Know Your Customer Obligation

FINRA’s Know Your Customer (KYC) obligation requires your broker-dealer to use reasonable diligence to know and retain the essential facts about every customer at account opening and throughout the account relationship. Operationally, you must define what “essential facts” means for your products, collect and validate those facts, keep them current, and retain evidence that supervision worked. (FINRA Rule 2090)

Key takeaways:

  • KYC is an ongoing obligation tied to both account opening and account maintenance, not a one-time form. (FINRA Rule 2090)
  • “Essential facts” must be defined in your procedures and mapped to what your firm sells and services, because KYC feeds suitability. (FINRA Rule 2090) (FINRA Rule 2111)
  • Exams focus on evidence: completeness, timeliness, updates after material changes, and supervisory controls that catch bad or stale profiles. (FINRA Rule 2090) (FINRA Rule 2111) (Regulatory Notice 12-25)

The Know Your Customer obligation is easy to describe and easy to fail in practice. FINRA Rule 2090 is short, but it drives a large set of operational decisions: what data you must collect, how you validate it, when you refresh it, and how you prove you did all of that with reasonable diligence. (FINRA Rule 2090)

For a CCO or GRC lead, the fastest path to operationalizing Rule 2090 is to treat it as a control system, not a checklist. You need (1) a firm definition of “essential facts,” (2) intake workflows that prevent accounts from being opened with missing or conflicting information, (3) a maintenance program that triggers updates when facts change, and (4) supervision and surveillance that detect mismatches between stated customer profiles and activity patterns. This work connects directly to suitability obligations under FINRA Rule 2111, because suitability analysis depends on the accuracy and currency of the customer’s investment profile. (FINRA Rule 2111)

The guidance below focuses on what to build, how to run it, and what evidence to retain so you can answer exam questions quickly and consistently.

Regulatory text

Text (excerpt): “Every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know and retain the essential facts concerning every customer.” (FINRA Rule 2090)

Operator interpretation (what this means for you):

  • “Reasonable diligence” means you need documented procedures and controls that are appropriate for your business model, products, and channels, and that operate consistently. Rule 2090 does not prescribe a single method, so your implementation must be defensible and evidenced. (FINRA Rule 2090)
  • “Opening and maintenance” makes KYC an ongoing obligation. Your program must include refresh/updates and not rely only on initial onboarding. (FINRA Rule 2090)
  • “Know and retain essential facts” means you must both collect/confirm facts and keep records that show what you knew, when you knew it, and how you handled gaps or conflicts. (FINRA Rule 2090)

Plain-English requirement

You must gather enough accurate customer information to service the account appropriately, evaluate recommendations and trading behavior against the customer’s profile, and support supervision. Then you must keep that information current when there are material changes. (FINRA Rule 2090) (FINRA Rule 2111)

Who it applies to (entity and operational context)

  • Primary scope: FINRA member broker-dealers and their associated persons involved in account opening, customer updates, recommendations, and supervision. (FINRA Rule 2090)
  • Operational contexts where KYC breaks most often:
    • Digital onboarding and self-directed accounts with minimal representative interaction.
    • Complex products or active trading strategies where stale profiles distort suitability and surveillance. (FINRA Rule 2111) (Regulatory Notice 12-25)
    • Introducing/clearing arrangements where responsibilities for data capture vs. retention can be unclear; your WSPs must still specify what your firm does and how it is supervised. (FINRA Rule 2090)

How KYC connects to suitability (why exams care)

Rule 2090 is a prerequisite for a working suitability program because the suitability analysis depends on the customer’s investment profile and essential facts. If the profile is incomplete, inconsistent, or stale, your ability to demonstrate compliance with FINRA Rule 2111 degrades quickly. (FINRA Rule 2111)

For quantitative suitability risks (pattern/frequency of transactions), FINRA has highlighted the need to understand the customer’s situation and objectives when evaluating trading activity. (Regulatory Notice 12-25)

What you actually need to do (step-by-step)

Step 1: Define “essential facts” for your firm (policy + data dictionary)

Create a written definition of essential facts tailored to your offerings and services. The rule text does not enumerate fields, so your procedures must, and in practice firms commonly include at least these categories:

  • Identity and basic CIP-like facts (e.g., name, address, date of birth, government ID)
  • Financial background (e.g., income, net worth, source of wealth)
  • Investment profile (e.g., objectives, risk tolerance, time horizon)
  • Employment status (including potential conflicts)

Whatever categories you choose, document why each one is needed to service the account, evaluate recommendations, and supervise activity, so the definition can be defended as reasonable diligence under Rule 2090. (FINRA Rule 2090)

Operational output: a KYC data dictionary (field, definition, required/conditional, acceptable values, verification method, system of record, and retention location).

Step 2: Build intake controls that prevent “open with blanks”

Implement controls so accounts do not progress to “approved/open” if required KYC fields are missing, internally inconsistent, or not plausibly aligned to the requested products and permissions.

  • Hard stops: missing identity or investment profile fields relevant to your services. (FINRA Rule 2090)
  • Soft stops with escalation: unusual entries (e.g., high-risk tolerance with low knowledge/experience) routed to principal review as part of supervision. (FINRA Rule 2090) (FINRA Rule 2111)

Example: If options approval is requested, require options-relevant facts (experience, objectives, risk tolerance) and document the reviewer decision path. This is KYC supporting suitability. (FINRA Rule 2111)

Step 3: Validate and resolve conflicts (reasonable diligence playbook)

Document how you corroborate customer-provided facts and how you resolve discrepancies.

  • Define acceptable verification methods by channel (rep-assisted vs. digital). (FINRA Rule 2090)
  • Require a discrepancy workflow: what triggers follow-up, who owns outreach, acceptable outcomes (update, restrict, or close), and required notes. (FINRA Rule 2090)

Evidence tip: Examiners often accept risk-based methods, but they expect to see consistency and documentation showing follow-up occurred.

Step 4: Establish “maintenance” triggers and refresh workflow

Since Rule 2090 applies to account maintenance, set specific operational triggers that force review and updating of essential facts:

  • Customer-initiated updates (address, employment, objectives).
  • Material changes you learn through interactions (new job, liquidity event, retirement).
  • Product/permission changes (adding margin/options, increasing risk features).
  • Surveillance flags that suggest the profile may be inaccurate (pattern inconsistent with objectives). (FINRA Rule 2090) (FINRA Rule 2111) (Regulatory Notice 12-25)

Control design: Implement a KYC refresh case in your CRM/workflow tool with required fields, reviewer sign-off, and timestamps.

Step 5: Supervisory review and testing

Add supervisory controls that verify KYC completeness and quality:

  • Principal review for accounts with higher risk features or inconsistent profiles. (FINRA Rule 2090)
  • Supervisory sampling of newly opened accounts for completeness and adequacy of notes.
  • Exception reporting for stale profiles, missing fields, or conflicting entries. (FINRA Rule 2090)

Tie your testing to suitability exposure: accounts with frequent trading, complex products, or elevated permissions get more scrutiny because KYC gaps create downstream suitability failures. (FINRA Rule 2111) (Regulatory Notice 12-25)

Step 6: Record retention (retain essential facts and the “why”)

Rule 2090 requires you to retain essential facts. Retain both the data and the audit trail:

  • Who entered/changed fields and when.
  • What documents or attestations were provided.
  • Notes and approvals for exceptions or escalations. (FINRA Rule 2090)

A common gap is storing the final profile but not the decision trail that explains how conflicts were resolved.
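
The gating, escalation, refresh and audit-trail mechanics described in Steps 2 through 6 can be expressed as a small control program. The following is an added illustrative example in Python; it is not FINRA text and not any firm's or vendor's production logic. The field names, the required/conditional field matrix, the soft-stop rules and thresholds (for example the one-year options experience cutoff and the 365-day refresh age), and the sample customer profile are all assumptions chosen for illustration, not values the rule prescribes.

```python
"""Added illustrative example: a data-dictionary-driven KYC intake gate with
hard stops, soft stops routed to principal review, an append-only audit trail,
and a stale-profile exception report. Field names, thresholds and the sample
profile are assumptions for illustration, not requirements of Rule 2090."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical required/conditional field matrix from a KYC data dictionary:
# field -> permissions that make it required ("BASE" = every account).
REQUIRED_FIELDS = {
    "name": {"BASE"}, "address": {"BASE"}, "date_of_birth": {"BASE"},
    "investment_objective": {"BASE"}, "risk_tolerance": {"BASE"},
    "time_horizon": {"BASE"}, "annual_income": {"BASE"}, "net_worth": {"BASE"},
    "options_experience_years": {"options"},   # conditional on options approval
    "margin_acknowledged": {"margin"},         # conditional on margin approval
}


@dataclass
class AuditEntry:
    when: date
    actor: str
    field_name: str
    old: object
    new: object
    reason: str          # the "why" examiners ask for, kept with the change


@dataclass
class KycRecord:
    account_id: str
    profile: dict
    permissions: set
    last_reviewed: date
    history: list = field(default_factory=list)

    def update(self, field_name, new, actor, reason, when):
        """Append the change to the trail before applying it; never overwrite silently."""
        self.history.append(AuditEntry(when, actor, field_name,
                                       self.profile.get(field_name), new, reason))
        self.profile[field_name] = new
        self.last_reviewed = when


@dataclass
class Decision:
    status: str        # "blocked" (hard stop), "escalate" (soft stop), "open"
    hard_stops: list
    soft_stops: list


def evaluate_intake(rec):
    """Hard stop on any missing required field; soft stop on plausible-but-
    inconsistent combinations that a principal must sign off on."""
    needed = {"BASE", *rec.permissions}
    p = rec.profile
    hard = [f"missing required field: {f}" for f, reqs in REQUIRED_FIELDS.items()
            if reqs & needed and p.get(f) in (None, "")]
    soft = []
    if p.get("risk_tolerance") == "high" and p.get("investment_objective") == "capital_preservation":
        soft.append("high risk tolerance conflicts with capital preservation objective")
    if "options" in rec.permissions and (p.get("options_experience_years") or 0) < 1:
        soft.append("options approval requested with under 1 year of experience")  # assumed threshold
    if "margin" in rec.permissions and p.get("time_horizon") == "short":
        soft.append("margin requested with short time horizon")
    status = "blocked" if hard else "escalate" if soft else "open"
    return Decision(status, hard, soft)


def stale_profile_report(records, as_of, max_age_days=365, surveillance_flags=()):
    """Exception report feeding the refresh workflow: profiles past the assumed
    refresh age or carrying a surveillance flag for a pattern/profile mismatch."""
    return sorted(r.account_id for r in records
                  if (as_of - r.last_reviewed).days > max_age_days
                  or r.account_id in surveillance_flags)


# Constructed sample profile (fictional customer) requesting options approval.
SAMPLE_PROFILE = {
    "name": "Ana Example", "address": "1 Sample St", "date_of_birth": "1980-05-04",
    "investment_objective": "growth", "risk_tolerance": "high", "time_horizon": "long",
    "annual_income": 90_000, "net_worth": 250_000,
}


def demo():
    """Walk one account through blocked -> escalated -> open, then run the staleness report."""
    rec = KycRecord("A-1001", dict(SAMPLE_PROFILE), {"options"}, date(2024, 1, 10))
    statuses = [evaluate_intake(rec).status]                      # blocked: experience field missing
    rec.update("options_experience_years", 0, "rep-77", "customer stated on call", date(2024, 1, 11))
    statuses.append(evaluate_intake(rec).status)                  # escalate: 0 years, principal review
    rec.update("options_experience_years", 3, "rep-77", "prior statements reviewed", date(2024, 1, 12))
    statuses.append(evaluate_intake(rec).status)                  # open
    stale = stale_profile_report([rec], date(2025, 6, 1))          # more than 365 days since last review
    flagged = stale_profile_report([rec], date(2024, 6, 1), surveillance_flags={"A-1001"})
    return rec, statuses, stale, flagged


if __name__ == "__main__":
    rec, statuses, stale, flagged = demo()
    print(statuses, stale, flagged)
    for e in rec.history:
        print(e.when, e.actor, e.field_name, e.old, "->", e.new, "|", e.reason)
```

The point of the structure is that the required-field matrix is the data dictionary from Step 1 expressed as data, not hard-coded per screen; the hard/soft split is the Step 2 control; `update` never overwrites a fact without recording who, when, the prior value and the reason (Step 6); and the exception report is driven by both elapsed time and surveillance flags, which is the Step 4 and Step 5 linkage. In a real deployment the profile, permissions and history would live in the system of record rather than in memory.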

Required evidence and artifacts to retain (audit-ready list)

Maintain an evidence set that maps directly to “opening” and “maintenance.” (FINRA Rule 2090)

Core artifacts

  • KYC policy/WSP section covering essential facts, reasonable diligence methods, and maintenance triggers. (FINRA Rule 2090)
  • KYC data dictionary and required/conditional field matrix by product/channel. (FINRA Rule 2090)
  • Account opening checklists or system-enforced workflow screenshots/logic (hard stops/soft stops). (FINRA Rule 2090)
  • Sampled account files showing essential facts captured, timestamps, and approvals. (FINRA Rule 2090)
  • Discrepancy management tickets (case notes, outreach, outcomes). (FINRA Rule 2090)
  • KYC refresh/change logs and documentation of material change handling. (FINRA Rule 2090)
  • Supervisory review evidence (queues, sign-offs, exception reports). (FINRA Rule 2090)
  • Linkage evidence showing KYC feeds suitability process and surveillance rules. (FINRA Rule 2111) (Regulatory Notice 12-25)

Practical control recommendation

  • Maintain documented evidence of compliance with the Know Your Customer obligation, organized by onboarding, maintenance, and supervision so you can produce it quickly during exams. (FINRA Rule 2090)

Daydream can help by structuring this evidence as a requirement-to-artifact map so your team can pull a complete exam package without reconstructing history from multiple systems.

Common exam/audit questions and hangups

Expect questions framed around “show me” requests:

  • Show your written definition of “essential facts” and how it varies by product/channel. (FINRA Rule 2090)
  • Show how your process prevents account opening with missing or inconsistent information. (FINRA Rule 2090)
  • Show evidence you update essential facts after material changes and how you detect those changes. (FINRA Rule 2090)
  • Show how KYC data feeds suitability determinations and supervision for trading activity. (FINRA Rule 2111) (Regulatory Notice 12-25)
  • Show exception handling: what happens when a customer refuses to provide information or provides conflicting information. (FINRA Rule 2090)

Hangups that slow responses:

  • Data lives in multiple systems with no single “system of record.”
  • You can produce the profile, but not the workflow trail (who approved, why approved, what was reviewed).

Frequent implementation mistakes (and how to avoid them)

  1. Treating KYC as a one-time onboarding form
    Fix: implement maintenance triggers and a refresh workflow with supervision and timestamps. (FINRA Rule 2090)

  2. Collecting data you don’t supervise against
    Fix: align KYC fields to the surveillance and suitability checks you actually run under FINRA Rule 2111; remove vanity fields or define how they are used. (FINRA Rule 2111)

  3. No documented definition of “essential facts”
    Fix: publish a data dictionary and required/conditional rules by product, permissions, and channel. (FINRA Rule 2090)

  4. Exception handling is informal (rep notes in email, undocumented phone calls)
    Fix: require a case/ticket for discrepancies and refusals, with standardized outcomes and required approvals. (FINRA Rule 2090)

  5. Stale profiles for active traders
    Fix: connect KYC refresh to surveillance flags related to trading activity, including patterns relevant to quantitative suitability considerations. (FINRA Rule 2111) (Regulatory Notice 12-25)

Enforcement context and risk implications

No public enforcement cases were provided in the supplied sources for this page, so this section is limited to rule-based risk context. KYC failures under Rule 2090 tend to cascade into suitability failures under FINRA Rule 2111 because recommendations and supervision rely on accurate customer facts. For active trading concerns, FINRA’s discussion of quantitative suitability highlights why a weak understanding of the customer profile increases regulatory exposure when activity appears inconsistent with the customer’s stated situation and objectives. (FINRA Rule 2111) (Regulatory Notice 12-25)

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Publish a firm definition of “essential facts” and a KYC data dictionary. (FINRA Rule 2090)
  • Map KYC fields to products, permissions, and channels; identify where you have missing collection points. (FINRA Rule 2090)
  • Inventory systems of record and decide where the authoritative profile lives. (FINRA Rule 2090)
  • Draft discrepancy and refusal handling procedures with required documentation. (FINRA Rule 2090)

Days 31–60 (build controls and supervision)

  • Implement hard/soft stops in onboarding workflows for required fields and contradictions. (FINRA Rule 2090)
  • Stand up a KYC refresh workflow with defined triggers and reviewer sign-offs. (FINRA Rule 2090)
  • Update supervisory procedures to include sampling and exception reporting for KYC completeness and staleness. (FINRA Rule 2090)
  • Ensure KYC feeds suitability workflows and review points under FINRA Rule 2111. (FINRA Rule 2111)

Days 61–90 (test, evidence, and tune)

  • Run a targeted QA review of account files to confirm essential facts are captured and retained with audit trails. (FINRA Rule 2090)
  • Tune surveillance/escalations for patterns that suggest profile mismatch, aligned to suitability expectations and quantitative suitability considerations. (FINRA Rule 2111) (Regulatory Notice 12-25)
  • Package evidence: procedures, data dictionary, workflow controls, samples, and supervisory reports into an exam-ready binder format. (FINRA Rule 2090)

Frequently Asked Questions

Does FINRA Rule 2090 require KYC updates after the account is opened?

Yes. The rule explicitly covers both the opening and maintenance of every account, so you need a process to update essential facts when material changes occur. (FINRA Rule 2090)

What counts as “essential facts” for KYC?

The rule does not list fields, so your procedures must define essential facts based on your business and what you offer. In practice, firms commonly include identity, financial background, investment profile, and employment status as part of meeting the reasonable diligence standard. (FINRA Rule 2090)

How does KYC relate to suitability reviews?

Suitability depends on the customer’s investment profile and other essential facts. If those facts are missing or stale, suitability determinations and supervision become difficult to defend under exam. (FINRA Rule 2111)

What evidence should we retain to prove “reasonable diligence”?

Keep the customer profile data plus the workflow trail: timestamps, approvals, discrepancy follow-up, and refresh history. Examiners typically want to see both the “what” (facts) and the “how/why” (controls and decisions). (FINRA Rule 2090)

How should we handle a customer who refuses to provide KYC information?

Your procedures should define escalation, permissible account limitations, and required documentation when essential facts are missing. The key is consistent handling and retention of notes showing your follow-up and decisioning. (FINRA Rule 2090)

Do self-directed accounts still need KYC?

Rule 2090 applies to the opening and maintenance of every account. Even in self-directed channels, you still need essential facts, a way to keep them current, and supervision controls that address the risks of stale or inaccurate profiles. (FINRA Rule 2090)

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.