FINRA, SEC, and TCPA compliance for cold calling financial advisors

Financial advisors face FINRA, SEC, and TCPA rules simultaneously. Learn call time limits, consent rules, DNC obligations, and the fines for getting it wrong.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-10

Financial advisor making a cold call in a compliance-focused office setting
Financial advisor making a cold call in a compliance-focused office setting

TL;DR

Financial advisors cold calling prospects answer to three overlapping rule sets: the TCPA (47 USC 227) enforced by the FCC, the FTC Telemarketing Sales Rule, and FINRA/SEC conduct rules. TCPA violations cost $500 to $1,500 per call. FINRA fines reach $310,000 per violation. This article maps every obligation and shows how to build one process that satisfies all three.

Why do financial advisors face more cold calling rules than most industries?

Most outbound sales teams answer to two regulators: the FCC on the TCPA, and the FTC on the Telemarketing Sales Rule. Financial advisors answer to those two plus FINRA, the SEC, and often a state securities division. Each regulator owns a different slice of the risk.

The FCC and FTC care about the mechanics. Did you call at the wrong time? Did you use an autodialer without consent? Did you ignore a Do Not Call request? FINRA and the SEC care about what came out of the rep's mouth. Was the pitch fair, accurate, and supervised? A call that is spotless under the TCPA can still break FINRA Rule 2010 (standards of commercial honor) if the advisor oversells returns. A call that satisfies every FINRA suitability standard can still hand a plaintiff a TCPA suit if you dialed a cell phone with an autodialer and no written consent.

So you need one checklist that covers both worlds at once. Not two checklists sitting in separate folders that never speak to each other.

Most small advisory firms get this backward. They buy a TCPA scrubbing tool, check a box, and assume the securities side is handled. It is not.

Before layering on the regulatory weight, it helps to be clear on what a cold call even is. See what is cold calling in sales.

What does the TCPA actually prohibit for financial advisor calls?

The Telephone Consumer Protection Act, codified at 47 U.S.C. 227, sets the federal floor for all outbound calling, no matter the industry. The statute bars callers from using "an automatic telephone dialing system or an artificial or prerecorded voice" to call a wireless number without the prior express consent of the called party [1]. That single clause drives most TCPA litigation against financial firms.

Here is what it means at the desk. If your team dials cell phones by hand, one at a time, from a plain handset or softphone with no autodialing built in, you sidestep the ATDS restriction. The definition of ATDS has bounced around since the Supreme Court's 2021 decision in Facebook v. Duguid (592 U.S. 395), which held that an autodialer must have the capacity to generate random or sequential numbers, not merely dial from a stored list [2]. Post-Duguid, predictive dialers pulling from a contact list sit in a grayer zone than before. Plenty of compliance attorneys still tell clients to treat any dialer touching cell phones as an ATDS until their own circuit settles the question. That is the safe read.

Time of day is the next lever. Calls to residential lines run only from 8 a.m. to 9 p.m. in the called party's local time. That is the federal floor. Some states clamp down tighter. For the full hours breakdown, see TCPA quiet hours: what times you can and cannot call or text.

Damages are $500 per violation for an unintentional call and $1,500 per violation if the court finds it was willful or knowing [1]. Those numbers apply per call, per text. A campaign of 10,000 bad calls does not produce one $1,500 fine. It produces exposure of up to $15 million.

The FCC's January 2024 one-to-one consent order tightened the written consent rules again. Consent now has to name a single seller, not ride along inside a lead-gen site's blanket authorization [3]. Advisors buying leads from aggregators have to confirm that each lead's consent names their firm by name.

What FINRA rules apply to cold calling and telemarketing?

FINRA has no rule titled "cold calling." Several rules together govern what a registered rep can say and do while soliciting.

FINRA Rule 3230 is the closest thing to a dedicated telemarketing rule. It requires member firms to keep an internal Do Not Call list, honor requests to be added to it within a reasonable time, check the National Do Not Call Registry before calling residential numbers, train personnel on those DNC duties, and document all of it [4]. The rule tracks the FTC's TSR in many spots but binds FINRA-regulated broker-dealers and their reps specifically.

