Compliance Requirements for New Forex Brokers: What You Need Before Going Live

Most new forex and CFD brokers treat “going live” as a technical milestone — the MT5 server is provisioned, the website is up, the CRM is wired in, the payment channel works. That’s real progress, but it isn’t the whole launch.

Clients logging in and placing trades is the easy part to demonstrate. The harder question — the one banks, EMIs, liquidity providers, payment partners, platform vendors and regulators each ask in their own way — is whether the broker can operate in a controlled, documented and auditable manner. That question is why compliance belongs in the architecture before the first client deposit, not bolted on afterward. KYC, AML, client classification, risk disclosure, website content, CRM records, MT5 group configuration, bridge and LP connectivity, reporting and incident monitoring are not separate checklists; they are one operating model that has to hold together.

Company and Business Structure

The first layer is corporate structure, and it needs to tell one coherent story. The registered entity, the trading brand on the website and platform, the domain owner, the contracting party in the client agreement, the account that receives deposits and the MT5 server name should all point back to the same business. A broker that signs clients under one company, brands the site as another, takes funds into a third party account and runs its server under yet another name will spend the onboarding process answering avoidable questions.

This isn’t only a legal concern. Banks, EMIs, LPs, bridge providers and platform vendors all read the structure as a signal of how the business is run. When it’s unclear, projects stall even when the technology is finished.

Licence or Registration Positioning

A common and costly mistake is treating a company registration as if it were a financial licence. It isn’t. Depending on jurisdiction and model, a project might sit anywhere along a spectrum — an offshore registered company, a licensed investment dealer or regulated broker, an introducing broker, a proprietary trading firm, a technology provider, a marketing entity, or a group that separates operating, technology and payment functions into distinct entities.

Each position carries different obligations. A regulated broker may face capital requirements, a compliance officer, regulatory reporting, client money rules and product governance. An introducing broker holds no client funds but still needs clean disclosure and referral documentation. A technology provider can supply MT5 hosting, CRM or bridge integration without ever presenting itself as the licensed broker — and should be careful not to.

The positioning also shapes what each counterparty scrutinises: a bank looks at source of funds and transaction flow, an LP at licence status, risk model and execution setup, a regulator at client protection and marketing, and a platform vendor such as MetaQuotes at entity verification and business purpose. There’s no single correct structure. What matters is that the choice is deliberate and documented.

KYC and AML

KYC exists to answer three questions: who is this client, are they eligible to trade, and does the account carry money laundering, sanctions or fraud risk. In practice that means identity and address verification, nationality and date of birth, beneficial ownership checks on corporate accounts, sanctions and PEP screening, source of funds checks where required, risk scoring, document expiry monitoring, periodic review, and clear escalation rules for high risk clients.

The FATF Recommendations remain the global reference for AML/CFT and specifically call for enhanced measures on relationships involving politically exposed persons; in the region, both Hong Kong’s SFC and Singapore’s MAS impose customer due diligence, risk assessment, ongoing monitoring and record keeping obligations on regulated intermediaries.

For a new broker, collecting documents is the easy half. The operational questions are harder: who approves a client, where documents live, whether sales can override KYC status, whether high risk clients need compliance sign off, whether a rejected applicant can still open an MT5 account, and whether KYC records connect to CRM, deposits, withdrawals and trading activity. When CRM, KYC and MT5 sit in disconnected systems, records fragment — and that fragmentation is a frequent reason brokers stumble in LP, payment or regulatory review.

Client Classification and Suitability

Retail, professional, wholesale and eligible counterparty categories are not marketing labels. They determine what protections apply, how much leverage can be offered, what disclosure is required and how a product may be marketed. In major regulated markets, retail CFD clients get materially stronger protection — the FCA’s permanent retail CFD restrictions include leverage caps, margin close out rules, negative balance protection and limits on inducements, and ESMA’s measures similarly centred on leverage limits, negative balance protection and standardised risk warnings.

