Skip to content
On this page
  1. Key Takeaways
  2. What It Is
  3. The Intuition
  4. How It Works
  5. Worked Example
  6. Common Mistakes
  7. Frequently Asked Questions
  8. Sources
  9. Disclaimer
← All concepts
Investment OperationsIntermediate5 min read

KYC AML: Client Identity and Anti-Money Laundering Rules

Know Your Customer (KYC) and Anti-Money Laundering (AML) are the two overlapping rule sets that require financial firms to identify who their clients are and monitor what those clients do with the firm's services.

Key Takeaways

  • KYC is a component of AML: you cannot monitor suspicious activity without first knowing who the customer is.
  • Firms must file Currency Transaction Reports for cash transactions above 10,000 dollars and Suspicious Activity Reports for behavior that looks like money laundering or fraud.
  • A common mistake is treating KYC as a one-time task at account opening, both BSA rules and FINRA 2090 require ongoing updates when client facts change.
  • KYC data feeds suitability analysis under FINRA Rule 2111, connecting compliance directly to investment recommendations.

Key Takeaways

  • KYC is a component of AML: you cannot monitor suspicious activity without first knowing who the customer is.
  • Firms must file Currency Transaction Reports for cash transactions above 10,000 dollars and Suspicious Activity Reports for behavior that looks like money laundering or fraud.
  • A common mistake is treating KYC as a one-time task at account opening, both BSA rules and FINRA 2090 require ongoing updates when client facts change.
  • KYC data feeds suitability analysis under FINRA Rule 2111, connecting compliance directly to investment recommendations.

What It Is

KYC is the obligation to collect and verify essential facts about every customer at account opening and to keep those facts current. In the United States broker-dealer context, KYC is codified primarily in FINRA Rule 2090. For investment advisers and banks it flows from the Bank Secrecy Act and related rules.

AML is the broader program of policies, procedures, and controls that financial institutions must have to detect, prevent, and report money laundering and terrorist financing. The core US statute is the Bank Secrecy Act of 1970 (BSA), amended and expanded by the USA PATRIOT Act of 2001. FinCEN, inside the Department of the Treasury, is the primary administrator.

KYC is therefore a component of AML, not a separate regime. You cannot monitor who is doing what without first knowing who the customer is.

The Intuition

Financial systems are useful to criminals precisely because they move value fast across borders with limited friction. KYC and AML exist to raise the friction on bad actors without smothering legitimate activity. The logic has three layers: identify the customer, understand what normal activity for that customer looks like, and flag activity that deviates enough to warrant investigation or a regulatory filing.

After September 11, 2001, the Patriot Act extended these duties aggressively, most notably by mandating a Customer Identification Program (CIP) for all covered institutions and requiring a formal written AML program with a designated compliance officer.

How It Works

A compliant program has five pillars, as set out in BSA regulations and the PATRIOT Act:

  • Customer Identification Program (CIP), which collects name, date of birth, address, and a government-issued identification number before opening an account, and verifies identity through documents or non-documentary methods
  • Written internal policies, procedures, and controls that describe how the firm handles onboarding, monitoring, and reporting
  • A designated AML compliance officer with enough authority and resources to run the program
  • Ongoing training for employees who interact with customers or transactions
  • Independent audit to test whether the program actually works

Beyond the pillars, institutions are required to file Currency Transaction Reports (CTRs) for cash transactions above 10,000 dollars and Suspicious Activity Reports (SARs) when they detect behavior that looks like money laundering, structuring, or fraud. Enhanced Due Diligence (EDD) kicks in for higher-risk customers, including Politically Exposed Persons (PEPs), customers in high-risk jurisdictions, and private banking relationships.

The broker-dealer side adds FINRA Rule 2090, which requires firms to use reasonable diligence to know essential facts about each customer and the authority of each person acting on the customer's behalf. Rule 2090 pairs with FINRA Rule 2111, the suitability rule, which uses the KYC information to decide whether a recommended security is appropriate for the customer's profile.