FINRA Rule 2210 covers communications with the public, including oral solicitations. It leans heavily toward written materials, but examiners have applied its "fair and balanced" and "not misleading" standards to phone scripts. A script that pushes potential returns and stays quiet on risk is a Rule 2210 problem waiting to happen.

FINRA Rule 2010 requires members to "observe high standards of commercial honor and just and equitable principles of trade." It is the catch-all. FINRA reaches for it when conduct is clearly wrong but does not fit a narrower rule. Cold calling behind a deceptive pretext, hiding that you are calling for a broker-dealer, leaning on elderly investors with pressure tactics: all of that has drawn Rule 2010 sanctions.

Fines under FINRA's sanction guidelines run from a few thousand dollars for minor slips up to $310,000 per violation for serious misconduct, and FINRA can suspend or bar individuals on top of the money [5]. Those sanctions run alongside any TCPA exposure, not in place of it.

For the wider baseline before the FINRA specifics, the cold calling overview is a good start.

Key thresholds in FINRA, SEC, and TCPA cold calling compliance Numbers every financial advisor calling team needs to know 1,500 TCPA max fine per willful violation 310k FINRA max fine per violation 31 DNC scrub window (days) 5 Internal DNC retention (yea… FINRA) Source: 47 U.S.C. 227; FINRA Sanction Guidelines; FTC DNC Registry fee schedule, 2024

What SEC rules matter for cold calling by investment advisers (RIAs)?

SEC-registered investment advisers operate under the Investment Advisers Act of 1940. The SEC has nothing as specific as FINRA Rule 3230, but two areas create real obligations for RIA cold calling.

First, the anti-fraud provisions of Section 206 of the Advisers Act. They bar any device, scheme, or artifice to defraud a client or prospective client, and any practice that works as a fraud or deceit. A cold call that misstates the adviser's track record, credentials, or fees is a Section 206 violation whether or not it also breaks the TCPA [6].

Second, the Marketing Rule (Rule 206(4)-1, revised effective November 4, 2022). It governs how advisers advertise and solicit. The text centers on written and digital content, but the SEC has said performance claims made in any medium, phone calls included, fall under the rule. An adviser quoting hypothetical returns or a cherry-picked performance window on a cold call, with no required disclosures, is offside.

The SEC's Division of Examinations (the old OCIE, renamed in 2021) has repeatedly flagged weak supervision of marketing and solicitation in its exam priority letters [8]. If your firm keeps no record of how advisers pitch prospects by phone, that hole shows up in an exam.

State-registered RIAs carry the same TCPA obligations plus their state regulator's rules. Several states, California and Texas among them, run their own solicitation and telemarketing statutes on top of the federal layer.

How does the FTC Telemarketing Sales Rule interact with financial services calls?

The FTC's Telemarketing Sales Rule (TSR), codified at 16 C.F.R. Part 310, covers most outbound telemarketing that offers goods or services. Financial services calls are partly exempt, not fully.

The exemption at 16 C.F.R. 310.6(b) covers calls by financial institutions subject to the Gramm-Leach-Bliley Act [9]. Most broker-dealers and RIAs qualify. But it does not cover every call. If a firm places calls on behalf of a third party, or acts as a telemarketer for another entity, the exemption may fall away. Lead generators dialing for multiple advisers often do not qualify for the financial institution exemption at all.

Here is the trap. Even where the TSR exemption applies, the National Do Not Call Registry still binds financial advisors through a separate path: the TCPA and the FCC's rules require scrubbing the registry before calling residential numbers. The registry is more than a TSR obligation. Skipping registry scrubs because you think you are TSR-exempt is a mistake that has cost firms real money.

For how the TSR meets B2B calling and AI voice tools, see FTC Telemarketing Sales Rule, B2B calls, and AI voice in 2024 and what the telemarketing sales rule is designed to do.

What are the National Do Not Call Registry obligations for financial advisors?

Every firm calling residential numbers in the U.S. must register with the FTC's National DNC Registry and scrub its lists against it before dialing. The FTC charges for access. As of 2024 the fee is $75 per area code per year, the first five area codes are free, and the cap for all area codes is $20,987 [7].

