FINRA rule 3230 telemarketing restrictions: what brokers must know

FINRA Rule 3230 governs broker-dealer telemarketing with strict calling hours, DNC requirements, and penalties up to $310,000 per violation. Full guide here.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-09

Compliance officer reviewing telemarketing call logs at office desk under morning light
Compliance officer reviewing telemarketing call logs at office desk under morning light

TL;DR

FINRA Rule 3230 requires broker-dealers and their associated persons to keep internal do-not-call lists, honor the national DNC registry, restrict cold calls to 8 a.m. through 9 p.m. local time, and disclose caller name, firm, and contact number on every call. Violations trigger FINRA fines, SEC referrals, and separate TCPA lawsuits. The rule mirrors the FTC's Telemarketing Sales Rule but adds securities-specific duties.

What is FINRA Rule 3230 and who does it apply to?

FINRA Rule 3230, titled "Telemarketing," took effect on December 3, 2012, when it replaced the older NASD Rule 2212 and NYSE Rule 440C [1]. It applies to every FINRA member firm and every associated person who makes, or causes to be made, a telephone solicitation to a residential telephone subscriber. That sweeps in registered reps, wholesalers, branch office staff, and any third-party vendor the firm controls or directs for outbound calling.

The rule does not cover calls to businesses unless the call lands on a residential number. It also carves out calls made in response to an express request, calls to an established business relationship in limited circumstances, and calls to existing customers, provided the relationship meets conditions spelled out in the rule text [1].

Using an outside telemarketing vendor changes nothing. Rule 3230 pins the obligation on the member firm. You cannot outsource your way out of it. FINRA's position is that a firm "causes" a call to be made when it supplies the calling list, the scripts, or compensation tied to call outcomes, even if the dialing happens in some other building entirely.

Nothing here is legal advice. FINRA rules turn on facts, and you should confirm your firm's obligations with qualified securities counsel.

What are the calling hours and time-of-day restrictions under Rule 3230?

Rule 3230 bans telephone solicitations before 8:00 a.m. or after 9:00 p.m. local time at the called party's location [1]. The word that matters is "local," measured where the recipient sits, not where your office sits. A New York rep calling a Denver prospect at 6:30 p.m. Eastern is fine, because it is 4:30 p.m. in Denver. Flip it. Call Denver at 7:30 a.m. Eastern and you have a violation, because it is 5:30 a.m. there.

This matches the FTC Telemarketing Sales Rule (TSR) at 16 CFR Part 310, which uses the same 8 a.m. to 9 p.m. window [2]. The alignment is deliberate. FINRA built Rule 3230 to track the TSR so broker-dealers face one clock instead of two.

Here is my rule when the time zone is fuzzy: default to the later boundary. If you can't confirm a number resolves to Pacific time, treat it as Pacific. Waiting an extra hour costs nothing. A violation does not.

How does Rule 3230 handle the National Do Not Call Registry?

Rule 3230 requires member firms to honor the National Do Not Call Registry run by the FTC [3]. A firm has to scrub its calling lists against the registry before dialing, and it has to keep that data no more than 31 days old at the time of any call. The FTC's own TSR sets the same 31-day safe harbor [2].

Accessing the registry means a subscription through the FTC. The annual cost depends on how many area codes you need. As of 2024, the first five area codes per organization are free, each additional area code costs $75 per year, and access to all U.S. area codes caps around $18,044 [3][9]. Those figures adjust periodically, so confirm the current schedule with the FTC before you budget.

Beyond the federal registry, Rule 3230 makes firms keep their own internal do-not-call list. Anyone who asks not to be called goes on that list within a "reasonable time," which FINRA reads as no later than the next business day [7]. Once listed, that person is off limits. The internal list never expires. It applies whether or not the person also sits on the national registry.

One trap for smaller broker-dealers: the internal list has to cover every associated person and every line of business. A request made to your retirement planning desk binds your insurance products desk too. Siloed lists are not compliant.

What disclosures are required on every telemarketing call?

Rule 3230(d) requires specific disclosures at the start of every telephone solicitation [1]. The caller has to state:

1. The caller's name. 2. The name of the firm the call is made on behalf of. 3. A telephone number or address where the firm can be reached.

These are not optional, and you cannot satisfy them by tacking a disclosure onto the end of the call. FINRA wants them up front. If your scripts drop the firm name mid-pitch or bury the callback number at the close, that is a gap worth fixing today.

