SEC fines Merrill Lynch $7.5m over missed SARs after transaction monitoring threshold failed for more than four years
The SEC has fined Bank of America’s Merrill Lynch business $7.5m after finding it failed to file numerous Suspicious Activity Reports (SARs) from April 2020 through September 2024. For AML teams, the useful part of this case is not the penalty size; it is that the failure came from the way the monitoring system was configured, not from a lack of monitoring altogether.
- According to the SEC, Merrill Lynch used Bank of America’s enterprise transaction monitoring system, which grouped related events and assigned each group a risk score. Only groups scoring 20 or higher were escalated for investigation and potential SAR filing.
- Internal analyses showed that many groups scoring below that threshold would likely have triggered SAR filings if investigators had reviewed them. The SEC said the missed activity involved hundreds of millions of dollars in transactions, and the threshold reportedly stayed in place for years.
- The firm later lowered the threshold, carried out a retrospective review and filed numerous delayed SARs while cooperating with regulators. The SEC still imposed the $7.5m civil penalty.
- The enforcement action puts a familiar RegTech problem on the record: lower thresholds create more alerts, more alerts require more investigators, and more investigators raise costs. But tuning a system to suppress false positives stops being a neat operational choice once it starts suppressing suspicious activity that should have been reviewed in the first place.
- The SEC’s focus was not just on whether a monitoring system existed, but on how it was configured. That means supervisors are looking at why a threshold was chosen, when it was last validated, what testing supports it, and how quickly gaps are fixed after they are found.
For compliance teams, the practical point is straightforward: monitoring rules should not be “set and forget.” Thresholds need review against historical data, false negatives need testing alongside false positives, and any threshold change should be documented with the rationale, supporting testing, approvals and impact on alert volumes. If reporting still depends on spreadsheets and email, that is one more place where delays and weak audit trails can build up fast.
Weekly high-risk digest
Regulation, sanctions and payment news across your verticals — once a week, free.
Please check your inbox and click the link to confirm your subscription.
Please enter a valid email address!