Scrubbing has to happen no more than 31 days before the call. A list scrubbed 45 days ago is stale. People register new numbers on the DNC list all the time, so calling a number that signed up since your last scrub is a violation, full stop.

FINRA Rule 3230 mirrors this and requires member firms to access the registry at least every 31 days. The rule also requires an internal DNC list separate from the national registry. When a prospect tells your rep "please don't call me again," that number goes on your internal list and stays there for at least five years under FINRA's rule.

The TCPA's DNC safe harbor has four conditions: the firm has written DNC procedures, trains personnel on them, has accessed the national registry within 31 days, and did not knowingly call the number [1]. All four have to be true. Three out of four earns you nothing.

Cell numbers on the national DNC list get the same protection as landlines for manually dialed calls. Consent-based calls to cells run through the ATDS analysis described above, which is a separate question.

What is the TCPA established business relationship (EBR) exception and does it help financial advisors?

The TCPA's EBR exemption applies to residential landline calls. If a consumer bought from, inquired with, or applied to your firm within the past 18 months, you may call their residential number even when it sits on the national DNC Registry, as long as they have not asked you to stop [1].

For financial advisors this matters. A prospect who called your office three months ago to ask about your services has an established business relationship under the 18-month rule. An existing client has an EBR that refreshes with each transaction or contact. You can keep calling those residential numbers without re-scrubbing them against the DNC Registry, as long as the 18-month window stays open.

The EBR does not reach cell phones when you are using an ATDS. It is a DNC scrubbing exemption, not a consent substitute for autodialed calls to wireless numbers. Advisors confuse the two constantly and assume an EBR covers all their dialing. It does not.

The EBR also loses to a direct request. If someone with an active EBR tells your rep "take me off your list," that request kills the EBR protection for that number on the spot.

How do TCPA, FINRA, and SEC obligations compare side by side?

The table sums up the main obligations across the three frameworks for a typical outbound financial advisor call to a residential or cell phone prospect.

RequirementTCPA (FCC)FINRA Rule 3230SEC Advisers Act
DNC Registry scrubRequired, every 31 daysRequired, every 31 daysNo separate rule; FCC rules apply
Internal DNC listRequiredRequired, 5-year retentionBest practice; no standalone rule
Call time window8 a.m. to 9 p.m. local8 a.m. to 9 p.m. local (tracks FCC)No separate rule
Cell phone ATDS consentPrior express written consentNo separate rule; TCPA appliesNo separate rule
Script / content rulesNo deceptive practicesRule 2210 fair/balanced, not misleadingSection 206 anti-fraud
Supervision of callersNo standalone ruleRequired; must be documentedRequired; Rule 206(4)-7
Maximum fine per violation$1,500 (willful)$310,000Civil penalties vary; up to $10,000/day for ongoing violations
Private right of actionYesNoLimited

Watch the last row. That is what drives the litigation. The TCPA lets any individual consumer sue in federal or state court without waiting for the FCC to move. FINRA and SEC violations are enforced by the regulators themselves. That gap is why TCPA suits swamp FINRA and SEC enforcement actions for cold calling conduct by a wide margin.

For a broader baseline on cold call compliance before mapping it onto financial services, that article covers the fundamentals.

Autodialed or prerecorded calls to cell phones need "prior express written consent." The FCC's 2012 order (FCC 12-21) set the bar: the consumer signs a written agreement (electronic signatures count under the E-SIGN Act) that clearly authorizes calls from the specific entity using an ATDS, and the form cannot make consent a condition of buying a service [3].

For advisors, the practical path is a clear opt-in on your prospect form, your website contact form, or a lead-gen form. The language has to name your firm, disclose that automated calls may result, and state that consent is not required to receive services. A generic "contact me" checkbox with no ATDS disclosure does not clear the bar.

The FCC's January 2024 one-to-one consent order (FCC 24-17), effective January 2025, goes further. Consent obtained through a comparison shopping site or lead aggregator has to be specific to your firm, not a blanket authorization covering a roster of advisors [3]. If your leads came from a form that said "up to 15 financial advisors may contact you," that consent is likely dead under the new standard.

