FINRA Series 7 / 63 / 65 Know-your-customer (KYC) and Customer Identification

Last updated: May 2, 2026

Know-your-customer (KYC) and Customer Identification questions are one of the highest-leverage areas to study for the FINRA Series 7 / 63 / 65. This guide breaks down the rule, the elements you need to recognize, the named traps that catch most students, and a memory aid that scales to test day. Read it once, then practice the same sub-topic adaptively in the app.

The rule

FINRA Rule 2090 (Know Your Customer) requires every member firm to use reasonable diligence to know the essential facts about every customer and the authority of any person acting on the customer's behalf, and to retain those facts for the life of the account. Separately, the USA PATRIOT Act and FinCEN's Customer Identification Program (CIP) rule (31 CFR 1023.220) require firms to verify the identity of any person opening a new account before, or within a reasonable time after, the account is opened. KYC is an ongoing duty about understanding the customer; CIP is a one-time identity-verification gate. Both must be satisfied, and they live alongside the suitability obligation under FINRA Rule 2111.

Elements breakdown

FINRA Rule 2090 — Know Your Customer

Reasonable diligence to learn and retain the essential facts concerning every customer and every person authorized to act on the customer's behalf.

  • Essential facts about the customer
  • Authority of any person acting on the account
  • Reasonable diligence in opening and maintaining
  • Facts retained for life of the account
  • Effective servicing, supervision, and AML compliance

FINRA Rule 2111 — Suitability (related, distinct)

Reasonable basis to believe a recommendation is suitable based on the customer's investment profile.

  • Reasonable-basis suitability (the product itself)
  • Customer-specific suitability (this customer)
  • Quantitative suitability (series of recommendations)
  • Investment profile factors gathered at account opening
  • Updated as profile changes are reported

Common examples:

  • Age, tax status, time horizon, liquidity needs, risk tolerance, other holdings

Customer Identification Program (CIP) — 31 CFR 1023.220

BSA/USA PATRIOT Act rule requiring identity verification of every person opening a new account.

  • Collect name, date of birth, address, ID number
  • TIN or SSN for U.S. persons; passport/alien ID otherwise
  • Verify identity within reasonable time of account opening
  • Document verification, non-documentary, or both
  • Check against government lists (e.g., OFAC SDN)
  • Provide CIP notice to customer
  • Retain identifying information for 5 years after account closed

New Account Form — Essential Facts

Information collected and recorded at account opening under FINRA Rule 4512 and Rule 2090.

  • Customer name, address, DOB, SSN/TIN
  • Employment and source of income
  • Net worth and annual income
  • Investment objectives and risk tolerance
  • Whether customer is associated with another member
  • Whether customer is an officer/director/10% owner of a public company
  • Signature of registered rep and approving principal

Trusted Contact Person — FINRA Rule 4512(a)(1)(F)

Firm must make reasonable effort to obtain the name and contact info of a trusted contact for non-institutional accounts.

  • Age 18 or older
  • Authorized to be contacted about possible exploitation
  • Cannot transact in the account
  • Customer may decline; firm still must ask
  • Disclosed in writing at account opening

Suspected Exploitation — FINRA Rule 2165

Permits temporary hold on disbursements when financial exploitation of a specified adult is suspected.

  • Specified adult: 65+ or 18+ with impairment
  • Reasonable belief of exploitation
  • Initial hold up to 15 business days, extendable
  • Notify trusted contact and customer
  • Internal review required

Common patterns and traps

CIP/KYC Conflation

Wrong answers swap the labels, attributing CIP requirements to FINRA Rule 2090 or KYC requirements to the BSA. The candidate who has memorized rule numbers loosely will pick the choice that 'sounds right' but cites the wrong source. Distinguishing the two is a favorite testing point because the duties overlap in practice but originate in different statutes.

A choice that says 'FINRA Rule 2090 requires the firm to verify the customer's identity using a government-issued photo ID' — that's the CIP rule, not 2090.

Trusted Contact Overreach

Distractors describe the trusted contact as having authority to trade, receive distributions, or make investment decisions. In reality, Rule 4512 limits the trusted contact to being someone the firm may contact about the customer's whereabouts, health status, or possible exploitation. The customer may also decline to provide one, and the firm is only required to ask.

A choice that lets the trusted contact 'authorize liquidations' or 'place orders during the customer's illness' — they cannot do either.

Suitability-As-KYC

The trap suggests that completing a suitability analysis under Rule 2111 satisfies the KYC obligation. Suitability uses the KYC profile to evaluate a recommendation; it does not collect or maintain the underlying facts. KYC duties continue even when no recommendation is being made (e.g., self-directed accounts).

A choice that says 'because the rep made no recommendation, no KYC duty applies' — Rule 2090 still requires essential-facts diligence.

Refusal-To-Provide-TIN Loophole

Distractors imply the firm may open the account if the customer promises to provide identifying information later, or that a foreign customer is exempt. CIP requires the firm to obtain the four identifying data points before opening or within a reasonable time, and to have risk-based procedures when verification fails — including refusing to open or closing the account.

A choice that says the firm 'must open the account but freeze trading until ID is verified' — CIP procedures must address refusal-to-open as an option.

Update-Trigger Blind Spot

Wrong answers treat the new-account form as a one-time snapshot. KYC is ongoing: material changes (marriage, retirement, large inheritance, change of objectives) must be captured, and Rule 4512 requires the firm to attempt to update profile information at least every 36 months for accounts where a recommendation has been made.

A choice that says 'the firm has no duty to update the profile after account opening unless the customer requests it.'

