News / SEC Fines Merrill Lynch $7.5M Over Suspicious Activity Reporting Failures
SEC Fines Merrill Lynch $7.5M Over Suspicious Activity Reporting Failures
02 min read
Enforcement action highlights the risks posed by ineffective transaction-monitoring thresholds and missed Suspicious Activity Reports.
The U.S. Securities and Exchange Commission has fined Merrill Lynch, Pierce, Fenner & Smith Incorporated $7.5 million for failing to file numerous Suspicious Activity Reports (SARs) between April 2020 and September 2024, reinforcing regulatory expectations around independent AML monitoring and reporting obligations.
According to the SEC’s settled order, Merrill relied on Bank of America Corporation’s enterprise-wide Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) program to meet its own SAR filing requirements. The monitoring system grouped potentially suspicious transactions and assigned them risk scores, but only event groups exceeding a predefined threshold were investigated for potential SAR filings.
The SEC found that internal analyses dating back to April 2020 showed that many lower-scoring event groups would likely have resulted in SAR filings if they had been reviewed. Despite this, those alerts were not investigated, causing Merrill to miss numerous reportable suspicious activities over a four-year period.
The regulator concluded that Merrill violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8, which require broker-dealers to maintain effective AML programs and comply with Suspicious Activity Report filing obligations. Without admitting or denying the findings, Merrill agreed to a cease-and-desist order, a censure, and payment of the $7.5 million civil penalty.
The enforcement action highlights a growing regulatory focus on the effectiveness of transaction monitoring systems rather than simply having AML controls in place. Financial institutions are increasingly expected to validate alert thresholds, regularly review monitoring models, and ensure potentially suspicious activity is not excluded due to overly restrictive risk-scoring methodologies.
Why It Matters for Compliance
The Merrill settlement demonstrates that regulators expect firms to independently validate transaction monitoring systems and investigate alerts supported by internal risk analysis. Institutions that rely on automated thresholds without ongoing model validation or governance risk are missing reportable suspicious activity and facing significant enforcement action.
- Others
- June 23, 2026
03 min read
- Sanctions
- June 17, 2026
03 min read
- Others
- June 12, 2026
03 min read
Subscribe to our Newsletter
Our best articles, news and stories, delivered to your inbox every week.