Manually dialed calls to cell phones need only prior express consent, not the stricter written form, and that consent can be oral. An existing client who gave you their cell number for account communications has given that consent implicitly in most circuits. Getting it in writing is still the better move.

Capturing consent at the right moment without turning the script into a legal disclaimer is a craft. See cold calling scripts for how compliant teams handle it.

What records do financial advisors need to keep for cold calling compliance?

Record-keeping is where small advisory firms fail audits and lose lawsuits. Good procedures are necessary. They are not enough. You have to prove you followed them.

Under FINRA Rule 3230, firms must keep records of their DNC procedures, training records, and the dates they accessed the national DNC Registry [4]. FINRA's books and records rules (Rules 4511 and 4513) require most business-related records to be kept at least three years, the first two in an accessible location [11].

Under SEC Rule 204-2 of the Advisers Act, RIAs must keep copies of written communications about recommendations made or proposed to advisory clients, plus solicitation records [10]. The SEC reads this broadly enough to pull in scripts, call logs, and prospecting materials.

The TCPA has no explicit record-keeping mandate in the statute. Litigation reality supplies one. Keep the date and time of each call, the number dialed, the caller ID used, the DNC scrub date for the list, any consent documentation for cell phone calls, and every internal DNC opt-out with the date received. Courts have handed summary judgment to plaintiffs when the firm could not produce this paper.

In practice, a CRM with call logging, a scrub history tied to each list export, and a consent management system for your digital opt-ins covers the major bases. If your reps work from a cold call script, version-control it and date it so you can show exactly what language was live at the time of any disputed call.

LeadCompliant's free compliance checklist includes a record-keeping template built around all three frameworks. Download it before your next FINRA exam cycle if you have not put your procedures in writing yet.

What do real enforcement actions against financial advisors look like?

Reading actual outcomes teaches more than reading the rule text for the hundredth time.

FINRA disciplinary actions on telemarketing and cold calling show up regularly in the regulator's public database. The patterns repeat. Reps who claim to be calling about a prize or survey to slip past a gatekeeper (Rule 2010). Firms that keep no internal DNC list, or cannot show they trained staff on it (Rule 3230). Supervisors who signed off on scripts carrying misleading performance claims.

On the TCPA side, financial services defendants land in class action complaints constantly. The theory almost never changes: the plaintiff alleges the firm used an ATDS to call a cell number on the DNC list or without consent. Settlements involving financial services companies have run from the low hundreds of thousands to well past $10 million, depending on the size of the campaign and whether the conduct was willful. The TCPA's private right of action, with no need to prove actual damages, is why the plaintiffs' bar loves it.

The SEC has brought Section 206 actions against RIAs for solicitation conduct, usually bundled with other fraud charges rather than as standalone cold calling cases [6]. The 2022 Marketing Rule revision raised the heat on how advisers represent performance across all communications, and the SEC has said it will examine for Marketing Rule compliance actively.

AI voice calls are the new front. In February 2024 the FCC declared that AI-generated voices in robocalls are "artificial voices" under the TCPA, which pulls them fully under the prior express written consent requirement for cell phones [3]. Any firm using voice AI to prospect has to treat those calls as robocalls, no exceptions. See AI cold calling for a current read.

How should a small financial advisory firm build a compliant cold calling process?

Small firms, say under 20 reps, often have no dedicated compliance officer and try to survive on a policy document nobody reads. That fails inspections and it fails in court. Here is what actually holds up.

Start with a written calling policy. It should cover call hours by state (some states are tighter than 8 to 9), your ATDS decision (manual dialing only, or if you use a dialer, exactly which system and whether it clears the post-Duguid standard), your DNC scrub schedule, how internal DNC requests get captured and who owns the list, and the consent language required before any cell number gets dialed.

Scrub every list before every campaign. Do not build a master list and scrub it once a quarter. Scrub the specific list for the specific campaign no more than 31 days before you dial. File the scrub certificate with the campaign record.

