FINRA Know Your Customer Rule

FINRA Rule 2090 requires your broker-dealer to use “reasonable diligence” to know and retain the essential facts about every customer and to confirm the authority of anyone acting for that customer 1. Operationalize it by hard-blocking account approval until required Rule 4512 data is captured, supervising exceptions, and running a repeatable refresh process so customer facts stay current 2.

Key takeaways:

  • Treat KYC as an account lifecycle control, not a one-time onboarding form 1.
  • Map “essential facts” to Rule 4512 fields and enforce completeness before trading or recommendations 2.
  • Document third-party authority (POA, authorized trader) and keep it current; stale authority is a common failure mode 1.

The FINRA Know Your Customer rule (FINRA Rule 2090) is a supervisory and operational obligation: you must know and retain the essential facts about each customer and the authority of each person acting on the customer’s behalf 1. In practice, this requirement becomes the data foundation for suitability decisions and account servicing, and it is tested through your account opening controls, your exception handling, and your ability to demonstrate the information was obtained, reviewed, and kept current.

For a CCO or GRC lead, the fastest path to “exam-ready” is to convert Rule 2090’s principle-based language into enforceable workflow gates. That means: (1) defining your firm’s “essential facts” data set using FINRA Rule 4512’s required account information as your baseline, (2) embedding those fields into your digital and paper account-opening process with completion and validation rules, and (3) implementing a refresh trigger model so changes in customer circumstances drive updates and supervisory follow-up 3.

This page gives requirement-level implementation guidance you can put into procedures, onboarding design, supervision checklists, and evidence retention standards without guessing what an examiner will ask you to produce.

Requirement summary (plain-English)

Requirement: For every account you open and maintain, your firm must use reasonable diligence to (a) know and retain the customer’s essential facts and (b) know and retain the authority of anyone acting on the customer’s behalf 1.

Plain-English interpretation: You need enough accurate, current customer information to service the account properly and support downstream compliance obligations (for example, suitability). You also need documented proof that anyone giving instructions or making decisions for the account is authorized to do so 4.

Who it applies to (entity + operational context)

In-scope entities

  • FINRA member broker-dealers opening or maintaining customer accounts 1.
  • Associated persons (e.g., registered representatives) involved in opening accounts, making recommendations, or accepting instructions, operating under firm supervision 1.

In-scope activities

  • Account opening: Capturing and validating required customer account information at or prior to opening 2.
  • Account maintenance: Keeping the customer’s essential facts current through reasonable updates and refresh practices 1.
  • Third-party authority administration: Setting up, verifying, and maintaining powers of attorney, authorized traders, trustees, or other agents 1.

Regulatory text

FINRA’s Know Your Customer rule states:

“Every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer.” 1

What an operator must do with this text:

  1. Define “essential facts” in your procedures so staff and systems collect the same baseline set consistently. Use FINRA Rule 4512 required fields as your minimum starting point for customer account information at or prior to account opening 2.
  2. Prove “reasonable diligence” through controls and records. Examiners expect to see a repeatable process (workflow gates, supervisory review, exception handling) plus retained records showing what you knew, when you knew it, and who approved it 1.
  3. Treat “maintenance” as a live obligation. Your process must detect and address stale profiles and changes in authority, not only collect data once 1.

What you actually need to do (step-by-step)

Below is a practical control build that maps Rule 2090 into execution.

Step 1: Translate “essential facts” into required data fields

Create a KYC data standard aligned to Rule 4512. At minimum, ensure your onboarding captures the customer account information fields required “at or prior to the opening of an account,” including items like name, address, tax identification number, date of birth, employment status, annual income, net worth, investment objectives, and association with a member firm 2.

Implementation detail: Maintain a firm-owned data dictionary:

  • Field name (as shown in your CRM/new account form)
  • Definition and allowed values (free text vs. controlled list)
  • Who provides it (customer vs. rep)
  • Validation rules (format checks, completeness)
  • “If blank, then…” handling (block, exception, or escalation)

Step 2: Build account-opening workflow gates (hard stops)

Operationalize “reasonable diligence” by preventing accounts from being approved (or trading/recommendations from proceeding) until required fields are complete and internally consistent.

Minimum gating controls:

  • Completeness gate: Required Rule 4512 fields must be present before account approval 2.
  • Consistency checks: Flag mismatches that frequently signal bad data (e.g., employment status vs. source of funds narrative).
  • Documentation gate for authority: No third-party trading authority, disbursements, or instruction acceptance until authority documents are collected and validated 1.

If you use Daydream to manage compliance workflows, treat Rule 4512 field completion and “authority verified” as system-enforced prerequisites for account status changes. That gives you cleaner evidence than ad hoc email approvals.
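The Step 1 data dictionary and Step 2 gates, as an added example written for this page rather than code from any firm or vendor. The field list follows the Rule 4512 items named above; the “if blank” actions, format rules, controlled-value lists and the employment-status/source-of-funds pairs are assumed firm standards, and the account status names are hypothetical.

```python
import re

# Constructed data dictionary for Step 1. The field list follows the Rule 4512
# items named in the text; the "if blank" actions and validation rules are an
# assumed firm standard, not FINRA's.
DATA_DICTIONARY = {
    "name": {"if_blank": "block"},
    "address": {"if_blank": "block"},
    "tax_id": {"if_blank": "block", "pattern": r"\d{3}-\d{2}-\d{4}"},
    "date_of_birth": {"if_blank": "block"},
    "employment_status": {"if_blank": "block", "allowed": {
        "employed", "self-employed", "retired", "unemployed", "student"}},
    "annual_income": {"if_blank": "exception"},
    "net_worth": {"if_blank": "exception"},
    "investment_objectives": {"if_blank": "block", "allowed": {
        "preservation", "income", "growth", "speculation"}},
    "member_firm_association": {"if_blank": "escalate"},
}

# Step 2 consistency check: employment status that cannot plausibly produce the
# stated source of funds (constructed pairs, flagged for principal review).
INCONSISTENT_FUNDING = {("unemployed", "salary"), ("student", "salary"), ("retired", "salary")}

# Higher number = more severe; the worst finding decides the account status.
SEVERITY = {"block": 3, "escalate": 2, "exception": 1}
STATUS = {3: "blocked", 2: "pending_principal_escalation",
          1: "pending_exception_approval", 0: "ready_for_principal_approval"}


def evaluate_account(record, authority_docs_verified=False):
    """Run completeness, consistency and authority gates on one account record.
    Returns {"status", "third_party_trading", "findings"}; a finding is
    (field, action, reason). Authority findings only withhold third-party trading."""
    findings = []
    for name, spec in DATA_DICTIONARY.items():
        value = record.get(name)
        if value in (None, ""):
            findings.append((name, spec["if_blank"], "required field missing"))
            continue
        if "pattern" in spec and not re.fullmatch(spec["pattern"], str(value)):
            findings.append((name, "block", "format check failed"))
        if "allowed" in spec and value not in spec["allowed"]:
            findings.append((name, "block", "value not in controlled list"))
    pair = (record.get("employment_status"), record.get("source_of_funds"))
    if pair in INCONSISTENT_FUNDING:
        findings.append(("source_of_funds", "exception",
                         "inconsistent with employment_status=%s" % pair[0]))
    agents = record.get("third_party_agents", [])
    if agents and not authority_docs_verified:
        findings.append(("third_party_agents", "withhold", "authority documents not verified"))
    worst = max((SEVERITY.get(action, 0) for _, action, _ in findings), default=0)
    return {"status": STATUS[worst],
            "third_party_trading": bool(agents) and authority_docs_verified,
            "findings": findings}
```

Each finding carries the field, the action from the dictionary and a reason, which is the trace from rule requirement to stored record that the exam questions below ask for.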

Step 3: Require principal approval with a KYC completeness checklist

Rule 2090 is routinely operationalized through supervisory review at account opening. Put a principal sign-off step in the workflow requiring explicit confirmation that:

  • Rule 4512 customer account information is complete 2.
  • Any third-party authority is supported by appropriate documentation and scope 1.
  • Any missing items have an approved exception rationale and remediation date (your internal standard).

Practical checklist items (keep it short):

  • Customer identity and basic profile fields completed per Rule 4512 2.
  • Investment objectives and financial profile captured and reviewed for plausibility 5.
  • Trusted contact / authorized person documentation present where applicable (authority validated) 1.
  • Exceptions logged, risk-rated, and assigned for follow-up.

Step 4: Implement an “account maintenance” refresh model

Rule 2090 explicitly applies to the “opening and maintenance” of every account 1. You need a defined refresh approach with triggers.

Use two update pathways:

  1. Event-driven refresh: Update customer facts when circumstances change materially (job change, retirement, liquidity event, change in goals), or when your staff becomes aware of changes through servicing interactions 1.
  2. Periodic refresh: Run a recurring outreach and attestation process to confirm key profile fields remain accurate. Regulatory Notice 12-25 frames KYC as the basis for suitability and related determinations, which break down when profiles are stale 5.

Operational design choices you must document:

  • What fields are in scope for periodic reconfirmation (e.g., objectives, risk tolerance, income/net worth bands).
  • How you handle non-responses (freeze certain activity, restrict recommendations pending update, or escalate to supervisor per firm policy).
  • How changes flow into downstream controls (suitability, surveillance scenarios, concentration alerts).

Step 5: Manage third-party authority like a privileged access program

Rule 2090 requires reasonable diligence around “the authority of each person acting on behalf of such customer” 1. Treat this as identity-and-access management for brokerage instructions.

Minimum authority controls:

  • Authority type taxonomy: POA, authorized trader, trustee, corporate officer, guardian, etc.
  • Scope control: Trading authority vs. disbursement authority vs. address changes; document what the person can do.
  • Verification and recording: Capture the authority document, record effective date, expiration (if any), and verification notes 1.
  • Ongoing validation: Reconfirm authority upon key events (customer death, change in legal structure, suspicious activity flags).
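The authority controls listed above, as an added example of treating them like an access check (this is illustrative code written for this page, not any firm’s system). The scope taxonomy, the revalidation events and the authority register are constructed; the register assumes one grant per agent per account.

```python
from datetime import date

# Scope taxonomy from Step 5 (assumed firm naming): what each instruction type needs.
SCOPES = {"trade": "trading", "disbursement": "disbursement", "address_change": "address_change"}

# Events that suspend standing authority until it is reconfirmed (Step 5,
# "ongoing validation"); these are the page's examples, not an exhaustive rule.
REVALIDATION_EVENTS = {"customer_death", "legal_structure_change", "suspicious_activity_flag"}

# Constructed authority register for one account: each grant records type,
# scope, effective/expiration dates and who verified the authority document.
AUTHORITY_REGISTER = {
    "ACCT-0001": [
        {"agent": "Pat Lee", "type": "POA", "scopes": {"trading", "disbursement"},
         "effective": date(2023, 1, 15), "expires": None,
         "verified_by": "Principal R. Smith", "verified_on": date(2023, 1, 14)},
        {"agent": "Sam Cruz", "type": "authorized_trader", "scopes": {"trading"},
         "effective": date(2024, 3, 1), "expires": date(2025, 3, 1),
         "verified_by": "Principal R. Smith", "verified_on": date(2024, 2, 28)},
        {"agent": "Kim Park", "type": "authorized_trader", "scopes": {"trading"},
         "effective": date(2024, 5, 1), "expires": None,
         "verified_by": None, "verified_on": None},
    ]
}

def authorize_instruction(account, agent, instruction, on, open_events=(), register=AUTHORITY_REGISTER):
    """Decide whether `agent` may give `instruction` on `account` on date `on`.
    Returns (allowed, reason); every reason is specific enough to be the audit record."""
    needed = SCOPES.get(instruction)
    if needed is None:
        return False, "unknown instruction type %r" % instruction
    blocking = REVALIDATION_EVENTS & set(open_events)
    if blocking:
        return False, "authority requires reconfirmation after %s" % sorted(blocking)
    for grant in register.get(account, []):
        if grant["agent"] != agent:
            continue
        if grant["verified_by"] is None:
            return False, "authority document for %s not verified" % agent
        if on < grant["effective"]:
            return False, "authority not yet effective"
        if grant["expires"] is not None and on >= grant["expires"]:
            return False, "authority expired on %s" % grant["expires"]
        if needed not in grant["scopes"]:
            return False, "%s scope not granted to %s (%s)" % (needed, agent, grant["type"])
        return True, "%s %s verified by %s on %s" % (
            grant["type"], needed, grant["verified_by"], grant["verified_on"])
    return False, "no authority record for %s on %s" % (agent, account)
```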

Step 6: Monitoring, testing, and remediation

Build a QA/testing loop that proves the process works:

  • Sample new accounts for completeness of Rule 4512 fields and evidence of principal approval 2.
  • Sample accounts with third-party authority to confirm documentation is present, legible, and consistent with activity 1.
  • Track exceptions through closure, not just identification.

Required evidence and artifacts to retain

Expect FINRA exam document requests to focus on what you collected, how you approved it, and how you maintain it 6. Build an evidence package that includes:

Account-level artifacts 7

  • New account form / account opening record with required customer information fields 2.
  • Customer investment profile questionnaire and any supporting notes used to understand objectives and risk tolerance 5.
  • Principal approval record (ticket, workflow approval, or signed checklist).
  • Third-party authority documents (POA, trading authorization, corporate resolutions) plus verification notes 1.
  • Evidence of periodic updates or outreach attempts and any customer responses 1.

Firm-level artifacts (program evidence)

  • Written supervisory procedures covering KYC collection, review, exception handling, and maintenance 1.
  • Data standards / required fields list mapped to Rule 4512.
  • Training materials for reps and operations on KYC and authority validation.
  • QA testing results and remediation logs.

Common exam/audit questions and hangups

Build your playbook around questions exam teams routinely ask for KYC/Rule 4512/Rule 2090 reviews 6:

  1. “Show me your required KYC fields and where they live.” Examiners want a trace from rule requirement to system screens and stored records.
  2. “How do you prevent incomplete accounts from being opened?” “We tell reps to fill it out” is weak; workflow gating is stronger 2.
  3. “How do you know customer information is current?” Have a documented refresh approach and proof of execution 1.
  4. “How do you validate authority for third parties?” Provide the document, the verification steps, and evidence the scope matches observed activity 1.
  5. “How do you handle exceptions?” Demonstrate logging, approval, follow-up, and closure, with supervisory visibility.

Frequent implementation mistakes (and how to avoid them)

Mistake: Treating KYC as a one-time onboarding artifact
Why it fails: Rule 2090 applies to maintenance; stale facts undermine suitability and servicing 4
Fix: Add event-driven triggers plus a periodic refresh workflow; retain outreach evidence

Mistake: Optional fields that are “required in policy”
Why it fails: Exams test actual control effectiveness, not policy language
Fix: Put required Rule 4512 fields behind system hard stops 2

Mistake: Poor authority hygiene (missing, outdated, or unclear POA scope)
Why it fails: Rule 2090 explicitly covers authority of persons acting for the customer 1
Fix: Centralize authority records, require verification notes, and block privileged actions until confirmed

Mistake: Free-text investment objectives with no structure
Why it fails: Hard to supervise, hard to test, inconsistent across reps
Fix: Use controlled categories plus a narrative field; require principal review for outliers

Mistake: Exceptions that never close
Why it fails: Creates silent population-wide KYC gaps
Fix: Time-bound exceptions, automated reminders, and escalation to a principal

Enforcement context and risk implications (without over-claiming)

Public enforcement cases were not provided in the source catalog for this requirement, so this page does not cite specific disciplinary actions. Still, the risk pattern is clear from the rule design and related guidance: weak KYC controls tend to surface during reviews of recommendations and supervision because suitability and best-interest analyses depend on accurate customer facts 5. Operationally, treat KYC defects as a root cause category that can cascade into suitability findings, supervision findings, and customer harm.

Practical 30/60/90-day execution plan

First 30 days: Stabilize onboarding and evidence

  • Inventory current KYC fields, forms, and systems; map each to Rule 4512 requirements 2.
  • Implement interim hard stops or manual checklists for missing required fields at account opening 2.
  • Define and standardize third-party authority document requirements and acceptable verification steps 1.
  • Start a KYC exception log with owner, rationale, and closure criteria.

Days 31–60: Operationalize supervision and refresh

  • Add principal approval checkpoints with a short KYC completeness checklist 1.
  • Build a refresh trigger register (life events, returned mail, objective change) and a procedure for updating customer facts 1.
  • Launch targeted training for reps and operations tied to the exact fields and workflows 6.
  • Design your evidence pack structure so each account has a consistent “KYC packet.”

Days 61–90: Test, tune, and scale

  • Run QA sampling on new accounts for Rule 4512 completeness and principal approvals; document findings and remediation 2.
  • Run QA sampling on accounts with third-party authority to confirm scope matches activity 1.
  • Implement periodic refresh outreach (cadence and scope per firm policy) and start capturing execution evidence 1.
  • If you use Daydream, configure dashboards for: missing-field rates, open exceptions, refresh completion, and authority validations. Use that to drive supervisory follow-up.

Frequently Asked Questions

What counts as “essential facts” under FINRA Rule 2090?

Rule 2090 is principle-based, so you should define “essential facts” in procedures using Rule 4512’s required customer account information as your baseline data set 8. Add any additional facts your products and services require to service the account appropriately.

Do I need to update KYC information after account opening?

Yes. Rule 2090 applies to the opening and maintenance of every account, so you need a process to keep information current and to retain updated facts 1. Many firms combine event-driven updates with a periodic reconfirmation workflow.

How should we handle customers who refuse to provide net worth or income?

If a Rule 4512-required field is missing, document your reasonable efforts to obtain it and apply a controlled exception process with supervisory approval and follow-up 2. Align any resulting trading or recommendation restrictions to your written procedures.

Is KYC the same as CIP under AML rules?

They are related in onboarding execution, but this requirement page addresses FINRA Rule 2090 and the customer account information obligations in Rule 4512 6. Coordinate with your AML program so identity collection and verification steps do not diverge across processes.

What evidence should I be ready to hand a FINRA examiner?

Maintain new account documents, KYC questionnaires, principal approvals, third-party authority documentation, and evidence of periodic updates or outreach attempts 6. Also retain your written supervisory procedures and QA testing results.

How do we prove “reasonable diligence” in a way that holds up in an exam?

Show system or procedural controls that prevent incomplete onboarding, require supervisory review, and create a traceable record of updates over time 1. Diligence is demonstrated through repeatable execution and retained artifacts, not narrative assurances.

Footnotes

  1. FINRA Rule 2090, 2012

  2. FINRA Rule 4512, 2012

  3. FINRA Rule 4512, 2012; Regulatory Notice 12-25, 2012

  4. FINRA Rule 2090, 2012; Regulatory Notice 12-25, 2012

  5. Regulatory Notice 12-25, 2012

  6. FINRA Rule 2090, 2012; FINRA Rule 4512, 2012

  7. customer/account

  8. FINRA Rule 4512, 2012; FINRA Rule 2090, 2012