The temptation to reclassify a retail client as professional simply to offer higher leverage is exactly the risk to avoid; misclassification creates regulatory, reputational and legal exposure. A workable suitability process records the client’s trading experience, knowledge, financial background, risk tolerance, product and leverage understanding, their classification under the applicable rules, who approved it and when it was last reviewed. This is a CRM design question as much as a compliance one — the broker needs records, not checkboxes.

Risk Disclosure and Website Content

For CFD brokers, the website is part of the control environment, not just marketing. It should not promise easy profits, guaranteed returns, risk free trading or unrealistic win rates; it should state plainly that leveraged forex and CFD trading can lose money. Adequate disclosure typically covers leverage and margin/stop out risk, gapping, negative balance treatment, execution and slippage, overnight financing, product specific risk, client fund arrangements, complaint channels, the legal entity and jurisdiction, restricted countries, and the usual terms, privacy and AML notices. Some jurisdictions require retail CFD providers to display specific risk warnings or the percentage of retail accounts that lose money — an area ESMA addressed directly through standardised warnings.

Even an offshore broker isn’t exempt from scrutiny here: banks, LPs and payment partners routinely review the public website as part of due diligence, and copy that reads as aggressive or misleading can sink an onboarding.

Payment and Client Fund Handling

Payments are where new broker projects most often stall. The broker needs an unambiguous funds flow — which entity receives deposits, which account holds client money, whether client and company funds are segregated, which methods are accepted, how withdrawals, refunds, chargebacks and suspicious transactions are handled, and how every payment record ties back to a client account and trade.

Receiving client funds through a personal account or an unrelated third party is a serious red flag; convenient early on, it creates lasting problems with banks, auditors, tax authorities and clients. Crypto raises the bar rather than lowering it: accepting USDT, USDC or BTC without documented wallet ownership, transaction hashes, conversion records, source of funds checks and suspicious transaction escalation tends to make banking harder, not easier. As with everything else, a deposit should connect to the client profile, KYC status, trading account, ledger entry and approval workflow.

MT5 Configuration and Compliance Records

MT5 compliance is about more than the licence — configuration itself carries consequences. Account groups, leverage, symbols and contract specs, margin and stop out rules, commissions and swaps, execution and account opening rules, manager and dealer permissions, admin access, log retention, backup and disaster recovery, and reporting all need deliberate governance. A poorly configured environment produces inconsistent client treatment, pricing errors, margin disputes, execution complaints and reporting gaps.

If leverage differs between client groups, there should be a documented reason. If symbols carry different margin settings, they should match the product disclosure and client agreement. If a manager can adjust trades, balances or credits, the permission structure and logs must be controlled. MT5 can support almost any configuration — the real question is whether the broker governs the configuration it chooses.

CRM, KYC and Audit Trail

An audit trail answers one question: what happened, when, by whom and on what approval. A CRM built only around names and emails can’t do that. For a forex or CFD broker it should capture lead source and sales notes, communication history, KYC status, risk rating and classification, IB relationships, account opening and withdrawal approvals, bonus or credit approvals, support tickets and complaints, internal comments, compliance escalations, document history and status changes.

This matters because most broker disputes aren’t really about a single trade. They turn on what the client was told, which risk warning was shown, whether the client was classified correctly, whether a withdrawal was delayed, or whether an agent said something they shouldn’t have. When CRM, KYC files, MT5 logs and payment records live in disconnected systems, reconstructing that story becomes very hard — which is the definition of a weak audit trail.

LP and Bridge Due Diligence

Liquidity and bridge providers assess risk, not just volume. Before connecting a new broker, an LP will typically want company and licence documents, ownership structure, the website and client agreements, target markets and product list, expected volume, jurisdictional restrictions, the risk model and A Book/B Book/hybrid approach, bridge provider and MT5 setup, margin policy, toxic flow controls, a compliance contact and the payment structure. Bridge and aggregation providers ask similar questions, because they need confidence the broker can monitor flow, manage rejects, handle symbol mapping and keep the infrastructure stable.

The practical takeaway: LP onboarding shouldn’t begin after the platform is finished. The business model, legal entity, risk settings and technical architecture need to be aligned before integration starts.

