with the list scrubbing infrastructure. Before any outbound campaign, your system cross-references your call file against three inputs: the National DNC Registry, your firm-specific internal DNC list, and any state DNC registries for the states you call into. [9] These are separate databases, and each one needs its own subscription or data pull.

Next, build the opt-out workflow. Every time a consumer says "don't call me again" or anything close, that number lands in your internal DNC database the same business day. Assign one person to own that process. Suppression systems fail when nobody owns them. The 30-day maximum in Rule 3230 is a hard deadline, and the practical standard FINRA expects is much faster. [1]

Time-zone controls need to be automatic, not manual. A rep who forgets to check time zones during an eight-hour shift is an enforcement risk. If your CRM or dialer does not tag every record with the called party's time zone and enforce the 8 a.m. to 9 p.m. window, fix that before you call.

For WSPs, write the actual steps, not principles. "We will comply with FINRA Rule 3230" is not a procedure. "The compliance manager pulls updated DNC registry files on the first business day of each month, applies them to the master call list in Salesforce using the DNC filter script, and logs the pull date" is a procedure. [8]

Training matters more than most teams think. FINRA's examination findings consistently name inadequate training as a factor in telemarketing violations. Reps need to know the calling-window rules, how to handle an opt-out in real time, and what to say when the customer asks who is calling. Annual training with a sign-off log is the floor.

If you use third-party lead vendors or outsource calls, your firm is still on the hook. Rule 3230 does not let you contract away liability. Do due diligence on vendors, get contractual representations about their DNC compliance, and audit them periodically. [1]

For teams that want a ready-made framework, LeadCompliant's compliance kit includes DNC scrubbing checklists and a telemarketing policy template you can adapt for your WSPs.

Does FINRA Rule 3230 apply to calls to businesses or only to consumers?

The TSR's DNC provisions mainly protect residential telephone subscribers. Business-to-business calls are generally outside the scope of the National DNC Registry requirement under the TSR. [9] FINRA Rule 3230 follows the same framework.

That said, business calls in financial services are often not clean. A wholesaler calling a financial advisor's direct line at an RIA firm is probably a B2B call. A registered rep calling a small-business owner at home to pitch a retirement account is a consumer call, even if that person sometimes uses the line for business. The test is whether the number is used primarily as a residential line.

There is also the TCPA angle. The TCPA's restrictions on autodialed calls to cell phones apply whether the called party is a consumer or a business owner. The FCC has not carved out a blanket B2B exception to the cell-phone rules. [2] So even if you have no DNC-registry obligation for a given B2B call, you may still have TCPA obligations if you are using an autodialer.

Rule of thumb: treat any call to a number that might be a home number as a consumer call. If you are not sure, err toward the more protective standard.

How does FINRA Rule 3230 differ from the TCPA?

These two frameworks are related but not the same, and confusing them is a real compliance risk.

The TCPA (47 U.S.C. § 227) is a federal statute enforced by the FCC. It restricts autodialed calls and prerecorded messages to cell phones without prior express consent, prohibits calls to numbers on the National DNC Registry, and governs text messages. [2] The TCPA has a private right of action, so any consumer can sue directly without waiting for a government agency to act.

FINRA Rule 3230 is a self-regulatory organization (SRO) rule that FINRA enforces against its member firms. It incorporates the FTC's Telemarketing Sales Rule, which operates under the FTC Act. The TSR sets conduct standards: calling hours, DNC scrubbing, disclosure requirements, and firm-specific opt-out lists. [1] There is no private right of action under the TSR itself. Enforcement comes from the FTC or state attorneys general.

Here is the practical difference. The TCPA is where class-action plaintiffs' lawyers live. A broker-dealer using a predictive dialer to call cell phones without proper consent can face a class action under the TCPA, with liability of $500 to $1,500 per call across thousands of class members. Rule 3230 violations lead to FINRA disciplinary proceedings, which are serious for the firm's registration status but do not create direct consumer lawsuits.

The overlap is heavy. Both frameworks require DNC scrubbing, both require identifying the caller, and both prohibit calling at unreasonable hours. Run afoul of one and you likely run afoul of the other. Build your program to the stricter of the two requirements in each category and you will be in good shape on both fronts.

