- FINRA Rule 2090 (Know Your Customer) and Rule 2111 (Suitability) were introduced into the Consolidated FINRA Rulebook in July 2012, setting clear expectations for firms.
- Firms must develop a deep understanding of their customers, not just during the initial account opening process but throughout the entire life cycle of the relationship.
- To ensure ongoing suitability, broker-dealers are required to update customer information at least every 36 months, as referenced in Rule 2090.
Documentation has a funny way of feeling excessive until the moment you need it.
Take marriage licenses. They seem like just another piece of paper – until someone questions the relationship’s legitimacy. Then suddenly, that official record becomes the clearest evidence of what’s real.
FINRA Rule 2090 works much the same way. You’ll feel it’s excessive until regulators come knocking.
Well, there’s actually a lot to discuss, so let’s not drag this out. If you have the next 7 minutes, here’s a complete guide covering all you need to know.
Let’s dive in.
Summary of FINRA Rule 2090
FINRA Rule 2090, commonly known as the “Know Your Customer” rule, requires financial firms to exercise “reasonable diligence” when onboarding or retaining any customers. It’s specifically created to protect anyone who opens an account with a broker-dealer, regardless of whether they’re a small individual investor or a large institution.
The exact official text is as follows:
“Every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer.”
Simply put, Rule 2090 establishes that member firms must know who their customers are – not just at account opening but throughout the entire relationship. This means gathering, verifying, and maintaining information about:
- The customer’s true identity
- Their financial circumstances and investment goals
- Anyone authorized to act on the account
- Special handling instructions or restrictions
- Other relevant details that affect account servicing
Who needs to stay compliant with FINRA 2090
Every FINRA member firm handling securities transactions needs to stay compliant with Rule 2090. Full stop. If you’re operating as a broker-dealer in the U.S. markets, this rule applies to you.
FINRA members are broker-dealers registered with the Securities and Exchange Commission (SEC) and are required to join FINRA. These firms buy, sell, or trade securities – and if your firm needs a Central Registration Depository (CRD) number to operate, you’re definitely a FINRA member.
Compliance with this Know Your Customer rule runs deeper than most firms initially realize.
Category | Description | Who’s Included
--- | --- | ---
Primary Member Firms | Direct FINRA members registered with the SEC, holding CRD numbers and handling securities transactions. |
Market Service Providers | Entities providing critical market functions to member firms or their customers. |
Front-Line Personnel | Staff directly handling or influencing customer accounts. |
Control Functions | Teams overseeing compliance and risk. |

Note that the list above is not exhaustive.
Unfortunately, firms can’t simply delegate this responsibility through clearing arrangements or third-party services. While outsourcing the process remains possible, the regulatory accountability stays firmly with the member firm.
Essential Requirements for Rule 2090 Compliance
The rule sets out four primary areas that firms must address to maintain compliance.
1. Identity and Account Type Verification
When dealing with broker-dealers, “customers” come in two main types:
- Individual investors (like regular people investing their money)
- Institutional investors (like banks, investment companies, insurance companies, etc.)
The rule requires firms to understand essential facts about both types of customers. For individual investors, this means knowing things like their financial goals, risk tolerance, and who can make decisions on their account.
For institutional customers, it means understanding who has trading authority, what their investment policies are, and any special handling requirements they might have.
2. Authority Management
The rule explicitly requires firms to “know the authority of each person acting on behalf of such customer.” This means maintaining current records of who can place trades, move money, or make account changes.
For institutional accounts, firms must track authority chains showing delegation paths and maintain evidence of authorization testing.
3. Account Monitoring Systems
Firms need systematic monitoring that flags activity outside established parameters. This includes tracking trading patterns against stated objectives, monitoring authority limits, and identifying changes that require profile updates. The key requirement here focuses on real-time monitoring rather than periodic reviews.
Moreover, this obligation continues as long as you maintain the customer relationship. When circumstances change (and they always do), you need to stay on top of those changes.
For example, if a customer suddenly starts making trades that don’t match their established pattern, wouldn’t you want to understand why? That’s precisely what Rule 2090 is pushing firms to consider. You need to trigger Enhanced Due Diligence and may even report the incident.
4. Special Handling Requirements
When customers need specific account handling – whether for tax purposes, trading restrictions, or risk management – firms must document and systematically enforce these requirements. The rule explicitly calls out maintaining these instructions as part of the “essential facts”.
Relationship Between Rule 2090 and Other FINRA Requirements
FINRA Rule 2090’s KYC obligations don’t operate in isolation. These requirements interweave with other FINRA rules to create a comprehensive customer protection framework.
- FINRA Rule 2111 (Suitability): While 2090 establishes what you must know about customers, 2111 dictates how to use that knowledge. Information collected under 2090 directly feeds into three suitability obligations – reasonable basis, customer-specific, and quantitative suitability determinations.
- FINRA Rule 3110 (Supervision): Requires firms to establish supervisory systems monitoring 2090 compliance. The information gathered through KYC processes must integrate into daily supervision of account activity, trading patterns, and customer interactions.
- FINRA Rule 4512 (Customer Account Information): Works hand-in-hand with 2090. While 2090 defines what information firms need to know, 4512 specifies how to record and maintain that information. Think of it as 2090 providing the “what” and 4512 providing the “how” of customer documentation.
- FINRA Rule 3310 (AML Compliance): Uses 2090’s customer information as a foundation for suspicious activity monitoring. KYC documentation helps establish regular patterns of activity, making it easier to spot potential money laundering red flags.
Apart from what we listed above, other requirements that are linked to Rule 2090 include FINRA Rule 2020 (Fair Dealing) and FINRA Rule 2165 (Financial Exploitation).
Best Practices for Rule 2090 Compliance
Collecting data, keeping records, and similar tasks are baseline requirements, so let’s not label them as best practices.
With that in mind, here are some best practices worth noting:
- Set up automated customer profile consistency checks: Create systems that flag discrepancies between stated investment objectives and actual trading patterns. For example, if a customer’s profile indicates conservative investments but shows frequent options trading, trigger automatic reviews.
- Use monitoring and alert systems: Establish automated systems to track customer activity patterns and flag unusual behaviors that might require additional due diligence or updated customer information.
- Implement dual verification for customer authority levels: For business accounts, verify both the entity’s trading authority and the individual representative’s authorization levels. Document corporate resolutions and authorization limits within your compliance system.
- Create clear escalation procedures for potential issues: Develop straightforward protocols for handling red flags, customer information discrepancies, or potential compliance violations.
- Develop risk-based customer assessment frameworks: Create systems to evaluate customer risk levels based on factors like investment patterns, financial capability, and transaction history. This helps tailor the monitoring intensity and review frequency.
- Establish detailed procedures for trusted contact persons: Beyond basic contact information, maintain verification procedures for trusted contacts, including regular verification of their continued authority and relationship with the customer.
- Implement tiered review schedules based on customer activity: Set up different review frequencies based on trading patterns, account size, and complexity. High-activity or complex accounts might need quarterly reviews, while more straightforward accounts might need annual reviews.
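As an added illustration of the automated consistency, authority, and refresh checks described in the bullets above (example code written for this post, not Signzy’s or FINRA’s; the thresholds, field names, and sample records are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical thresholds chosen for this example, not values taken from FINRA Rule 2090.
OPTIONS_TRADES_PER_MONTH_LIMIT = 3     # "frequent" options trading for a conservative profile
PROFILE_REFRESH_MONTHS = 36            # update cadence cited in the post

@dataclass
class CustomerProfile:
    account_id: str
    objective: str            # e.g. "conservative", "growth", "speculation"
    authorized_persons: set   # names on record as allowed to place trades
    last_profile_update: date

@dataclass
class Trade:
    account_id: str
    trade_date: date
    product: str              # "equity", "option", "bond", ...
    placed_by: str

def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def review_account(profile: CustomerProfile, trades: list, as_of: date) -> list:
    """Return review flags for one account; an empty list means nothing to escalate."""
    flags = []
    own = [t for t in trades if t.account_id == profile.account_id]
    # 1. Profile consistency: conservative objective vs. frequent options activity (last 30 days)
    recent = [t for t in own if (as_of - t.trade_date).days <= 30]
    options = sum(1 for t in recent if t.product == "option")
    if profile.objective == "conservative" and options > OPTIONS_TRADES_PER_MONTH_LIMIT:
        flags.append(f"objective mismatch: {options} options trades in 30 days on a conservative profile")
    # 2. Authority check: every instruction must come from a person on record for the account
    for t in own:
        if t.placed_by not in profile.authorized_persons:
            flags.append(f"unauthorized instruction: {t.placed_by} on {t.trade_date}")
    # 3. Staleness: profile not refreshed within the review cycle
    if months_between(profile.last_profile_update, as_of) >= PROFILE_REFRESH_MONTHS:
        flags.append("profile refresh overdue")
    return flags

# Constructed sample data (not real accounts or people)
PROFILE = CustomerProfile("ACC-001", "conservative", {"J. Doe"}, date(2021, 1, 15))
TRADES = [
    Trade("ACC-001", date(2024, 3, 2), "option", "J. Doe"),
    Trade("ACC-001", date(2024, 3, 9), "option", "J. Doe"),
    Trade("ACC-001", date(2024, 3, 16), "option", "J. Doe"),
    Trade("ACC-001", date(2024, 3, 23), "option", "R. Roe"),
]
```

Running `review_account(PROFILE, TRADES, date(2024, 3, 31))` on the sample data returns three flags: the objective mismatch, the instruction from the unlisted person, and the overdue profile refresh.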
Fortunately, most of these practices can be efficiently managed through online verification solutions, particularly API-driven platforms that offer scalability and consistent accuracy. As verification needs grow, APIs can adapt without requiring major system overhauls.
Signzy offers an all-in-one platform with a range of APIs that can help you with ID verification, KYC, PEP, and more. This can streamline your compliance workload without developing infrastructure from scratch.
FAQs
Does Rule 2090 apply to institutional accounts differently than retail accounts?
The core KYC requirements remain the same, but verification methods and documentation standards can be tailored to institutional relationships. Authority verification becomes especially crucial for institutional accounts.
What qualifies as "reasonable diligence" under Rule 2090?
Reasonable diligence means taking practical steps to verify customer information through reliable sources. This includes validating documents, cross-checking information, and maintaining clear verification records.
What happens if a customer refuses to provide updated information?
Firms must document attempts to obtain information and assess whether they can continue servicing the account without violating regulatory obligations. Restriction or closure may be necessary.
How should firms handle authority changes for business accounts?
Firms must promptly verify and document any changes in authorized personnel through official corporate documents, maintain updated authority matrices, and ensure trading systems reflect current permissions.