Train every rep before their first call. FINRA Rule 3230 requires it. The training does not have to be fancy. A 30-minute session covering what to say when someone asks not to be called again, what caller ID must show, which performance claims are allowed, and when to hand off to a supervising principal covers most firms. Take attendance.

Assign a supervising principal (a registered principal, under FINRA rules) to review scripts before use and approve any deviations. For RIAs, the chief compliance officer should review scripts under the written compliance policies Rule 206(4)-7 already requires.

B2B calls to businesses carry lighter TCPA rules, but not none. FINRA rules apply no matter who picks up, because you are a registered member firm either way. See B2B cold calling rules for how the framework shifts.

LeadCompliant's one-time compliance kit includes a DNC scrub log template, a consent capture form with FCC-compliant language, and a supervisor call review checklist built for financial services teams. A reasonable place to start if you are building from zero.

Pick a cadence for reviewing your procedures. Every time the FCC issues a significant order, and it has issued several in the past three years, your written policy may need a revision. Assign someone to track FCC and FINRA updates quarterly. That person needs a calendar reminder and access to FINRA's rule pages and the FCC's announcements, not a law degree.

Frequently asked questions

Do TCPA rules apply to FINRA-registered broker-dealers and RIAs?

Yes. The TCPA is a federal statute that applies to any person or entity making outbound calls or texts in the United States. Registration with FINRA or the SEC creates no exemption. Financial firms carry TCPA exposure alongside their FINRA and SEC duties, which means a compliant FINRA call can still be an illegal TCPA call if you used an autodialer on a cell phone without written consent.

Can a financial advisor call a cell phone without prior written consent?

Yes, if the call is made manually, with no ATDS or prerecorded voice. Prior express written consent is required only for autodialed or prerecorded calls to wireless numbers under 47 U.S.C. 227. Manual, live-agent calls to cell phones do not trip the ATDS consent requirement. DNC Registry rules still apply to those numbers, so a manual call to a listed cell can still violate the DNC rules.

What is FINRA Rule 3230 and what does it require for cold calling?

FINRA Rule 3230 is the telemarketing rule for broker-dealers. It requires firms to check the National DNC Registry before calling residential numbers, keep an internal DNC list, honor opt-out requests, train personnel on DNC duties, and document those procedures. Firms must access the registry at least every 31 days. Failure brings fines and sanctions separate from any TCPA liability.

What times can financial advisors call prospects?

The TCPA and FTC TSR both restrict residential calls to 8 a.m. to 9 p.m. in the called party's local time. FINRA Rule 3230 tracks that federal standard. Some states are stricter, restricting calls to 9 a.m. to 8 p.m. or similar. Apply the stricter of the federal and state rules for each state where the prospect sits.

How long does a financial advisor have to honor a Do Not Call request?

Under FINRA Rule 3230, a firm must honor an internal DNC request promptly and keep the number on its internal DNC list for at least five years. The TCPA's safe harbor also requires documented internal DNC procedures and prompt honoring of requests. Calling a number after receiving a DNC request is one of the most common fact patterns in TCPA litigation.

Does the established business relationship exception apply to financial advisor calls to cell phones?

No, not for autodialed calls. The TCPA's EBR exception exempts residential landline numbers on the National DNC Registry when the firm has done business with the consumer in the past 18 months. It does not substitute for the prior express written consent required for autodialed or prerecorded calls to cell phones. Advisors wrongly assume their existing client relationships cover cell phone dialing.

Are AI-generated voice calls treated the same as robocalls under the TCPA?

Yes. As of the FCC's February 2024 ruling, AI-generated voices in outbound calls count as 'artificial voices' under the TCPA. They require prior express written consent before calling a cell phone, exactly like traditional prerecorded robocalls. Financial firms using voice AI to prospect need written consent from every wireless number they plan to reach with that technology.

Can financial advisors buy leads from third-party aggregators and call them legally?

Yes, but the consent on those leads has to satisfy FCC standards. After the January 2024 one-to-one consent order (effective January 2025), consent obtained through a lead aggregator's comparison form must name your specific firm. Blanket consent authorizing contact by multiple advisers no longer works for autodialed or prerecorded calls to wireless numbers. Confirm the exact consent language the lead source used before dialing.

