State Broker-Dealer Registration and Conduct

To meet the state broker-dealer registration and conduct requirement, you must register the firm and each in-scope agent in every state where you “transact business” as a broker-dealer, then operate under each state’s added conduct and supervision rules on top of SEC/FINRA obligations. Build a state-by-state licensing matrix, hard controls that block unregistered activity, and an evidence trail that matches how you solicit, sell, and supervise. (Uniform Securities Act § 401)

Key takeaways:

• Registration is state-by-state and stacks on top of SEC and FINRA registration. (Uniform Securities Act § 401)
• “Transacting business” risk is operational: marketing, solicitation, order-taking, and customer location drive where you must be registered. (Uniform Securities Act § 401)
• The fastest path to operationalization is a jurisdictional coverage map, CRD workflows, and preventative controls that stop activity before it occurs.

State “blue sky” broker-dealer requirements are easy to misunderstand because they don’t replace federal or FINRA rules; they add another layer. The operational failure mode is also predictable: the business expands distribution, digital marketing, or remote sales coverage faster than licensing, and the compliance program finds out later through an exam request, a customer complaint, or a terminated rep’s U5.

The Uniform Securities Act framework makes the baseline clear: it is unlawful to transact business in a state as a broker-dealer unless registered under that state’s securities act, and states can impose conduct and supervision obligations that go beyond federal baseline expectations. (Uniform Securities Act § 401) Practically, your job is to (1) know where you are doing broker-dealer business, (2) register the firm and agents where required through CRD, and (3) implement supervisory and conduct controls that actually work in those jurisdictions.

This page translates that requirement into an execution checklist a CCO or GRC lead can stand up quickly, including a state-by-state decision workflow, evidence to retain, and exam-ready questions to pressure test your program.

Regulatory text

Regulatory excerpt (provided): “It is unlawful for any person to transact business in a state as a broker-dealer unless the person is registered under the state's securities act, and broker-dealers must comply with state-specific conduct, supervision, and net capital requirements.” (Uniform Securities Act § 401)

Operator interpretation (what you must do):

1. Do not conduct broker-dealer activity in a state unless the firm is registered in that state. Your controls must prevent “we’ll register later” activity. (Uniform Securities Act § 401)
2. Register individuals (agents) where required. Firm registration without properly registered agents still creates exposure. (Uniform Securities Act § 401)
3. Run your supervisory and conduct program to the strictest applicable state standard. States may add enhanced supervision, state-specific disclosures, and heightened suitability expectations; you need a method to identify and implement those deltas. (Uniform Securities Act § 401)

Plain-English requirement

If your firm (or anyone acting for your firm) solicits, takes orders, recommends securities, or otherwise does broker-dealer business connected to a given state, you should assume state registration may be required for both the broker-dealer entity and the individual agent. State rules sit on top of SEC and FINRA registration, and they can vary materially between jurisdictions. (Uniform Securities Act § 401)

Who it applies to

Entities

• Broker-dealers (including firms already registered with FINRA/SEC that operate across state lines). (Uniform Securities Act § 401)
• Firms adjacent to broker-dealer activity that may inadvertently “transact business” (for example, financial institutions distributing securities products through broker-dealer channels). (Uniform Securities Act § 401)

Operational contexts that commonly trigger state exposure

• Remote sales teams and hybrid work (agents physically located in one state, customers in another).
• Digital acquisition (state-targeted ads, webinars, landing pages, and inbound lead flows).
• Referral programs and third-party finders where the line between referral and solicitation gets blurry.
• New product launches where distribution changes faster than licensing.

What you actually need to do (step-by-step)

Step 1: Define “where we transact business” for your firm

Build a practical decision rule that the business can follow. Start with a conservative baseline:

• Customer location and solicitation location: track where prospects/customers are located and where the agent is located when soliciting.
• Activity types: recommendations, order-taking, account opening, and compensated solicitation should be treated as broker-dealer activity triggers.

Artifact: “State Transacting Business Decision Standard” (one page) that defines triggers and who decides edge cases. Tie it to a documented escalation path to Compliance/Legal. (Uniform Securities Act § 401)

Step 2: Create a state-by-state registration and conduct matrix

You need a living matrix that answers, per state:

• Is the firm registered/approved to do broker-dealer business?
• Are agents registered, and which agents are approved for that state?
• Are there state deltas you must operationalize (extra disclosures, heightened suitability expectations, supervision requirements)? (Uniform Securities Act § 401)

How to keep it real: Don’t treat this as a spreadsheet that no one updates. Assign an owner, set a change-control process, and require the matrix to be referenced in go-to-market approvals.

