Clients often ask who must be fingerprinted at a FINRA member broker-dealer. The answer can be found in SEC Rule 17f-2 – Fingerprinting of Securities Personnel. The rule specifies who must be fingerprinted at a broker-dealer (and at other covered entities, such as transfer agents).
The rule specifies that everyone must be fingerprinted absent an applicable exception. Specifically, “each of its partners, directors, officers and employees… shall submit, or cause to be submitted, the fingerprints of such persons to the Attorney General of the United States or its designee for identification and appropriate processing.”
Let’s take a deep dive on this…
Introduction: Why FINRA Fingerprinting Matters
Fingerprinting is one of the foundational investor-protection mechanisms built into federal securities law. It allows regulators and employers to identify individuals with prior criminal histories — especially those involving fraud, theft, or other financial crimes — before those individuals gain access to the inner workings of broker-dealers, investors’ assets, or firms’ confidential books and records.
For compliance officers, operations managers, and senior leadership at FINRA member firms, the question of who must be fingerprinted is far from academic. Getting it wrong — either by failing to fingerprint someone who should be, or by misclassifying an exempt employee — can expose a firm to regulatory sanctions, reputational damage, and potential statutory disqualification proceedings.
This guide provides a thorough analysis of the fingerprinting framework under SEC Rule 17f-2 (17 CFR § 240.17f-2), as administered by FINRA, explaining who must be fingerprinted, who qualifies for an exemption, how to submit fingerprints for non-registered individuals, and best practices for maintaining compliance.
The Statutory and Regulatory Foundation
Section 17(f)(2) of the Securities Exchange Act of 1934
The obligation to fingerprint securities industry personnel originates in Section 17(f)(2) of the Securities Exchange Act of 1934 (15 U.S.C. § 78q(f)(2)). Congress enacted this requirement as part of a broad regulatory framework designed to ensure the integrity of the financial markets by screening individuals who have access to securities, investor funds, and sensitive firm records.
The SEC implemented this statutory mandate through Exchange Act Rule 17f-2, which establishes both the fingerprinting requirement and the procedures for claiming permissible exemptions. The rule applies to every member of a national securities exchange, broker, dealer, registered transfer agent, and registered clearing agency.
FINRA as the Designated Examining Authority
For most FINRA member broker-dealers, FINRA serves as the Designated Examining Authority (DEA) and administers the fingerprint processing program on behalf of the SEC. FINRA accepts fingerprint submissions, transmits them to the Federal Bureau of Investigation (FBI) through an FBI-Approved Channel Partner for criminal history record checks, and returns results to member firms. FINRA’s fingerprint plan has been updated multiple times — most recently in 2023 — to reflect evolving FBI processing requirements and technology changes.
SEC Rule 17f-2 requires ALL partners, directors, officers, and employees to be fingerprinted — unless a specific exemption applies. The default is fingerprinting. Exemptions must be affirmatively claimed and documented.
Who Must Be Fingerprinted: The Default Rule
Under Rule 17f-2, a FINRA member broker-dealer must fingerprint each of its partners, directors, officers, and employees and submit those fingerprints to the Attorney General of the United States (or its designee — currently processed through FINRA and the FBI) for identification and appropriate processing. This obligation is broad by design. The default assumption is that anyone who is part of a securities organization must be screened.
According to FINRA’s own FAQ guidance, firms are required to submit fingerprints for:
- All persons applying for registration with FINRA (registered representatives, principals, etc.)
- All persons involved in handling customer funds or securities
- All persons involved in the preparation of the firm’s original books and records (blotters, general ledgers, etc.)
- Any person with regular access to securities, monies, or original books and records of the firm
- Any person with direct supervisory responsibility over those in any of the above categories
This last category is particularly important and frequently misunderstood. A manager who never personally touches securities or financial records but who supervises someone who does is still subject to the fingerprinting requirement.
The Exemptions: A Precise Three-Part Test
Section (a)(1) of Rule 17f-2 provides permissive exemptions — but they are narrow and all three conditions must be satisfied simultaneously. A firm may claim an exemption for a person only if that individual:
1. Securities Sales – The person is NOT engaged in the sale of securities.
2. Access to Records/Assets – The person does NOT have regular access to the keeping, handling, or processing of securities, monies, or original books and records relating to securities or monies of the broker-dealer.
3. Supervisory Responsibility – The person does NOT have direct supervisory responsibility over anyone who is engaged in the activity in (1) or has the access described in (2) above.
