Know Your Customer — universally abbreviated KYC — is the legal and regulatory obligation of broker-dealers and other financial institutions to gather, verify, and maintain essential information about every customer whose account they open or maintain, forming the foundational compliance framework that connects account-opening identity verification with investment suitability determinations and anti-money laundering programme obligations.
KYC is not a single rule but an interlocking system of federal law, FinCEN regulation, and FINRA rules that together require firms to know who their customers are, understand their financial profiles, verify their identities, and monitor their accounts for suspicious activity throughout the entire duration of the relationship.
KYC obligations for broker-dealers arise from three distinct but interconnected regulatory layers, each addressing a different dimension of the firm's obligation to know its customers.
The first layer is FINRA Rule 2090, the Know Your Customer rule, which replaced NYSE Rule 405 as the governing KYC standard on July 9, 2012.
The full text of the rule states that every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know and retain the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer.
FINRA Rule 2090 Supplementary Material .01 defines essential facts as those required to effectively service the customer's account, act in accordance with any special handling instructions for the account, understand the authority of each person acting on behalf of the customer, and comply with applicable laws, regulations, and rules. The obligation commences at account opening and continues for the life of the customer relationship — it is not satisfied by collecting the information once at onboarding and never revisiting it.
The second layer is the Customer Identification Program requirement under Section 326 of the USA PATRIOT Act of 2001, Public Law 107-56, which requires all financial institutions to establish written CIP procedures governing how they verify the identity of persons seeking to open accounts.
The CIP requirement is implemented for broker-dealers through 31 CFR Part 1023, administered by the Financial Crimes Enforcement Network.
Tax identification data is formally captured during onboarding by collecting IRS Form W-9, which certifies a United States person's Taxpayer Identification Number, or the appropriate IRS Form W-8 series variant, which establishes a non-resident alien's foreign status and identity.
At minimum, the CIP must collect and verify four data elements for every individual customer: full legal name, date of birth, residential address, and a government-issued identification number — for United States citizens, a Social Security number; for non-citizens, a passport number, alien registration number, or other approved government identification.
The CIP must also include procedures for checking customer names against government-maintained lists of known or suspected terrorists, including the Office of Foreign Assets Control Specially Designated Nationals list.
The third layer is FinCEN's Customer Due Diligence Rule — the CDD Rule — published as a final rule in the Federal Register on May 11, 2016 and effective May 11, 2018, which amends Bank Secrecy Act regulations to clarify and strengthen customer due diligence requirements for covered financial institutions including banks, mutual funds, and broker-dealers in securities.
The CDD Rule added four core requirements: identifying and verifying the identity of customers; identifying and verifying the identity of beneficial owners of legal entity customers; understanding the nature and purpose of customer relationships in order to develop a risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
FINRA Rule 4512, Customer Account Information, works in conjunction with Rule 2090 to specify the information firms must collect and maintain. For each customer, the firm must gather the customer's name, tax identification number, address, telephone number, date of birth, employment status and employer, annual income, net worth, investment objectives, and whether the customer is an associated person of another member firm.
The investment profile information — income, net worth, investment objectives, investment experience, time horizon, liquidity needs, and risk tolerance — is essential not only for KYC compliance but as the foundation for suitability determinations under FINRA Rule 2111 and best interest evaluations under Regulation Best Interest.
Critically, the KYC obligation extends to understanding the authority of each person acting on behalf of the customer. If a third party has power of attorney over the account, or if the customer is a legal entity and an individual is authorised to transact on its behalf, the firm must identify and verify that person's authority and, under the CDD Rule, also identify the beneficial owners of legal entity customers.
The CDD Rule's most consequential addition to the KYC framework is the beneficial ownership requirement for legal entity customers — corporations, limited liability companies, partnerships, trusts, and other non-individual entities. When a legal entity opens an account, the broker-dealer must identify and verify the identity of each natural person who owns, directly or indirectly, twenty-five percent or more of the equity interests of the entity — the ownership prong — and one natural person who has significant responsibility to control, manage, or direct the legal entity — the control prong.
This dual-prong structure ensures that both the economic owners and the operational controller of any entity customer are identified and verified, preventing the use of shell companies and nominee arrangements to conceal the true identity of the persons benefiting from the account.
The beneficial ownership information is collected using a standardised certification form provided by FinCEN. Legal entity customers that are themselves publicly traded companies, regulated financial institutions, or government entities are generally exempt from the beneficial ownership requirement because their ownership is publicly disclosed through other regulatory mechanisms.
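The ownership prong turns on what "directly or indirectly" means once an entity customer is itself owned by other entities. The following is an added example, not code from the page, FinCEN, or any firm, that walks a constructed ownership graph and applies both prongs. Its one modelling assumption, stated in the code, is that an indirect stake is the product of the equity fractions along each chain of intermediate entities, summed across all chains, so a person whose interest is split across several paths is still captured once the total reaches twenty-five percent. The entities, people and percentages are all constructed sample data; the certification form and the exemptions for public companies, regulated institutions and government entities described above are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Ownership-prong threshold from the CDD Rule: 25 percent of equity interests.
OWNERSHIP_THRESHOLD = 0.25
EPSILON = 1e-9  # tolerance for floating-point sums of fractions


@dataclass
class Party:
    """A node in the ownership graph: either a natural person or a legal entity."""
    name: str
    is_natural_person: bool
    # Direct equity holders of this party: holder name -> fraction of equity (0.0 to 1.0).
    owners: Dict[str, float] = field(default_factory=dict)
    # Control prong: the natural person with significant responsibility to control,
    # manage or direct the entity. Only meaningful for legal entities.
    controller: Optional[str] = None


def validate_registry(registry: Dict[str, Party]) -> None:
    """Reject graphs whose stated equity fractions cannot be right."""
    for party in registry.values():
        for holder, share in party.owners.items():
            if holder not in registry:
                raise ValueError(f"{party.name}: unknown holder {holder!r}")
            if not 0.0 < share <= 1.0:
                raise ValueError(f"{party.name}: bad fraction {share} for {holder!r}")
        if sum(party.owners.values()) > 1.0 + EPSILON:
            raise ValueError(f"{party.name}: equity fractions exceed 100 percent")


def indirect_ownership(registry: Dict[str, Party], customer: str,
                       max_depth: int = 10) -> Dict[str, float]:
    """Total direct-plus-indirect stake of every natural person in `customer`.

    Assumption (not spelled out on the page): a stake held through intermediate
    entities equals the product of the fractions along the chain, and stakes
    reached through different chains are summed per person.
    """
    validate_registry(registry)
    totals: Dict[str, float] = {}

    def walk(entity: str, fraction: float, depth: int, path: Set[str]) -> None:
        if depth > max_depth:
            raise ValueError(f"ownership chain deeper than {max_depth} levels")
        for holder, share in registry[entity].owners.items():
            stake = fraction * share
            if registry[holder].is_natural_person:
                totals[holder] = totals.get(holder, 0.0) + stake
            elif holder in path:
                raise ValueError(f"circular ownership through {holder!r}")
            else:
                walk(holder, stake, depth + 1, path | {holder})

    walk(customer, 1.0, 0, {customer})
    return totals


def beneficial_owners(registry: Dict[str, Party], customer: str) -> Tuple[List[str], str]:
    """Apply both prongs: persons at or above the threshold, plus one controller."""
    stakes = indirect_ownership(registry, customer)
    owners = sorted(p for p, s in stakes.items() if s >= OWNERSHIP_THRESHOLD - EPSILON)
    controller = registry[customer].controller
    if controller is None or not registry[controller].is_natural_person:
        raise ValueError(f"{customer}: control prong needs one natural person")
    return owners, controller


def build_sample_registry() -> Dict[str, Party]:
    """Constructed sample data: Carol holds 20% directly and 20% via Beta Partners."""
    parties = [
        Party("Alice", True), Party("Carol", True), Party("Dan", True), Party("Erin", True),
        Party("Beta Partners LP", False, owners={"Dan": 0.60, "Carol": 0.40}),
        Party("Acme Holdings LLC", False,
              owners={"Alice": 0.30, "Beta Partners LP": 0.50, "Carol": 0.20},
              controller="Erin"),
    ]
    return {p.name: p for p in parties}


if __name__ == "__main__":
    reg = build_sample_registry()
    owners, controller = beneficial_owners(reg, "Acme Holdings LLC")
    print("ownership prong:", owners)      # Alice 30%, Carol 40%, Dan 30%
    print("control prong:", controller)    # Erin
```

In the constructed graph Carol's two stakes are each below the threshold on their own, so a check that looked only at direct holders or only at single chains would miss her; Erin is captured solely through the control prong because she holds no equity at all.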
Beyond the identity verification requirements of the CIP, the CDD framework requires broker-dealers to develop a customer risk profile based on the nature and purpose of the account relationship. A high-net-worth individual who plans to trade equities in a self-directed brokerage account presents a different risk profile than a foreign national operating through a complex ownership structure in a jurisdiction associated with elevated money laundering risk.
The risk profile drives the level of due diligence applied. Standard customer due diligence applies to the broad majority of customers presenting normal risk characteristics. Enhanced due diligence is required for customers presenting elevated risk. These include politically exposed persons, who hold or have held prominent public positions and whose accounts require heightened scrutiny under USA PATRIOT Act Section 312 requirements for foreign correspondent and private banking accounts, and customers in jurisdictions identified as high-risk by FinCEN or the Financial Action Task Force.
Enhanced due diligence under Section 312 of the USA PATRIOT Act requires broker-dealers to apply additional scrutiny to correspondent accounts maintained for foreign banks and to private banking accounts for non-United States persons with deposits of one million dollars or more, including reasonable measures to ascertain the identity of the nominal and beneficial owners of those accounts.
A frequent misconception is that KYC is a one-time event completed when the account is opened. The CDD Rule and FINRA Rule 2090 both make clear that KYC is a continuous obligation throughout the customer relationship. Ongoing monitoring encompasses two dimensions.
The first is transaction monitoring — reviewing customer account activity for transactions that are inconsistent with the customer's known profile, potentially indicative of money laundering, terrorist financing, or other financial crimes. Transactions that appear unusual or suspicious must be reported to FinCEN on a Suspicious Activity Report under the Bank Secrecy Act and 31 CFR Part 1023. The SAR filing obligation is separate from and in addition to the Currency Transaction Report filing requirement for cash transactions exceeding ten thousand dollars.
The second is customer information maintenance — periodically updating the customer profile to reflect material changes in the customer's financial situation, investment objectives, or circumstances. A customer who initially reported conservative investment objectives but subsequently demands highly speculative transactions presents a profile inconsistency that the firm must investigate, update in its records, and consider in the context of both KYC and suitability obligations.
FINRA Rule 2090 and FINRA Rule 2111 operate sequentially. Rule 2090 is the prerequisite — it requires the firm to know who the customer is and what their financial profile looks like. Rule 2111 is the application — it requires the firm to use that information to assess whether any investment recommendation is suitable for that specific customer.
A firm that complies with Rule 2090 by collecting a complete customer profile can still violate Rule 2111 by recommending unsuitable investments. A firm that violates Rule 2090 by failing to collect adequate customer information almost certainly cannot satisfy Rule 2111, because it lacks the foundational information needed to conduct a genuine suitability analysis. KYC and suitability are therefore not alternative obligations but sequential ones — know the customer first, then assess whether the recommendation serves that specific customer's profile.
Regulation Best Interest, effective June 30, 2020, extended this framework further for retail customers by requiring broker-dealers to act in the customer's best interest when making a recommendation, going beyond the reasonable basis of the suitability standard and requiring affirmative consideration of the customer's specific circumstances, needs, and financial interests. The care obligation under Regulation Best Interest — codified at 17 CFR 240.15l-1(a)(2)(ii) — requires the broker to exercise reasonable diligence, care, and skill in making the recommendation, which is impossible without a solid KYC foundation.
Failure to maintain adequate KYC programmes exposes broker-dealers to enforcement action by FINRA, the SEC, and FinCEN simultaneously, and in the most serious cases criminal prosecution by the Department of Justice under the Bank Secrecy Act.
FINRA enforcement for KYC failures typically results in fines, censures, and in severe cases suspensions or bars. FinCEN civil penalties for BSA violations can be substantial — up to the greater of the amount involved in the transaction or one million dollars per violation under 31 U.S.C. 5321 for wilful violations. Criminal penalties under 31 U.S.C. 5322 for wilful violations carry up to ten years imprisonment and fines. Whistleblowers who report FinCEN violations may receive awards between ten and thirty percent of sanctions exceeding one million dollars under FinCEN's whistleblower programme.
KYC is tested on the SIE and every subsequent securities licensing examination as a core regulatory compliance concept appearing in the context of account opening, AML, suitability, and customer information maintenance.
The key points to retain are these.
KYC is the obligation of broker-dealers to know and retain essential facts about every customer, governed by FINRA Rule 2090, which requires reasonable diligence at account opening and throughout the maintenance of every account. The four purposes of essential facts under Rule 2090 Supplementary Material .01 are to effectively service the account, follow special handling instructions, understand the authority of persons acting on behalf of the customer, and comply with applicable laws and rules.
The Customer Identification Program under USA PATRIOT Act Section 326 and 31 CFR Part 1023 requires collection and verification of name, date of birth, address, and government-issued identification number for every customer, plus screening against OFAC and other government lists. The FinCEN CDD Rule effective May 11, 2018 added beneficial ownership requirements — identifying natural persons owning twenty-five percent or more of legal entity customers and one controlling person — plus ongoing monitoring for suspicious transactions and customer information updates. KYC is the prerequisite for suitability under FINRA Rule 2111 and best interest under Regulation Best Interest — the customer profile gathered through KYC is the foundation for every recommendation. Non-compliance exposes firms to FINRA fines, SEC enforcement, FinCEN civil penalties up to one million dollars per wilful violation, and criminal penalties of up to ten years imprisonment under 31 U.S.C. 5322.