For any fintech launching or operating a broker-dealer, Know Your Customer (KYC) is a core operational requirement.
US laws make customer due diligence non-negotiable for broker-dealers. Still, many fintech teams find the specifics fragmented across agencies and difficult to piece together.
This article explores what broker-dealer KYC actually involves, from CIP and beneficial ownership to FINRA’s Know Your Customer Rule, and who enforces what. You’ll also find practical breakdowns of what to collect, how to structure your workflows, and where fast-moving fintechs often get tripped up.
What Is Broker-Dealer KYC?
Broker-dealer KYC refers to the set of regulatory obligations that require firms to identify, verify, and understand their customers before opening accounts or facilitating transactions. It’s a foundational part of both anti-money laundering (AML) compliance and investor protection.
In practice, KYC is implemented through a combination of policies, procedures, and operational workflows. It touches every part of the customer lifecycle, from account onboarding and identity checks to ongoing monitoring and periodic information updates. It also plays a central role in meeting suitability requirements under the Financial Industry Regulatory Authority (FINRA) and Securities and Exchange Commission (SEC) rules.
Why KYC Matters for Broker-Dealers
For broker-dealers, KYC is a regulatory obligation with real operational impact. Whether the broker-dealer is onboarding retail investors or integrating with a third-party platform, how KYC is implemented affects how the firm collects data, assesses risk, and manages compliance across the business.
From a legal standpoint, KYC sits at the intersection of anti-money laundering laws and securities regulation. It's part of how you meet your obligations under the Bank Secrecy Act, comply with FINRA rules, and avoid running afoul of sanctions restrictions. But it also connects to other areas like determining suitability, maintaining supervision, and reporting suspicious activity.
Fintech moves fast. But when it comes to KYC, regulators still expect structure, consistency, and a risk-based approach. If those pieces aren’t in place, they usually surface later through audits, regulatory exams, or enforcement letters. It's easier to build it right from day one than to fix it under pressure.
Key Regulatory Bodies and Their Roles
Several agencies shape and enforce broker-dealer KYC requirements in the US. Each plays a distinct role, but their expectations overlap in ways that directly affect how compliance programs are designed and executed.
| Regulator | Role in KYC Compliance | What It Covers |
|---|---|---|
| SEC | Sets overarching rules and oversees broker-dealers | Securities laws, suitability, reliance frameworks |
| FINRA | Enforces member compliance with KYC and AML rules | CIP, CDD, Rule 2090, Rule 2111 |
| FinCEN | Administers the Bank Secrecy Act (BSA) | AML program requirements, CIP standards, SAR filings |
| OFAC | Oversees economic and trade sanctions | Customer screening against sanctions lists |
1. SEC
The SEC doesn’t manage broker-dealer KYC directly, but it sets the rules that make it mandatory. Its regulations lay the groundwork for what information firms must obtain when they onboard customers and assess suitability.
It also plays a role in how reliance agreements work. For example, when a broker-dealer partners with another entity for identity checks, the SEC provides guidance on what’s allowed and what isn’t.
The SEC also collaborates with FinCEN on AML regulations, such as the Customer Identification Program rule adopted under the Bank Secrecy Act. For fintechs with novel business models or shared responsibilities across entities, understanding how SEC rules define "customer" and interpret risk is critical to avoiding regulatory friction.
2. FINRA
FINRA is the front-line regulator most broker-dealers deal with day to day. It enforces the KYC and AML rules that stem from federal law and SEC oversight. If you're a registered broker-dealer, FINRA exams are where your KYC policies, procedures, and execution are put under the microscope.
The two most relevant rules here are FINRA Rule 2090 (Know Your Customer) and FINRA Rule 3310 (AML Compliance Program). Rule 2090 requires firms to gather and maintain essential facts about each customer. Rule 3310 mandates a written AML program that includes a risk-based Customer Identification Program and procedures for ongoing due diligence.
FINRA also enforces Rule 2111 (Suitability), which ties directly back to KYC data. Without accurate customer profiles, firms can’t meet suitability standards for product recommendations.
Fast onboarding is a priority for most fintechs, but FINRA still expects the underlying KYC controls to hold up.
3. FinCEN
The Financial Crimes Enforcement Network (FinCEN) is the bureau within the US Treasury responsible for administering the Bank Secrecy Act (BSA). This is where most of the AML rules tied to broker-dealer KYC originate. While FinCEN doesn’t directly supervise broker-dealers, its rules are binding and enforced by FINRA and the SEC.
Under the Bank Secrecy Act, broker-dealers are expected to maintain an AML program that fits their risk profile. That includes a Customer Identification Program, procedures for due diligence, and, for business accounts, steps to identify who actually owns the entity.
FinCEN is also the agency behind SARs. If a transaction looks suspicious, your firm may be required to report it, even if the issue originated with a third-party tool or vendor.
For fintech broker-dealers, these rules shape how the entire compliance operation is built. What matters most is that your program reflects your risks and that you can show how it works in practice.
4. OFAC
The Office of Foreign Assets Control (OFAC) is a part of the US Treasury that enforces economic and trade sanctions. For broker-dealers, this means customers must be screened against OFAC’s Specially Designated Nationals (SDN) list and any other relevant sanctions lists before and during the relationship.
OFAC compliance is non-negotiable. Unlike risk-based KYC controls, sanctions screening is a strict liability obligation: if your firm does business with a sanctioned individual or entity, even unintentionally, you're still liable.
Screening must happen at onboarding and on a recurring basis. That includes checking new information like updated ownership structures or address changes.
Many fintech broker-dealers use automated tools to handle sanctions screening during onboarding. A vendor failure doesn’t shift responsibility. If a match slips through, regulators will still look to the broker-dealer.
Broker-Dealer KYC Requirements Under US Regulations
KYC requirements for broker-dealers are not defined by a single rule. Instead, they’re built from multiple regulatory layers that apply across identity verification, customer due diligence, recordkeeping, and sanctions compliance.
| Requirement | What It Covers | Source Authority |
|---|---|---|
| Customer Identification Program (CIP) | Collecting and verifying identity information before account opening | FinCEN, enforced by FINRA |
| Customer Due Diligence (CDD) | Understanding account purpose, assessing risk, and identifying red flags | FinCEN (CDD Rule) |
| Beneficial Ownership Rule | Identifying individuals who own or control legal entity customers | FinCEN |
| OFAC Sanctions Screening | Screening customers and related parties against government sanctions lists | OFAC (US Treasury) |
| Recordkeeping Obligations | Maintaining records of customer data, identity checks, and due diligence steps | SEC, FINRA, FinCEN |
Customer Identification Program (CIP)
The Customer Identification Program (CIP) is a foundational part of broker-dealer KYC. It’s required under the Bank Secrecy Act and applies to every account-opening process, whether for an individual or a legal entity.

Verification can be documentary (e.g., a government-issued ID) or non-documentary (e.g., database checks). The verification method must be risk-based and built into written procedures.
CIP must also include procedures for handling red flags, such as failed verifications or conflicting information. Accounts can’t be opened, and should be closed, if identity can’t be reasonably confirmed.
Fintech broker-dealers often build CIP directly into digital onboarding. That’s fine, as long as the controls are reliable, consistently applied, and backed by documentation that can stand up to audit.
Customer Due Diligence (CDD)
Customer Due Diligence (CDD) builds on CIP by requiring broker-dealers to go beyond identity and understand the purpose and risk profile of each account. These procedures are mandatory under FinCEN’s CDD Rule and form a core part of any AML program.

For legal entities, firms must collect identifying details on anyone who owns 25% or more of the company, as well as a control person, even if they don’t own equity. This step is where KYC meets ownership transparency, and it’s a frequent pain point for fintechs dealing with platform clients or layered structures.
CDD isn’t static. If a client’s risk profile changes or their behavior deviates from what was expected, the firm is expected to revisit and update its assessment. Regulators don’t view CDD as a one-time onboarding step. It’s an ongoing part of compliance.
Beneficial Ownership Rule
The Beneficial Ownership Rule is a critical component of CDD, specifically focused on legal entity customers. It requires broker-dealers to identify and verify the individuals who own or control the company opening the account.
Firms must collect:
- The names of individuals who own 25% or more of the entity
- One person with significant control over the entity (even if they own no equity)
- Personal details for those individuals: name, date of birth, address, and ID number
- Verification of identity, using the same standards applied in CIP
This rule was designed to close gaps exploited through shell companies and opaque ownership structures. For fintechs working with platforms, layered business entities, or overseas customers, this is often where compliance complexity spikes.
Ownership data must be collected at onboarding and retained for five years. If the ownership structure changes, the firm is expected to update its records accordingly. Regulators treat beneficial ownership as a live data point, not something you file away and forget.
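As an added example that is not part of the article, the following Python sketch applies the 25% threshold and the one-control-person requirement to a layered ownership chart in which an entity is itself owned by another entity (all names and percentages are constructed). It assumes indirect stakes count toward the threshold and are aggregated by multiplying fractions down each ownership chain and summing across chains, and it checks that the personal details listed above have actually been collected for each individual it identifies.

```python
"""Resolves who must be identified under the Beneficial Ownership Rule for a
layered legal-entity customer. Added example, not the article's own code.
Assumption: indirect stakes count toward the 25% threshold, aggregated by
multiplying fractions down each ownership chain and summing across chains."""
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 0.25  # 25% equity threshold from the rule
EPS = 1e-9        # floating-point tolerance
REQUIRED_FIELDS = ("name", "date_of_birth", "address", "id_number")

@dataclass
class Entity:
    owners: dict = field(default_factory=dict)   # owner name -> fraction held
    control_person: Optional[str] = None         # may hold no equity at all

def resolve_individuals(entities, name, path=()):
    """Map each natural person to their effective fraction of `name`.
    Names absent from `entities` are natural persons; cycles are rejected."""
    if name not in entities:
        return {name: 1.0}
    if name in path:
        raise ValueError(f"circular ownership involving {name}")
    effective = {}
    for owner, share in entities[name].owners.items():
        for person, frac in resolve_individuals(entities, owner, path + (name,)).items():
            effective[person] = effective.get(person, 0.0) + share * frac
    return effective

def beneficial_ownership_review(entities, customer, records):
    """Return (owners_to_identify, control_person, issues). `records` holds
    the personal details collected so far; gaps are reported, not ignored."""
    stakes = resolve_individuals(entities, customer)
    owners = sorted(p for p, f in stakes.items() if f + EPS >= THRESHOLD)
    control = entities[customer].control_person
    issues = []
    declared = sum(entities[customer].owners.values())
    if abs(declared - 1.0) > EPS:
        issues.append(f"{customer}: declared ownership sums to {declared:.0%}")
    if control is None:
        issues.append(f"{customer}: no control person identified")
    for person in owners + ([control] if control else []):
        missing = [k for k in REQUIRED_FIELDS if not records.get(person, {}).get(k)]
        if missing:
            issues.append(f"{person}: missing {', '.join(missing)}")
    return owners, control, issues

# Constructed sample chart: Acme is the customer; Bob's 30% is held only
# through Beta, so a direct-owners-only check would never surface him.
ENTITIES = {
    "Acme Holdings LLC": Entity({"Alice": 0.40, "Beta Partners LP": 0.60}, "Carol"),
    "Beta Partners LP": Entity({"Bob": 0.50, "Dave": 0.30, "Erin": 0.20}),
}
RECORDS = {  # constructed; Bob's ID number has not been collected yet
    "Alice": dict(name="Alice", date_of_birth="1980-01-01", address="1 Main St", id_number="A1"),
    "Bob": dict(name="Bob", date_of_birth="1975-05-05", address="2 Oak Ave", id_number=""),
    "Carol": dict(name="Carol", date_of_birth="1982-03-03", address="3 Elm Rd", id_number="C3"),
}
```

Running `beneficial_ownership_review(ENTITIES, "Acme Holdings LLC", RECORDS)` identifies Alice and Bob as 25%-plus owners, Carol as the control person, and flags Bob's missing ID number, while Dave's 18% indirect stake stays below the threshold.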
Recordkeeping Obligations
Broker-dealer KYC doesn’t stop once the customer is onboarded. Firms must maintain clear, accessible records that document how identity was verified, when due diligence was completed, and what procedures were followed. These rules come from multiple sources, including the Bank Secrecy Act, SEC regulations, and FINRA guidance.
At a minimum, firms must retain:
- Customer identity information collected during onboarding
- Documentation or references for how that identity was verified
- Beneficial ownership data (if applicable)
- Notes or reports from any enhanced due diligence
- Evidence of ongoing monitoring, updates, or risk reclassifications
CIP records must be retained for five years after the account is closed. Other documentation, like verification methods and risk assessments, must also be kept for five years from when the record was created.
For fast-moving fintechs, this isn’t just about storage; it’s about access. If a regulator asks for proof, you need to know where it lives, who owns it, and whether it’s current. That’s often where compliance teams uncover gaps in workflow or documentation discipline.
FINRA’s Know Your Customer Rule (Rule 2090)
FINRA Rule 2090 requires broker-dealers to understand who their customers are and how their accounts should be handled. That includes collecting the right details at the start and making sure those details stay current. The rule isn’t tied to a form or a moment in time. It’s ongoing.
In practice, this means firms need to know who controls the account, what the customer’s financial situation looks like, and what the account is meant to do. If those facts change, the record needs to change too.
Regulators expect firms to stay in sync with the customer, not just file paperwork once and forget it.
Suitability, Reg BI, and the Link to KYC
KYC doesn’t just support anti-money laundering. It’s also the foundation for determining whether a recommendation is appropriate. That’s where FINRA Rule 2111 (Suitability) and Regulation Best Interest (Reg BI) come in.
Rule 2111 requires firms to evaluate whether a recommended product fits the customer’s financial situation, investment experience, and objectives.
Reg BI, which applies to retail customers, goes further. It requires broker-dealers to act in the customer’s best interest when making recommendations, not just suitable ones.
Both rules rely heavily on accurate and up-to-date KYC data. If you don’t have a clear picture of the customer’s goals, risk tolerance, or liquidity needs, it becomes difficult to meet either standard. In practice, that means KYC data isn’t just collected. It has to be used.
For fintechs offering robo-advisory tools, hybrid models, or alternative assets, this can get complex. But the regulatory expectation is straightforward: if you’re giving advice or offering investment options, the recommendation must match the person behind the account. And the only way to do that is to know who they are and what they need.
What Broker-Dealers Must Collect: A KYC Checklist
Every broker-dealer is expected to gather specific information during onboarding. What’s required depends on who the customer is. The details are used to assess risk, support suitability reviews, and meet regulatory requirements.
Here’s a breakdown of what’s typically required:
- Individual Customers: Full legal name, date of birth, residential address, Social Security number (or other ID).
- Legal Entity Customers: Entity name, formation documents, tax ID, business address, nature of business, and beneficial ownership information. This includes individuals with 25% or more ownership and at least one control person.
- Authorized Users and Account Controllers: Identification details and documentation for anyone with trading authority, signatory power, or other decision-making roles. This often includes portfolio managers, trustees, or legal representatives.
All of this data should be verifiable and tied to the firm’s documented KYC procedures. For fast-growth fintechs, the challenge is usually less about collecting the fields and more about integrating that process with risk scoring, onboarding flows, and downstream compliance tasks.
Common KYC Challenges for Fintech Broker-Dealers
Regulations may be clear on paper, but fintech broker-dealers often run into real-world obstacles when putting KYC programs into action. The challenges tend to surface during onboarding, rapid growth, or when multiple systems and teams have to work together.
High-Friction Onboarding vs. Compliance
Fast sign-ups are a priority for fintechs, but KYC can slow things down. What the product team sees as friction, compliance sees as essential. Cutting steps might boost conversions. However, it can also create regulatory blind spots.
The key isn’t to remove friction entirely. It’s to figure out which parts of the process are essential, which can be automated, and where risk-based decisions can give flexibility. Removing the wrong step may save the user a click but create a problem during an audit. Successful firms don’t just optimize for speed. They optimize for what will hold up under scrutiny.
Data Gaps and System Silos
As fintech broker-dealers scale, KYC data often ends up scattered across tools, teams, and platforms. One system collects identity documents. Another handles risk scoring. A third stores suitability notes. Over time, the gaps between them become harder to manage.
When KYC data lives in separate systems, it’s not just hard to track. It’s risky. If updates get missed or no one has end-to-end ownership, the compliance team can’t explain how certain decisions were made. That lack of visibility becomes a real problem during a regulatory exam or audit.
Fixing this isn’t just a tech problem. It’s a data governance issue. Every firm needs to know where customer data lives, who maintains it, and how it maps back to regulatory obligations.
Misunderstanding Who “the Customer” Is
KYC starts with a simple question: who’s the customer? But in fintech, especially when platforms or intermediaries are involved, that question gets messy.
Is it the platform itself, or the end user behind it? What if funds flow through one legal entity but investment discretion lives elsewhere? Regulators expect firms to look through these structures and identify the real parties involved.
When teams misclassify the customer, they often miss required information, skip risk assessments, or apply the wrong procedures entirely. This can create exposure not just during exams, but in enforcement actions if something goes wrong.
The safest approach: map the relationship clearly at the start, document who’s on the other side of the transaction, and treat any ambiguity as a flag for deeper review.
Relying on Vendors or Advisors: What’s Allowed?
Fintech broker-dealers often turn to third parties for help with KYC: identity checks, onboarding tools, compliance workflows, or legal input. This can improve efficiency. However, regulators are clear that outsourcing a task does not outsource the responsibility for it.
If a vendor handles customer verification or recordkeeping, the broker-dealer still owns the outcome. That includes making sure data is accurate, the process is documented, and issues are escalated when needed.
Certain setups, like formal reliance on another firm’s CIP, are allowed under SEC and FINRA rules. But they require contracts, documentation, and a clear process for oversight.
Best Practices for Building a Scalable KYC Program
A strong KYC program needs to scale as your customer base, risk profile, and regulatory exposure grow.
The following best practices help broker-dealers design adaptable KYC controls:
- Risk-Based Frameworks: Don’t treat every customer the same. Use a risk-based approach to tailor the depth of checks, frequency of reviews, and escalation paths. This allows low-risk accounts to move quickly while flagging higher-risk ones for deeper scrutiny.
- Periodic Reviews and Update Cycles: Build triggers and schedules for reviewing customer data, especially when there's a change in behavior, ownership, or financial activity. Periodic refreshes reduce stale profiles and support ongoing suitability assessments.
- Documentation and Oversight: A scalable program needs structure. That means clearly written policies, defined ownership across teams, and auditable workflows. If a decision is made, automated or manual, it should be traceable. When regulators ask “why,” you need to show “how.”
No KYC program is perfect out of the gate, but it should be designed to improve over time. The most resilient broker-dealers are the ones who can answer tough questions under audit.
That clarity only comes from having strong policies, clear data ownership, and documented decisions. Whether you’re handling onboarding in-house or leaning on vendors, the accountability stays with you.
KYC is a moving target, but with the right structure, it’s one you can keep up with.