KYC & Client Records: Your Practical Guide to Documenting, Filing and Retaining Files

Introduction — Hook + Friendly definition

You already know KYC (Know Your Client) matters — but do you know exactly what records you must create, how they must be maintained, and why regulators will insist on them during a review? KYC is more than a questionnaire; it is the foundation of suitability and the central piece of a complete client file.

Definition (exact): "KYC (Know Your Client) | Documented information about a client’s identity, financial circumstances, investment objectives, risk tolerance and relevant investment experience used to support suitability."

This article breaks down what to document, how to file and how long to keep client records so you can demonstrate compliance with NI 31-103 and the Client-Focused Reforms (CFRs).

Core Concepts (Recall) — Must-know facts

• Registrants must create and retain a complete account file that includes: KYC information, account opening documentation and signed relationship disclosure, order memoranda, trade confirmations, client statements and periodic performance reports, position records and any pledging or loan documentation.
• Maintain complete, time-stamped and linked client files that show KYC, suitability documentation, order memoranda, trade confirmations, statements and performance reports.
• Order memoranda must be created contemporaneously at order entry and preserved with timestamps and audit trails (IIROC guidance emphasizes this).
• The typical statutory retention period in Canada is commonly seven years from the end of the client relationship, consistent with the Client-Focused Reforms and NI 31-103.
• Electronic systems must preserve immutable timestamps, searchable indexing and exportable formats so records can be reconstructed and produced promptly.

Detailed Analysis (Understand) — The Why and the How

Why records matter

• Robust record-keeping creates an audit trail that supports suitability decisions, client communications and dispute resolution. Failures increase compliance, supervisory and client-service risk.
• Regulators (IIROC/CSA) expect registrants to be able to reconstruct who did what and when; that reconstruction depends on linked documents (KYC → order memorandum → confirmation → statement).

How to build a compliant file

• Create documents at the right time (order memoranda contemporaneous with order entry). Keep them linked and indexed so a reviewer can follow the decision chain. IIROC guidance identifies specific elements essential for reconstruction and supervision; see CIRO guidance on the Content of Books and Records.
• Preserve electronic audit trails. Systems must keep timestamps, user IDs and immutable logs so trade history and supervisory notes are reconstructable.
• Implement a practicable retention schedule and legal-hold procedures aligned with CFRs and NI 31-103. The CFRs increase obligations on documenting KYC, suitability, conflicts and relationship disclosure; see the Client Focused Reforms — Publication of Final Amendments to NI 31-103.

Key terms (exact definitions)

• "Order memorandum | A contemporaneous record of an instruction or order (including time of entry, terms and communications) enabling reconstruction of why and how an order was placed and executed."
• "Trade confirmation | Written confirmation sent to a client that sets out executed trade details; personnel identifiers may be coded with names available on request."
• "Position record | The ledger or system record showing securities and other investments held for a client and the location of those holdings."
• "Retention schedule | A firm policy specifying how long each document type must be retained, triggers for retention periods and procedures for disposal or legal hold."
• "Audit trail | A chronological record showing who did what and when, enabling reconstruction of transactions, decisions and supervisory reviews."
• "CFRs (Client‑Focused Reforms) | Amendments to NI 31‑103 and related instruments that enhance obligations on KYC, KYP, suitability, conflicts and relationship disclosure."

Resources and templates

• Use firm templates and practical forms to standardize files; CIRO provides useful Forms and Templates. Review the RULES and practical attachments such as ATTACHMENT D for implementation detail.

Practical Application — Real-world scenarios for professionals

1. Dealer onboarding example: You store the signed account opening form, completed KYC questionnaire and the client’s signed margin agreement together in the client file. That makes the suitability and margin authorization immediately available when reviewing later trades.

2. Margin account reconciliation: Keep the client’s signed margin agreement, record the dollar balance and security positions subject to margin, and ensure the client statement clearly shows money balances and the segregation or custody status of securities so internal records and client statements reconcile.

3. Regulatory production drill: If IIROC or CSA requests records, produce a time-ordered trade history, confirmations and the KYC file in a coordinated package that shows supervisory review. Your electronic system should enable quick export and searchable retrieval.

4. Aggregated reporting: If you provide portfolio-level reporting with client consent, retain the underlying trade‑level and valuation records explaining the aggregated figures so a regulator can review calculations and valuations.

Key Takeaways — Summary for the CIRE exam and practice

• Treat record-keeping as evidentiary, not clerical: contemporaneous order memoranda and supervisory notes are critical.
• Keep files linked: KYC → order memorandum → confirmation → statement → position record.
• Retain records commonly seven years from the end of the client relationship and document legal-hold procedures.
• Ensure electronic systems preserve timestamps, audit trails, searchable indexing and exportability.
• Document remediation, supervisory actions and training required by the CFRs to show controls are effective.

Follow these practices and you'll turn a pile of documents into a defensible, compliant client file — and be well prepared for both regulatory review and the CIRE exam.