Section 2 Function 2: Opens Accounts and Evaluates Customer Profiles

Customer identification, KYC, and AML compliance

30 min read · Lesson 2 of 5

About This Lesson

Every account from Chapter 3 comes with a second job: the firm must know exactly who it is doing business with, and be able to prove it. Two regimes divide the work. Identification and due diligence happen at the front door (CIP, KYC, beneficial ownership), and surveillance runs forever after (CTRs, SARs, and the AML program). The exam tests this chapter with numbers and with one behavioral rule, what you may never tell the customer, so collect the thresholds as you go.

What you'll cover

  • the Customer Identification Program under the USA PATRIOT Act, KYC under FINRA Rule 2090, and the FinCEN beneficial-ownership rule for legal entities
  • special situations: corporate insiders, broker-dealer employees opening outside accounts (Rule 3210), and Regulation S-P privacy duties
  • AML reporting: currency transaction reports, suspicious activity reports, the tipping-off prohibition, and structuring

This is the second chapter of the accounts module.

In this chapter
30 min · 6 concept checks
§1
Customer Onboarding: CIP, KYC & Special Accounts
~14 min · 2 checks
§2
AML Reporting: CTRs, SARs & Tipping-Off
~16 min · 4 checks
Summary
Exam Essentials
Exam-day review
Section 1 of 2 ~14 min · 2 concept checks

Customer Onboarding: CIP, KYC & Special Accounts

Customer Identification Program (CIP)

Under the USA PATRIOT Act, every broker-dealer must implement a written Customer Identification Program (CIP) to verify the identity of every customer who opens a new account. The CIP is the first line of defense against money laundering, terrorist financing, and fraud.

Individual customers
Natural persons
Name
Legal name
Date of birth
Required
Address
Residential street address (P.O. box alone insufficient)
ID number
SSN (U.S. persons) or taxpayer ID / passport (non-U.S.)
Entity customers
Legal entities
Name
Legal entity name
Date of birth
Not required — use date of formation instead
Address
Principal place of business
ID number
Employer Identification Number (EIN) or comparable foreign ID

The firm must verify this information using documentary (e.g., government-issued ID) or non-documentary (e.g., credit reports, public databases) methods. Verification must occur within a reasonable time after account opening — the firm may allow limited activity before verification is complete, but must have procedures to address verification failures.

Know Your Customer (KYC)

Identifying the customer is the floor, not the job. KYC requires the firm to understand the nature of the account and what the customer is likely to do with it. FINRA Rule 2090 frames it as a duty of reasonable diligence: know the essential facts about every customer and every account.

Essential facts include:

  • The customer's financial situation (assets, income, liabilities)
  • Investment objectives and risk tolerance
  • Investment experience and sophistication
  • The purpose and anticipated nature of the account
  • The source of funds being deposited

KYC information is collected at account opening and updated when material changes occur. A job loss, an inheritance, a retirement: each one obligates the firm to refresh the account profile, because stale information is how suitability violations happen.

KYC vs. CIP: CIP verifies who the customer is. KYC is about understanding what the customer does and why the account exists. Both are required, CIP under the PATRIOT Act and KYC under FINRA Rule 2090, and the exam likes to ask which rule imposes which duty.

Beneficial Ownership: The FinCEN CDD Rule

A corporation cannot launder money; the people behind it can. FinCEN's Customer Due Diligence (CDD) Rule therefore requires broker-dealers to identify and verify the beneficial owners of legal entity customers, the actual humans who own or control the entity.

For any legal entity customer (corporations, LLCs, partnerships, trusts), the firm collects information under two prongs:

  • Ownership prong: Every individual who owns 25% or more of the entity's equity
  • Control prong: At least one individual who has significant responsibility to control, manage, or direct the entity (e.g., CEO, CFO, managing member, general partner)

For each beneficial owner, the firm collects the same four CIP data elements: name, date of birth, residential address, and an identifying number (SSN or passport).

Why it matters: shell companies exist to hide the true owner. By forcing identification down to the human level rather than stopping at the entity, the CDD rule takes the standard money-laundering vehicle off the road, and the exam rewards you for knowing the 25% ownership prong cold.

Special Account Situations: Insiders and BD Employees

Corporate Insiders

Open an account for an officer, director, or 10%+ shareholder of a publicly traded company and the insider-trading rules walk in with them. The firm should obtain representations that the customer will follow all applicable trading restrictions, blackout periods, pre-clearance requirements, and Rule 10b5-1 plan requirements, and trades by insiders in their own company's securities fall under SEC Section 16 reporting.

Broker-Dealer Employees Opening Accounts at Other Firms

When a registered person at one broker-dealer opens a personal account at another, FINRA Rule 3210 layers on notification duties:

  • The employee must notify both their employing firm and the executing firm of their associated person status
  • The executing firm must notify the employing firm of the account upon request
  • The employing firm may request duplicate confirmations and statements
  • The goal is to detect trading violations, front-running, and undisclosed outside business activities
Regulation S-P: Privacy of Consumer Financial Information

Regulation S-P makes customer financial information the firm's responsibility to protect, and it tests as four requirements:

Initial privacy notice: delivered at account opening, describing what information is collected and how it may be shared.

Annual privacy notice: sent each year the customer relationship continues.

Opt-out right: customers must be given the chance to opt out of having their information shared with non-affiliated third parties, and the firm must honor the request.

Safeguards rule: firms must maintain written security policies protecting customer records from unauthorized access or use.
Concept Check

Under the FinCEN Customer Due Diligence (CDD) Rule, a broker-dealer must identify the beneficial owners of a new corporate account. At minimum, the firm must identify individuals who own what percentage of the corporation?

The FinCEN CDD Rule requires identification of any individual who owns 25% or more of the equity of a legal entity customer (the ownership prong). Additionally, at least one individual with significant control or management responsibility must be identified regardless of ownership percentage (the control prong). The 10% threshold applies to corporate insider trading rules under SEC Section 16, not to AML beneficial ownership.
Concept Check

A registered person at Firm A wants to open a personal brokerage account at Firm B. Under FINRA Rule 3210, which of the following is required?

FINRA Rule 3210 requires an associated person to notify both their employing member firm and the executing firm of their status as a registered person. Pre-approval is not required to open the account — only notification. The employing firm may then request duplicate confirms and statements from Firm B. This allows the employing firm to monitor for trading violations without requiring trade-by-trade pre-clearance.
Section 2 of 2 ~16 min · 4 concept checks

AML Reporting: CTRs, SARs & Tipping-Off

AML Reporting: CTRs and SARs

Two mandatory reports form the backbone of broker-dealer AML compliance. Knowing the thresholds, timing, and what triggers each is heavily tested.

Currency Transaction Report (CTR)
Filed with FinCEN
Triggered by cash transactions exceeding $10,000 in a single day
Multiple transactions by the same person on the same day are aggregated
Filing is automatic — no suspicious activity required
Must be filed within 15 days of the transaction
Suspicious Activity Report (SAR)
Filed with FinCEN
Triggered when a transaction involves $5,000+ and the firm suspects illegal activity
Can be for any amount if the activity is sufficiently suspicious
Must be filed within 30 days of detecting suspicious activity (60 days if no suspect is identified)
Tipping off the customer that a SAR has been filed is prohibited
Smurfing (structuring): Breaking up transactions into amounts below $10,000 specifically to avoid CTR filing is itself a federal crime called structuring. A customer who deposits $9,500 on Monday and $9,000 on Tuesday at the same institution is likely structuring — this activity should trigger a SAR regardless of the individual transaction amounts.
Interactive: AML Three Stages Sorter
Score: 0 / 9
📱 Tap a chip to select it, then tap a stage to place it.
Drag or tap each scenario into the correct money laundering stage
Placement
Getting dirty money into the financial system
Layering
Obscuring the trail through complex transactions
Integration
Re-entering funds as legitimate income
The SAR Tipping-Off Trap

One of FINRA's favorite AML questions tests the prohibition on "tipping off": a registered person is prohibited from telling the customer that a SAR has been filed or is being considered, even when the customer asks point-blank. The correct response to "Did you file a suspicious activity report on me?" is to neither confirm nor deny.

A second reliable trap: the CTR threshold applies to cash transactions specifically. Wires, checks, and electronic transfers never trigger a CTR, though they can trigger a SAR if suspicious. And structuring, breaking transactions below $10,000 to dodge the CTR, is itself a crime and triggers a SAR obligation regardless of transaction size.
Concept Check

A broker-dealer receives a $12,000 cash deposit from a customer. Which of the following actions is the firm required to take?

A CTR is required for cash transactions exceeding $10,000 in a single day and must be filed with FinCEN within 15 days. The CTR is automatic — no suspicion is required. A SAR is not automatically required simply because a transaction exceeds $10,000; a SAR is required only if the activity is suspicious. Filing both is not correct unless there are also suspicious circumstances.
Concept Check

A customer makes three separate cash deposits of $4,000 each at the same broker-dealer on the same day, using different teller windows. How should the firm treat these transactions for CTR purposes?

Multiple cash transactions by the same person at the same institution on the same day are aggregated for CTR purposes. Three $4,000 deposits = $12,000 total, which exceeds the $10,000 threshold and requires a CTR. The activity also looks like potential structuring, which could additionally warrant a SAR — but the primary required filing here is the CTR based on the aggregated amount.
Concept Check

A registered representative notices that a long-time customer has begun making frequent small wire transfers to foreign accounts, a pattern inconsistent with the customer's known business activities. The rep files a SAR. The customer later calls and directly asks whether the firm has reported any activity on their account. The rep should:

Federal law prohibits tipping off a customer that a SAR has been or may be filed. The rep must neither confirm nor deny the filing — this applies to everyone at the firm, including compliance staff. Confirming a SAR could allow the subject to destroy evidence or evade law enforcement. Denying the filing would be a false statement. The only correct response is to avoid the topic entirely.
Concept Check

A broker-dealer is required to file a Suspicious Activity Report (SAR) when it detects a suspicious transaction. The SAR must be filed within how many days of detecting the suspicious activity?

FinCEN requires broker-dealers to file a SAR within 30 calendar days of detecting a suspicious transaction. If no suspect can be identified, the filing deadline extends to 60 calendar days. Importantly, the broker-dealer must NOT notify the customer that a SAR has been filed — this prohibition on tipping off the subject is a key compliance rule. Currency Transaction Reports (CTRs), by contrast, must be filed within 15 days for cash transactions over $10,000.
Summary Exam Essentials — high-yield review

Chapter Summary

Ch 4 Exam Essentials — Customer Identification, KYC, and AML

  1. CIP minimum requirements: Name, date of birth, address, and identifying number (SSN for U.S. persons; passport/tax ID for foreign persons) must be collected before or shortly after account opening.
  2. CTR vs. SAR: CTR — cash transactions over $10,000 filed within 15 days; no suspicious activity required. SAR — suspicious transactions; filed within 30 days (60 if no suspect). Never tip off the customer.
  3. Three stages of money laundering: Placement (introducing dirty cash), layering (moving funds to obscure trail), integration (re-entering economy as legitimate funds).
  4. Beneficial ownership: FinCEN CDD rule requires identifying each natural person owning 25%+ of a legal entity customer, plus one control person. Applies to corporations, LLCs, and partnerships.
  5. Reg S-P (privacy): Firms must provide initial and annual privacy notices to retail customers; customers may opt out of sharing with non-affiliated third parties. Safeguard customer information.
Previous Next
Practice what you just learned

Test yourself with exam-style questions on this topic.

Practice Questions