Guides implementation of customer identification, due diligence, beneficial ownership collection, enhanced due diligence, risk rating, and KYC monitoring under FINRA Rule 2090, CIP, and FinCEN CDD Rule.
npx claudepluginhub joellewis/finance_skills --plugin compliance
Guide the implementation of customer identification, due diligence, and ongoing monitoring requirements under federal and FINRA rules. This skill covers CIP, CDD, beneficial ownership, enhanced due diligence, and profile maintenance — enabling a user or agent to design compliant onboarding and customer monitoring processes.
Every FINRA member must use reasonable diligence, with regard to the opening and maintenance of every account, to know and retain the essential facts concerning every customer and concerning the authority of each person acting on behalf of the customer. "Essential facts" are those required to: (a) effectively service the account, (b) act in accordance with any special handling instructions, (c) understand the authority of each person acting on behalf of the customer, and (d) comply with applicable laws, regulations, and rules.
Required under USA PATRIOT Act Section 326 and implementing regulations (31 CFR 1020.220 for banks; similar requirements apply to broker-dealers under SEC Rule 17a-8 and FINRA rules). The CIP must include:
FinCEN's CDD Rule (31 CFR 1010.230, effective May 2018) requires covered financial institutions to:
The 25% beneficial ownership threshold applies to legal entities (corporations, LLCs, partnerships). Certain entities are exempt: publicly traded companies, regulated financial institutions, government entities, and others listed in the rule.
Higher-risk customers require additional scrutiny beyond standard CDD:
EDD measures include: senior management approval for account opening, source of wealth/funds verification, more frequent account reviews, enhanced transaction monitoring, and ongoing negative media screening.
Documentary methods: Unexpired government-issued photo ID (driver's license, passport, state ID), documents showing formation of a legal entity (articles of incorporation, partnership agreement, trust instrument).
Non-documentary methods: Credit bureau inquiries, public database verification (LexisNexis, etc.), financial statement verification, references from other financial institutions. Required as a backup when documentary verification is unavailable or inconclusive, or when the customer is not physically present (e.g., online account opening).
Firms must use non-documentary methods in at least the following situations: (1) the customer opens an account without appearing in person, (2) the firm is not familiar with the documents presented, (3) other circumstances that increase risk.
KYC is not a one-time event. Customer profiles must be updated when:
FINRA does not mandate a specific refresh cycle, but firms typically establish risk-based review schedules (e.g., annual review for high-risk accounts, every 3 years for standard risk).
Investment advisers have a fiduciary duty to understand their clients, which creates KYC-like obligations independent of FINRA rules. Form ADV Part 2A describes the adviser's services and client relationships. The SEC expects advisers to gather sufficient information to fulfill their fiduciary duty of care — including financial situation, investment objectives, risk tolerance, and any constraints. FinCEN's 2024 final rule (31 CFR Part 1032, effective January 1, 2026) extends BSA/AML requirements — including CIP and CDD — to SEC-registered investment advisers.
Scenario: A wealth management firm opens a revocable living trust account for a family trust. The account opening team collects the trust agreement and identifies the grantor/trustee but does not collect beneficial ownership information on the trust beneficiaries. The trust holds $2M in investable assets.

Compliance Issues: Potential CDD Rule violation. While revocable living trusts are generally exempt from the beneficial ownership requirement (since the grantor maintains control), irrevocable trusts and other legal entity structures require beneficial ownership identification. The team must correctly classify the trust type. Additionally, FINRA Rule 4512 requires identification of all persons authorized to transact in the account.

Analysis: The firm should have a clear trust classification workflow that determines: (1) whether beneficial ownership requirements apply based on the trust type, (2) who has authority to act on the account, and (3) what documentation is required. For revocable trusts, identifying the grantor/trustee as the beneficial owner and control person is typically sufficient, but the firm should verify the trust is truly revocable and document the determination. The trust agreement must be reviewed — not just collected.

Scenario: A long-standing client retires at age 65 after 20 years at the firm. Her account profile still lists her investment objective as "aggressive growth," risk tolerance as "high," and annual income at $250,000. Post-retirement, her income drops to $80,000 (Social Security and pension) and she begins taking regular distributions from the account. No profile update is triggered.

Compliance Issues: Stale KYC data leading to potential suitability violations. The client's investment profile has materially changed — time horizon has shifted, income has declined, liquidity needs have increased (regular distributions), and risk capacity has decreased. Continued aggressive growth recommendations based on outdated profile data would likely violate suitability obligations.

Analysis: The firm should have systems that flag material life events (age milestones, distribution patterns, income changes) as triggers for KYC refresh. A representative who knows a client has retired but does not update the profile is failing the "reasonable diligence" standard of Rule 2090. Best practice: establish automated triggers (client turns 65, regular withdrawals begin, account balance drops significantly) and require profile confirmation at each periodic review.

Scenario: A broker-dealer receives an account application from a newly formed LLC registered in Delaware with a single listed owner who is a citizen of a jurisdiction flagged in a FinCEN advisory. The stated purpose is "general investing." The LLC provides articles of organization but limited information about the source of funds.

Compliance Issues: Multiple red flags requiring enhanced due diligence: newly formed entity, high-risk jurisdiction connection, limited transparency on source of funds, Delaware LLC (common in layering structures). Standard CDD is insufficient.

Analysis: The firm must: (1) complete standard CDD including beneficial ownership (25% owners and one control person), (2) escalate to enhanced due diligence given the risk factors, (3) verify source of funds and source of wealth, (4) conduct OFAC screening on all identified individuals, (5) obtain senior management approval before opening, (6) establish enhanced ongoing monitoring. The firm should also consider whether the limited information provided is itself a red flag warranting a SAR filing or account refusal. Simply accepting "general investing" as a purpose statement for a high-risk entity is insufficient.
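A small rule engine, added here as an example and not part of the skill or any firm's system, that turns the red flags from the LLC scenario and the life-event triggers from the retirement scenario into checks a firm could run over its customer records. The jurisdiction list, the two-flag escalation threshold, the 25% income-drop test and the three-of-six-months distribution test are constructed assumptions, not values from the rules cited above.

```python
from dataclasses import dataclass

# Constructed policy constants for this example, not from the skill or any regulator.
ADVISORY_JURISDICTIONS = {"XX"}   # placeholder; populate from current FinCEN advisories
VAGUE_PURPOSES = {"general investing", "investing", ""}

@dataclass
class Customer:
    customer_type: str                 # "individual" or "legal_entity"
    entity_age_days: int = 10_000
    owner_jurisdictions: tuple = ()
    source_of_funds_documented: bool = True
    stated_purpose: str = "retirement savings"
    age: int = 40
    profile_income: float = 100_000.0  # income on file from the last review
    current_income: float = 100_000.0  # income the firm knows about today
    withdrawal_months_last_6: int = 0  # months with a distribution
    objective: str = "moderate growth"

def edd_red_flags(c: Customer) -> list[str]:
    """Red flags from the LLC scenario; each one raises the risk rating."""
    flags = []
    if c.customer_type == "legal_entity" and c.entity_age_days < 365:
        flags.append("newly formed entity")
    if set(c.owner_jurisdictions) & ADVISORY_JURISDICTIONS:
        flags.append("owner tied to a FinCEN advisory jurisdiction")
    if not c.source_of_funds_documented:
        flags.append("source of funds undocumented")
    if c.stated_purpose.strip().lower() in VAGUE_PURPOSES:
        flags.append("vague stated purpose")
    return flags

def risk_rating(c: Customer) -> str:
    """Constructed threshold: two or more flags mean high risk, i.e. EDD and senior approval."""
    n = len(edd_red_flags(c))
    return "high" if n >= 2 else "medium" if n == 1 else "low"

def kyc_refresh_triggers(c: Customer) -> list[str]:
    """Life-event triggers from the retirement scenario that should force a profile review."""
    t = []
    if c.age >= 65:
        t.append("age milestone reached")
    if c.current_income < 0.75 * c.profile_income:
        t.append("income fell more than 25% below profile")
    if c.withdrawal_months_last_6 >= 3 and c.objective == "aggressive growth":
        t.append("regular distributions conflict with aggressive growth objective")
    return t
```

A high rating here only queues the account for the EDD steps listed in the analysis above; it does not replace the reviewer's judgment or the documented determination.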