How it works

Think of three separate but overlapping duties. CIP is the front door: before Mei Tanaka can fund her new individual account at Reyes Capital Markets, the firm must collect her name, DOB, residential address, and SSN, then verify her identity (driver's license plus a credit-bureau match, for example) and screen her against the OFAC SDN list. KYC is the broader, ongoing duty: the rep records that Mei is 34, an emergency-room nurse earning $145,000, with $60,000 in liquid savings and a 25-year horizon, and updates that profile when she calls to say she just inherited $400,000. Suitability under Rule 2111 then uses that KYC profile every time the rep recommends a security. Finally, Rule 4512 requires the rep to ask Mei for a trusted contact, and to record the answer even if she declines. The exam loves to blur these — remember that gathering facts (KYC) and verifying identity (CIP) are different obligations with different rule sources.

Worked examples

Worked Example 1

Under FINRA Rule 4512, what is Marcus's correct course of action regarding the trusted contact?

  • A. Refuse to open the account until Daniela provides a trusted contact, because Rule 4512 requires one.
  • B. Open the account and document Daniela's refusal; the rule requires the firm to ask, not to obtain. ✓ Correct
  • C. Designate Liu Securities' branch manager as the default trusted contact in the absence of a customer designation.
  • D. Open the account but restrict it to cash-only transactions until a trusted contact is supplied.

Why B is correct: FINRA Rule 4512(a)(1)(F) requires the firm to make a reasonable effort to obtain the name and contact information of a trusted contact person for non-institutional accounts, but the customer is free to decline. The firm's obligation is to ask and to document; the account may be opened either way. Marcus should record Daniela's refusal in the account file.

Why each wrong choice fails:

  • A: Rule 4512 obligates the firm to request a trusted contact, not to obtain one. Refusing to open the account misstates the rule. (Trusted Contact Overreach)
  • C: A trusted contact must be selected by the customer; the firm cannot unilaterally designate an internal employee, which would also create an obvious conflict. (Trusted Contact Overreach)
  • D: There is no rule conditioning trading authority on the presence of a trusted contact. The 'cash-only restriction' is invented. (Trusted Contact Overreach)

Worked Example 2

Which rule or statute most directly imposes the identity-verification obligation Reyes Capital Markets satisfied?

  • A. FINRA Rule 2090 (Know Your Customer).
  • B. FINRA Rule 2111 (Suitability).
  • C. The Customer Identification Program rule under the USA PATRIOT Act and Bank Secrecy Act (31 CFR 1023.220). ✓ Correct
  • D. FINRA Rule 4512 (Customer Account Information).

Why C is correct: Identity verification — collecting name, DOB, address, and TIN, and confirming the customer is who they claim to be — is the heart of the CIP rule under 31 CFR 1023.220, promulgated under the BSA as amended by the USA PATRIOT Act. FINRA Rules 2090, 2111, and 4512 deal with essential facts, suitability, and recordkeeping respectively, but none of them is the source of the verification mandate.

Why each wrong choice fails:

  • A: Rule 2090 governs knowing essential facts about the customer and any agent, not verifying identity. It is often confused with CIP because both apply at account opening. (CIP/KYC Conflation)
  • B: Rule 2111 governs suitability of recommendations and presupposes the firm already knows the customer. It does not address identity verification. (Suitability-As-KYC)
  • D: Rule 4512 specifies what customer information must be recorded and updated, but the verification mandate (and its document/non-document procedures) flows from the BSA's CIP rule. (CIP/KYC Conflation)

Worked Example 3

Which statement BEST reflects the firm's obligations under FINRA Rules 2090 and 4512?

  • A. Because the firm has never made a recommendation, no KYC update obligation applies and the file may remain as-is.
  • B. The firm must use reasonable diligence to maintain essential facts about Priya for the life of the account, and Rule 4512 requires periodic attempts to update profile information for accounts where recommendations have been made. ✓ Correct
  • C. The firm must close the account because Priya has materially changed her financial circumstances without notifying the firm.
  • D. The firm must immediately freeze the account and refer the matter to FinCEN as a suspicious activity report.

Why B is correct: FINRA Rule 2090 imposes a continuing duty to know essential facts for the life of the account, regardless of whether the firm makes recommendations. FINRA Rule 4512 separately requires periodic updates (generally an attempt at least every 36 months) for accounts where recommendations have been made. The rep should attempt to refresh Priya's profile.

Why each wrong choice fails:

  • A: Rule 2090's essential-facts duty is not contingent on recommendations being made. The 'no recommendations means no KYC' framing is the classic Suitability-As-KYC inversion. (Suitability-As-KYC)
  • C: Customers are not required to volunteer life changes, and there is no rule requiring closure for an outdated profile. Closure is a disproportionate, invented remedy. (Update-Trigger Blind Spot)
  • D: An outdated profile is not, by itself, suspicious activity. SAR filings under the BSA address suspected money laundering or other illicit conduct, not stale KYC data. (CIP/KYC Conflation)

Memory aid

CIP = 'Confirm Identity Promptly' (4 data points: Name, DOB, Address, ID number). KYC = 'Know Your Customer' (essential facts + authority of agents). Suitability = use the KYC profile to recommend.

Key distinction

CIP is a one-time identity gate driven by the BSA/USA PATRIOT Act; KYC under FINRA Rule 2090 is an ongoing duty to know essential facts and the authority of anyone acting on the account, and it persists for the life of the relationship.

Summary

Verify identity (CIP), gather and maintain essential facts (KYC Rule 2090), ask for a trusted contact (Rule 4512), and only then layer suitability (Rule 2111) on top.

Frequently asked questions

What are common traps on know-your-customer (KYC) and customer identification questions?

  • Confusing CIP (identity verification) with KYC (essential facts)
  • Thinking suitability replaces KYC — it builds on KYC