Tooling note: Most teams end up stitching together CRD status, HR rosters, and sales territory data. Daydream can reduce the manual work by acting as the system of record for third-party and distribution-channel compliance artifacts, mapping “where we operate” to “where we’re registered,” and generating exam-ready evidence packages from the same underlying controls.

Step 3: Operationalize CRD workflows with hard stops

States generally expect registration through the CRD system for broker-dealers and agents. (Uniform Securities Act § 401) Operationalize this with:

• Pre-hire / onboarding licensing gates: no customer-facing access until required state eligibility is confirmed.
• Territory assignment controls: sales ops cannot assign a state unless the agent is registered there.
• Marketing geo-controls: state targeting and distribution lists must align to approved states.

Hard-stop examples (high impact):

• CRM rule: cannot move an opportunity to “proposal” unless the state is marked “approved.”
• Account-opening workflow: blocks submission for non-approved state combinations.
• Call recording / dialer: prevents outbound campaigns into non-approved states.

Step 4: Implement state-specific conduct and supervision deltas

The requirement is not only “be registered.” States may impose additional conduct and supervision requirements, including enhanced supervision obligations, specific disclosure requirements, and heightened suitability standards. (Uniform Securities Act § 401)

Practical approach:

• Pick a standard taxonomy for deltas: disclosures, suitability, supervision, advertising/communications review, complaint handling, books and records.
• Map deltas to supervisory procedures: update WSPs with a “State Addendum” section per topic.
• Train to the delta: role-based training for agents, principals, marketing reviewers, and customer service.

Step 5: Register and control third parties that create state exposure

Third parties can create “transact business” risk through referral, solicitation, call center support, or marketing distribution. Treat these as distribution-channel controls, not generic vendor risk.

• Require contract clauses that prohibit solicitation into non-approved states.
• Require lead source transparency: where did the lead come from, and what state is the lead in?
• Monitor for “shadow solicitation” by affiliates or marketing partners.

Step 6: Ongoing monitoring and change management

Your program breaks during change. Put simple triggers in place:

• New state expansion plans (business review required).
• New remote work states for agents.
• Marketing campaign launches and new channels.
• M&A, acquisitions, or onboarding new producing teams.

Monitoring outputs:

• Exceptions log (who, what state, what happened, remediation).
• Periodic reconciliation between CRD status and active sales activity by state.

Required evidence and artifacts to retain

Keep evidence that proves both registration status and preventative controls:

Registration and licensing

• CRD filings/confirmations for firm state registrations. (Uniform Securities Act § 401)
• Agent registration rosters by state, with effective dates and any conditions. (Uniform Securities Act § 401)
• Internal approvals for state expansions and agent state coverage.

Supervision and conduct

• Written Supervisory Procedures (WSPs) with a state addendum/delta mapping. (Uniform Securities Act § 401)
• Training materials and completion logs tied to state deltas.
• Advertising/communications reviews, including state-targeted campaign approvals.

Operational controls

• CRM/account-opening hard-stop configurations (screenshots, configuration exports, change tickets).
• Territory assignment rules and access controls.
• Exception logs and remediation evidence.

Third party controls

• Contracts/SOWs for marketing/referral partners with state-scope restrictions.
• Due diligence notes confirming how third parties source and target leads.

Common exam/audit questions and hangups

Expect examiners/auditors to test whether your program prevents unregistered activity, not whether you can describe it.

Common questions

• “Show me how you determine which states require registration for your activities.” (Uniform Securities Act § 401)
• “Provide a list of states where the firm is registered and the agents registered in each.” (Uniform Securities Act § 401)
• “How do you block a rep from soliciting in a state where they are not registered?”
• “What state-specific conduct requirements have you identified, and where are they documented in WSPs?” (Uniform Securities Act § 401)
• “Show evidence for review/approval of state-targeted advertising.”
• “What happens when an agent moves to a new state or begins covering a new territory?”

Hangups that trigger deeper review

• Manual spreadsheets with no owner or change control.
• “We rely on reps to know where they’re registered.”
• No link between licensing status and the systems reps actually use (CRM, dialer, account opening).

