KYC and Suitability Under CIRO Rules: A Plain-English Guide

KYC (Know Your Client) and suitability are the single biggest topic on the CIRE — about 17 of the 110 questions, plus another 21 on the closely related Element 7. Together that's a third of the exam.

This guide covers what KYC actually requires, what suitability means under CIRO rules, where the two interact, and the recent changes (Client Focused Reforms, vulnerable client guidance) that show up disproportionately on the exam.

What KYC actually is

Know Your Client is the obligation to gather and document specific information about a client before opening an account or making a recommendation. It's defined in CIRO IDPC Rule 3402.

Mandatory content (from Rule 3402):

• Identity — full name, date of birth, address, ID document
• Investment objectives — capital preservation, income, growth, speculation
• Investment knowledge — basic, fair, good, excellent (or equivalent firm-specific scale)
• Risk profile — both risk tolerance (willingness) and risk capacity (ability)
• Time horizon
• Income and net worth (with source-of-wealth questions)
• Other accounts the client holds
• Personal circumstances — dependants, employment, marital status

It's not optional. Missing fields = a Rule 3402 violation, even if the client refuses to provide them. (If they refuse, you document the refusal and may not be able to make recommendations until the gap is filled.)

Risk tolerance vs. risk capacity

The CIRE tests this distinction relentlessly.

• Risk tolerance is the client's willingness to accept losses. Behavioral. Subjective.
• Risk capacity is the client's ability to absorb losses without derailing financial goals. Mathematical. Objective.

A 30-year-old earning $200,000 with $50,000 saved has high risk capacity (long horizon, surplus income). They might still have low risk tolerance because they panic during drawdowns. The advisor recommends to the lower of the two.

A retired client living on portfolio income has low risk capacity even if they say they're willing to take risk. Recommendation must respect the lower number.

Some firms also assess risk need — the level of return required to meet stated objectives. If risk need exceeds capacity, the conversation isn't "let's increase the allocation to equities." It's "let's revisit objectives."

The suitability obligation

Suitability is also defined in Rule 3402. The advisor has to:

1. Have a reasonable basis to believe each recommendation is suitable based on the client's KYC
2. Put the client's interest first — this is the Client Focused Reforms standard, effective Dec 31, 2021
3. Keep documentation of the suitability assessment

Suitability assessments must be done:

• Before opening the account
• Before each recommendation
• After a material change in the client's circumstances
• After a material change in the recommended security
• Annually for managed accounts

A common CIRE trap: candidates think suitability is only required at recommendation. It's actually triggered by multiple events, including some passive ones (annual review).

KYP — Know Your Product

Separate but related obligation under NI 31-103 13.2.1. KYP requires:

• At the firm level: the firm vets every product on its shelf. Approved-product list.
• At the individual rep level: the rep understands every product they recommend.

You can't recommend a product just because it's on the firm's shelf. You also can't recommend a product the firm hasn't approved. Both legs of the obligation are independent.

CFRs — Client Focused Reforms

Effective December 31, 2021. Changed three things:

1. Conflicts of interest must now be addressed in the client's best interest, with disclosure of remaining conflicts in language the client can understand. (NI 31-103 13.4)
2. KYC content expanded to require risk profile, investment knowledge, and personal circumstances at the level of detail above. The old "low/medium/high risk tolerance" wasn't enough.
3. Suitability language strengthened from "suitable" to "puts the client's interest first."

CFRs show up on the exam as both standalone questions and as the framework underneath suitability questions.

Vulnerable clients (Joint CSA/CIRO Notice 31-368)

Published December 2025 — the newest piece of this puzzle. Tested heavily on early CIRE sittings.

A vulnerable client is one who may have difficulty processing financial information due to age, cognitive decline, illness, language barriers, or recent traumatic events.

The notice introduces:

• Trusted Contact Persons (TCPs) — at account opening, the client may name an emergency contact the firm can reach if the firm suspects financial exploitation, diminished capacity, or can't reach the client. The TCP can confirm contact info and emergency status. The TCP cannot authorize transactions.
• Temporary holds — firms may temporarily hold the disbursement of funds or securities if they reasonably believe the client is being financially exploited, or has diminished decision-making capacity. Initial hold up to 5 business days, with extension protocols.
• Documentation requirements — every TCP designation, every temporary hold, every concern about vulnerability must be documented contemporaneously.

The CIRE tests both the what (TCPs and temporary holds exist) and the boundaries (TCPs can't trade; holds have time limits).

Material changes — when KYC must be refreshed

KYC is not static. It must be refreshed when:

• The client tells you something has changed (job loss, divorce, inheritance, retirement)
• A scheduled annual review reveals changes
• A significant deposit or withdrawal that doesn't fit the documented profile
• Major life events the firm becomes aware of through other channels

The CIRE expects you to know that the client doesn't have to tell you for the obligation to trigger — if you become aware through any reasonable means, you act.

Common CIRE traps on this material

1. Confusing KYC with KYP. KYC is about the client; KYP is about the product. They have separate rules and separate documentation.
2. Thinking suitability only triggers at recommendation. It triggers at multiple events including annual review of managed accounts.
3. Assuming risk tolerance and capacity are interchangeable. They aren't. Recommendation respects the lower of the two.
4. Missing the CFR "client's interest first" language. Older textbook content used "suitable" — current rule requires more.
5. Forgetting that TCPs can't transact. TCPs are an emergency-contact role only.
6. Confusing temporary holds with regulatory holds. Temporary holds under Notice 31-368 are firm-initiated. Regulatory holds (e.g., from CIRO) are different.

How this gets tested

Expect 17 E3 questions (KYC and suitability) on your CIRE sitting plus another 5–7 questions in E7 that involve product recommendations the require suitability analysis. Together, about 22–24 questions turn on this material.

Most are applied scenarios: "Your client tells you X — what's your obligation?" Pure recall questions ("List the four investment objectives") are rare. The exam wants to see you apply the rule to facts.

How to study this

1. Read IDPC Rule 3402 and NI 31-103 Part 13. Both free.
2. Read the Joint CSA/CIRO Notice 31-368 in full. It's only 30 pages and almost every sentence is exam-relevant.
3. Drill 60–80 practice questions on E3 + the E7 suitability subset. Ciroexam's E3 practice set is the obvious place.
4. Flashcard the boundaries — TCPs can / can't, temporary hold limits, CFR effective date, the 5 mandatory KYC content fields.

Test where you stand. Take the free CIRE diagnostic — element-by-element score in 25 minutes.

Related reading

• CIRE vs CSC: Every Difference, Side by Side — the head-to-head comparison if you're moving from CSC studying.
• The CIRE Exam in 2026: complete guide
• How to study for the CIRE in 30 days
• CIRO Proficiency Model: all 9 exams explained