
FINRA Rule 2090: KYC Compliance in 2026

June 16, 2026  |  Legal News

A lot of advisors only start thinking hard about FINRA Rule 2090 when a problem has already surfaced.

It usually starts with a question that looks small on paper. Why was this instruction accepted? Who had authority on the account? When was the client profile last updated? Why does the CRM say one thing, the signed form another, and the email trail something else? At that point, the issue isn't whether someone can say the firm had a KYC process. The issue is whether the file and the process are defensible.

That is where Rule 2090 stops being a routine onboarding obligation and becomes an enforcement risk in its own right. Advisors who treat it as a one-time form collection exercise often learn too late that regulators are looking at maintenance, authority, documentation, and supervision, not just whether an account packet existed. In practice, Rule 2090 often becomes the rule that exposes weaknesses in the rest of the relationship.

An Introduction to FINRA Rule 2090

A client calls after a divorce, asks to change beneficiaries, and tells your assistant that her former spouse should no longer have any say over the account. The CRM still shows standing instructions entered years ago. A family member is also emailing the branch about helping with decisions. If the file does not clearly establish who has authority, what changed, and when the firm verified it, Rule 2090 is already in play.

Many advisors still treat FINRA Rule 2090 as a standard know-your-customer requirement tied to account opening. That is too narrow. The rule creates its own enforcement exposure when firms collect information at the start of the relationship but fail to maintain it, reconcile conflicting records, or document how digital onboarding methods verified the facts they relied on.

Rule 2090 was approved by the SEC in 2010 and, after its original effective date was delayed, became effective in July 2012 alongside Rule 2111 as part of FINRA's updated suitability framework. The rule's history shows it was not written for clerical form collection. It was designed to underpin account servicing, supervisory decisions, and suitability analysis.

In practice, the question is straightforward. Did the firm know enough about the customer and the account relationship to accept instructions, service the account properly, and comply with its regulatory obligations, and can it prove that with a clean record?

Practical reality: A file can look complete at account opening and still become hard to defend later if authority changed, special instructions were never captured in a retrievable way, or online onboarding produced inconsistent records across systems.

Advisors who handle this rule well do not stop at collecting forms. They treat it as part of a broader regulatory compliance framework for businesses, with procedures for updating customer facts, escalating authority questions, and testing whether digital account-opening workflows preserve the records a regulator will ask for.

What Are the Core Obligations Under Rule 2090?

A client opens an account online on Monday. By Friday, a spouse is calling with instructions, the beneficiary designation in one system does not match the intake file, and the advisor is relying on notes from a video call that never made it into the firm's books and records. That is a Rule 2090 problem, even before anyone asks whether a recommendation was suitable.

Rule 2090 requires member firms to use reasonable diligence, in regard to the opening and maintenance of every account, to know and retain the essential facts concerning every customer and concerning the authority of each person acting on the customer's behalf. For advisors, the practical point is simple. FINRA can treat this as a standalone books-and-records, process, and supervision issue if the firm cannot show what it knew, how it knew it, and why it accepted the instruction or account setup in front of it.

A flowchart outlining the core obligations of FINRA Rule 2090 regarding reasonable diligence and essential facts.

Reasonable diligence is an ongoing duty

The phrase "opening and maintenance" matters because many account files become weak after onboarding, not at the start. The initial packet may be complete. The record still fails if no one updates trustee authority, no one captures a client's special handling instructions in a retrievable system, or digital onboarding creates mismatched identity, address, or ownership records.

Reasonable diligence usually turns on four questions:

  • How were the facts obtained? Firms should be able to show whether the information came from the client, account documents, corporate records, trust instruments, follow-up communications, or digital identity verification tools.
  • Was the source reliable enough for the action taken? A scanned form may be enough for one purpose and not enough for another, especially where authority is disputed or account access is being expanded.
  • What triggered a refresh? Good files show a review point tied to transfers, address changes, trading authority requests, entity updates, or other events that put the prior record in question.
  • Who resolved exceptions? If names, signatures, titles, beneficiaries, or control persons conflict across systems, someone has to own the escalation and the final determination.

Essential facts are the facts that support account handling

For Rule 2090, a fact matters if the firm needs it to service the account correctly, follow instructions, determine who has authority, or meet another regulatory duty. That is why firms get into trouble when the customer profile looks complete on paper but does not answer the operational question in dispute.

In practice, advisors should ask whether another person inside the firm, looking only at the file, could determine who may act on the account, what limits apply, and why the firm treated a particular instruction as valid.

Memory is not a control.

Files that hold up in an exam or inquiry

The strongest Rule 2090 records usually include:

  • Authority documentation that matches the account activity. Powers of attorney, trust certificates, corporate resolutions, and guardian or custodian records need to be current and internally consistent.
  • Special instructions recorded in firm systems. Notes buried in email or text threads are hard to defend if operations and supervision cannot see them.
  • Documented follow-up on gaps or inconsistencies. If the firm asked a question, the file should show the answer and any supporting material.
  • A maintenance process that captures change, not just onboarding. Clients age, family dynamics shift, and entity control changes. The record has to keep up.

Weak files tend to share the same defects. One-time collection. Assumed authority. Conflicting records across platforms. Advisor-side workarounds that never reach supervision.

That is why Rule 2090 should be treated as more than a KYC intake requirement. From an enforcement standpoint, the risk often starts when the firm accepts an instruction or continues servicing an account without a current, defensible basis for doing so.

Beyond the Checklist: What Essential Facts Must Be Documented

A client opens an account through a digital workflow on Monday. On Thursday, someone claiming to be the client's spouse emails a transfer instruction. By Friday, the primary compliance question is no longer whether the new account form was completed. It is whether the file shows who had authority to act, what restrictions applied, and why the firm accepted or rejected the instruction.

Rule 2090 creates that risk on its own. A file can look orderly at account opening and still fail under scrutiny if it does not capture the facts needed to service the account over time, honor special instructions, and verify who can speak for the customer or entity. FINRA's Rule 2090 text is principles-based, which gives firms flexibility, but also leaves little cover for vague records and undocumented assumptions.

A diagram illustrating essential client facts for FINRA Rule 2090 compliance, including objectives, risk tolerance, and financials.

The file needs to support how the account is actually serviced

Basic identifying information is only the opening layer. Firms also need records that let supervision and operations understand the customer relationship in real terms, especially if account activity, product use, or instructions raise questions later. If the facts in the file cannot support the way the account was handled, Rule 2090 becomes an enforcement issue before anyone even reaches suitability.

A defensible file usually includes:

  • Financial circumstances that explain account use. Income, assets, liabilities, liquidity needs, and other facts that help explain why the account is structured and used the way it is.
  • Investment objectives stated with enough detail to test for inconsistency. "Growth" written in a box does not help much if the account shows short-term options trading, high concentration, or repeated withdrawals.
  • Risk tolerance and investment experience tied to actual activity. Labels should match the products, strategies, and frequency of trading in the account.
  • Tax status or legal constraints when they affect handling of the account. Retirement assets, trust accounts, entity accounts, and accounts with transfer or distribution restrictions need more than generic profile data.
  • Special instructions that can be seen and followed by the firm. Communication limits, approval requirements, standing restrictions, and concentration limits belong in systems the firm can supervise, not only in an advisor's inbox.

Digital onboarding adds another layer of exposure. A remote process may collect enough information to open the account while still leaving gaps on identity proofing, document authenticity, or authority validation. For teams reviewing remote intake controls, this identity verification guide for businesses is a useful reference point, particularly for thinking through how electronic verification tools support, or undermine, a file you may later need to defend.

Authority records usually decide the hard cases

In my experience, many Rule 2090 problems are authority problems wearing a KYC label. The customer profile may be perfectly adequate, but the firm still gets into trouble because the records do not clearly establish who can give instructions, whether that authority changed, and whether the firm's systems reflected the change.

That issue shows up in familiar fact patterns. A trustee resigns but remains listed internally. A corporate officer leaves, yet operations continues to accept directions. An adult child helps an elderly parent with account administration, then starts giving substantive instructions without a power of attorney. Those scenarios can lead to customer complaints, internal reviews, and in some cases allegations closer to securities fraud and unauthorized trading misconduct.

The practical question is simple. Could someone reviewing the file months later determine who had authority on the date the instruction was taken, what documents supported that conclusion, and whether any limits applied?

Documentation should explain the firm's judgment

Strong Rule 2090 files do more than collect forms. They show the firm's reasoning. If there was a discrepancy in entity documents, the file should show follow-up. If a signature looked inconsistent, the file should reflect escalation. If a client gave unusual instructions through a digital channel, the record should show what verification steps were taken before the firm acted.

That is the difference between a file that can be defended and one that depends on memory.

The practical trade-off is speed versus proof. Faster onboarding, remote signatures, and advisor-side accommodations may help the client experience, but each shortcut increases the chance that the firm will later have to explain why it relied on incomplete or stale facts. Under Rule 2090, that explanation often determines the outcome.

Rule 2090 vs. Rule 2111: Understanding the Connection

Rule 2090 and Rule 2111 are separate obligations, but in practice they operate in sequence. If the customer information is weak, the suitability analysis built on top of it will also be weak.

Industry compliance materials describe Rule 2090 as the input layer for Rule 2111 because the reliability of the customer's investment profile depends on the quality of the information gathered and maintained under Rule 2090, as noted in this overview of FINRA Rules 2090 and 2111.

The practical difference

Rule 2090 asks whether you know enough about the customer and account relationship.

Rule 2111 asks whether your recommendation was suitable based on that information.

If the profile is outdated, incomplete, or unsupported, a suitability defense becomes much harder. Advisors sometimes want to argue the merits of the product recommendation first. Regulators often start one step earlier and ask whether the advisor had a reliable basis to understand the customer at all.

FINRA Rule 2090 vs. Rule 2111

Aspect            | FINRA Rule 2090 (Know Your Customer)                                          | FINRA Rule 2111 (Suitability)
Primary focus     | Knowing and retaining essential facts about the customer and account authority | Evaluating whether a recommendation fits the customer
Timing            | Begins at account opening and continues through account maintenance           | Applies when making recommendations
Core question     | Do you have reliable, current customer facts?                                 | Did you use those facts to make a suitable recommendation?
Key risk area     | Incomplete profiles, stale data, unclear authority, missing special instructions | Recommendations that don't align with the customer profile or account activity
Typical evidence  | Account records, authority documents, update history, supervisory follow-up   | Recommendation rationale, profile match, trading pattern review
Litigation impact | Often shapes whether the file is defensible at all                            | Often shapes whether the recommendation can be justified

Why the connection matters in defense

In investigations, these two rules often travel together even when only one is the immediate focus. A profile problem under Rule 2090 can become the fact pattern that fuels a suitability issue, a supervision issue, or a misrepresentation theory. That overlap is one reason many customer disputes framed as bad recommendations end up requiring a much closer look at the underlying customer file and even allegations that resemble securities fraud issues and defenses.

If you can't show how you knew the customer, it becomes much harder to show why the recommendation made sense.

Real World Enforcement and Common Pitfalls

A representative opens an account through a polished digital workflow, gets a clean identity match, and starts taking instructions. Six months later, a family member disputes who had authority to move funds, the client profile no longer matches the account activity, and the file shows scattered emails instead of a controlled record. That is a Rule 2090 problem even before anyone argues suitability.

Rule 2090 creates its own enforcement risk. Firms get into trouble because the customer file cannot support who the customer was, who could act for the account, what changed over time, and what the firm did when the facts stopped lining up. Written procedures help only if the record shows they were followed.


What examiners tend to focus on

In a Rule 2090 exam or investigation, the practical question is simple. Can the firm reconstruct why it believed the customer information and authority records were accurate at the time they mattered?

Recurring pressure points include:

  • Stale customer profiles: life events, employment changes, liquidity needs, or control-person changes occurred, but the active account file stayed untouched
  • Authority breakdowns: a spouse, assistant, trustee, business officer, or adult child gave instructions without clear and current documentation
  • Fragmented records: operations, branch records, CRM notes, and email traffic reflected different versions of the same customer facts
  • Custodial and special account failures: the firm did not update records when a minor reached majority, a trustee changed, or estate documentation shifted control
  • Weak escalation practices: exceptions were handled informally by the representative instead of being formally reported, reviewed, and closed with a documented decision

Those facts matter because a Rule 2090 violation is often easier to prove than the downstream sales-practice claim. If the file is stale, inconsistent, or silent on authority, FINRA does not need a complicated theory to frame the case.

Digital onboarding creates speed and risk

Digital onboarding has improved consistency in many firms. It has also created a common defense problem. A clean onboarding result can give the business side false comfort that the Rule 2090 analysis is finished.

It is not finished at account opening. The harder cases involve later-stage discrepancies rather than initial identity matches. A trusted contact is added informally. A business account continues to rely on old corporate resolutions. An inherited account starts operating before all transfer and authority documents are reconciled. A mobile workflow captures a signature, but no one verifies whether the signer still has legal authority to act.

I often see firms defend the technology instead of defending the decision process. That is the wrong fight. The better question is whether the system captured enough information, flagged meaningful inconsistencies, and required human follow-up before the account activity continued. Firms that automate compliance audits still need a record showing who reviewed the exception and why it was cleared.

Automation helps with collection and consistency. It does not solve stale facts, disputed authority, or undocumented judgment calls.

Common operational mistakes

Some of the most damaging Rule 2090 failures start as routine shortcuts:

  • Relying on memory: the representative believed the client had approved a change, but the file did not show when or how
  • Treating maintenance as episodic: updates happened only after a complaint, transfer request, or trading issue forced attention
  • Using email as the primary record: authority discussions and instruction details lived in inboxes rather than in supervised systems
  • Ignoring termination events: powers of attorney expired, fiduciary roles changed, or employment ended, but permissions remained active
  • Accepting partial documentation: staff moved forward with “good enough” paperwork because the customer relationship seemed low risk or familiar

These breakdowns also surface in employment and reporting disputes. A weak record around customer authority, supervision, or account handling can later affect how a firm explains a representative's departure and drafts Form U5 disclosures.

Building a Defensible Compliance Process

A Rule 2090 process is defensible only if the firm can show how customer facts were collected, who resolved gaps, and what happened when those facts changed after the account opened. That is the practical problem. Many firms can produce a new account form. Fewer can produce a clean record of follow-up, authority review, and supervised judgment over time.

Digital onboarding has made that gap easier to miss. Remote identity tools, third-party data feeds, and automated risk flags can speed intake, but they also create a false sense that the file is complete. Rule 2090 exposure often comes from what the system could not interpret on its own, such as inconsistent authority documents, stale employment information, or instructions that no longer match the customer's circumstances.

A six-step infographic outlining a defensible process for achieving FINRA Rule 2090 compliance in a firm.

Build around three moments

The cleanest approach is to organize the process around three points in the account life cycle:

  1. Initial onboarding
  2. Periodic review
  3. Event-driven update

That framework works because it matches how Rule 2090 problems develop. The enforcement risk is rarely the opening file alone. It is the opening file, plus what the firm missed later, plus the absence of a record showing who made the call.

Initial onboarding

At onboarding, the objective is a usable baseline, not a completed packet.

The file should show the customer's core identifying facts, the basis for any authority granted to another person, and the resolution of inconsistencies before trading or disbursement activity begins. If the account involves a trust, an entity, a power of attorney, or standing instructions, staff should document what was reviewed, what authority was accepted, and any limits on that authority. A defense lawyer wants to see that in the file immediately, not reconstructed after a complaint.

Firms that use digital intake need a rule for exceptions. If a name mismatch, document inconsistency, or authority question appears, someone with assigned responsibility needs to review it and record the outcome.

Periodic review

Periodic reviews are a common point of failure for many firms because the review cycle exists on paper but not in practice. Advisors assume the client will mention a change. Operations assumes the advisor knows the account. Compliance sees the issue only after activity raises a question.

A better review process ties the depth of review to account type, authority structure, and recent activity. Some firms use workflow tools to automate compliance audits and track unresolved exceptions across systems. That can help identify stale records or skipped review steps. It does not replace human judgment about whether the customer profile still makes sense or whether account authority remains valid.

The record matters as much as the review itself. If the firm confirms no changes, the file should show when that happened, how the confirmation occurred, and who reviewed any discrepancies.

Event-driven updates

Event-driven updates usually separate a defensible process from a weak one. Life events do not wait for the annual review, and Rule 2090 does not excuse inaction merely because the formal review date has not arrived.

Use specific triggers for reassessment, including:

  • Authority changes: new trustee, revoked power of attorney, business reorganization, death, incapacity
  • Financial changes: retirement, inheritance, sale of a business, major liquidity need
  • Behavior changes: account activity that no longer matches the documented profile
  • Instruction changes: new communication channels, standing instructions, or restrictions

When one of these events occurs, the file should show three things. What the firm learned. Who reviewed it. What restrictions, updates, or follow-up steps were imposed before the account continued to operate as usual.

Supervisory design matters

Rule 2090 problems often come down to ownership. If no one is clearly responsible for clearing exceptions, reviewing disputed authority, or deciding whether an account can remain active with missing information, the process will break at the exact point that later matters in an exam or enforcement inquiry.

That is why Rule 2090 should sit inside the firm's broader written supervisory procedures framework, not in a stand-alone onboarding workflow. The firm needs documented responsibility, escalation paths, and a record of supervisory decisions. Without that, the file may show activity, but it will not show a defensible process.

Responding to a FINRA Inquiry About Rule 2090

When a FINRA inquiry mentions customer information, authority, account handling, or maintenance, don't assume the issue is minor because the rule sounds administrative. Rule 2090 matters often widen quickly once regulators start comparing forms, notes, system entries, emails, and supervisory records.

The first step is to slow down. Gather the file before you start explaining it. That usually means new account records, update history, authority documents, correspondence, internal notes, exception approvals, and anything showing how the firm handled changes over time. You need to understand what the records say before you try to frame the response.

Do not create backfilled notes to make the file look cleaner. Do not revise documents in a way that blurs what existed at the relevant time. And do not let multiple people provide inconsistent explanations informally before counsel has assessed the issue.

A disciplined response usually turns on a few questions:

  • What exactly is FINRA asking about?
  • What records existed at the time?
  • Where are the inconsistencies?
  • Who made the relevant decisions?
  • Can the firm show a real process, not just a form?

Many advisors make the mistake of treating a Rule 2090 inquiry as a paperwork cleanup project. It is usually a defense exercise. The record may affect supervision, suitability, authority disputes, customer complaints, and employment consequences. Early legal guidance helps define the scope, preserve the chronology, and avoid admissions that create larger problems than the underlying file itself.


If you want to discuss your business law matter, contact Kons Law at (860) 920-5181.



  • 100 Pearl Street, 14th Floor
    Hartford, CT 06103

  • (860) 920-5181
  • info@konslaw.com

ADVERTISING MATERIAL  |  ATTORNEY ADVERTISEMENT

This website is marked as “ADVERTISING MATERIAL” and as “ATTORNEY ADVERTISING”. The responsible attorney for this attorney advertisement is Joshua B. Kons, Esq. (Juris No. 434048), Copyright © 2012-2026. All Rights Reserved. In contingency fee representation, clients may still be responsible for costs. Prior results do not guarantee a similar outcome.