A Practical Compliance Framework for Community Bank Investment Programs

FINRA Rule 4511, BSA-AML, KYC/CIP, CRA investment credit — what every community bank compliance officer needs to know.

Why Compliance Comes First in the Project Plan

The instinct of technology-led teams at community banks is to start an investment program build with the user experience: what will the account opening flow look like, how will portfolio reporting be presented, will there be a mobile app. These are legitimate questions that will eventually need answers. But the sequence matters. An investment program that launches with a polished member interface and a compliance framework that was assembled under time pressure is a program that will generate examiner findings, member complaints, and operational remediation costs within 18 months.

Community banks considering investment product programs face a compliance surface area that is broader than many technology vendors represent in their sales conversations. The regulatory framework is not a single rule set — it is a layered system that includes federal securities law, federal banking law, state securities law, FinCEN anti-money laundering regulations, FINRA rules, and the bank's own supervisory framework from the OCC or state banking regulator. Each layer has distinct documentation requirements, and the intersection of those requirements is where complexity lives.

This piece walks through the primary compliance obligations that a community bank compliance officer needs to address before, during, and after launching an investment program. It is organized around the four regulatory categories that generate the most examiner attention in practice: securities law compliance, BSA/AML integration, KYC and CIP documentation, and CRA investment credit considerations.

Securities Law: The Bank-Affiliated Broker-Dealer Framework

The Securities Exchange Act of 1934, as amended by the Gramm-Leach-Bliley Act in 1999, established a specific exemption framework that allows banks to engage in securities activities without registering as broker-dealers, subject to defined limits. Section 3(a)(4)(B) of the Exchange Act and the implementing rules at 17 CFR Part 247 (jointly adopted by the SEC and Federal Reserve) specify which securities activities a bank may conduct under the bank exemption and which activities trigger broker-dealer registration requirements.

For most community banks, the practical choice is between two models: the networking arrangement, in which the bank refers customers to a third-party registered broker-dealer and receives a referral fee, or the bank-affiliated broker-dealer model, in which a separately chartered broker-dealer affiliated with the bank holds FINRA membership. A third model — the investment adviser arrangement under the Investment Advisers Act of 1940 — applies if the bank or its affiliate is providing discretionary portfolio management rather than brokerage execution.

The networking arrangement is by far the more common choice for community banks under $2 billion in assets. Under FINRA Rule 3160, banks participating in networking arrangements must ensure that their investment activities are clearly distinguishable from FDIC-insured deposit taking, both physically (dedicated investment space, not the teller line) and in communications (required disclosures that investments are not bank deposits, not FDIC insured, not guaranteed by the bank, and may lose value). The FINRA/banking agency joint statement on retail nondeposit investment product sales (originally 1994, periodically reaffirmed) remains the authoritative guidance document for these disclosures.

Regulation Best Interest (Reg BI, SEC Rule 15l-1, effective June 2020) applies to broker-dealers and their associated persons making recommendations of securities to retail customers. If the bank's networking arrangement partner is a FINRA member broker-dealer making recommendations to bank customers, those recommendations must meet the Reg BI care obligation, conflict of interest obligation, and disclosure obligation — and the bank's compliance program needs to address how it monitors the third party's compliance with those obligations. The bank is not directly regulated under Reg BI, but it is accountable to its prudential regulator for the adequacy of its third-party oversight program.

BSA/AML Integration: The Monitoring Architecture Problem

The Bank Secrecy Act compliance framework for investment account cash flows requires careful integration planning with the bank's existing transaction monitoring system. Investment accounts create cash flow patterns that can superficially resemble the structuring or layering patterns that BSA/AML monitoring systems are designed to flag: repeated transfers of amounts just below reporting thresholds, movement of funds between multiple account types, periodic liquidations of securities positions.

The compliance officer at a community bank with approximately $840 million in total assets, preparing for the launch of an investment program, discovered during pre-launch testing that their transaction monitoring system was generating alerts on every transfer between a customer's checking account and their new investment account. The monitoring system had been configured to flag any transfer to or from an "external" account type above a defined threshold. The investment accounts, despite being held at an affiliated clearing firm, were being classified as external by the monitoring system. Reclassifying investment account transactions required changes to the monitoring system's account type mapping, documentation of the exception logic, and a review by the BSA officer before the revised configuration could be deployed to production.