For a detailed look at what the do not call list covers under the federal framework, that resource breaks down the FTC and FCC rules side by side.

What does FINRA look for when examining telemarketing compliance?

FINRA's telemarketing exam falls under its broader supervisory systems review. Examiners typically request a sample of outbound call records, the firm's internal DNC list, documentation of when and how the firm accessed the National DNC Registry, and the relevant sections of the WSPs. [4]

Common findings from FINRA examinations in this area:

  • No written supervisory procedures specific to telemarketing (a real section, not a sentence pointing to "applicable laws")
  • Failure to access the DNC Registry on a rolling 31-day basis
  • Internal DNC lists that are incomplete because opt-out requests were not systematically recorded
  • No training records showing that registered reps understood the calling-hours rules
  • Third-party telemarketing vendors with no due diligence file

FINRA's 2023 Report on its Examination and Risk Monitoring Program listed telemarketing supervision as a continuing area of focus, with attention to firms that ramped up outbound prospecting after market volatility. [4] If your firm increases calling during market disruptions, that is exactly when examiners are watching.

One thing FINRA has said clearly: the fact that a registered representative made a call, rather than the firm's marketing department, does not insulate the firm. Associated persons are covered. If a rep is cold-calling from a personal cell phone without going through the firm's scrubbed list, the firm still has a supervisory problem under Rule 3110 and a potential Rule 3230 violation.

Are there exceptions or safe harbors under FINRA Rule 3230?

There are a few, and they are narrower than most people assume.

The established business relationship exception. A firm can call a customer on the National DNC Registry if there is an EBR: a transaction within the past 18 months or an inquiry within the past three years. [3] This exception evaporates the moment the customer tells you not to call. An EBR is not a license to ignore opt-outs.

Prior express written consent. If the consumer gave clear, written authorization to be contacted, the DNC Registry restriction does not apply. [3] For broker-dealers, this consent often gets captured at account opening, but it needs to be genuinely informed and specific. The FTC has challenged broad consent language consumers could not reasonably have understood.

Personal relationship exception. A call made by someone with a personal relationship to the recipient, outside a business context, sits outside the TSR's scope. In practice, this does not help broker-dealers much, because their calls are always commercial.

The error safe harbor. The TSR provides a limited safe harbor if a seller can show it has an established and implemented DNC compliance program and the call was an error. [3] The requirements are specific: a written policy, registry access within the required window, and a call made in error despite those systems. This is not a "we tried our best" defense. FINRA expects firms to rely on actual programs, not error safe harbors.

If you are pulling the ftc do not call list data properly, documenting your scrubbing, and training your reps, the safe harbor can back you up on the occasional miss. Without that foundation, it is not available to you.

How should you handle do-not-call requests from prospects and customers?

The process matters as much as the rule. When someone says "put me on your do not call list" or "don't call me again," your rep needs to know exactly what to do in the next 60 seconds.

The immediate step is to verbally confirm the request and offer a phone number or address the consumer can use to confirm it in writing if they want. [1] You are not required to send a written confirmation, but offering one is good practice and builds a cleaner record.

The record-keeping step happens the same business day. The number goes into the firm's internal DNC list with the date and the name of the rep who took the call. Who enters it, where they enter it, and who verifies the entry are all questions your WSP should answer.

Within 30 days, the number has to be fully suppressed from all future calling. [1] It cannot appear on a dialing list, it cannot be handed to a different rep who does not know about the request, and it cannot be reset because the customer opened a new account. The suppression follows the number, not the customer relationship.

Retention of these records is five years minimum under Rule 3230. [1] Store them somewhere your compliance team can pull them on short notice during an exam.

For firms with high call volume, manual logging does not hold up. Wire your opt-out capture directly into your CRM or dialing platform so a suppression flag is automatic, not dependent on a rep remembering a data-entry step. This is not optional sophistication. It is the baseline the rule assumes you have.

If you want to understand how the broader dnc registry interacts with firm-specific lists, that article covers the two-list system in detail.

