In 2009, a man named Allen Stanford was arrested at his girlfriend's home in Virginia. He'd been running a $7 billion Ponzi scheme through certificates of deposit issued by an offshore bank in Antigua—a bank he happened to own. Stanford had been knighted by Antigua, sponsored international cricket tournaments, and cultivated an image of tropical respectability. Sophisticated investors handed him billions.
How did no one catch this earlier? Among other failures, the answer involves inadequate customer identification, insufficient due diligence, and a system that didn't ask enough questions about where the money was really going.
Every rule in this chapter exists because someone, somewhere, got burned. The paperwork you'll encounter when opening customer accounts isn't bureaucratic busywork—it's the financial industry's scar tissue from decades of fraud, money laundering, and exploitation.
Audio companion: a podcast-style episode covers both sections of Chapter 10, with a deeper dive into CIP, KYC, and suitability (AML thresholds, the three suitability components, and Reg BI's four obligations).
The New Account Form
Opening a brokerage account requires collecting specific information. The exam tests your knowledge of what's required versus what's merely helpful.
Required Information
The following must be obtained when opening a customer account:
- Name and residence (a P.O. Box alone is insufficient)
- Date of birth
- Social Security Number or Tax ID
- Citizenship or resident alien status
- Employment status and employer information
- Whether associated with another FINRA member firm
Suitability Information
Beyond basic identification, firms must gather information to make suitable recommendations:
- Financial situation — income, net worth, liquid net worth
- Investment objectives — growth, income, capital preservation, speculation
- Investment experience — knowledge level with different products
- Risk tolerance — how much volatility can they stomach?
- Time horizon — when will they need the money?
- Liquidity needs — how quickly might they need access to funds?
Customers can refuse to provide suitability information. If they do, the firm can still open the account, but the representative cannot make recommendations. Without knowing the customer's situation, there's no basis for determining what's suitable.
What's NOT Required
Test Tip: The exam loves to ask what's NOT required on new account forms. Remember: A customer signature is NOT required to open an account. Neither is the customer's investment knowledge level (though it's useful for suitability). Watch for questions that try to trick you into thinking a signature is mandatory.
Principal Approval
A principal must approve each new account. The timing depends on the type of trade:
- Solicited orders (recommended by the rep): Principal approval required before the first transaction
- Unsolicited orders (initiated by the customer): Principal approval must occur promptly after the transaction
Customer Identification Program (CIP)
The USA PATRIOT Act was passed in response to the September 11, 2001 terrorist attacks. Among its many provisions, it requires financial institutions to implement a Customer Identification Program (CIP).
Before the USA PATRIOT Act, opening a brokerage account was surprisingly casual. The 9/11 Commission found that some of the hijackers had opened accounts at major financial institutions with minimal verification. The CIP requirements exist to make the financial system a less hospitable place for terrorists and money launderers.
CIP Requirements
Firms must:
- Obtain identifying information — name, date of birth, address, identification number
- Verify identity — using documentary methods (government-issued ID) or non-documentary methods (checking databases, references)
- Compare against government lists — check if the customer appears on any terrorist watch lists
- Maintain records — keep identification records for 5 years after the account is closed
CIP records must be kept for 5 years after the account is closed—not 5 years from account opening. If an account is open for 20 years, you're keeping those records for 25 years total.
Know Your Customer (KYC)
Know Your Customer (KYC) goes beyond basic identification. It requires firms to use reasonable diligence to understand the customer's investment profile and to keep that information current.
KYC means understanding:
- The customer's financial situation
- Their investment experience and objectives
- Whether recommendations are suitable
- Any red flags that might indicate problematic activity
KYC evolved from the same regulatory wave that produced the Bank Secrecy Act and was dramatically strengthened after 9/11. But the core concept emerged from decades of scandals where brokers made recommendations to customers they knew nothing about—or worse, deliberately ignored red flags about suspicious customers to keep earning commissions. When firms don't know their customers, bad actors can use the financial system for laundering, fraud, or market manipulation.
Anti-Money Laundering (AML)
The Bank Secrecy Act established the framework for detecting and preventing money laundering in the United States. Financial institutions must implement AML programs that include:
- Written AML procedures
- Designation of an AML compliance officer
- Employee training
- Independent testing of the program
The Bank Secrecy Act was passed in 1970 when Congress realized organized crime families were using banks to launder cash from drug trafficking and illegal gambling. By requiring cash transaction reports, Congress hoped to create a "paper trail" that law enforcement could follow. Within two years, the BSA was invoked in the Watergate investigation—the scandal that gave "money laundering" its permanent place in our vocabulary. The $10,000 CTR threshold has remained unchanged since 1970 (worth about $80,000 in today's dollars), which is why regulators focus so heavily on "structuring"—criminals breaking transactions into smaller amounts to avoid reporting.
Suspicious Activity Reports (SARs)
A Suspicious Activity Report (SAR) must be filed when a firm detects potentially suspicious activity.
| Requirement | Details |
|---|---|
| Threshold | $5,000 or more in suspicious activity |
| Filing deadline | Within 30 calendar days of detection |
| Filed with | FinCEN (Financial Crimes Enforcement Network) |
| Customer notification | PROHIBITED — do NOT tell the customer |
Test Tip: Never tell a customer that a SAR has been filed. This is called "tipping off" and is prohibited. If a customer asks why certain transactions are being questioned, do not mention the SAR.
Currency Transaction Reports (CTRs)
Banks (not broker-dealers directly, but the banks they work with) must file Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000.
Monetary Instrument Logs (MILs)
A Monetary Instrument Log (MIL) must be maintained when a customer uses cash between $3,000 and $10,000 to purchase negotiable instruments such as:
- Cashier's checks
- Money orders
- Traveler's checks
| Report/Log | Threshold | What Triggers It |
|---|---|---|
| MIL | $3,000 - $10,000 | Cash purchase of negotiable instruments |
| SAR | $5,000+ | Suspicious activity |
| CTR | $10,000+ | Cash transactions (banks) |
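The three thresholds in the table above, plus the "structuring" pattern mentioned in the Bank Secrecy Act discussion, are easier to keep straight when applied to a small ledger. The following is an added example written for this page, not code from the chapter or from any regulator: it classifies each cash transaction against the MIL, CTR and SAR figures exactly as the chapter states them, then flags same-day cash from one customer that stays under the CTR line piece by piece but exceeds it in total. The customer names, instrument labels and amounts are constructed, and grouping by calendar day is this example's own simplification, not a rule the chapter states.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as the chapter states them (whole dollars, cash).
MIL_MIN = 3_000            # MIL: cash purchase of negotiable instruments, $3,000-$10,000
MIL_MAX = 10_000
CTR_OVER = 10_000          # CTR: cash transactions exceeding $10,000 (filed by banks)
SAR_MIN = 5_000            # SAR: $5,000 or more in suspicious activity
SAR_DEADLINE_DAYS = 30     # SAR: within 30 calendar days of detection

# Instrument names are this example's own labels, not regulatory codes.
NEGOTIABLE_INSTRUMENTS = {"cashiers_check", "money_order", "travelers_check"}


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: int   # cash amount in whole dollars
    kind: str     # "deposit" or one of NEGOTIABLE_INSTRUMENTS


def reports_for(txn):
    """Reports or logs a single cash transaction triggers on its own."""
    hits = set()
    if txn.kind in NEGOTIABLE_INSTRUMENTS and MIL_MIN <= txn.amount <= MIL_MAX:
        hits.add("MIL")
    if txn.amount > CTR_OVER:
        hits.add("CTR")
    return hits


def structuring_candidates(txns):
    """
    Same-day cash from one customer where every piece stays at or under the CTR
    line but the pieces together exceed it. Grouping by calendar day is a
    simplifying assumption of this example, not a rule stated in the chapter.
    Anything flagged here is above SAR_MIN by construction, so it is SAR
    review material for the compliance officer, not an automatic filing.
    """
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t.customer, t.day)].append(t)
    flagged = {}
    for key, group in by_key.items():
        total = sum(t.amount for t in group)
        if (len(group) > 1 and total > CTR_OVER and total >= SAR_MIN
                and all(t.amount <= CTR_OVER for t in group)):
            flagged[key] = total
    return flagged


def sar_deadline_iso(detected_on_iso):
    """SAR filing deadline: 30 calendar days after the day of detection."""
    detected = date.fromisoformat(detected_on_iso)
    return (detected + timedelta(days=SAR_DEADLINE_DAYS)).isoformat()


# Constructed sample ledger for the example (not real customers or amounts).
SAMPLE = [
    Txn("cust-A", date(2024, 3, 4), 4_500, "money_order"),
    Txn("cust-B", date(2024, 3, 4), 12_000, "deposit"),
    Txn("cust-C", date(2024, 3, 5), 9_800, "deposit"),
    Txn("cust-C", date(2024, 3, 5), 9_700, "deposit"),
    Txn("cust-D", date(2024, 3, 5), 2_000, "cashiers_check"),
]


def review(txns=SAMPLE):
    """Per-transaction hits and structuring candidates, keyed by plain strings."""
    per_txn = {f"{t.customer}/{t.day.isoformat()}/{t.amount}": sorted(reports_for(t))
               for t in txns}
    flagged = {f"{c}/{d.isoformat()}": total
               for (c, d), total in structuring_candidates(txns).items()}
    return per_txn, flagged


if __name__ == "__main__":
    per_txn, flagged = review()
    for key, hits in per_txn.items():
        print(key, ", ".join(hits) or "no report")
    for key, total in flagged.items():
        day = key.split("/")[1]
        print(f"structuring candidate {key}: same-day cash ${total:,}; "
              f"a SAR detected that day would be due by {sar_deadline_iso(day)}")
```

Two details worth noticing in the output: a $10,000 money order lands in the MIL range (the range is inclusive) but does not trigger a CTR (which needs a transaction exceeding $10,000), and cust-C's two sub-threshold deposits produce no per-transaction report at all, which is exactly why the aggregate view matters and why the chapter says regulators focus on structuring.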
Regulation S-P: Privacy Rules
Regulation S-P governs how financial institutions handle customer privacy. The "S-P" stands for "Safeguarding Personal" information.
Regulation S-P exists because of a trade-off Congress made in 1999. The Gramm-Leach-Bliley Act tore down the Depression-era walls between banks, securities firms, and insurance companies—allowing them to merge and cross-sell products. Great for consumers, but terrifying for privacy advocates: now your bank could share your financial information with affiliated brokerage and insurance arms. Consumer groups demanded protection. The result was Title V of the Act, which the SEC implemented as Regulation S-P in 2000. Every privacy notice you receive exists because Congress let the financial industry consolidate—and privacy was the price of admission.
Privacy Notice Requirements
Firms must provide customers with:
- Initial Privacy Notice — delivered at account opening, explaining:
  - What information is collected
  - How it will be used
  - With whom it may be shared
- Annual Privacy Notice — provided every year the account remains open
Opt-Out Rights
Customers have the right to opt out of having their information shared with non-affiliated third parties. However, they cannot opt out of information sharing with:
- Affiliated companies (within the same corporate family)
- Third parties processing transactions
- Regulatory agencies
Regulation S-P also includes the Safeguards Rule, requiring firms to protect customer information from unauthorized access. This means implementing security measures for both physical records and electronic data.
Trading Authorizations
Power of Attorney
A customer can grant another person authority over their account through a power of attorney:
| Type | Also Called | Authority Granted |
|---|---|---|
| Limited Power of Attorney | Trading Authorization | Trade in the account (no withdrawals) |
| Full Power of Attorney | Full Trading Authorization | Trade AND withdraw funds |
Discretionary Accounts
A discretionary account gives the representative authority to make trading decisions without consulting the customer for each transaction. This is a significant grant of trust—and one that has been abused.
Discretionary authority has been at the heart of numerous scandals. In the churning cases of the 1990s, some brokers made hundreds of trades per year in elderly clients' accounts—not because the trading strategy required it, but because each trade generated commissions. One notorious case involved 300 trades in a widow's account in a single year. That's why discretionary accounts have strict requirements.
Requirements for Discretionary Authority
- Written authorization from the customer is required
- The authorization form must be approved by a principal
- Each discretionary order must be identified as such when entered
- All discretionary orders must be reviewed by a principal on the day entered
What's NOT Discretionary
Test Tip: If a customer gives a representative authority over time and/or price only, this is NOT considered discretionary. Why? The customer has still decided what to buy or sell—they've just given the rep flexibility on execution. Example: "Buy 100 shares of Apple sometime today when you think the price is right" = NOT discretionary.
Discretion over asset, action, or amount = Discretionary account required
Discretion over time and price only = NOT discretionary (good for same day only)
Accounts for Employees of Other Firms
When opening an account for someone employed by another FINRA member firm, special rules apply to prevent conflicts of interest and ensure proper oversight.
Requirements
- Written notification — The employing firm must be notified in writing before or promptly after opening the account
- Duplicate statements — Upon request from the employer, duplicate account statements and confirmations must be sent to the employing firm
- Employer may refuse — The employing firm can instruct you not to open the account for their employee
Firms want to know if their employees are trading elsewhere. An employee with accounts at multiple firms might be front-running, manipulating markets, or engaging in other problematic behavior that would be harder to detect without consolidated oversight.
Summary & Key Points
New Account Requirements
- Required information: Name, address, DOB, SSN/TIN, citizenship, employment status
- Customer signature is NOT required to open an account
- Principal approval: Before first solicited trade; promptly after unsolicited trade
Customer Identification & AML
- CIP records: Maintained for 5 years after account closure
- SAR threshold: $5,000 suspicious activity, filed within 30 days, never tell the customer
- CTR threshold: $10,000 cash (banks)
- MIL threshold: $3,000-$10,000 cash for negotiable instruments
Privacy & Trading Authorizations
- Reg S-P: Initial and annual privacy notices; opt-out rights for non-affiliate sharing
- Discretionary authority: Requires written authorization and principal approval
- Time and price discretion: NOT considered discretionary
- Employee accounts: Require notification to employer; duplicate statements on request
Key Terms
- CIP: Customer Identification Program under USA PATRIOT Act
- KYC: Know Your Customer — understanding the client's profile
- SAR: Suspicious Activity Report — $5,000+ threshold
- CTR: Currency Transaction Report — $10,000+ cash
- MIL: Monetary Instrument Log — $3,000-$10,000 cash
- Regulation S-P: Privacy rules for customer information
- Discretionary Account: Rep can decide asset, action, or amount