This is a solvable problem, but it requires a formal change management process rather than a quick configuration fix. The revised monitoring rules need to be documented, approved by the BSA officer or BSA/AML committee, and retained as part of the bank's AML policy documentation. FinCEN's examination manual for securities broker-dealers provides a useful framework for thinking about investment account-specific transaction monitoring, even for banks using the networking arrangement model.

KYC and CIP Documentation for Investment Accounts

The Customer Identification Program requirements under 31 CFR §1020.220 establish minimum identity verification requirements for new account openings. For a community bank that already has an established CIP for deposit accounts, the question is whether the same CIP documentation can be relied upon for investment account opening, or whether a new CIP collection is required.

The answer depends on the investment account structure. Under a networking arrangement with a FINRA member broker-dealer, the broker-dealer's own CIP requirements (under SEC/FINRA rules 17a-8 and FINRA Rule 4512) apply to the investment account opening. Those requirements overlap substantially with the bank's CIP requirements — name, date of birth, address, taxpayer identification number — but the broker-dealer must independently satisfy itself that CIP was performed, either by completing its own CIP procedures or by relying on the bank's CIP under an explicit reliance agreement documented per 31 CFR §1020.220(d)(2). That reliance agreement must be in writing, the relied-upon party must be subject to AML program requirements under the BSA, and the relying party must obtain a certification from the relied-upon party confirming this.

FINRA Rule 4512 also requires brokers to collect and maintain suitability information that goes beyond identity: investment objectives, financial situation, risk tolerance, time horizon, and investment experience. This information, collected at account opening and maintained on a regular basis, forms the basis for the "customer-specific suitability" determination required under FINRA Rule 2111 (for suitability) and the enhanced obligations under Reg BI. The investment platform's account opening workflow must collect and store this information in a format that can be retrieved for examination and for any future suitability review.

CRA Investment Credit and Community Development Finance

The Community Reinvestment Act, as implemented by the OCC, Federal Reserve, and FDIC in their 2023 final rule, creates investment credit considerations for community banks that are distinct from those for credit unions. Banks subject to CRA examination can receive investment credit for qualified investments in community development entities, CDFI loan funds, and qualified opportunity zones — categories that overlap with certain fixed-income investment products that might be offered through a community bank investment program.

Fractional investment in community development bonds or CDFI-issued notes through an investment platform can, in some circumstances, generate CRA investment credit. However, the documentation requirements are specific: the investment must have community development benefit as its primary purpose, and the bank must be able to show this to examiners with contemporaneous records, not records reconstructed after the fact. Compliance officers should work with their CRA officer to evaluate which investment product categories in a proposed program would qualify for investment credit and ensure that the investment platform's reporting infrastructure can generate the required documentation.

We are not saying CRA investment credit is the primary justification for an investment program — it is not. We are saying that for community banks in CRA assessment areas with meaningful low-to-moderate income populations, the investment program represents an opportunity to contribute to CRA performance in the investment test category that is often underutilized by community institutions. It is a legitimate planning consideration, not a rounding error.

Building the Compliance Documentation Package

Examiners from the OCC, Federal Reserve, FDIC, and state banking regulators have become more sophisticated in reviewing investment program compliance at community banks over the past decade. The documentation that examiners expect to see includes: a written investment program policy approved by the board of directors; the networking arrangement or broker-dealer affiliation agreement; the required consumer disclosures (FINRA/banking agency joint statement format); the CIP reliance agreement; the BSA/AML transaction monitoring procedures specific to investment account cash flows; and a written supervisory plan for monitoring the third-party broker-dealer's compliance with its obligations to bank customers.

This documentation package takes time to assemble properly. Banks that have moved through investment program launches most smoothly are those that assigned the compliance documentation work to a named compliance officer in advance of the technology integration, rather than treating the documentation as something to complete after the platform is technically functional. A platform that is ready to process transactions but lacks a complete compliance documentation package cannot legally onboard customers — and the cost of a delayed launch is real, both in opportunity cost and in vendor relationship management.

Nothing in this article constitutes investment, regulatory, or legal advice. Regulatory guidance cited reflects publicly available materials; institutions should consult qualified legal and compliance counsel for guidance specific to their charter type, regulatory status, and business model.