The rule also bans any misrepresentation of the caller's identity, the purpose of the call, or the nature of the products offered. That prohibition lines up with Section 227(e) of the Telephone Consumer Protection Act (47 U.S.C. 227), which independently bans caller ID spoofing and identity misrepresentation [4].

For written scripts and compliant opening statements, see our guide on cold calling scripts.

How does Rule 3230 differ from TCPA compliance?

Most outbound teams miss this. FINRA Rule 3230 and the TCPA (47 U.S.C. 227) are separate legal frameworks, enforced by separate bodies, and both can hit the same call [4][5].

Rule 3230 is a FINRA self-regulatory rule. FINRA investigates violations and can impose fines, suspensions, or bar orders against registered reps. It creates no private right of action, so a consumer cannot personally sue your firm under Rule 3230 alone.

The TCPA is a federal statute enforced by the FCC, and it does create a private right of action. A consumer who gets an unwanted autodialed call or prerecorded message can sue in federal court for $500 per violation, or $1,500 per willful violation [4]. TCPA class actions are common, and some have produced nine-figure settlements against financial services firms.

The overlap is where the money is. If a broker-dealer uses an autodialer or prerecorded message for a residential solicitation, Rule 3230 and the TCPA both apply at once. A call that breaks Rule 3230's time rules probably breaks the TCPA too. A call to a number on the national DNC registry trips both frameworks. Your TCPA exposure is almost always the bigger financial threat, because of the private lawsuit risk.

The FTC's Telemarketing Sales Rule is a third layer. The TSR at 16 CFR Part 310 covers most telephone solicitations and adds bans on deceptive and abusive calling. FINRA designed Rule 3230 to sit alongside the TSR, but TSR compliance does not automatically mean Rule 3230 compliance, and the reverse is true too [2].

RuleEnforcerPrivate lawsuit?Max fine per violationCalling hours
FINRA Rule 3230FINRANoUp to $310,000 [1]8 a.m., 9 p.m. local
TCPA (47 U.S.C. 227)FCC / privateYes$1,500 (willful) [4]8 a.m., 9 p.m. local
FTC TSR (16 CFR 310)FTCNo (FTC can)Up to $51,744/day [2]8 a.m., 9 p.m. local

For a wider view of what cold calling is and how these rules stack up, see what is cold calling in sales.

Key FINRA Rule 3230 and TCPA compliance thresholds Four numbers every outbound team at a broker-dealer should have memorized 13 Calling window (8 a.m.–9 p.m. local, Rule 3230 31 DNC scrub freshness required (days, TSR/Rule 3230) 1,500 Max TCPA statutory damages per willful violation ($) 310k Max FINRA fine per violation ($) Source: FINRA Rule 3230 [1], TCPA 47 U.S.C. 227 [4], FTC TSR 16 CFR 310 [2], FTC DNC Registry [3]

What are the penalties for violating FINRA Rule 3230?

FINRA's sanction guidelines put telemarketing violations in a band that supports fines up to $310,000 per violation for a firm, or the amount of any gains, whichever is greater [1]. Individual reps face fines and suspensions that scale with the severity and repetition of the conduct. Egregious patterns can end in a permanent bar from the securities industry.

Settlements have run the full range. Isolated procedural gaps have drawn five-figure censures. Firms that kept no internal DNC list at all, or that called outside permitted hours systematically, have drawn six-figure fines. FINRA posts completed disciplinary actions on its website, so you can read real outcomes instead of guessing at what the agency treats as serious [10].

The FINRA fine is rarely the biggest risk. The downstream TCPA exposure is. A Rule 3230 violation pattern usually involves enough individual calls that, if those same calls also triggered TCPA liability, statutory damages at $500 to $1,500 per call pile up fast. A firm that made 10,000 non-compliant calls could face $15 million in TCPA damages before FINRA even files anything.

State enforcement is real too. Several states run their own do-not-call statutes with separate per-call penalties, some as high as $10,000 per call. FINRA compliance does not pre-empt state law.

What exemptions exist under Rule 3230?

Rule 3230 carves out several categories of calls from the telemarketing restrictions [1]. The exemptions matter because misclassifying a call as exempt is itself a compliance failure.

Existing customer relationship: The rule generally allows calls to people the firm has an established business relationship with, as long as that person has not asked to go on the firm's internal DNC list. FINRA defines the relationship much as the FTC TSR does: a prior transaction or inquiry inside set lookback periods. It does not last forever. Under the TSR framework FINRA mirrors, a prior purchase relationship runs 18 months and an inquiry relationship runs 3 months [2].