Frequent implementation mistakes (and how to avoid them)

1. Mistake: Defining “state coverage” only by office location.
   Avoidance: build rules based on customer location, solicitation activity, and agent location; document them and enforce them in workflows. (Uniform Securities Act § 401)

2. Mistake: Treating state registration as a one-time project.
   Avoidance: add change triggers (new campaigns, new states for remote work, new products) and require compliance sign-off.

3. Mistake: Firm registered, agents not registered.
   Avoidance: maintain a single roster that ties agent identity, role, and state approvals to system access.

4. Mistake: WSPs mention “comply with states” with no operational delta mapping.
   Avoidance: maintain a state delta register tied to procedures, training, and marketing review checklists. (Uniform Securities Act § 401)

5. Mistake: Third parties drive solicitation without compliance scope limits.
   Avoidance: contract restrictions, lead-source controls, and monitoring for state-targeted outreach.

Enforcement context and risk implications

The statutory baseline is strict: transacting business as a broker-dealer in a state without registration is unlawful. (Uniform Securities Act § 401) Even without citing specific public cases here, the risk pattern is consistent:

• Regulatory risk: state securities regulators can open investigations based on complaints or examinations; multi-state footprints compound exposure.
• Customer harm framing: if suitability/disclosures are implicated, registration failures get treated as supervision failures, not paperwork issues.
• Operational risk: unregistered activity forces remediation (customer outreach, reversals, disciplinary action, rep terminations) and disrupts revenue.

Practical execution plan (30/60/90-day)

Use this as a fast operational rollout. The durations are labels for sequencing, not promises.

First 30 days (stabilize and stop the bleeding)

• Name a single owner for state registration coverage and agent state eligibility.
• Inventory: where customers are located, where agents sit, where you market.
• Draft and publish the “Transacting Business Decision Standard.” (Uniform Securities Act § 401)
• Stand up an exceptions log and a single intake channel for state-coverage questions.
• Put interim controls in place: manual pre-approval for any new state outreach.

Days 31–60 (build repeatable workflows)

• Build the state-by-state registration and conduct matrix; link it to CRD status artifacts. (Uniform Securities Act § 401)
• Implement system gates in CRM/account opening/territory assignment for state approval.
• Update WSPs with a state delta register and ownership.
• Add third-party contract language for state scope and solicitation restrictions.

Days 61–90 (harden supervision and evidence)

• Roll out role-based training on state deltas and escalation paths. (Uniform Securities Act § 401)
• Run a reconciliation: actual activity by state vs registered coverage; remediate gaps.
• Test evidence production: can you produce an exam packet per state within a business day?
• Automate reporting dashboards for state exposure, exceptions, and registration status drift (Daydream can centralize artifacts and produce audit-ready packages without rebuilding binders each cycle).

Frequently Asked Questions

Do we need state registration if we’re already registered with FINRA/SEC?

Often yes. State broker-dealer registration requirements layer on top of FINRA and SEC registration, and you should plan for state-by-state coverage where you transact business. (Uniform Securities Act § 401)

What counts as “transacting business” in a state for broker-dealer purposes?

The Uniform Securities Act framework makes registration depend on transacting business in the state, so treat solicitation, recommendations, and order-taking tied to that state as likely triggers. Document your internal decision standard and require escalation for edge cases. (Uniform Securities Act § 401)

Do individual agents have to be registered in each state too?

Yes, you should expect agent registration obligations in each applicable state, not only firm registration. Your controls should tie agent state approvals to CRM/account-opening access. (Uniform Securities Act § 401)

How do we handle remote reps who move states mid-year?

Treat a rep move as a change-management event. Require HR-to-Compliance notification, pause new outreach in the new state until eligibility is confirmed, and keep evidence of the review and any CRD actions. (Uniform Securities Act § 401)

Our marketing third party runs geo-targeted ads. How does that affect state registration?

Marketing and lead-gen can create state exposure if they generate or support solicitation into states where you are not registered. Contract for state-scope limits, require campaign approvals tied to your state matrix, and monitor inbound lead states before sales follow-up.

What evidence do examiners actually want to see?

They typically want proof of state registrations, agent registrations, and the supervisory controls that prevent unregistered activity, plus documentation of state-specific conduct deltas in procedures and approvals. Keep CRD confirmations, rosters, WSP addenda, and system control evidence. (Uniform Securities Act § 401)