All three conditions must be met simultaneously. If a person satisfies conditions (1) and (2) but supervises someone who handles securities, that person must still be fingerprinted under condition (3).
The ‘Original Books and Records’ Trap: The Most Commonly Misapplied Element
Of all the elements in the exemption analysis, the phrase “original books and records relating to securities or monies” is the most frequently misunderstood — and the most common reason firms inadvertently fail to fingerprint employees who are legally required to be screened.
Many compliance officers assume that only registered persons — those with CRD registrations — need to be fingerprinted. In reality, the books-and-records prong sweeps in a wide range of back-office and administrative staff who may never have securities industry registrations but who nonetheless routinely access sensitive financial records.
Who Falls Into This Category?
The following roles typically have regular access to original books and records and therefore cannot claim the exemption:
- Bookkeepers and accounts payable / accounts receivable staff who maintain the general ledger
- Finance and accounting professionals who prepare or access blotters, trial balances, or other primary accounting records
- Technology staff (developers, system administrators) with access credentials to the accounting or order management system
- Operations staff who process trade confirmations, settlements, or customer account adjustments
- Outside contractors or consultants (e.g., an external bookkeeper) who regularly access the firm’s financial systems
Important Distinction: System access is the key. If an employee, regardless of title or registration status, has login credentials or regular access to the firm’s accounting, general ledger, or order management systems, they have ‘regular access to original books and records’ and must be fingerprinted.
A useful practical test: if the person can open the general ledger, enter journal entries, view account balances, or modify financial records, they must be fingerprinted. Titles like ‘Office Manager,’ ‘Controller,’ or ‘IT Administrator’ do not create an exemption if the role involves regular access to these systems.
Additional Exemptions Under Rule 17f-2
Prior Fingerprinting Under Another Law or Regulation
Rule 17f-2 also provides that the fingerprinting requirement may be satisfied if the person has already been fingerprinted pursuant to another federal or state law or regulation in connection with their current employment, provided that: (1) those fingerprint cards were submitted to the Attorney General for processing, and (2) the processed records are maintained in accordance with the rule’s recordkeeping requirements. This is useful, for instance, when a firm hires former law enforcement or military personnel who were fingerprinted as part of their prior government service — but the conditions must be met precisely.
Persons for Whom Legible Fingerprints Cannot Be Obtained
Rule 17f-2(a)(1)(iv) incorporates an exemption for individuals from whom a complete set of legible fingerprints cannot be obtained — a relief provision the Commission developed on a case-by-case basis before codifying it. Even in these cases, firms must document the situation thoroughly.
Foreign Nationals and Residents
Citizenship and residency do not create an exemption. Per FINRA’s FAQ, being a foreign national or foreign resident is not a basis for claiming exemption from the fingerprinting requirement. All covered personnel — regardless of nationality — must be fingerprinted unless a specific listed exemption applies. It is worth noting that hardcopy fingerprints for individuals outside the U.S. or its territories must be captured on a FINRA-approved card and mailed directly to FINRA; EFS vendors cannot process fingerprints for overseas individuals.
The ‘Notice Pursuant to Rule 17f-2’ Requirement
Any broker-dealer that claims an exemption under Rule 17f-2(a)(1) must prepare, maintain, and keep current a written statement entitled “Notice Pursuant to Rule 17f-2.” This document must:
- State the name of the organization and its regulatory status (broker, dealer, member, etc.)
- Identify by division, department, class, or position all persons who have satisfied the fingerprinting requirement under an alternative method (e.g., prior government fingerprinting)
- Identify by division, department, class, title, or position all persons claimed to be exempt under the permissive exemptions
- Be updated promptly as personnel changes occur
Failure to maintain an accurate and current Notice is itself a regulatory violation, even if all the underlying exemptions would be valid. FINRA examiners commonly review these notices during examinations to assess whether a firm’s exemption claims are properly documented.
Best Practice: Review your Notice Pursuant to Rule 17f-2 at least annually and upon any significant organizational change — new hires, promotions, restructuring, or system access grants. Treat it as a living document, not a one-time filing.
Fingerprinting Non-Registered Individuals: The NRF Process
One of the most common compliance questions involves employees who must be fingerprinted but who are not registered with FINRA — for example, an outside bookkeeper, a technology contractor, or a back-office employee with access to the general ledger.
For these individuals, FINRA provides a straightforward mechanism: the Non-Registered Fingerprint (NRF) filing. Firms can submit fingerprints for non-registered individuals through FINRA Gateway under “Forms & Filings.” There is no formal departure filing required for an NRF individual unless a statutory disqualification event has occurred.