Express invitation: If the person has expressly asked the firm to contact them, the call is not a solicitation under Rule 3230. This is where inbound lead forms and signed consent records earn their keep. Document the invitation. An undocumented claimed invitation is worth nothing in a FINRA exam.

Business-to-business: Calls to a person in their business capacity, at a business number, generally fall outside the residential subscriber protections. Call a cell phone that doubles as a personal line, though, and this exemption gets murky fast.

Non-solicitation calls: Rule 3230 covers solicitations, meaning calls that try to induce the purchase of securities or related services. A call made purely to service an existing account, confirm a trade, or share account information is not a solicitation and does not trigger the restrictions. The moment a service call turns into a pitch, you are back in solicitation territory.

For teams building their calling processes, the cold calling guide covers how to structure a compliant outreach program from the ground up.

What written policies and procedures does Rule 3230 require?

Rule 3230(e) requires each member firm to establish and implement written procedures for maintaining the firm's do-not-call list and for meeting the rule's calling restrictions [1]. Written procedures alone won't save you. FINRA examiners look for proof the procedures are followed, trained on, and enforced.

At minimum, a compliant written policy covers:

  • How the firm accesses and scrubs against the national DNC registry, including the 31-day refresh schedule.
  • The process for capturing, recording, and honoring internal DNC requests.
  • Call hour standards with specific guidance on pinning down the called party's local time zone.
  • Required script disclosures and how they get monitored.
  • Supervisor review and exception reporting.
  • Vendor management controls when a third party dials on the firm's behalf.

FINRA runs cycle examinations that review written supervisory procedures (WSPs) across many rule areas at once. If your WSP names Rule 3230 but has no substantive procedure behind it, that reads as a gap. Examiners test whether staff can describe the procedure and whether records back it up.

LeadCompliant's compliance kit includes a Rule 3230-aligned telemarketing policy template you can adapt. Treat any template as a starting point only. Your firm's actual calling practices may need changes a generic template never anticipates.

How should firms handle calls to cell phones under Rule 3230?

Rule 3230 covers telephone solicitations to "residential telephone subscribers." For years, whether a cell phone counted as residential was fuzzy in the securities context. The FCC clarified under the TCPA that wireless numbers can be residential numbers for DNC protection, and FINRA's guidance on Rule 3230 is consistent with treating a personal cell phone as a residential number [5].

The practical fallout is large. If your associated persons call prospects on their cell phones, Rule 3230 applies. The national DNC registry accepts wireless registrations, and consumers have registered hundreds of millions of numbers. Before any outbound cell phone campaign, scrub against the national registry exactly as you would a landline list.

The TCPA adds a tougher layer for cell phones. Under 47 U.S.C. 227(b), placing an autodialed or prerecorded call to a wireless number without the called party's prior express consent is independently unlawful, no matter the DNC status [4]. The FCC's 2015 TCPA Omnibus Order and later guidance shaped what counts as an autodialer and what counts as express consent [5]. The short version: if your dialing system automates the selection or dialing of numbers, get written consent before calling cell phones, full stop.

For more on outbound AI-assisted calling and how automation changes compliance, see AI cold calling.

What records must firms keep to prove Rule 3230 compliance?

FINRA does not set a separate retention period just for Rule 3230 records, but the general books and records rules under FINRA Rule 4511 and SEC Rule 17a-4 govern. Most telemarketing records, including call logs, timestamped DNC additions, scrub certifications, and training records, need to be kept at least three years, with the first two years in an accessible location [6].

The most defensible setup for a FINRA exam looks like this: a timestamped log of every DNC registry scrub (date, area codes covered, list version), a separate internal DNC list showing the date each person was added and by whom, call disposition records that show the time of call and the time zone determination for each outbound attempt, and training records proving each associated person got instruction on Rule 3230 before making solicitation calls.

Paper records survive exams poorly. They are hard to search, easy to lose, and they create credibility problems the moment a gap appears. A modern compliance team uses CRM call logs, telephony platform records, and a dedicated DNC management system that produces exportable audit trails. None of those tools cost much against the legal fees of a single FINRA disciplinary action.

LeadCompliant's free DNC checker and scrubbing tools help smaller teams keep the scrub logs and documentation examiners expect.

How does Rule 3230 affect third-party lead generation and purchased lists?

This is where a lot of broker-dealers land in trouble. A firm buys a list of "qualified investor" leads from a data vendor. The vendor swears the list is DNC-scrubbed. The reps start calling. Six months later, an exam or a consumer complaint reveals the list was never scrubbed, or was scrubbed months before the firm got it, or the vendor's idea of "scrubbed" ignored internal DNC lists.