Regulatory Reporting and Internal Monitoring

What a broker must formally report depends on jurisdiction, licence and product scope — transaction reporting, financial returns, complaint or incident reports and suspicious transaction reports for some; for others, no formal regulatory reporting but still the monitoring that counterparties, payment providers and auditors expect. Either way, the supervisory direction is clear: regulators expect firms to understand operational risk, third party dependency and incident response. The FCA’s operational resilience framework is built around the ability to prevent, adapt to, respond to, recover from and learn from disruption, and in early 2026 the FCA finalised new rules on operational incident and material third party reporting (PS26/2), which take effect in March 2027.

For a broker, monitoring should extend across server uptime, MT5 connectivity, bridge latency and LP connection status, abnormal trading and margin breaches, toxic flow, failed deposits or withdrawals, client complaints, suspicious account activity, data backup, access logs and incident records. Good monitoring is a compliance function as much as a technical one.

Common Compliance Mistakes

The brokers that struggle rarely struggle because the trading platform is weak — they struggle because the operating model wasn’t ready. The recurring failures cluster in a few places. Clients are allowed to deposit and trade before KYC is properly approved. Funds are taken through personal or unrelated accounts, raising immediate questions about ownership, AML, tax and client protection. Website copy overpromises, implying guaranteed income or risk free trading. A company registration gets mistaken for a financial licence. Retail clients are pushed into professional classification to unlock leverage, stripping protections that should apply.

The operational failures rhyme with these. CRM, KYC, MT5 and payment records sit in separate systems, so no clean audit trail exists when one is asked for. Too many staff hold manager permissions and can change settings, balances or trades without control. LP onboarding starts too late, and the broker discovers required documents and risk controls only at the end. There’s no incident response process, so outages and payment delays are handled informally and unrecorded. And often no one actually owns compliance — everyone assumes someone else is handling approvals, monitoring and documentation.

Pre Launch Compliance Checklist

Company and structure — registered company documents, shareholders and directors, business scope, brand and domain ownership, contracting entity, website operator, server-name consistency.

Licence and positioning — licence or registration status, target market, restricted jurisdictions, legal opinion where needed, client agreement, risk disclosure, privacy policy, AML policy.

KYC and onboarding — identity and address verification, sanctions and PEP screening, source of funds checks, client risk rating, client classification, suitability questionnaire, approval workflow, record retention.

Website and marketing — risk warnings, product descriptions, leverage and margin explanations, no guaranteed return language, complaint channel, legal entity disclosure, terms and conditions.

Payment and client funds — corporate bank or EMI account, client fund handling policy, deposit and withdrawal workflow, crypto controls where applicable, transaction records, refund process, suspicious activity escalation.

MT5 and trading setup — groups, leverage, symbols, margin rules, commission, swaps, stop out settings, execution rules, manager permissions, logs, backup, reports.

CRM and audit trail — lead records, sales notes, KYC status, IB records, deposit and withdrawal records, client communications, support tickets, complaints, compliance escalation, document history.

LP, bridge and infrastructure — LP due diligence package, bridge setup, symbol mapping, liquidity routing, A Book/B Book/hybrid model, toxic flow monitoring, server monitoring, incident logs, disaster recovery plan.

How EBS FinTech Supports the Technical Side

EBS FinTech works on the technical implementation and infrastructure layer, helping brokers stand up a controlled, scalable environment before launch. That can include MT5 Main Label setup, MT4/MT5 hosting, server deployment and maintenance, CRM and KYC integration, LP and bridge integration, account group configuration, reporting setup, infrastructure monitoring and operational support through launch.

EBS FinTech provides technical implementation and infrastructure; company formation, licensing strategy, regulatory interpretation and legal compliance opinions belong with qualified lawyers, licensed compliance consultants or regulated service providers in the relevant jurisdiction. A sound broker project needs both — professional legal and compliance advice on one side, and infrastructure that can actually support the operating model on the other.

Scroll to Top