Key points about the NRF process:
- NRF filings are handled through CRD (Web CRD), FINRA’s Central Registration Depository
- The NRF process does not trigger a registration or create a CRD registration record in the traditional sense — it is purely a fingerprint submission mechanism
- Summer interns need not be fingerprinted unless they sell securities or have regular access to securities, money, or original books and records
- The same set of fingerprints previously submitted cannot be reused — new prints must be collected and submitted each time
Recordkeeping Requirements
Rule 17f-2 imposes specific recordkeeping obligations. Firms must maintain all fingerprint cards, records, and associated information — including any criminal history information returned by the FBI — for a period of not less than three years after the termination of that person’s employment or relationship with the organization. FINRA’s internal records policy extends this to at least five years.
Firms may satisfy their recordkeeping obligations by allowing FINRA (as the designated examining authority) to maintain these records on the firm’s behalf, provided FINRA has an effective fingerprint plan on file with the SEC — which it does. This arrangement is standard practice for FINRA member broker-dealers.
Criminal History Results: What Happens After Fingerprint Processing
After the FBI processes submitted fingerprints, the results are returned to FINRA. FINRA then reviews any Criminal History Record Information (CHRI) to identify individuals who may be subject to statutory disqualification under the Exchange Act. Statutory disqualification is a serious status that can bar an individual from associating with a FINRA member without FINRA’s specific approval — a process that is time-consuming and uncertain.
This is why firms should never treat fingerprinting as a formality. The process exists precisely to uncover the criminal histories that would trigger disqualification, and failing to fingerprint a required individual means the firm may unknowingly employ a statutorily disqualified person — itself a serious regulatory violation.
Quick Reference: Fingerprint or Exempt?
| Role / Situation | Fingerprint Required? |
| --- | --- |
| Registered representative (broker) | Yes — always |
| Principal / supervisor of registered reps | Yes — always |
| Officer or director of the firm | Yes — always |
| Bookkeeper with general ledger access | Yes — books and records access |
| IT admin with access to accounting systems | Yes — books and records access |
| Outside consultant accessing firm systems | Yes — books and records access |
| Receptionist with no system access | Likely Exempt — verify all 3 conditions |
| HR administrator (no books/records access) | Likely Exempt — verify all 3 conditions |
| Summer intern (administrative only) | Likely Exempt — verify no access |
| Summer intern (trading floor / records access) | Yes — must fingerprint |
| Foreign national employee | Yes — citizenship is not an exemption |
| Employee already fingerprinted by government | May satisfy requirement if conditions met |
The Case for Universal Fingerprinting: A Practical Recommendation
Given the relatively low cost of fingerprinting — typically a modest per-person processing fee — and the potentially severe consequences of a compliance failure, many well-run broker-dealers adopt a policy of universal fingerprinting for all employees and associated persons, regardless of whether the individual technically qualifies for an exemption.
The rationale is straightforward:
- The cost of fingerprinting is minimal compared to the cost of a regulatory examination finding, a corrective action plan, or a formal disciplinary proceeding
- Personnel roles evolve — someone hired as a receptionist may quickly gain system access, rendering an original exemption invalid if not monitored
- A universal fingerprinting policy eliminates the administrative burden of maintaining and updating exemption documentation
- It demonstrates proactive compliance culture to FINRA examiners
- It protects the firm from employing a statutorily disqualified individual in any capacity
For firms that do choose to claim exemptions, robust procedures must be in place to monitor personnel changes and reassess exemption eligibility as roles evolve. A person hired into an exempt role who is later promoted to a supervisory position, or who is granted access to financial systems, must be promptly fingerprinted.
Conclusion
The fingerprinting requirement under SEC Rule 17f-2 is deceptively simple in concept but nuanced in application. The fundamental rule is clear: everyone must be fingerprinted. The exemptions are narrow and all three conditions must be satisfied simultaneously to avoid the requirement. The most common compliance errors stem from underestimating the reach of the “original books and records” standard, failing to maintain proper exemption documentation, and not updating procedures when employee roles change.
For broker-dealers looking to minimize compliance risk, a policy of universal fingerprinting — combined with an NRF submission process for non-registered personnel — represents the gold standard. For firms that elect to use exemptions, disciplined procedures, current Notice documentation, and regular internal audits are essential.
Questions about your firm’s specific fingerprinting obligations, exemption claims, or NRF procedures? Please contact Mitchell Atkins, CRCP at FirstMark Regulatory Solutions: 561-948-6511