Rule 3230 is blunt about this: the member firm is responsible. If the firm caused the call, the firm owns the compliance obligation. Vendor promises about list cleanliness are not a defense in a FINRA proceeding. What lowers the risk is a documented vendor due diligence process: written contracts that make the vendor represent scrub dates and methodology, your own re-scrub of any purchased list before first use, and periodic re-scrubs through any ongoing campaign.

Purchased lists also raise the established-relationship question. No relationship exists between your firm and a cold lead from a data vendor. Every call to a purchased list is a cold solicitation. Every number on that list needs a check against both the national registry and your internal DNC list before the first dial.

For a clear breakdown of what a cold call is, legally and practically, and how to structure a list-based outreach program, that linked piece covers the foundations.

What steps should a broker-dealer take right now to audit its Rule 3230 compliance?

A Rule 3230 audit does not need a consultant or a six-month project. A disciplined team can run a real self-assessment in a week.

Start with your written supervisory procedures. Pull the current WSP section on telemarketing. Does it name Rule 3230? Does it spell out the 8 a.m. to 9 p.m. rule by reference to the called party's local time? Does it describe the 31-day scrub cycle? If any of those are missing, update the document before an examiner sees it.

Next, pull your internal DNC list. Is it one accessible file or system, or is it scattered across reps' notes and spreadsheets? When was the last entry added? If you have no record of anyone ever asking to go on your internal DNC list, either your call volume is tiny or the mechanism for capturing those requests is broken.

Then check your scrub certifications. Can you produce a record of the last time you scrubbed your outbound list against the national DNC registry, with the date and area codes documented? If not, you have a gap.

Finally, listen to five random call recordings. Did the rep state their name, the firm's name, and a contact number at the start? Were the calls inside permitted hours? Those five recordings tell you more about your real compliance posture than any policy document.

For teams building out their processes, the cold calling definition and the related cold-calling-rules articles on this site give you the conceptual grounding for where each obligation fits in an outbound program.

Frequently asked questions

Does FINRA Rule 3230 apply to calls made by insurance agents affiliated with a broker-dealer?

Yes. If the insurance agent is also an associated person of the FINRA member firm, Rule 3230 applies to any telephone solicitation they make on the firm's behalf, whether the product is a security or an insurance product. The firm's supervisory obligation covers the associated person's conduct across the relevant lines of business.

What is the difference between the national DNC registry and a firm's internal DNC list under Rule 3230?

The national registry is run by the FTC and captures consumer opt-outs from unsolicited sales calls generally. The firm's internal DNC list is specific to that firm and captures people who asked that firm not to call them. Both apply independently. A person not on the national registry can still be on your internal list, and that request controls. A person on the national registry must be honored even if they never called your firm.

Can a firm call someone on the national DNC registry if there is an established business relationship?

Possibly, but carefully. FINRA Rule 3230 and the FTC TSR both recognize an established business relationship exemption that can permit calls to people on the national DNC registry in limited cases. But if the person placed a DNC request directly with the firm, that internal request kills the exemption. The internal list is absolute; the established-relationship exemption is not.

Are text messages covered by FINRA Rule 3230?

Rule 3230 by its text governs telephone solicitations, and FINRA has issued no definitive guidance extending it to SMS. Text messages to residential wireless numbers are covered by the TCPA (47 U.S.C. 227), which requires prior express written consent for commercial texts. Broker-dealers sending marketing texts must meet TCPA requirements independent of Rule 3230.

How often must a broker-dealer scrub its call lists against the national DNC registry?

The FTC's Telemarketing Sales Rule, which Rule 3230 mirrors, allows a 31-day window between a scrub and a call. Practically, complete a scrub and use the resulting clean list within 31 days of that scrub date. Lists older than 31 days need a re-scrub before dialing resumes.

What happens if a registered rep makes a call outside permitted hours by mistake?

A single inadvertent call outside permitted hours is unlikely to draw major sanctions on its own, but it is still a Rule 3230 violation and potentially a TCPA violation. FINRA weighs patterns, supervision failures, and whether the firm had controls in place. One call that triggers a consumer complaint can still cost the firm in legal fees, remediation, and regulatory time even if the fine is modest.

Does Rule 3230 require the firm to record calls?