What records do broker-dealers need to keep for Rule 3230 compliance?

Record retention under Rule 3230 connects to FINRA's broader books-and-records rules, chiefly Rule 4511 and SEA Rule 17a-4. The practical answer: keep everything for at least five years, with the first two years in an easily accessible location. [7]

Specifically for telemarketing, the records you need include:

  • Your internal DNC list, including the dates entries were added and by whom
  • Evidence of each DNC Registry data pull: the date, which files you downloaded, and which call list the suppression was applied to
  • Call logs showing which numbers were dialed, when, and by which representative
  • Scripts or talking points used in telemarketing campaigns
  • Consent documentation for any number where the firm relied on prior written consent to call a registered number
  • Training records showing that each associated person completed telemarketing compliance training and when
  • Third-party vendor agreements and any audit or due diligence records for those vendors

FINRA examiners can request any of these during a cycle exam or a cause exam triggered by a customer complaint. The firms that handle exams well are the ones whose compliance staff can pull the records in an afternoon, not the ones who spend two weeks reconstructing documentation.

For teams that struggle with where to start, the do not call list report article explains how to document DNC compliance in a way that holds up to scrutiny, and LeadCompliant's free checklist tool can help you audit your current process against the Rule 3230 requirements before an examiner does it for you.

Frequently asked questions

Does FINRA Rule 3230 apply to text messages and emails?

Rule 3230 focuses on telephone solicitations, so voice calls are the primary target. Text messages fall more squarely under the TCPA and FCC regulations than Rule 3230 itself. Emails are generally governed by the CAN-SPAM Act. FINRA's broader supervisory expectations still mean any outbound communication that promotes securities products needs documented compliance procedures. If you are texting prospects, treat it as a TCPA matter first.

Can a broker-dealer call a number on the National DNC Registry if the customer is an existing client?

Yes, under the established business relationship (EBR) exception. A firm can call an existing customer on the National DNC Registry for up to 18 months after the last transaction or three years after the customer's last inquiry. The exception disappears immediately if the customer tells you not to call. After that, no EBR exception applies, and the number goes on your internal DNC list within 30 days.

How often do broker-dealers need to scrub their call lists against the DNC Registry?

At minimum every 31 days. The FTC requires organizations to download updated registry data at least monthly and apply it before each campaign. FINRA examiners verify this by checking the dates of your registry data pulls against your call records. A list that is 45 days old when you use it creates exposure even if you scrubbed it diligently when it was fresh.

What is the penalty for a FINRA member firm that ignores do-not-call requests?

Penalties come from multiple directions. FINRA can fine the firm and suspend or bar associated persons. The FTC can assess civil penalties up to $53,088 per violation under the TSR. Consumers can sue directly under the TCPA for $500 per call, or $1,500 per call if the violation was willful. A pattern of ignored opt-outs is exactly the kind of systemic failure that draws the largest FINRA fines and attracts class-action lawyers.

Do independent contractors working with a broker-dealer have to follow Rule 3230?

Yes. Rule 3230 covers associated persons of FINRA members, which includes registered representatives operating as independent contractors affiliated with the firm. The firm has supervisory responsibility for their telemarketing activity under Rule 3110. A rep calling from a personal cell phone without using the firm's scrubbed call list still creates a compliance problem for the firm, not only the individual.

What calling hours does FINRA Rule 3230 require?

Outbound telemarketing calls may only go out between 8 a.m. and 9 p.m. in the called party's local time zone. This matches the Telemarketing Sales Rule window that Rule 3230 incorporates. The called party's time zone controls, not the caller's. A firm calling from New York to a customer in Los Angeles has to wait until 8 a.m. Pacific time, which is 11 a.m. Eastern.

How long must a broker-dealer keep its internal do-not-call list?

FINRA Rule 3230 requires firms to keep their company-specific DNC list for at least five years. This matches FINRA's general books-and-records retention standards. The list should include the date each number was added, the name of the person who recorded the opt-out, and any notes about the nature of the request. FINRA examiners can ask for this list at any time.

