Day‑0 Compliance: The 12 Documents That Stop “We’ll Fix It Later” From Killing Your Brokerage Launch
Launching a brokerage (or prop firm) is usually framed as a tech and liquidity problem. In reality, your first operational failure is often a missing policy: someone approves a high-risk client, accepts a third-party deposit, or can’t explain a withdrawal hold.
This post is a Day‑0 “document pack” checklist: the minimum set of policies and procedures you should have written, owned, and operationalized before you take your first client. Requirements vary by jurisdiction—treat this as general guidance and confirm with your legal/compliance advisors.
1) Your “Day‑0” policy pack: what it is (and what it isn’t)
A Day‑0 pack isn’t a 200-page binder built for an auditor you won’t see for 12 months. It’s a usable operating system: documents your team can follow on day one, with clear decision points, escalation paths, and evidence trails.
Aim for:
- Short + enforceable: if a procedure can’t be followed in your CRM/backoffice, it’s not a procedure.
- Named owners: every policy needs an accountable role (e.g., MLRO/Compliance Officer, Head of Operations).
- Controls + proof: each rule should produce an artifact (case note, approval log, screenshot, report export).
A practical benchmark: if you can’t answer “who approved this, why, and where is it recorded?”, your Day‑0 pack isn’t complete.
2) Client onboarding & KYC procedures (the workflow document you’ll use daily)
This is the policy your support and onboarding teams will touch most. It should define what you collect, when you verify, and when you block—not just list documents.
Include:
- Customer acceptance policy: who you do/don’t onboard (jurisdictions, prohibited categories, age, entities you can’t service).
- KYC/verification steps: identity, address, and (where applicable) source of funds/wealth—plus what triggers re-checks.
- Corporate onboarding: UBO thresholds, director verification, corporate document list, and how you handle complex ownership.
Make it concrete with examples:
- “If the client’s country is high-risk or the client is a PEP → Enhanced Due Diligence (EDD) case → MLRO approval required before deposits.”
- “If address can’t be verified → account stays read-only; no withdrawals until resolved.”
Operational tip: your onboarding policy should map 1:1 to CRM statuses (e.g., New → KYC Pending → KYC Approved → EDD → Rejected), so your team isn’t improvising.
3) AML/CFT, sanctions & transaction monitoring (the rules that protect your banking)
AML/CFT documentation is often “copied and pasted” at launch—and that’s a fast way to lose payment rails later. Your Day‑0 goal is a risk-based program that matches how you actually take deposits, route trades, and pay withdrawals.
Your core AML/CFT set typically includes:
- AML/CFT Policy: scope, governance, roles (MLRO), risk-based approach, and reporting obligations.
- Sanctions/PEP screening procedure: when you screen (onboarding, periodic, before payout), what lists/tools you use, and how you resolve matches.
- Transaction monitoring procedure: what you monitor (deposit/withdrawal behavior, third-party activity, rapid in/out, unusual volumes), alert handling, and case documentation.
Don’t forget the “money movement” edge cases:
- Third-party deposits/withdrawals (usually restricted or tightly controlled)
- Chargebacks and disputed card deposits
- Crypto deposits (if offered): confirmations, wallet risk scoring, and source-of-funds expectations
Write escalation rules in plain language: what gets frozen, what gets reviewed, and who can override.
4) Client money, payments & withdrawals (where most disputes start)
Even if your jurisdiction doesn’t impose a specific client money regime, you still need internal rules for segregation, reconciliations, and withdrawal controls—because clients, PSPs, and banks will ask.
Your Day‑0 pack should include:
- Client funds handling policy: segregation approach (if applicable), permitted accounts, and who has access.
- Deposits & withdrawals SOP: cut-off times, verification steps, name matching, and approval thresholds.
- Reconciliation procedure: daily/weekly cadence, discrepancy handling, and evidence storage.
Add “friction points” upfront so they’re defensible later:
- When you can request additional source-of-funds evidence
- When you can delay a withdrawal (e.g., compliance review, chargeback risk, sanctions match)
- How you handle negative balances, fees, and reversal scenarios
Practical control: define a two-person rule for high-value withdrawals (maker/checker), even if you’re small. It’s cheaper than one bad payout.
5) Trading conduct, risk disclosures & platform governance (align policy with your actual execution)
This section prevents the gap between what you say and what your platform does. Whether you’re a broker (execution, leverage, margin) or a prop firm (challenge rules, payouts), you need written rules that match your dealing/risk setup.
Broker-focused documents to consider:
- Order execution & best execution policy (where applicable): execution venues, slippage handling, rejected orders, and how you review execution quality.
- Margin/leverage & stop-out policy: margin call thresholds, liquidation rules, weekend/holiday margin changes.
- Conflicts of interest policy: how you manage dealing conflicts, incentives, and IB relationships.
Prop firm-focused documents to consider:
- Challenge rules & evaluation policy: pass/fail criteria, drawdown definitions, prohibited strategies (if any), and dispute handling.
- Payout policy: profit split, payout schedule, review checks, and what can trigger a hold.
Operational tip: if you use a risk backoffice (e.g., exposure monitoring, A/B book routing, dealing rules), document who can change risk settings and how changes are approved and logged.
6) Data protection, record keeping & audit readiness (make “proof” automatic)
Early-stage firms underestimate how quickly they’ll need to produce evidence: a bank onboarding questionnaire, a PSP audit, a regulator query, or a client complaint.
Minimum Day‑0 documents:
- Privacy notice + data protection policy: what you collect, why, retention periods, and data subject rights (check local regulations, especially if you serve EU/UK clients).
- Record keeping & retention policy: what you store (KYC, comms, transactions, approvals), where, and for how long.
- Access control & incident response procedure: role-based access, admin activity logging, breach escalation, and customer notification steps.
Make it operational:
- Define where the “system of record” lives (CRM, ticketing, backoffice).
- Require case notes for overrides (KYC approvals, withdrawal exceptions, pricing/execution disputes).
- Schedule a monthly export/reporting routine so you can answer questions fast.
7) Complaints, marketing, and third parties (the overlooked risk multipliers)
These policies don’t feel urgent—until they are. A single affiliate campaign or influencer post can create compliance exposure if your marketing rules aren’t clear.
Day‑0 essentials:
- Complaints handling procedure: intake channels, timelines, categorization, investigation steps, and final response templates.
- Marketing & promotions policy: approval workflow, required risk warnings, prohibited claims, and affiliate/IB content rules.
- Third-party/vendor due diligence: onboarding PSPs, liquidity providers, KYC vendors, call centers—plus periodic reviews and contract minimums.
Two “launch week” controls that save pain:
- A single marketing approval queue (no ad goes live without sign-off and archived evidence).
- A vendor register with owners, renewal dates, and the data each vendor touches.
The Bottom Line
A Day‑0 document pack is less about paperwork and more about repeatable decisions: who you onboard, how money moves, how risk is controlled, and how you prove it.
Start with a tight set of policies that map to real workflows in your CRM, payments, and risk stack—then review and iterate as volumes grow and regulations change.
If you want your Day‑0 processes to be enforceable in the systems your teams actually use, Brokeret can help you operationalize onboarding, controls, and reporting—start here: /get-started.