What records should a financial advisory firm keep for cold calling compliance?

Keep call logs with date, time, number dialed, and caller ID. Retain DNC scrub certificates tied to each campaign with the scrub date. Store all consent documentation for cell phone contacts. Log every internal DNC request with the date received. Retain scripts with version dates and supervisor approval records. FINRA requires most records for at least three years, with the first two in an accessible location.

What are the penalties for TCPA violations for financial services firms?

The TCPA provides statutory damages of $500 per violation for unintentional calls and $1,500 per violation for willful or knowing violations under 47 U.S.C. 227(b)(3). It carries a private right of action, so any recipient can sue without waiting for the FCC. Class actions against financial services firms have settled from hundreds of thousands to over $10 million when large call campaigns are involved.

Does B2B calling change the TCPA analysis for financial advisors?

Somewhat. TCPA cell phone consent requirements hinge on whether the number is wireless, not whether the recipient is a business or a consumer. Calling a business owner's personal cell for a B2B pitch still implicates the ATDS consent rules. FINRA and SEC conduct rules apply regardless of whether you are calling a retail prospect or an institutional counterpart.

The FCC's one-to-one consent order (FCC 24-17) took effect January 2025. It requires written consent for autodialed or prerecorded calls to wireless numbers to be specific to the individual seller, not a group of sellers on a comparison or lead-gen site. Advisors relying on aggregator leads must confirm the consent form names their firm before treating the lead as lawfully contactable by autodialer.

Do state-registered RIAs face different cold calling rules than SEC-registered advisers?

State-registered RIAs answer to their state securities regulator rather than the SEC for adviser conduct rules, but TCPA, FCC, and FTC rules apply uniformly regardless of registration tier. Some states, California, Texas, and Florida among them, run additional telemarketing statutes with their own call hour limits, DNC requirements, and registration obligations layered on top of federal rules.

What caller ID rules apply to financial advisor outbound calls?

The TCPA requires caller ID to transmit a number that, when called back, reaches the calling entity or a representative. FINRA Rule 3230 requires callers to identify the firm's name and phone number at the start of the call. Spoofing caller ID to display a false number is a separate federal crime under the Truth in Caller ID Act. Calls must display a legitimate, reachable number for your firm.

Sources

  1. Cornell Law School LII, 47 U.S.C. 227 (Telephone Consumer Protection Act): TCPA prohibits ATDS calls to wireless numbers without prior express consent; damages $500 unintentional, $1,500 willful; EBR exemption for residential DNC; 8 a.m. to 9 p.m. call hour restriction
  2. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): ATDS must have capacity to generate random or sequential numbers; dialing from a stored list alone does not qualify
  3. FINRA, Rule 3230 (Telemarketing): FINRA Rule 3230 requires DNC registry scrub every 31 days, internal DNC list, opt-out honoring, and personnel training
  4. FINRA, Sanction Guidelines: FINRA fines range up to $310,000 per violation for serious misconduct; suspension and bar also available
  5. SEC, Investment Advisers Act of 1940 Section 206 and Marketing Rule (Rule 206(4)-1): Section 206 prohibits fraudulent or misleading statements to prospective clients in any medium; Marketing Rule revised effective November 4, 2022
  6. FTC, National Do Not Call Registry: DNC Registry access fee is $75 per area code per year as of 2024; first five area codes free; maximum $20,987 for all area codes
  7. SEC, Division of Examinations (formerly OCIE): SEC Division of Examinations has flagged inadequate supervision of marketing and solicitation activities in exam priorities
  8. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR financial institution exemption at 16 C.F.R. 310.6(b); DNC Registry obligations remain binding through FCC rules even where TSR exemption applies
  9. SEC, Rule 204-2 under the Investment Advisers Act (Books and Records): RIAs must retain written communications relating to recommendations and solicitation records under Rule 204-2
  10. FINRA, Rules 4511 and 4513 (Books and Records): FINRA requires retention of business-related records for at least three years, first two years in accessible location

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit