Customer Screening and Privacy
Every time a new client sits across your desk, you are not merely evaluating a portfolio; you are acting as the immediate gatekeeper to the United States financial system. The regulatory framework treating customer screening and privacy is born from a fundamental premise: anonymous capital is dangerous capital. Whether an individual is moving millions of dollars across borders or simply opening a small brokerage account for a dependent, the securities industry demands precise identification, diligent screening, and strict safeguarding of their subsequent data. As a registered representative, you must balance two seemingly contradictory roles—aggressively uncovering the truth about your client’s identity and affiliations, while simultaneously acting as an absolute fortress protecting that same information from the outside world.
We begin with the basic mechanics of bringing a human being into the financial system. For decades, the industry operated on intuition, but modern finance demands rigid, verifiable frameworks. When opening an account, you are subject to two parallel rulesets: the industry-specific standards of FINRA and the federal anti-money-laundering mandates of the U.S. government.
Know-Your-Customer (KYC)
FINRA Rule 2090 governs the Know-Your-Customer obligations for broker-dealers. The core of this rule is a simple but exacting standard: the broker-dealer must use reasonable diligence to ascertain and retain the essential facts concerning every customer.
What makes a fact "essential"? Under the Know-Your-Customer rule, essential facts include the information required to effectively service the customer account and to understand the authority of each person acting on behalf of the customer. You must know who actually holds the power to trade, wire funds, and alter the account. If a corporation opens an account, you must ascertain the corporate resolution detailing exactly which human beings are authorized to act.
Customer Identification Program (CIP)
While KYC ensures you know enough to service the client, the USA PATRIOT Act ensures you know who the client actually is. Section 326 of the Act requires financial institutions, broker-dealers included, to establish a written Customer Identification Program (CIP): risk-based procedures for verifying the identity of any person seeking to open an account, to the extent reasonable and practicable.
Customer Identification Program rules dictate that, strictly prior to opening an account, a broker-dealer must obtain four specific pieces of data:
- The customer's full name
- The customer's date of birth
- A physical address
- An identification number
The Address Requirement: A post office box is not an acceptable physical address for Customer Identification Program verification purposes for standard domestic customers. You cannot prove physical residency with a locked steel drawer in a post office. However, the law accommodates those serving the country: an Army Post Office (APO) box or a Fleet Post Office (FPO) box is an acceptable physical address for military personnel under Customer Identification Program rules.

The Identification Number: For a U.S. citizen, the identification number for Customer Identification Program purposes is a taxpayer identification number (TIN) or Social Security number (SSN).

A non-U.S. person opening an account must provide one or more of the following: a taxpayer identification number; a passport number and country of issuance; an alien identification card number; or the number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

The SSN Exception: What if a domestic client has applied for a Social Security Number but has not received it yet? A broker-dealer's CIP may permit opening the account if the firm confirms that the application was filed before the account was opened (for example, by obtaining the customer's receipt of the application) and obtains the number within a reasonable period of time after the account is opened.
The Lifespan of Records
Information is useless to regulators if it is discarded immediately. Broker-dealers must retain records on a strict timeline:
- Records describing the documents relied on to verify a customer's identity (e.g., the type of document, any identification number, place of issuance, and any issue and expiration dates of a driver's license), together with the verification methods used and their results, must be retained for five years after the record is made.
- Records of the identifying information obtained from a customer (the data itself) must be retained for five years after the account is closed.
Once you know who the client is, you must ensure they are legally permitted to interact with the U.S. financial system.
Within a reasonable time after account opening, a broker-dealer must determine whether a customer appears on any federal government list of known or suspected terrorists or terrorist organizations. In practice, the primary list checked is the Specially Designated Nationals and Blocked Persons list (SDN), maintained by the Office of Foreign Assets Control (OFAC). Because OFAC updates the SDN list continually, this is not a one-time check at onboarding: the firm must rescreen its existing customer base against list changes.
U.S. persons are strictly prohibited from conducting financial transactions with individuals or entities on the Specially Designated Nationals list. If a customer's name appears on this list, you do not simply reject their business and ask them to leave. The regulations require aggressive action:
- A broker-dealer must block the transaction.
- A broker-dealer must freeze the assets of the individual.
- A broker-dealer must report blocked (and rejected) transactions to OFAC within 10 business days.

Certifying Residency for Taxation
A secondary but equally vital part of international screening is tax status. The IRS requires broker-dealers to accurately apply tax withholding based on residency.
- U.S. persons opening U.S. brokerage accounts must complete IRS Form W-9 to certify the provided taxpayer identification number is correct.
- Foreign persons opening U.S. brokerage accounts must complete IRS Form W-8BEN (individuals) or Form W-8BEN-E (entities) to certify foreign status for tax withholding purposes.
The financial system is vulnerable not just to external actors, but to those operating from within. As you screen a customer, you must aggressively probe their employment and affiliations.
Associated Persons and Rule 3210
FINRA Rule 3210 governs accounts opened by associated persons of a broker-dealer at another financial institution. If a registered representative works at Firm A but wants to open an account at Firm B, there is an inherent risk of insider trading, front-running, or hiding risky behavior.
Therefore, an associated person must obtain prior written consent from their employing broker-dealer before opening a securities account at another broker-dealer.
The obligations run in more than one direction. Before opening the account, the associated person must also notify the executing broker-dealer (Firm B) in writing of his or her association with the employing broker-dealer (Firm A). The executing broker-dealer, in turn, must transmit duplicate trade confirmations and duplicate account statements to the employing broker-dealer upon its written request.
The Beneficial Interest Rule: You cannot sidestep Rule 3210 by opening the account in a family member's name. The requirement to obtain employer consent applies to any account in which the associated person has a beneficial interest. Under the rules, an associated person is legally presumed to have a beneficial interest in an account held by a spouse or an account held by a dependent child.
Who else does this apply to? Regulators hold themselves to the exact same standard. Employees of the Financial Industry Regulatory Authority (FINRA) must follow the same account opening consent rules as associated persons of a broker-dealer.
Exemptions to Rule 3210: Why do we monitor outside accounts? To prevent front-running, insider trading, and other improper trading. Where a product's price cannot be influenced by an individual representative's trading, the monitoring adds nothing. Therefore, prior written consent from an employing broker-dealer is not required if the account is limited exclusively to transactions in:
Corporate Insiders
During the account opening process, a broker-dealer must identify whether a new customer is a corporate insider of a publicly traded company.
A corporate insider, for purposes of Section 16 of the Securities Exchange Act of 1934, is a director, an officer, or a beneficial owner of more than 10 percent of any class of a publicly traded company's registered equity securities. Insiders are presumed to have access to material, non-public information, so the SEC restricts their trading activities to level the playing field for the public.
Two critical restrictions apply to corporate insiders:
- No Shorting: Corporate insiders are prohibited from executing short sales on the stock of the company the insider is affiliated with. (An insider betting against their own company creates a perverse incentive to drive the company into the ground).
- No Short-Swing Profits: Corporate insiders are prohibited from retaining short-swing profits. Short-swing profits are profits realized by an insider from a purchase and sale (or a sale and purchase) of the company's stock within a period of less than six months. If an insider captures a profit in this window, the profit is recoverable by the corporation, regardless of whether the insider actually used inside information.

Once you have meticulously extracted a client's identifying data, affiliations, and tax records, you possess a highly sensitive dossier. Regulation S-P governs the treatment of this nonpublic personal information (NPI) by financial institutions.
To comply, Regulation S-P requires financial institutions to establish written policies and procedures to protect customer records and information (the Safeguards Rule). Nonpublic personal information under Regulation S-P includes obvious identifiers like a customer's Social Security number, but it also fundamentally includes a customer's account balances and transaction history. Amendments adopted by the SEC in 2024 add a written incident response program, including notice to affected individuals no later than 30 days after the firm becomes aware that their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Consumers vs. Customers
To understand when and how privacy disclosures must be delivered, you must understand the legal distinction Regulation S-P makes between a "consumer" and a "customer."
| Entity | Definition | Privacy Notice Requirement |
|---|---|---|
| Consumer | An individual who obtains a financial product or service for personal, family, or household purposes (e.g., someone who uses a broker-dealer's ATM once). | Only required to receive an initial privacy notice if the firm intends to share the consumer's information with nonaffiliated third parties. |
| Customer | A consumer who has an ongoing relationship with the financial institution (e.g., someone who opens a brokerage account). | A broker-dealer must provide a privacy notice at the time the customer relationship is established, and provide an updated privacy notice on an annual basis (the annual notice is excused while the firm shares NPI only under the rule's exceptions and its privacy practices have not changed since the last notice). |
The Right to Opt Out
If a broker-dealer wishes to monetize or share a client's data, the rules are rigid. A broker-dealer may not disclose nonpublic personal information to nonaffiliated third parties unless the customer is provided with a reasonable opportunity to opt out.
Regulation S-P does not fix a single deadline, but it gives 30 days from delivery of the opt-out notice as an example of a reasonable opportunity to opt out, and 30 days is the figure the industry treats as the standard.
Furthermore, the opt-out mechanism for information sharing must be easy for the customer to use. What does "easy" mean in a regulatory context?
- A check-off box on a reply form is considered a reasonable opt-out method.
- A toll-free telephone number is considered a reasonable opt-out method.
- Requiring a customer to write a physical letter is not considered a reasonable opt-out method under Regulation S-P. You cannot build intentional friction into a privacy right.
Exceptions to the Opt-Out Rule
There are two vital operational exceptions where nonpublic personal information can be shared without offering the client an opt-out window:
- Internal Affiliates: Regulation S-P allows broker-dealers to share nonpublic personal information with affiliated third parties (e.g., a bank sharing data with its affiliated brokerage arm) without providing an opt-out opportunity.
- Transaction Execution: A broker-dealer is permitted to disclose nonpublic personal information to nonaffiliated third parties if the disclosure is necessary to complete a customer-requested transaction (e.g., passing clearing data to a third-party clearinghouse to settle a trade). The system must be allowed to function mechanically.
Mastering these protocols ensures that when a client sits at your desk, you successfully act as both the investigator who protects the integrity of the market, and the vault that protects the integrity of the client.