FINRA Rule 2090: Know Your Customer Requirements [2026 Guide]
- FINRA Rule 2090 requires broker-dealers to use reasonable diligence in learning and maintaining essential facts about every customer, including identity, authorization structures, and special handling requirements.
- Firms must establish systematic monitoring to track trading patterns, update customer profiles at appropriate intervals, detect red flags, and maintain accurate records.
- Signzy's identity verification and transaction monitoring platforms automate Rule 2090 compliance with AI-powered document authentication across 200+ ID types.
Documentation has a funny way of feeling excessive until the moment you need it.
Take marriage licenses. They seem like just another piece of paper – until someone questions the relationship’s legitimacy. Then suddenly, that official record becomes the clearest evidence of what’s real.
FINRA Rule 2090 works much the same way. You’ll feel it’s excessive until regulators come knocking.
There’s a lot to cover, so let’s not drag this out. If you have the next 7 minutes, here’s a complete guide covering everything you need to know.
Let’s dive in.
What is FINRA Rule 2090?
FINRA Rule 2090 is a "Know Your Customer" requirement that obligates broker-dealers to use "reasonable diligence” in learning essential facts about each customer before doing business.
The rule’s text reads:
“Every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer.”
It’s specifically created to protect anyone who opens an account with a broker-dealer, regardless of whether they’re a small individual investor or a large institution.
Who needs to stay compliant with FINRA 2090?
Every FINRA member firm handling securities transactions needs to stay compliant with Rule 2090. Basically, if you’re operating as a broker-dealer in the U.S. markets, this rule applies to you.
Did you know?
FINRA members are broker-dealers registered with the Securities and Exchange Commission (SEC); with narrow exceptions, every SEC-registered broker-dealer must join FINRA. These firms buy, sell, or trade securities, and if your firm needs a Central Registration Depository (CRD) number to operate, you're almost certainly a FINRA member.
Apart from broker-dealer firms, this Know Your Customer rule also applies to:
- Registered representatives: Individual brokers and financial advisors operating under a broker-dealer's license who interact with customers or execute trades are directly responsible for KYC compliance.
- Associated persons: Anyone employed by or affiliated with a member firm who is involved in the securities business, including supervisors, compliance officers, and branch managers overseeing customer accounts.
- Principals and supervisory personnel: Those responsible for establishing, maintaining, and enforcing the firm's KYC procedures, ensuring that due diligence processes meet a reasonable standard.
Unfortunately, firms can’t simply delegate this responsibility through clearing arrangements or third-party services. While outsourcing the process remains possible, the regulatory accountability stays firmly with the member firm.
How to comply with FINRA Rule 2090? ‘The KYC Rule’ obligations explored
FINRA Rule 2090 requires firms to handle four main areas: verifying customer identity, managing account authority, maintaining updated information, and following special instructions.

#1. Identity and account type verification
Firms must gather and verify essential facts about every customer before conducting business. The scope of information required differs based on customer type and the nature of the business relationship.
- Individual investors: Firms must verify identity (name, address, tax identification) and establish who holds decision-making authority over the account. This includes determining whether the customer acts alone or if others have authorization to trade, transfer funds, or modify account settings.
- Institutional customers: For entities like banks, investment companies, insurance firms, and pension funds, firms must understand organizational structure, identify who has trading authority within the institution, and document investment policies or restrictions governing the account.
Identity verification also has to satisfy overlapping requirements, most notably the Customer Identification Program (CIP) rules that apply to broker-dealers under the Bank Secrecy Act, so the same evidence collected for Rule 2090 should be captured in a form that meets those standards too.
🎯 Signzy Advantage: Signzy's identity verification API streamlines Rule 2090 compliance with AI-powered document authentication across 200+ ID types from 180+ countries, real-time OCR in 50+ languages, and deepfake-resistant face matching that validates identities in seconds while reducing manual processing errors.
"Every state we expanded into meant hiring local compliance expertise for their specific ID requirements, which didn't scale. A friend of mine suggested Signzy, which has helped us handle 15 states with the same core team we had when we operated in three. Signzy made multi-state growth actually feasible." — Chief Operating Officer, Regional Securities Firm
#2. Authority management
Firms must keep current records of who can trade, transfer money, or change account settings. This is especially important for accounts where someone acts on behalf of another person. For institutional accounts, firms need to track who delegates authority to whom and keep proof of these authorizations.
#3. Account monitoring systems
The obligation to know your customer continues throughout the entire account relationship. Firms satisfy this through systematic processes covering:
- Activity monitoring: Firms track trading patterns and transaction behavior to identify activity that falls outside the customer's established profile or stated investment objectives, triggering reviews when discrepancies emerge.
- Profile updates: Customer circumstances change over time, requiring firms to refresh financial information, investment goals, and authorization structures at intervals appropriate to the account type and activity level.
- Red flag detection: Monitoring systems must identify warning signs of potential problems, including unauthorized trading, account takeover attempts, elder financial abuse, or other suspicious activity requiring investigation.
- Regulatory baselines: SEC Rule 17a-3 requires firms to furnish each customer with a copy of the account record for verification within 30 days of account opening and at least every 36 months thereafter, for accounts on which the firm makes suitability determinations. That interval is a floor; firms may need more frequent updates based on their business model and customer base.
Update frequency depends on multiple factors, including the firm's operations, customer relationship nature, product complexity, and account activity levels.
🎯 Signzy Advantage: Signzy's transaction monitoring capabilities enable continuous compliance through real-time AML screening, behavioral pattern analysis, and automated anomaly detection that flags suspicious activity while reducing false positives by up to 2x, helping firms maintain accurate customer profiles throughout the relationship lifecycle.
#4. Special handling requirements
Some accounts need specific treatment for tax reasons, trading limits, or risk controls. Firms must document these requirements and make sure they are consistently followed. This applies to regular accounts with special instructions and specialized account types that have unique rules.
What documents are needed to comply with Rule 2090?
Rule 2090 itself requires firms to "know and retain" essential facts about customers but does not specify detailed recordkeeping requirements. The actual documentation requirements come from FINRA Rule 4512 (Customer Account Information) and SEC Rule 17a-3, which work together with Rule 2090. For each account, firms must record at minimum:
- Customer name and residence
- Whether the customer is of legal age
- Name(s) of associated person(s) responsible for the account
- Signature of partner, officer, or manager accepting the account
- Tax identification or social security number
- Name and contact information for the trusted contact person (for non-institutional accounts)
- For institutional accounts: records identifying person(s) authorized to transact business on behalf of the customer
- For discretionary accounts: dated signature of each person authorized to exercise discretion
- Retention: updated customer information must be kept for at least six years after the date of the update, and the original account record for at least six years after the account is closed.
What happens when you don't comply with FINRA Rule 2090?
Fines for Rule 2090 violations have ranged from hundreds of thousands to millions of dollars depending on severity. In 2019, five major firms (JPMorgan, Citigroup, LPL Financial, Morgan Stanley, and Merrill Lynch) paid a combined $1.4 million for failures in supervising custodial (UTMA/UGMA) accounts.
Apart from monetary penalties, individuals can be suspended or barred from associating with any member firm, while firms may face operational restrictions during investigations and remediation.
Common mistakes firms make with Rule 2090 compliance
❌ Inadequate authority verification for institutional accounts: Firms fail to properly document who within an institution has trading authority, relying on verbal confirmations or outdated corporate resolutions.
❌ Failing to track custodial account transitions: Firms allow custodians to continue controlling UTMA/UGMA accounts after beneficiaries reach the age of majority due to a lack of systematic age-tracking mechanisms.
❌ Incomplete documentation of special handling requirements: Firms record special instructions informally or rely on individual representatives' memories rather than systematically documenting requirements in compliance systems.
❌ Delegating responsibility without maintaining accountability: Firms using clearing arrangements assume vendors handle Rule 2090 obligations, forgetting that regulatory accountability remains with the member firm.
❌ Relying on outdated information without verification attempts: Firms keep customer profiles unchanged for years beyond the 36-month requirement, assuming customers will proactively report changes.
❌ Only focusing on Rule 2090: Rule 2090 works hand in hand with other FINRA regulations to build a complete compliance framework (violation consequences differ from rule to rule). The most important connection is with Rule 2111, the Suitability Rule, which we'll explore next.
What is FINRA Rule 2111 (The Suitability Rule)?
Rule 2111 requires broker-dealers to have a reasonable basis to believe that a recommended transaction or investment strategy is suitable for the customer based on their financial situation, investment objectives, and risk tolerance.
Unlike Rule 2090, which is about knowing who your customer is, Rule 2111 is about ensuring what you're recommending actually makes sense for them.
The rule operates on three levels:
- Reasonable-basis suitability: Understanding the product itself, including its features, risks, and potential returns, so you can recommend it to at least some customers.
- Customer-specific suitability: Matching the investment to the individual client's profile based on their financial situation, objectives, and risk tolerance gathered under Rule 2090.
- Quantitative suitability: Ensuring the volume and frequency of recommended transactions aren't excessive, even if each individual transaction might be suitable on its own.
Compliance hinges on conducting a thorough suitability analysis before making recommendations, documented through internal processes that demonstrate the registered representative considered the customer's profile against the investment's characteristics and risks. One caveat for a 2026 reader: since June 30, 2020, recommendations to retail customers fall under the SEC's Regulation Best Interest, and FINRA amended Rule 2111 so that it does not apply where Reg BI applies. The three-level analysis above still governs other recommendations (institutional customers, for example) and maps closely onto Reg BI's care obligation.
What’s the relationship between FINRA Rule 2090 and FINRA Rule 2111?
Rule 2090 is the prerequisite; Rule 2111 is the application. You can't determine suitability under 2111 without first satisfying the "Know Your Customer" obligation under 2090. It's a sequential dependency where customer knowledge enables suitability analysis.
Rule 2090 requires firms to gather and maintain essential facts about customers, while Rule 2111 requires firms to use that information to evaluate whether recommendations align with the customer's profile.
A firm could theoretically comply with 2090 by knowing its customers but still violate 2111 by recommending unsuitable investments, whereas failing 2090 almost guarantees you can't properly satisfy 2111 since you lack the foundational information needed for a reasonable suitability determination.
What’s the relationship between FINRA Rule 2090 and other FINRA requirements?
FINRA Rule 2090’s KYC obligations connect with other FINRA rules to create a comprehensive customer protection framework.
- FINRA Rule 3110 (Supervision): Requires firms to establish supervisory systems to monitor 2090 compliance. The information gathered through KYC processes must integrate into the daily supervision of account activity, trading patterns, and customer interactions.
- FINRA Rule 4512 (Customer Account Information): Works hand-in-hand with 2090. While 2090 defines what information firms need to know, 4512 specifies how to record and maintain that information. Think of it as 2090 providing the “what” and 4512 providing the “how” of customer documentation.
- FINRA Rule 3310 (AML Compliance): Uses 2090’s customer information as a foundation for suspicious activity monitoring. KYC documentation helps establish regular patterns of activity, making it easier to spot potential money laundering red flags.
Other requirements linked to Rule 2090 include FINRA Rule 2020 (Use of Manipulative, Deceptive or Other Fraudulent Devices) and FINRA Rule 2165 (Financial Exploitation of Specified Adults), which relies on the trusted contact person recorded under Rule 4512.
How to maintain strong FINRA Rule 2090 compliance? Best practices explored
Most FINRA Rule 2090 compliance failures stem from reactive rather than proactive approaches. The practices below are systematic approaches that prevent violations before they occur.
✔️ Embed automated monitoring into transaction processing
Customer profiles drift from reality over time. People retire, inherit money, change risk appetites, and develop cognitive decline. Their accounts continue operating under outdated assumptions while the firm remains unaware. Most firms collect information at account opening and then passively wait for problems to surface during examinations.
The fix requires embedding consistency checks directly into transaction processing rather than relying on periodic manual reviews.
"Account opening used to take us 3-4 days minimum because we'd manually verify every ID. Now it's same-day for 90% of customers, sometimes within an hour. And we're actually catching more fake documents than before. Signzy completely changed how we operate." — Director of Compliance Operations, Multi-State Broker-Dealer
✔️ Build escalation procedures around clear triggers and ownership
Effective escalation requires three elements:
- Unambiguous triggers specifying which account behaviors or information gaps require escalation.
- Clear ownership assigning named individuals, rather than departments, at each level.
- Consequences for non-escalation that exceed the consequences of raising false alarms.
The system should make escalation the path of least resistance when representatives encounter authorization questions, suspicious patterns, or missing information.
✔️ Apply risk-based monitoring that reflects actual risk
Treating all accounts identically wastes resources on low-risk customers while under-monitoring high-risk ones.
For example, a retiree with $50,000 in dividend stocks trading twice yearly does not need quarterly reviews. An institutional account with multiple authorized traders executing complex derivatives across jurisdictions requires intensive oversight.
Effective monitoring adjusts review frequency and supervisory intensity based on measurable risk factors: transaction volume and complexity, number of authorized parties, customer age and vulnerability indicators, account size relative to stated net worth, product types traded, and historical compliance issues.
This concentrates attention where violations actually occur rather than spreading resources uniformly across all accounts.
✔️ Track authorization changes for special account types systematically
UTMA/UGMA accounts, trusts, corporate accounts, and powers of attorney share a vulnerability: authorization that terminates or transfers based on events that firms do not automatically track.
Custodial authority ends when beneficiaries reach the age of majority under state law. Trustee authority ends upon resignation or trust termination. Corporate officer authority ends when they leave the organization.
Without systematic tracking, authorization failures become inevitable rather than preventable.
✔️ Verify authority through documentation rather than assumptions
Proper verification requires documented proof with dates: corporate resolutions, trust documents identifying current trustees, board minutes authorizing specific individuals, and state records confirming custodial transitions at the age of majority.
Reverification must occur automatically when triggering events happen: personnel turnover at institutional clients, beneficiaries reaching legal age, trust amendments, and corporate restructuring.
Without systematic tracking, firms permit unauthorized individuals to control accounts for months or years after their authority terminates.
✔️ Treat the 36-month update as a floor rather than a target
The SEC requires firms to attempt updates every 36 months for accounts requiring suitability determinations. Many firms read this as: attempt contact once every three years, document the attempt, and move on. That misses the underlying obligation.
Profile updates become necessary whenever facts change or account activity suggests the profile no longer reflects reality. Systems should recognize these events and initiate updates automatically rather than waiting for the next scheduled cycle.
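The scheduling logic described across the last three practices (risk-based review frequency, event-driven tracking of authority that terminates at the age of majority or on a trustee's resignation, and treating the 36-month interval as a floor) can be expressed as one function that computes the next required review for an account. The following is an added Python example written for this guide; it is not Signzy product code and not anything published by FINRA or the SEC. The 36-month floor comes from the text; the state age-of-majority table, the risk weights, and the risk-based intervals are constructed placeholders that a firm would replace with its own verified values, and the sample accounts are made up.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed parameters for this example. FLOOR_MONTHS is the SEC Rule 17a-3
# interval named in the text; the age-of-majority table, risk weights and
# risk-based intervals are hypothetical placeholders, not legal thresholds.
FLOOR_MONTHS = 36
UTMA_AGE_OF_MAJORITY = {"CA": 18, "NY": 21, "TX": 21}        # hypothetical
DEFAULT_UTMA_AGE = 21                                         # hypothetical
RISK_INTERVAL_MONTHS = {"low": 36, "medium": 12, "high": 3}   # hypothetical


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping to the end of the target
    month so that Jan 31 + 1 month is Feb 28/29, never Mar 3."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    next_month_first = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class Account:
    account_id: str
    account_type: str                 # individual | custodial | trust | corporate | institutional
    last_profile_update: date
    state: str = ""                   # governing state for custodial accounts
    beneficiary_dob: Optional[date] = None       # custodial accounts only
    authority_ended_on: Optional[date] = None    # trustee resignation, officer departure
    authorized_parties: int = 1
    trades_per_year: int = 0
    trades_derivatives: bool = False
    cross_jurisdiction: bool = False
    customer_age: Optional[int] = None
    activity_outside_profile: bool = False       # set by transaction monitoring


@dataclass
class ReviewDecision:
    due: date
    overdue: bool
    reasons: List[str] = field(default_factory=list)


def risk_tier(a: Account) -> str:
    """Bucket the measurable risk factors listed in the text into a tier.
    Weights and cut-offs are constructed for illustration only."""
    score = 0
    score += 2 if a.authorized_parties > 1 else 0
    score += 2 if a.trades_derivatives else 0
    score += 1 if a.cross_jurisdiction else 0
    score += 1 if a.trades_per_year > 50 else 0
    score += 1 if (a.customer_age or 0) >= 65 else 0   # vulnerability indicator
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def custodial_transition_date(a: Account) -> Optional[date]:
    """Date on which custodial authority over a UTMA/UGMA account ends,
    derived from the beneficiary's date of birth and the governing state."""
    if a.account_type != "custodial" or a.beneficiary_dob is None:
        return None
    age = UTMA_AGE_OF_MAJORITY.get(a.state, DEFAULT_UTMA_AGE)
    dob = a.beneficiary_dob
    try:
        return dob.replace(year=dob.year + age)
    except ValueError:              # born 29 Feb, target year is not a leap year
        return dob.replace(year=dob.year + age, day=28)


def next_review(a: Account, today: date) -> ReviewDecision:
    """Earliest of: the 36-month floor, the risk-based interval, any
    authority-termination event, and an immediate review on profile drift."""
    candidates = [(add_months(a.last_profile_update, FLOOR_MONTHS),
                   "36-month floor (SEC Rule 17a-3)")]
    tier = risk_tier(a)
    candidates.append((add_months(a.last_profile_update, RISK_INTERVAL_MONTHS[tier]),
                       f"risk-based interval ({tier} risk)"))
    transition = custodial_transition_date(a)
    if transition is not None:
        candidates.append((transition, "custodial authority ends at age of majority"))
    if a.authority_ended_on is not None:
        candidates.append((a.authority_ended_on, "authorized person's authority terminated"))
    if a.activity_outside_profile:
        candidates.append((today, "activity inconsistent with documented profile"))
    due = min(d for d, _ in candidates)
    return ReviewDecision(due=due, overdue=due < today,
                          reasons=[why for d, why in candidates if d == due])


if __name__ == "__main__":
    today = date(2025, 6, 1)
    samples = [  # constructed sample accounts, not real customers
        Account("RET-1", "individual", date(2024, 3, 15), trades_per_year=2, customer_age=70),
        Account("CUS-1", "custodial", date(2025, 1, 1), state="CA", beneficiary_dob=date(2008, 6, 10)),
        Account("INS-1", "institutional", date(2025, 1, 31), authorized_parties=4,
                trades_derivatives=True, cross_jurisdiction=True),
        Account("TRU-1", "trust", date(2024, 9, 1), authority_ended_on=date(2025, 2, 1)),
    ]
    for acct in samples:
        d = next_review(acct, today)
        print(f"{acct.account_id}: due {d.due}{' (OVERDUE)' if d.overdue else ''}: {'; '.join(d.reasons)}")
```

The point of the design is that the 36-month date is only ever one candidate among several: the custodial beneficiary's birthday, a trustee's resignation date, or a drift flag from transaction monitoring can all pull the review forward, and a review date in the past is reported as overdue rather than silently rolled into the next cycle.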
How can Signzy help with Rule 2090 compliance?
Rule 2090 compliance demands continuous verification, monitoring, and documentation across the entire customer lifecycle. Manual processes cannot scale to meet these requirements while maintaining accuracy and speed.
Signzy provides an integrated compliance platform that automates the most resource-intensive aspects of Know Your Customer obligations.
🌍 Identity verification that works across jurisdictions
Broker-dealers serving clients across multiple states or countries face a practical problem: different jurisdictions issue different ID formats, use different languages, and have different security features on their documents.
Manually training compliance staff to recognize authentic documents from 180+ countries is impossible. Signzy solves this through:
- AI-powered analysis of 10,000+ document formats that detects forgeries, tampering, and synthetic identities regardless of origin
- Automatic extraction of essential customer information via OCR in 50+ languages, eliminating manual data entry errors
- Deepfake-resistant liveness detection that ensures the person presenting credentials is actually present and genuine
- Real-time verification that completes identity checks in under 3 seconds without sacrificing accuracy
🚨 Continuous monitoring that catches profile drift before examiners do
Customer circumstances change constantly, but most firms only discover profile drift during examinations when it is too late to fix. Signzy monitors transaction patterns in real time and flags activity inconsistent with documented profiles immediately.
When a conservative investor suddenly starts trading options or a low-activity account shows unusual transaction volumes, the system triggers profile review workflows automatically rather than waiting for the next scheduled update cycle.
🔍 Integrated AML screening that satisfies multiple compliance obligations
Rule 2090's KYC obligations overlap with the Bank Secrecy Act's Customer Identification Program requirement and with the AML program every member must maintain under FINRA Rule 3310. Most firms treat these as separate compliance functions with different systems and workflows, creating gaps where customer risk factors slip through. Signzy unifies compliance:
- Real-time screening against 1,000+ sanctions lists, PEP databases, and adverse media at onboarding and continuously throughout the relationship
- Transaction monitoring that identifies structuring, layering, and emerging money laundering schemes as they occur
- Dynamic risk assessments that adjust monitoring intensity based on customer behavior, transaction complexity, and changing profiles
- Automated alerts on genuine threats while filtering out noise, keeping legitimate customers moving without unnecessary friction
This integrated approach ensures firms maintain current knowledge of customer risk status as required by both Rule 2090 and overlapping AML obligations without operating redundant compliance systems.
"Our customer complaints related to account opening delays dropped 73% year-over-year after implementation. That actually shows up in retention numbers. The Signzy team understood our pain points immediately." — Chief Risk Officer, Multi-Branch Brokerage.
To know more about how exactly Signzy can help, book a demo here.
FAQ
Does Rule 2090 apply to institutional accounts differently than retail accounts?
What qualifies as "reasonable diligence" under Rule 2090?
What happens if a customer refuses to provide updated information?
How should firms handle authority changes for business accounts?

Gaurav Gupta
Gaurav Gupta is the Global Product Head at Signzy, leading the strategy and development of the company’s KYC, KYB, AML, and digital onboarding products used by banks, fintechs, and financial institutions across global markets. He specializes in building scalable compliance and verification platforms, transforming complex regulatory and risk workflows into seamless, automated product experiences. Gaurav works at the intersection of product, engineering, and AI.
![FINRA Rule 2090: Know Your Customer Requirements [2026 Guide]](https://cdn.sanity.io/images/blrzl70g/production/ed4b5a8ceb78cf2f2d98312cecca21829dd5a6f5-1354x318.webp)