Under Securities and Exchange Commission (“SEC”) authorization, the Financial Industry Regulatory Authority (“FINRA”) is “responsible for regulating (1) all securities firms that do business with the public[,]” (2) key stock exchanges, and (3) “operating industry utilities, such as trade reporting facilities and other over-the-counter operations.”  In furtherance of these regulatory responsibilities, in January 2016, FINRA published its 2016 Regulatory and Examinations Priorities Letter, which identified Anti-Money Laundering (“AML”) programs as an area of focus for the coming year. FINRA Chairman and CEO Richard Ketchum stated that “[i]n 2016, FINRA will be looking for firms to focus on their culture and whether it is putting customers first and promoting risk management adaptable to a changing business environment.”  Although FINRA will not require a “specific culture” at each firm, it will examine how individual firm “culture affects compliance and risk management practices.”  As discussed below, FINRA may be expected to place particular emphasis on firms’ culture of compliance with AML requirements and regulatory systems that accommodate high-risk transactions, such as penny stocks.
FINRA’s effort is illustrative of the increased focus by the government and industry on AML risks inherent in customer intake and monitoring and money movement and their role in combatting financial crime.  FINRA is thus likely to seek to bring enforcement actions in 2016 to highlight the importance for securities firms to adopt appropriate AML compliance and supervisory policies and procedures. Clients are thus well-advised to proactively review their AML practices.
FINRA and the BSA
The Currency and Foreign Transactions Reporting Act of 1970,  more commonly known as the Bank Secrecy Act (“BSA”), is the main source of law governing AML compliance. Among other things, it requires both United-States-based financial institutions and financial institutions with agencies or branches in the United States  to maintain transaction records and file Suspicious Activity Reports (“SARs”) and Currency Transaction Reports (“CTRs”) to assist the government’s AML efforts.  The BSA applies to broker/dealers registered with the SEC. 
In complying with the BSA, broker/dealers must file CTRs and SARs with the Financial Crimes Enforcement Network (“FinCEN”).  FinCEN is the bureau of the United States Treasury that oversees the financial system and, among other goals, aims to combat money laundering.  A broker/dealer generally must file a CTR for transactions that involve more than $10,000 in cash.  SARs are mandated when a transaction involves at least $5,000, whether individually or in aggregate, and if the broker/dealer suspects or has reason to know the transaction falls into one of four categories: (1) it involves funds derived from illegal activity; (2) it is designed to evade BSA requirements; (3) it appears to serve no legitimate business purpose, is not the type of business in which the specific customer typically engages, or is a transaction for “which the broker/dealer knows of no reasonable explanation after examining the available facts”;  or (4) it uses the broker/dealer’s services to facilitate criminal activity.  A broker/dealer also may file a SAR on “any suspicious transaction that it believes is relevant to the possible violation of any law or regulation but whose reporting is not required by this section[,]” for instance, because the $5,000 threshold is not met. 
Relevant FINRA Rules and Regulations
Compliance with FINRA AML rules permit fact-based enforcement scrutiny. The primary rules and laws at issue in AML cases are: FINRA Rule 3310, 31 C.F.R. § 1023.220 (“Regulation 1023.220”), and 31 C.F.R. § 1023.320 (“Regulation 1023.320”). Generally, the adequacy of an individual broker/dealer’s compliance with FINRA’s AML rules is dependent on the business context of the broker/dealer, which includes its size, scope, lines of business, and customer base. AML compliance programs and obligations are “not a ‘one-size-fits-all’ requirement.” 
FINRA Rule 3310 sets out broad minimum standards for the internal AML compliance programs of broker/dealers.  This rule functions as a vehicle through which FINRA reviews a broker/dealer’s compliance with the BSA’s AML requirements.  AML programs must be approved in writing by a member of senior management. The program must be reasonably expected to “detect and cause the reporting” of transactions within the scope of federal law, such as the filing of CTRs and SARs. A broker/dealer must implement policies reasonably designed to achieve compliance with the BSA and perform independent compliance testing of its AML policies. It must also designate an individual to FINRA who is responsible for the day-to-day monitoring of the AML policy. Finally, a broker/dealer must provide ongoing AML-related training for appropriate personnel.
Under Regulation 1023.220, broker/dealers are required to implement a customer identification program.  This is a federal regulatory requirement, and FINRA adopted it as part of its broader AML compliance program under Rule 3310. Among other things, it requires broker/dealers to verify the identity of each customer “to the extent reasonable and practicable.” The verification process should involve requiring customer identification and authenticating that information. The broker/dealer must then compare its customers with government terrorism watch lists. It also must provide customers with adequate notice regarding the identity verification. A broker/dealer may rely on another financial institution to perform these procedures so long as certain requirements are met. Regulation 1023.220 also contains recordkeeping and record retention requirements.
Regulation 1023.320 is the federal rule mandating broker/dealers file SARs in appropriate circumstances.  Regulatory Notice 12-08 requires broker/dealers to make SARs available to any SRO like FINRA that examines compliance with Regulation 1023.320.  FINRA maintains that every broker/dealer is responsible for following the SARs requirements as part of its AML compliance program. 
2015 FINRA Enforcement Actions
Given FINRA’s stated expectation that firms sponsor a culture of “promoting risk management adaptable to a changing business environment,”  FINRA is likely to seek to bring actions in 2016 that reinforce the signals it sent last year regarding a culture of AML compliance, particularly regarding high-risk transactions.
A. 2014–2015 Comparison of Actions
The below chart illustrates FINRA’s enforcement actions in 2015. “Disciplinary actions” is the umbrella term for all of the formal proceedings against brokers/dealers or associated persons. Thus, the number of “disciplinary actions” encompasses suspensions, expulsions, and other sanctions or findings of violations.
Restitution to Investors
B. High-Risk Business Models
In December 2015, FINRA fined a major broker/dealer $6 million for selling billions of unregistered microcap stocks and for lacking an adequate AML program to detect suspicious transactions in such securities, the largest fine for penny stock and AML violations.  FINRA explained that firms accepting large quantities of low-priced, over-the-counter securities “should have written procedures and controls in place to prevent participation in an illegal unregistered distribution of securities[,]” due to the high risk of money laundering associated with such transactions.  It found that the broker/dealer’s system was not reasonably designed to accommodate such risk because it did not:
contain adequate procedures to determine whether shares were registered or control securities;
provide adequate guidance on how to determine if the securities were exempt from registration; or
provide adequate means to detect red flags of suspicious activity. 
The program’s asserted failures led to the broker/dealer’s selling over 73.6 million shares of microcap securities, resulting in approximately $1.3 million in commissions earned by the firm. 
FINRA also determined that the AML program was not “reasonably designed to detect [red flags] and cause the reporting of potential suspicious activity[,]” in violation of FINRA Rules 3310(a) and 31 C.F.R. § 1023.320.  Notably, the broker who managed the transactions reportedly did not consider the following red flags:
“[r]epeated deliveries of large volumes of recently issued, thinly traded microcap securities followed by the immediate liquidation of the securities and transfer of the proceeds;
[s]ecurities of issues that:
had no filings with the SEC;
had filings with the SEC that were not current;
had multiple name changes; and/or
were the subject of suspicious promotional campaigns;
[s]ales that dominated the daily market volume for trading in the security; and
[s]ales that constituted more than 10% of the total outstanding shares of a particular securities.” 
FINRA further determined that the broker/dealer’s compliance program had no manner of detecting whether a “customer’s sales of a microcap security represented a significant percentage of the day’s market volume, or that the shares deposited were in certificate form and recently issued, or that those shares were liquidated promptly after deposit, or that the customer owned more than 20% of the issuer’s total outstanding shares,” all of which FINRA stated would have revealed that additional due diligence was required. 
According to FINRA’s Executive Vice President and Chief of Enforcement:
If a broker/dealer is looking to increase its revenues by expanding a high-risk business line, the firm and its supervisors must tailor their supervision to the risks associated with those businesses. This is especially true when the new business involves the mass liquidation of microcap securities, which present overwhelming risks of fraud and investor harm. 
In part as a result of the asserted AML program failures, FINRA fined the broker/dealer $6 million, ordered disgorgement of the approximately $1.3 million in commissions, and suspended and fined the broker responsible for the transactions, as well as the Executive Manager Director of Equity Capital Markets who sought to expand the business, knowing “that it posed unique challenges.” 
C. Specific Compliance Failures in High-Risk Business Models
In August 2015, FINRA determined that a corporation’s AML compliance program was inadequate because the company failed to:
detect the potentially suspicious nature of the illicit sales of almost 3.9 billion shares of microcap stocks which generated over $1.1 million in commissions;
adequately investigate the activity; and
consider whether or not to report the activity by filing SARs. 
The corporation’s AML policies required that its AML Compliance Officer (“AMLCO”) be responsible for overseeing and implementing the firm’s AML program.  The procedures noted that “[t]rading penny stocks (which may involve unregistered distributions) . . . will, in particular, be monitored when they occur.”  However, the company allegedly did not have specific exception or surveillance reports to address irregular transactions in microcap securities and also failed to maintain evidence that this type of activity was actually being detected and investigated.  Although the AMLCO maintained a log of suspicious activity, FINRA found that this log was not circulated within the company and did not provide any information on the AMLCO’s decision to close suspicious alerts.  Due to these deficiencies, FINRA concluded that the company did not adequately detect or investigate the deposits of unregistered securities, which were quickly followed by liquidations, particularly when these transactions occurred during “suspicious promotional activities.” 
FINRA’s Executive Vice President and Chief of Enforcement stated:
Firms who open their doors to penny stock liquidators must have robust systems and procedures to ensure strict adherence to the registration and AML rules given the significant risk of investor fraud and market manipulation. The compliance officers sanctioned in this case were directly responsible for supervising sales of restricted securities but failed to conduct a meaningful inquiry in the presence of significant red flags . . . 
FINRA determined that the company violated FINRA Rule 3310(a) and fined the broker $950,000. It also required the firm to retain an independent consultant to review its AML policies and procedures and suspended and fined the AMLCO. 
AML-related enforcement is a meaningful and energized part of FINRA’s enforcement apparatus. As the above enforcement actions illustrate, whether due to a certain business model or perceived lapses by compliance personnel, FINRA can be expected to scrutinize closely what it considers high-risk brokerage firms, especially in low-priced securities. To mitigate the risks, potential violations, and possible penalties, brokerage firms should proactively review and analyze their current AML procedures and related training to determine if their programs are reasonably designed to satisfy regulatory requirements.
 SEC Gives Regulatory Approval for NASD and NYSE Consolidation, SEC Press Release (Jul. 26, 2006), https://www.sec.gov/news/press/2007/2007-151.htm.
 FINRA’s 2016 Focus: Supervision, Liquidity and Securities Firms’ Culture, FINRA News Release (Jan. 5, 2016), https://www.finra.org/newsroom/2016/finras-2016-focus-supervision-liquidity-and-securities-firms-culture.
 For example, the SEC also announced that adequacy of AML programs will be a priority for 2016. See Examination Priorities for 2016, SEC Office of Compliance Inspections and Examinations, (Jan. 2016), http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf. Additionally, on January 13, 2016, FinCEN issued Geographic Targeting Orders (“GTOs”) temporarily requiring “certain U.S. title insurance companies to identify the natural persons behind companies used to pay ‘all cash’ for high-end residential real estate in the Borough of Manhattan in New York City, New York and Miami-Dade County, Florida” in an attempt to prevent individuals from hiding their assets or identities by purchasing residential properties through limited liability corporation or other entities. FinCEN Takes Aim at Real Estate Secrecy in Manhattan and Miami, https://www.fincen.gov/news_room/nr/html/20160113.html (Jan. 2016). The New York City GTO is available at https://www.fincen.gov/news_room/nr/files/Real_Estate_GTO-NYC.pdf and the Miami GTO is available at https://www.fincen.gov/news_room/nr/pdf/GTO_Miami.pdf. See also K&L Gates, OCIE and FINRA Announce 2016 Examination Priorities, http://www.klgateshub.com/details/?pub=OCIE-and-FINRA-Announce-2016-Examination-Priorities-01-14-2016 (Jan. 2016); K&L Gates, Certain Compliance Risks in Marketplace/Peer-to-Peer/Online Lending, http://www.klgates.com/certain-compliance-risks-in-marketplacepeer-to-peeronline-lending-02-09-2016/ (Feb. 2016).
 The Currency and Foreign Transactions Reporting Act of 1970, 31 U.S.C. § 5311 et seq. (2012).
 Bank Secrecy Act, 31 U.S.C. § 5312(a)(2)(D) (2012).
 Bank Secrecy Act, 31 U.S.C. § 5312(g) (2012) (“‘financial institution’ means . . . a broker or dealer registered with the Securities and Exchange Commission under the Securities Exchange Act of 1934”).
 Reports by Brokers or Dealers in Securities of Suspicious Transactions, 31 C.F.R. § 1023.320 (2011).
 About FinCEN: What We Do, https://www.fincen.gov/about_fincen/wwd/ (last visited Feb. 16, 2016).
 Notice to Customers: A CTR Reference Guide, FinCEN, https://www.fincen.gov/whatsnew/pdf/
CTRPamphletBW.pdf (last visited Feb. 22, 2016).
 31 C.F.R. § 1023.320.
FINRA Annual Conference, Enhancing Anti-Money Laundering Procedures (May 28, 2015), http://www.finra.org/sites/default/files/2015_AC_Enhancing_Anti-Money_Laundering_Procedures.pdf.
 Customer Identification Programs for Broker-Dealers, 31 C.F.R. § 1023.220 (2011).
 31 C.F.R. § 1023.320.
 About FINRA, supra note 10.
 FINRA Letter of Acceptance, Waiver and Consent No. 2012034964301.
 FINRA Letter of Acceptance, Waiver and Consent No. 2012034964301, at 4–8.
 Disciplinary Proceeding No. 2011026386001, Order Accepting Offer of Settlement (Aug. 3, 2015).