FINRA filed its long-anticipated (and just plain long), 579-page proposal to consolidate Rules 3270 (Outside Business Activities) and 3280 (Private Securities Transactions) into a single new FINRA Rule 3290, “Outside Activities Requirements.” This will significantly affect how firms document, supervise (and litigate) outside activities. Here are some Compliance thoughts on how attorneys can advise broker-dealer clients on policy and procedure updates, and how plaintiff or defense can see litigation issues from a bulge-bracket Chief Compliance Officer’s perspective.
Plain English Rule 3290
- Replaces the current OBA/PST framework with a single regime focused on investment-related outside activities and outside securities transactions.
- Retains core prior-notice, assessment, and supervision concepts, but narrows coverage to higher-risk, investment-related outside activities while carving out low-risk categories.
- Defines outside *unaffiliated* investment adviser (IA) activity as an “outside activity” (notice and assessment only), eliminating the current expectation that broker-dealers (BDs) supervise and maintain books/records for unaffiliated IA business.
For litigators, that last point is a major shift in how “failure to supervise” arguments will look when the IA is unaffiliated.
Litigation Angles to Flag from a Compliance/Implementation Perspective
When reps are engaged in selling away or dual-hatted, and a dispute arises, several elements of Rule 3290 are central to liability, defenses, and expert analysis:
- Definition of “investment-related activity.” The proposed definition locks in financial assets – securities, crypto assets, commodities, derivatives, currency, banking, real estate, and insurance – as well as personal securities transactions (“buying away”), some mutual fund/529/variable annuity activity, and representation with another BD, IA, insurer, bank, FCM, CTA, CPO, etc.
- Notice and characterization obligations. Registered persons must give prior written notice of, and the firm must assess and confirm, investment-related outside activities. All associated persons must give prior written notice of outside securities transactions. The firm confirms whether the activity involves the rep’s customer, whether it will interfere with responsibilities, and whether it may be viewed as part of the member firm’s business. Plaintiff and defense will argue over the substance and the reasonableness of the firm’s check-and-challenge of what its reps disclose.
- Tiered obligations (acknowledge vs. approve vs. supervise), or “trust and verify, if you can…”
  - For outside activities (non-securities, but investment-related), the firm must assess and consider conditions/limitations but has no express duty to approve or supervise.
  - For outside securities transactions without selling compensation, the firm must promptly acknowledge in writing and may impose conditions but also has no approval or supervision requirement.
  - For outside securities transactions with selling compensation, the firm must make a reasonable determination to approve/approve with conditions/disapprove, notify the person in writing, record approved transactions on its books and records, and supervise “as if executed on behalf of the member.”
One can expect future litigation to turn on which tier applied and whether some activity was a true selling-compensation transaction that should have been on the firm’s blotter, with attendant requirements.
Compliance View on Risk and Defenses
Several structural changes in the proposal directly affect how attorneys and BDs should frame firm liability and customer expectations:
- Shift in customer-focus test. In response to comments, FINRA revised the assessment factor so that firms analyze whether the activity involves the customer of the registered person (not “the firm’s customer” more broadly), and whether customers or the public would view the activity as part of the member’s business. Does this narrow the universe of relationships that can support a “you should have known” argument? Does it provide for a stronger “reasonably designed procedures” defense? TBD…
- Exclusion for affiliate and certain contractual activity. All activity on behalf of an affiliate (including IA, insurance, or banking activity at an affiliate, and IA activity at a dually-registered BD/IA) is excluded from Rule 3290. For non-affiliates, activity performed pursuant to a contract with the member (e.g., bank/insurance networking arrangements) and conducted “on behalf of the member” is treated as within the scope of employment and not as an outside activity. This will matter when a failure-to-supervise argument turns on whether an affiliate or networked entity is “really” outside and unsupervised; the final rule text and supplementary material will be central to those arguments.
- Unaffiliated IA activities – no BD supervision required. FINRA explicitly acknowledges the privacy, data access, regulatory overlap, and litigation risk issues and eliminates the requirement that members supervise or keep records of outside IA activity conducted through unaffiliated IAs. The activity is treated as an outside activity (notice and upfront assessment only). For defense, this supports the old defense that a broker-dealer is not the default supervisor of unaffiliated IA conduct; for plaintiffs, customer harm, conflicts of interest, and red flags become the focus.
Crypto, Real Estate, and “Personal” Investments
The proposal also clarifies several recurring gray areas:
- Crypto assets. “Investment-related activity” includes crypto assets generally, but personal investments in non-security crypto (e.g., bitcoin) are expressly excluded from Rule 3290 – no notice, no approval. If the crypto asset is a security, personal transactions require prior written “notice and acknowledgement,” but no “approval” unless there is selling compensation. This distinction will be important where a claimant alleges undisclosed or harmful crypto activity: the main questions will be whether the item is a security and whether the rep was being compensated.
- Real estate. The rule carves out personal real estate transactions involving a main home and up to two secondary homes, subject to specific ownership structures. Beyond that, real estate can be squarely within “investment-related activity.” Disputes over rental pools, multi-member LLCs, or partial investment-use properties may turn on how closely they track the new rule’s exclusion language.
- Personal investments in non-securities. Personal investments in non-securities (including non-security crypto) are excluded from coverage, eliminating any notice or approval requirement for those holdings. For attorneys, this narrows the universe of “reportable” behavior and provides a defense against arguments that a firm should have policed the entirety of a rep’s private portfolio.
Compliance P&P Updates for Your BD Clients
For attorneys helping firms update policies and procedures:
- Re-tool outside activity questionnaires, forms, and workflows to track the new investment-related definition, capture crypto/currency/real-estate/insurance activities appropriately, and require the rep to flag actual or potential selling compensation.
- Build explicit characterization and escalation steps into written supervisory procedures and checklists. Compliance then documents how it may (re-)classify activities as an outside activity or an outside securities transaction, with or without selling compensation, and how it views the activity from the customer’s perspective as to whether the investment was “part of the firm.”
- Differentiate clearly between:
  - Activity on behalf of the member or an affiliate (excluded from Rule 3290 but still subject to ordinary supervision),
  - Contractual non-affiliate networking activity “on behalf of the member,” and
  - True outside, non-affiliate investment-related activity.
- Update IA-related provisions to reflect that unaffiliated IA business is notice/assessment only. Firms may limit or remove full BD-style supervision and books/records, but the firm must always address conflicts of interest, red-flag escalation, information-sharing limitations, and how the firm will respond to customer complaints arising from unaffiliated IA activity.
If you would like to discuss this or any case where an internal perspective on compliance would be helpful, don’t hesitate to call or book a meeting with Vega.