Does FINRA Rule 3230 apply to calls made outside the United States?

Rule 3230 applies to FINRA members regardless of where the call originates, if the call is directed to a U.S. residential subscriber. A call center operating offshore on behalf of a U.S. broker-dealer that calls U.S. numbers falls under the rule. The National DNC Registry scrubbing requirement applies to U.S. residential numbers. The firm cannot avoid the obligation by routing calls through a foreign call center.

What disclosures must a caller make under FINRA Rule 3230?

The caller must promptly disclose the firm's name and a phone number or address where the consumer can contact them. Callers cannot block or misrepresent caller ID information. If the call uses a recorded message, the TSR requires the message to identify the seller, describe the goods or services, and provide a way to opt out. These disclosures happen at the start of the call, not after a sales pitch.

Can a firm rely on a third-party lead vendor's DNC compliance and avoid liability?

No. FINRA Rule 3230 does not let firms outsource liability to vendors. The member firm is responsible for making sure calls placed on its behalf comply with the rule. That means doing due diligence on lead vendors, requiring contractual representations about their DNC compliance, and auditing vendor processes periodically. If a vendor supplies a list with registered DNC numbers and the firm calls them, the firm bears the enforcement risk.

How does a small broker-dealer with limited staff manage FINRA Rule 3230 compliance practically?

Focus on three things: a current DNC Registry subscription with documented monthly pulls, an internal DNC list with a named owner who enters opt-outs the same day they happen, and written procedures in your WSP that describe both processes step by step. For very small teams, low-cost DNC scrubbing tools can automate the list-matching step. The record-keeping burden is the same regardless of firm size, so build the documentation habit from day one.

Are there state-level telemarketing rules that apply on top of FINRA Rule 3230?

Yes. Many states run their own do-not-call registries with separate registration requirements for telemarketers. Florida, Indiana, Pennsylvania, and others have state DNC lists that apply alongside the federal registry. Some states set shorter calling-hour windows or extra disclosure requirements. Broker-dealers calling into multiple states have to layer state requirements on top of Rule 3230, not treat federal compliance as enough. Check each state where you actively prospect.

What is the difference between FINRA Rule 3230 and the old NASD Rule 2212?

NASD Rule 2212 was the predecessor rule that predated FINRA's consolidation of NASD and NYSE Regulation. Rule 3230 replaced it in December 2014 and widened its scope to cover all FINRA member firms, including former NYSE members who had been subject to NYSE Rule 440A. The substantive requirements track the TSR, but Rule 3230 is clearer about supervisory procedures and record-keeping than the older rule was.

Sources

  1. FINRA, Rule 3230 (Telemarketing): FINRA Rule 3230 requirements including firm-specific DNC list retention of five years, 30-day opt-out window, calling-hour restrictions, and coverage of associated persons
  2. Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310): TSR requirements for 31-day registry scrubbing intervals, established business relationship exception (18 months/3 years), prior express written consent exception, and the error safe harbor conditions
  3. FINRA, Reports on FINRA's Examination and Risk Monitoring Program: Telemarketing supervision identified as continuing examination focus area; common findings including inadequate WSPs and failure to train associated persons
  4. Federal Trade Commission, Telemarketing Sales Rule (16 C.F.R. Part 310) civil penalty provisions: FTC civil penalty ceiling per TSR violation as adjusted annually for inflation
  5. Federal Trade Commission, National Do Not Call Registry: National DNC Registry operated by the FTC; numbers remain registered permanently; registry accessible for organizations to scrub call lists
  6. FINRA, Rule 4511 (General Requirements for Books and Records): FINRA Rule 4511 requires books and records retention for at least six years (FINRA standard) with first two years in accessible location; applies in conjunction with Rule 3230 record-keeping
  7. FINRA, Rule 3110 (Supervision): FINRA Rule 3110 requires written supervisory procedures for all member firm activities including telemarketing; firms must supervise associated persons' telemarketing conduct
  8. Federal Trade Commission, Complying with the Telemarketing Sales Rule: TSR compliance guidance covering DNC scrubbing requirements, B2B call scope, and required caller disclosures

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit