Merrill Lynch Fined $7.5 Million as SEC Targets AML Monitoring and SAR Failures
Merrill Lynch has agreed to pay a $7.5 million civil penalty after the U.S. Securities and Exchange Commission found that the broker-dealer failed to file numerous Suspicious Activity Reports over a period of more than four years.

The case adds another enforcement action to the growing list of regulatory interventions focused not only on whether financial institutions have AML systems in place, but on whether those systems are calibrated and tested properly, and whether known weaknesses they reveal are escalated.
The SEC announced the settled charges on 29 June 2026 against Merrill Lynch, Pierce, Fenner & Smith Incorporated, a Bank of America subsidiary registered as both a broker-dealer and investment adviser. According to the regulator, Merrill failed to file certain SARs with the U.S. Treasury Department’s Financial Crimes Enforcement Network between April 2020 and September 2024, in breach of broker-dealer reporting and recordkeeping requirements. Merrill agreed to a cease-and-desist order, a censure and the $7.5 million penalty without admitting or denying the SEC’s findings.
The Problem Was Not the Absence of a System
The case is significant because the SEC did not describe a firm with no monitoring structure.
Rather, the issue was that Merrill relied on Bank of America’s enterprise-wide BSA/AML programme and the group’s transaction monitoring software to satisfy Merrill’s own independent SAR-filing obligations.
The software, referred to in the SEC order as “Event Processor”, aggregated potentially suspicious activity into “Event Groups” and assigned those groups risk scores. Only Event Groups with scores of 20 or above were promoted for investigation as potential SAR cases. Groups below that threshold were not investigated for SAR filing, and after 13 months certain unpromoted events were retired without review.
That is where the regulatory issue emerged. The SEC said internal analyses showed, at least as early as April 2020, that certain Event Groups below the 20-point threshold would have resulted in SAR filings if investigated. In some cases, the estimated SAR yield for below-threshold groups was higher than for groups that were actually being promoted for review. Despite that, the threshold was not changed until December 2023.
This is the core compliance lesson from the action: regulators are not only examining whether a firm has automated monitoring, scoring logic and alert aggregation. They are asking whether the institution understood the output of its own testing, acted on model-performance indicators, and corrected known blind spots before suspicious activity disappeared from the review queue.
Hundreds of Millions of Dollars in Potentially Suspicious Activity
The SEC order states that the activity not reviewed due to the threshold issue related to hundreds of millions of dollars in transactions conducted by, at, or through Merrill. The potentially suspicious activity included transfers with no apparent economic, business or lawful purpose, large round-dollar transfers, transactions involving high-risk geographic locations, apparently structured cash activity, transactions linked to criminal activity, and activity in accounts connected to subjects of previous SARs or prior suspicious activity reviews.
Reuters reported that the case stemmed from Merrill’s reliance on Bank of America’s transaction monitoring software to comply with federal Bank Secrecy Act obligations, under which broker-dealers are required to file SARs with FinCEN when suspicious activity meets the relevant reporting criteria. The report also noted that after lowering the review threshold, Merrill filed numerous SARs following a retrospective review.
Independent Responsibility Cannot Be Outsourced Internally
A key point in the SEC’s order is that Merrill retained responsibility for complying with its broker-dealer SAR obligations even though it relied on the wider Bank of America BSA/AML programme. In other words, use of an enterprise-wide system did not relieve the regulated broker-dealer of its own reporting duties.
That point matters for large financial groups, especially those operating shared-service compliance models across banking, brokerage, wealth management and advisory businesses. Group-level AML infrastructure may create consistency and operational efficiency, but the regulated entity still needs to demonstrate that the programme works for its own risk profile, products, customer base and regulatory perimeter.
For compliance teams, the enforcement action is a reminder that reliance on centralised controls must be accompanied by entity-level ownership. If a monitoring model is shared across the group, each regulated entity must still be able to explain why thresholds are appropriate, how exceptions are tested, how model weaknesses are escalated, and how known deficiencies are remediated.
Part of a Wider Bank of America AML and Sanctions Scrutiny
The SEC’s action also sits against a wider compliance backdrop. In December 2024, the Office of the Comptroller of the Currency issued a cease-and-desist order against Bank of America, N.A. requiring comprehensive corrective action to strengthen its BSA/AML and sanctions compliance programmes. The OCC order required, among other things, an independent consultant assessment of the bank’s BSA/AML and sanctions compliance framework and lookback reviews to ensure suspicious activity had been appropriately reported.
The SEC order itself also referenced earlier settled administrative proceedings against Merrill relating to SAR failures, including matters from 2017 and 2023. That history is likely to be relevant to how supervisors assess the seriousness of repeat AML weaknesses, even where a specific case is resolved without admissions.
Taken together, the Merrill and Bank of America actions reflect a broader regulatory focus on AML governance, suspicious activity escalation, sanctions controls and the effectiveness of enterprise-wide monitoring platforms. The regulatory expectation is no longer satisfied by having a system that produces alerts. Firms must show that their systems are risk-sensitive, validated, responsive to internal testing and capable of surfacing activity that requires regulatory reporting.
Why This Case Matters for AML Compliance
The Merrill action is not simply another SAR-filing penalty. It highlights the compliance risk created when monitoring thresholds become a substitute for professional judgment.
Automated systems are essential for large institutions, but thresholds must be defensible and dynamic. If internal testing shows that below-threshold activity is producing meaningful SAR yield, the institution cannot ignore that information simply because the activity did not cross the configured score.
The case also demonstrates the importance of feedback loops in AML systems. Sampling, model validation, alert-quality testing and retrospective reviews are only useful if their results lead to operational change. Where a firm identifies a weakness but delays corrective action, the weakness can become evidence that the firm knew, suspected or had reason to suspect that reportable activity was being missed.
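As an added illustration (not code from the SEC order, Merrill or Bank of America), the following models the feedback-loop check the order describes: sampled investigation outcomes are grouped by score band, below-threshold bands are compared with the yield of the promoted set, and unpromoted groups that aged past the retirement window are listed. The 20-point threshold and 13-month retirement come from the order; the 5-point score bands, the group records and the sampled outcomes are constructed assumptions.

```python
"""Threshold-governance check for a score-based AML alert aggregator.

Added example, not the SEC order's or Bank of America's code. Models the
pattern the order describes: Event Groups carry a risk score, only groups at
or above a promotion threshold are investigated, and sampled back-test
investigations of below-threshold groups reveal their SAR yield.
"""
from collections import defaultdict

PROMOTION_THRESHOLD = 20   # score at which an Event Group is promoted (from the order)
RETIREMENT_MONTHS = 13     # unpromoted groups retired after this long (from the order)

# Constructed sample: (group_id, risk_score, age_months, sampled_outcome)
# sampled_outcome is True when a back-test investigation concluded a SAR was warranted.
SAMPLE_GROUPS = [
    ("EG-001", 28, 2, True),  ("EG-002", 24, 5, False), ("EG-003", 21, 1, False),
    ("EG-004", 19, 14, True), ("EG-005", 18, 3, True),  ("EG-006", 17, 9, False),
    ("EG-007", 16, 12, True), ("EG-008", 12, 7, False), ("EG-009", 9, 15, False),
    ("EG-010", 22, 4, True),  ("EG-011", 15, 2, False), ("EG-012", 19, 6, True),
]

def yield_by_band(groups, band_width=5):
    """Fraction of sampled groups per score band that would have produced a SAR."""
    hits, totals = defaultdict(int), defaultdict(int)
    for _, score, _, sar in groups:
        band = (score // band_width) * band_width   # assumed 5-point banding
        totals[band] += 1
        hits[band] += int(sar)
    return {band: hits[band] / totals[band] for band in sorted(totals)}

def promoted_yield(groups, threshold=PROMOTION_THRESHOLD):
    """SAR yield of the groups that the threshold actually promotes for review."""
    promoted = [sar for _, score, _, sar in groups if score >= threshold]
    return sum(promoted) / len(promoted) if promoted else 0.0

def underperforming_threshold(groups, threshold=PROMOTION_THRESHOLD):
    """Below-threshold score bands whose yield matches or beats the promoted set."""
    baseline = promoted_yield(groups, threshold)
    return [band for band, y in yield_by_band(groups).items()
            if band < threshold and y >= baseline]

def silently_retired(groups, threshold=PROMOTION_THRESHOLD, limit=RETIREMENT_MONTHS):
    """Unpromoted groups that aged out without review despite a positive sampled outcome."""
    return [gid for gid, score, age, sar in groups
            if score < threshold and age > limit and sar]
```

On the constructed sample the 15-19 band yields more SARs than the promoted set, which is exactly the condition the order says internal analyses flagged.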
For the wider market, the message is clear: AML technology does not reduce regulatory exposure if it is not governed properly. Regulators expect financial institutions to understand their monitoring architecture, challenge thresholds, act on testing results and file SARs when suspicious activity meets the relevant legal standard. In Merrill’s case, the SEC found that the failure to investigate below-threshold activity resulted in numerous missed filings across a multi-year period.
The $7.5 million penalty is therefore more than a monetary sanction. It is a warning about overreliance on automated scoring, insufficient threshold governance and the dangers of treating enterprise-wide AML systems as a complete answer to entity-specific regulatory obligations.
By fLEXI tEAM