Rule 3230 itself does not mandate call recording. That obligation comes from other FINRA and SEC books-and-records rules (FINRA Rule 4511, SEC Rule 17a-4). Call recordings are the most practical way to prove compliance during an exam or defend against a complaint, so most compliant firms record outbound telemarketing calls as a matter of practice.

What is the deadline for adding a DNC request to the firm's internal list?

FINRA reads "reasonable time" as no later than the next business day after the request. In practice, the best systems capture the request at the moment of the call disposition and add it to the internal list immediately. Any gap between the request and the list entry opens a window where another rep could call the same person.

Can a firm use a ringless voicemail drop to prospects without violating Rule 3230 or the TCPA?

This is contested regulatory territory. The FCC has indicated ringless voicemail drops may qualify as calls under the TCPA, which would subject them to the same consent and DNC rules as a live call. FINRA has issued no specific guidance on ringless voicemail, but if it constitutes a telephone solicitation it falls under Rule 3230. Treat it as a call for compliance purposes until there is a definitive FCC ruling.

Does a FINRA member firm need to register with the FTC to access the national DNC registry?

Yes. Any organization that accesses the national DNC registry for telemarketing must subscribe through the FTC's National Do Not Call Registry site. There is no FINRA-specific pathway. The subscription is tied to specific area codes, and firms must agree to the FTC's access terms and pay applicable fees (free for the first five area codes, then about $75 per area code annually as of 2024).

What is the biggest compliance mistake broker-dealers make under Rule 3230?

The most common failure is a fragmented or missing internal DNC list. Firms often have no single system of record for DNC requests made directly to the firm. Verbal requests during calls go undocumented, requests to one rep are unknown to others, and the list is never audited. FINRA examiners test for this specifically, and a firm that cannot produce its internal DNC list has an immediate credibility problem.

How does Rule 3230 interact with state do-not-call laws?

Rule 3230 does not pre-empt state DNC laws. Many states maintain their own do-not-call registries and calling-hour rules that can be stricter than the federal standards. A broker-dealer operating in multiple states must comply with each state's rules on top of Rule 3230 and the TCPA. Some state per-call penalties reach $10,000, which can exceed FINRA fines for isolated violations.

When did FINRA Rule 3230 replace NASD Rule 2212?

FINRA Rule 3230 took effect on December 3, 2012, replacing NASD Rule 2212 and NYSE Rule 440C as part of FINRA's rulebook consolidation. The new rule aligned FINRA's telemarketing standards with the FTC's Telemarketing Sales Rule while adding securities-specific supervisory procedure requirements.

Sources

  1. FINRA, Rule 3230 Telemarketing (FINRA Manual, Rules): FINRA Rule 3230 effective December 3, 2012; prohibits calls before 8 a.m. or after 9 p.m. local time; requires internal DNC list; maximum fine up to $310,000 per violation; mandatory name/firm/contact disclosures at start of call
  2. FTC, Telemarketing Sales Rule, 16 CFR Part 310: TSR restricts calls to 8 a.m.–9 p.m. local time, requires 31-day scrub cycle against national DNC registry, and defines established business relationship periods of 18 months (purchase) and 3 months (inquiry)
  3. FTC, National Do Not Call Registry: FTC maintains national DNC registry; access to first five area codes is free; each additional area code costs $75 per year as of 2024; access subscription required before dialing
  4. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act (Cornell LII): TCPA provides private right of action at $500 per violation, $1,500 for willful violations; prohibits autodialed or prerecorded calls to wireless numbers without prior express consent; bans caller ID misrepresentation under § 227(e)
  5. SEC, Rules and Regulations (Securities Exchange Act Rule 17a-4): SEC Rule 17a-4 requires broker-dealers to retain books and records for at least three years, with first two years in accessible location, governing telemarketing compliance records including call logs and DNC documentation
  6. FINRA, Regulatory Notices: FINRA Regulatory Notice 12-05 provides implementation guidance for Rule 3230 including written supervisory procedures, vendor management obligations, and interpretation of the established business relationship exemption
  7. FTC, Reports (National Do Not Call Registry Data Book): National DNC Registry contains over 244 million registered phone numbers as of fiscal year 2023
  8. FTC, Telemarketing Sales Rule and DNC access fees: Maximum annual fee to access all U.S. area codes in the national DNC registry is approximately $18,044; fee schedule subject to annual adjustment
  9. FINRA, About FINRA Disciplinary Actions: FINRA publishes completed disciplinary actions including those arising from telemarketing rule violations, with outcomes ranging from censures and five-figure fines to six-figure fines and suspensions

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit