What Does FINRA Rule 2090 Actually Require?
FINRA Rule 2090, the Know Your Customer rule, states that every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know and retain the essential facts concerning every customer and concerning the authority of each person acting on behalf of that customer. The supplementary material to Rule 2090 defines essential facts as those required to effectively service the customer's account, act in accordance with any special handling instructions, understand the authority of each person acting on behalf of the customer, and comply with applicable laws, regulations, and rules. That last clause pulls in everything else: the USA PATRIOT Act Customer Identification Program, the FinCEN Customer Due Diligence Rule, and the Bank Secrecy Act. The obligation does not begin when a trade is recommended. It begins at account opening and continues throughout the life of the customer relationship.

What Is the Difference Between Document Collection and Identity Verification?
This distinction is the central argument of this article, and it is the gap where fraud enters. Document collection means a firm receives a copy of a government-issued ID, a Social Security number, an address, and a date of birth. The firm records those inputs. The account is opened. Identity verification means a firm confirms that the person presenting those documents is the actual person attached to that Social Security number, that the documents are authentic and unaltered, and that the identity presented has a traceable history of real-world existence. Those are not the same thing. A synthetic identity is specifically constructed to pass document collection. A fabricated person with a real stolen Social Security number, a fabricated name, a clean credit history built over 12 to 18 months, and AI-generated supporting documents will move through a standard onboarding checklist without triggering a single flag. The file looks clean because the file was built to look clean. According to Equifax's Digital Fraud Trends report, synthetic identities on credit applications have increased 14% year over year since 2020, a cumulative increase approaching 50% over four years. The same identities targeting lenders are targeting brokerage account openings, because brokerage accounts offer access to margin, securities-backed borrowing, and asset transfer capabilities that are worth far more than a credit card limit.

Why New York Broker-Dealers Face Elevated Risk
New York is the most concentrated financial services market in the country. That concentration cuts both ways. It produces the deepest pool of legitimate high-value clients, and it attracts the most sophisticated fraud operations targeting exactly those accounts. The same synthetic identity infrastructure that Manhattan landlords are now encountering in rental applications is operating at scale in financial services account opening. A fabricated identity that passes a credit check, secures a lease in the East Village, and establishes a rental payment history is the same identity that shows up 18 months later attempting to open a margin account at a registered broker-dealer. The identity was built for financial system penetration. Rental applications are often the first test run. According to a report from Sumsub, synthetic identity document fraud increased 311% between Q1 2024 and Q1 2025 in the United States. That is not a gradual trend. It is a structural shift in how fraud is being industrialized, driven by generative AI tools that produce fabricated financial documents and identity credentials at scale. New York firms are not more vulnerable than others by geography alone. They are more vulnerable because they onboard more high-value clients faster and operate in a competitive environment that creates pressure to minimize friction at account opening.

Broker-dealers face regulatory exposure and financial loss when synthetic or stolen identities pass through client onboarding because document collection alone cannot confirm who is actually opening the account. VryfID verifies client identity in real time at account opening, supporting KYC and CIP compliance without adding friction that slows onboarding.

Three Separate Obligations Most Firms Conflate
What Does the USA PATRIOT Act Section 326 Require?
Section 326 of the USA PATRIOT Act of 2001 requires broker-dealers to implement a Customer Identification Program (CIP). The CIP must, at a minimum, collect the customer's name, date of birth, address, and identification number before opening an account. It must also include risk-based procedures for verifying the identity of each customer within a reasonable time after account opening, maintain records of the information collected, and check customers against government-provided lists of known or suspected terrorists or terrorist organizations. The CIP requirement is codified at 31 C.F.R. § 1023.220 for broker-dealers. It is a separate obligation from FINRA Rule 2090. Many firms satisfy the CIP collection requirement while not actually verifying the identity behind the collected information. Those are not the same act.

What Does the FinCEN Customer Due Diligence Rule Require?
The Financial Crimes Enforcement Network Customer Due Diligence Rule, finalized in 2018 and codified at 31 C.F.R. § 1010.230, requires covered financial institutions, including broker-dealers, to identify and verify the identity of beneficial owners of legal entity customers. The rule establishes a four-pillar framework: customer identification and verification, beneficial ownership identification and verification, understanding the nature and purpose of customer relationships, and ongoing monitoring for suspicious activity. The FinCEN CDD Rule is not the same as FINRA Rule 2090, and it is not the same as the CIP requirement under the USA PATRIOT Act. All three impose distinct obligations. Treating them as interchangeable is a compliance error that FINRA examiners specifically look for.

What Does the Bank Secrecy Act of 1970 Require?
The Bank Secrecy Act of 1970, 31 U.S.C. §§ 5311 through 5336, requires broker-dealers to establish and maintain anti-money laundering compliance programs, file Suspicious Activity Reports (SARs) for transactions involving funds derived from illegal activity, and maintain records sufficient to reconstruct transactions. FINRA Rule 3310 implements the BSA's AML program requirement for FINRA member firms. An AML program that cannot identify who is actually behind an account cannot fulfill its core function.

What Happens When New York Firms Get This Wrong
FINRA enforcement actions provide the clearest picture of what KYC and AML failures cost. FINRA fined Merrill Lynch $6 million for longstanding AML program failures, specifically for failing to establish and implement policies, procedures, and internal controls reasonably designed to cause the reporting of suspicious transactions as required by the Bank Secrecy Act, according to FINRA's publicly posted enforcement announcement. The SEC issued a separate $6 million penalty in the same matter. In 2019, FINRA issued fines totaling $1.4 million to five Wall Street firms for compliance failures under FINRA Rule 2090, according to Global Relay's published compliance analysis of the enforcement action. In September 2025, FINRA issued an acceptance, waiver, and consent in which a firm was censured and fined $1 million for AML program failures that included not conducting independent testing of its AML program until 2023, according to FINRA's November 2025 disciplinary actions report. These are not edge cases. They are the documented results of treating KYC as a paperwork exercise rather than an identity confirmation process. The pattern across enforcement actions is consistent: firms collected documents, built records, and never confirmed the actual person behind them.

What a Complete Identity Verification Process Looks Like at Account Opening
The goal at account opening is not to receive documents. It is to confirm that the person submitting documents is the actual person attached to the identifying information provided. That requires cross-referencing the applicant's government-issued ID against biometric presence, confirming that the Social Security number or tax identification number belongs to a real person with a verifiable history of real-world existence, checking that submitted documents have not been digitally altered or AI-generated, and completing all of this in real time without adding friction that causes legitimate clients to abandon the onboarding process. VryfID performs this verification layer at account opening. For New York broker-dealers, the integration supports KYC and CIP obligations by confirming identity before the account is created, not after the account is flagged. That distinction matters for regulatory purposes. FINRA Rule 2090's obligation begins at account opening. An identity verification step that operates post-opening does not satisfy a pre-opening obligation. For compliance officers managing FINRA examination cycles, real-time identity verification at onboarding also creates a documented record that the firm used reasonable diligence to confirm who the customer is. That record is the defense when an examiner asks how the firm knew its customers were who they claimed to be.

Legal and Regulatory Context
All New York broker-dealers registered with FINRA are subject to FINRA Rule 2090 (Know Your Customer), FINRA Rule 3310 (Anti-Money Laundering Compliance Program), the Customer Identification Program requirement under Section 326 of the USA PATRIOT Act of 2001 (31 C.F.R. § 1023.220), and the FinCEN Customer Due Diligence Rule (31 C.F.R. § 1010.230). Registered investment advisors are subject to SEC-equivalent obligations under the Investment Advisers Act of 1940 and SEC examination priorities. New York State also imposes its own financial services compliance requirements through the New York State Department of Financial Services (NYDFS). NYDFS Part 504 requires covered institutions to maintain a transaction monitoring program and a watch list filtering program as separate and distinct compliance obligations.

This information is for educational purposes only. Consult a qualified compliance attorney or registered compliance consultant for advice specific to your firm. Never rely on this article as a determination that any practice is compliant with any specific regulation or jurisdiction.

Frequently Asked Questions
What is the difference between FINRA Rule 2090, the USA PATRIOT Act CIP, and the FinCEN CDD Rule?
They are three separate and distinct obligations. FINRA Rule 2090 requires broker-dealers to use reasonable diligence to know and retain essential facts about every customer throughout the account relationship. The USA PATRIOT Act Customer Identification Program (Section 326, 31 C.F.R. § 1023.220) requires broker-dealers to collect and verify specific identity information before or at account opening. The FinCEN Customer Due Diligence Rule (31 C.F.R. § 1010.230, finalized 2018) requires identification and verification of beneficial owners of legal entity customers and ongoing monitoring of customer relationships. Treating them as interchangeable is a compliance error. All three apply independently to registered broker-dealers.

Do FINRA KYC requirements apply to online and digital account opening at New York broker-dealers?
Yes. FINRA Rule 2090's reasonable diligence standard applies regardless of whether account opening occurs in person, online, or through a mobile application. The obligation to know and retain essential facts about every customer is not channel-specific. Digital onboarding workflows must include the same identity verification rigor as in-person processes, and firms must maintain records sufficient to demonstrate that verification occurred. FINRA examiners review digital onboarding procedures as part of standard examination cycles.

What does synthetic identity fraud look like at brokerage account opening?
A synthetic identity at brokerage account opening presents a real Social Security number attached to a fabricated name and history, supporting documents that appear authentic but were constructed using AI tools, and a credit profile built specifically to appear legitimate. The identity passes document collection because it was engineered to pass document collection. It fails only when identity verification goes beyond the document to confirm the actual person, cross-referencing biometric presence, Social Security number validity, and real-world existence signals simultaneously. Firms that rely on document collection alone have no mechanism to detect a well-constructed synthetic identity before the account is opened.