FINRA Proposed Rule 3290: Consolidation and Modernization of Outside Activities Oversight

On January 14, 2026, FINRA filed SR-FINRA-2026-001 with the U.S. Securities and Exchange Commission, proposing to adopt FINRA Rule 3290 (Outside Activities Requirements). If approved, Rule 3290 would replace FINRA Rules 3270 (Outside Business Activities) and 3280 (Private Securities Transactions) with a single, consolidated framework governing registered persons’ outside activities.

The proposal represents a meaningful recalibration of FINRA’s approach to outside activities supervision that reflects both the evolution of business models and regulators’ increasing emphasis on risk-based, outcomes-focused oversight.

Summary of the Proposal

Consolidation of Existing Requirements

Rule 3290 would eliminate the current bifurcation between “outside business activities” and “private securities transactions,” instead establishing a unified standard for evaluating outside activities that may present risk to investors or firms.

Under the proposal:

• The distinction between OBAs and PSTs would be removed.
• Firms would no longer be required to analyze activities through two separate regulatory constructs.
• Supervision would be driven by the nature, risk, and impact of the activity rather than its formal classification.

FINRA’s stated objective is to reduce unnecessary complexity and compliance burden while maintaining robust investor protection.

Notice and Firm Assessment Framework

The proposed rule would continue to require prior written notice from registered persons for certain outside activities. However, the focus shifts from broad disclosure to targeted firm assessment.

Firms would evaluate outside activities based on factors such as whether the activity:

• Involves compensation (direct or indirect);
• Is investment-related or securities-related;
• Involves customers or potential customers of the firm;
• Interferes with the registered person’s responsibilities; and
• Creates conflicts of interest or reputational risk.

Only activities that present elevated or identifiable risk would require approval, heightened supervision, or conditions.

Emphasis on Risk-Based Supervision

A central feature of Rule 3290 is its explicit embrace of risk-based supervisory judgment. Rather than requiring uniform treatment of all disclosed activities, the proposal allows firms to:

• Tailor supervisory responses to the risk presented;
• Focus resources on activities that could harm investors or the firm;
• De-emphasize immaterial or low-risk personal activities.

This reflects a clear regulatory expectation that firms will exercise (and document) reasoned supervisory discretion, rather than rely on mechanical checklists.

Exclusions and Scope Considerations

While the proposal contemplates exclusions for certain low-risk activities (e.g., personal investments without compensation or customer involvement), FINRA emphasizes that exclusions will be principles-based, not categorical. Firms remain responsible for evaluating whether an activity, even if generally low risk, presents unique concerns in context.

What This Signals in the 2026 Regulatory Landscape

The Rule 3290 proposal aligns with broader regulatory trends expected to shape 2026:

• Streamlining Without Deregulation
  The proposal does not lower standards. Instead, it reallocates regulatory focus toward activities that meaningfully implicate conflicts, investor protection, and firm oversight.
• Shift Toward “Why” Over “Whether”
  Regulators are increasingly less interested in whether an activity was disclosed and more interested in why a firm permitted it, how it assessed risk, and how it supervises it.
• Consistency with SEC Exam Priorities
  The proposal mirrors the SEC’s emphasis on governance, supervision, and conflict management, particularly where compensation and customer relationships intersect.
• Political Environment Favoring Regulatory Efficiency
  In the 2026 political climate, regulators are under pressure to demonstrate effectiveness without unnecessary regulatory drag. Rule 3290 reflects that balance.

What Compliance Professionals Can Start Thinking About Now

Although Rule 3290 remains in the proposal stage, it sends a clear signal about future expectations. Compliance teams at impacted firms can begin preparing by focusing on the following areas:

1. Reassessing Outside Activity Inventories

Firms should consider whether current OBA/PST tracking captures meaningful risk, or merely volume. Identifying low-value disclosures now can inform future policy refinement.

2. Strengthening Risk Assessment Rationales

Supervisory decisions should be supported by clear, documented reasoning. Firms should ask whether they can readily explain:

• Why an activity is permitted;
• Why it requires (or does not require) heightened supervision; and
• How conflicts are mitigated.

3. Evaluating Policy Flexibility

Policies written narrowly around Rules 3270 and 3280 may require restructuring. Firms can begin assessing whether their frameworks are adaptable to a consolidated, principles-based rule.

4. Training Supervisors for Judgment-Based Oversight

Rule 3290 reinforces the need for supervisors who can identify risk indicators and exercise discretion, not simply process forms.

Conclusion

FINRA’s proposed Rule 3290 is best understood not as a technical rule change, but as a directional shift. It signals a regulatory environment in 2026 that prioritizes risk, judgment, and defensible supervision over exhaustive disclosure for its own sake.

For compliance professionals, the takeaway is clear: firms that invest now in clearer risk frameworks, stronger supervisory reasoning, and flexible policies will be best positioned, both for eventual implementation and for ongoing regulatory scrutiny.

Compliance Risk Concepts is continuing to monitor the proposal closely and will provide further guidance as the rulemaking process advances.