Worked Example

Consider a regional broker-dealer onboarding a new private wealth client. The firm must:

  1. Collect the client's full legal name, date of birth, residential address, and Social Security number as part of CIP, and verify identity through a driver's license or passport
  2. Screen the client against OFAC sanctions lists, PEP databases, and adverse media
  3. Document the client's investment profile: net worth, liquid net worth, income, investment objectives, risk tolerance, and time horizon, which satisfies FINRA 2090 and feeds FINRA 2111 suitability analysis
  4. Assign an AML risk rating based on factors such as source of funds, geography, and expected activity
  5. Set monitoring thresholds, so that if future wires exceed expected volume or come from flagged jurisdictions, the system alerts a compliance analyst

If six months later the client wires 250,000 dollars from an unfamiliar offshore account and withdraws a similar amount in cash, the monitoring system triggers. Compliance reviews the activity, and if the explanation is insufficient, a SAR is filed with FinCEN.

Common Mistakes

  1. Treating KYC as a one-time task. Essential facts change. Clients move, inherit, start businesses, or lose capacity. FINRA 2090 and BSA rules require ongoing updates, not just a box checked at onboarding.

  2. Collecting data but never using it. A beautifully filled-out KYC file that does not feed monitoring thresholds, suitability checks, or periodic reviews fails the spirit of the rules and, in practice, fails examinations.

  3. Underestimating PEP and EDD scope. Politically Exposed Persons include not just elected officials but also senior executives of state-owned companies, their families, and close associates. Missing these categories is a frequent audit finding.

  4. Confusing SARs with accusations. A Suspicious Activity Report is a regulatory alert, not a conclusion. Filing a SAR does not mean the customer committed a crime, and failing to file when warranted creates direct legal exposure for the institution.

  5. Assuming AML only applies to banks. Broker-dealers, futures commission merchants, money services businesses, and, increasingly, registered investment advisers are all covered. FinCEN finalized an AML rule extending program and SAR requirements to most SEC-registered investment advisers effective in 2026.

Frequently Asked Questions

Q: What are KYC and AML in simple terms? KYC requires firms to collect and verify basic facts about every client before opening an account. AML is the broader program of policies that monitors transactions for signs of money laundering and ensures suspicious activity is reported to regulators.

Q: How do KYC and AML rules affect investment decisions? KYC data directly feeds suitability analysis under FINRA Rule 2111. A client's stated risk tolerance, net worth, and investment objectives, all collected through KYC, determine which products an adviser can recommend. AML monitoring can also flag unusual trading patterns that affect account access.

Q: What is a real-world example of KYC and AML in practice? A regional broker-dealer onboards a new client, collects their ID and Social Security number, screens them against OFAC sanctions lists, and assigns a risk rating. Six months later, the client makes an unusual offshore wire. The monitoring system flags it, compliance reviews it, and a Suspicious Activity Report is filed with FinCEN.

Q: How can investors prepare for KYC requirements when opening accounts? Have government-issued ID, Social Security number, proof of address, and information about income and investment objectives ready. Expect periodic requests to update this information. Providing accurate information speeds up onboarding and reduces the chance of account restrictions.

Q: How is KYC different from suitability rules? KYC focuses on identity verification and fraud prevention under FINRA Rule 2090 and the Bank Secrecy Act. Suitability under FINRA Rule 2111 uses the KYC data to decide whether a specific recommendation is appropriate for that client. KYC identifies who you are; suitability determines what you should be offered.

Sources

  1. FINRA. "Rule 2090. Know Your Customer." https://www.finra.org/rules-guidance/rulebooks/finra-rules/2090
  2. FinCEN. "The Bank Secrecy Act." https://www.fincen.gov/resources/statutes-and-regulations/bank-secrecy-act
  3. FinCEN. "USA PATRIOT Act." https://www.fincen.gov/resources/statutes-and-regulations/usa-patriot-act
  4. FFIEC BSA/AML Examination Manual. "Customer Identification Program." https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/01

Disclaimer

This article is educational content only and is not financial advice. Nothing here is a recommendation to buy, sell, or hold any security. Consult a licensed advisor before making investment decisions.

The IWP Substack

You understand the concept. Now see it applied.

The Investing With Purpose Substack turns ideas like this into research and risk-managed trade plans on real stocks, updated every week.

Read on Substack (opens in a new tab)

Related concepts