Merrill Lynch’s $7.5 Million SAR Penalty: What Every Compliance Team Should Learn

Share

The SEC has fined Bank of America’s Merrill Lynch business $7.5 million after determining the firm failed to file numerous Suspicious Activity Reports (SARs) over a four-year period. While the penalty itself is significant, the underlying cause is even more important for compliance professionals.

This wasn’t a case where suspicious activity went completely unnoticed.

Instead, the firm’s own transaction monitoring process prevented many suspicious events from ever reaching investigators for review.

For compliance teams everywhere, the enforcement action is a reminder that how your monitoring system is configured can be just as important as having one in the first place.

Key Highlights

  • Merrill Lynch was fined $7.5 million by the U.S. Securities and Exchange Commission (SEC) for failing to file numerous Suspicious Activity Reports (SARs).
  • The failures occurred over more than four years, from April 2020 through September 2024.
  • According to the SEC, the firm’s transaction monitoring thresholds prevented investigators from reviewing potentially suspicious activity that should have resulted in SAR filings.
  • The case highlights a growing regulatory expectation that compliance teams continuously validate and tune transaction monitoring systems rather than relying on static rules.
  • Organizations should regularly review alert thresholds, perform retrospective testing, and ensure regulatory reporting processes are complete, accurate, and defensible.

What Happened?

According to the SEC, Merrill Lynch relied on Bank of America’s enterprise transaction monitoring system to identify suspicious activity.

The system grouped related events together and assigned each a risk score. Only groups with a score of 20 or higher were sent for investigation and possible SAR filing.

The problem?

Internal analyses showed that many event groups scoring below 20 would likely have resulted in SAR filings if investigators had reviewed them. Despite those findings, the threshold remained unchanged for years, resulting in numerous SARs never being filed. The missed activity reportedly involved hundreds of millions of dollars in transactions.

Eventually, Merrill Lynch lowered the threshold, conducted a retrospective review, and filed numerous delayed SARs while cooperating with regulators. Even so, the SEC imposed a $7.5 million civil penalty.

Why Alert Threshold Tuning Is a Regulatory Risk

Every compliance team balances the same challenge.

Lower thresholds generate more alerts.

More alerts require more investigators.

More investigators increase costs.

The temptation is to tune systems to reduce false positives. But this case demonstrates the risk of going too far.

Reducing alert volume cannot come at the expense of missing suspicious activity.

Regulators increasingly expect firms to demonstrate that their monitoring systems are not only operational, but also appropriately calibrated, tested, and supported by evidence. Simply relying on vendor defaults or historical settings is no longer enough.

What Regulators Expect From Transaction Monitoring Programs

Perhaps the most important takeaway isn’t the fine.

It’s that regulators examined how Merrill Lynch’s monitoring system was configured.

The SEC focused on whether alert thresholds reflected actual risk and whether the firm acted after internal testing identified weaknesses.

This reflects a broader shift happening across AML compliance.

Regulators are asking:

  • Why was this threshold chosen?
  • When was it last validated?
  • What testing supports it?
  • How quickly are changes implemented when gaps are identified?
  • Can the institution demonstrate that potentially suspicious activity is not being missed?

Compliance programs increasingly need evidence that their controls remain effective over time, not just that controls exist.

How Compliance Teams Can Reduce Their Risk

While every organization’s AML program is different, several best practices can help reduce the likelihood of similar regulatory findings.

1. Regularly Validate Monitoring Rules

Transaction monitoring should never be “set and forget.”

Alert thresholds should be reviewed periodically using historical data to determine whether suspicious activity is being appropriately captured.

2. Test for False Negatives, Not Just False Positives

Many organizations measure false positives. Fewer measure false negatives.

Retrospective testing of transactions that did not generate alerts can help identify whether monitoring rules are missing suspicious behavior.

3. Document Threshold Changes for Examiner Readiness

If thresholds are adjusted, document:

  • Why the change was made
  • What testing supported it
  • Who approved it
  • What impact it had on alert volumes and SAR filings

This documentation can become critical during examinations.

4. Monitor Reporting Timeliness

Detecting suspicious activity is only one part of compliance.

Institutions should also ensure SARs are reviewed, approved, and submitted within required regulatory timeframes.

Automation can significantly reduce delays caused by manual processes.

5. Review Your Regulatory Reporting Process

Even strong investigations can create compliance risk if reporting remains manual.

Many organizations still rely on spreadsheets, emails, and disconnected workflows to prepare SARs and other regulatory filings.

Automated reporting solutions help ensure reports are complete, consistent, submitted on time, and supported by a clear audit trail.

Technology Alone Isn’t Enough

This enforcement action wasn’t simply about software. It was about governance. 

Monitoring systems require ongoing oversight, regular tuning, independent validation, and continuous improvement as customer behavior, products, and financial crime risks evolve.

Technology should support those efforts, but organizations remain responsible for ensuring their AML program continues to operate effectively.

Strengthening SAR Filing Discipline

The Merrill Lynch enforcement action is a reminder that AML compliance is about more than detecting suspicious activity. It’s about ensuring suspicious activity can actually reach investigators, be properly assessed, and ultimately be reported when required.

For compliance professionals, it’s an opportunity to revisit monitoring thresholds, validate existing controls, and evaluate whether reporting workflows are helping or hindering compliance efforts.

Organizations that continuously test, document, and improve their monitoring and reporting processes will be far better positioned to withstand regulatory scrutiny than those relying on static configurations established years ago.

Schedule a free demo

See how Alessa can help your organization

100% Commitment Free

Recent Posts

Casino table

KYC Requirements for Casinos: What to Know

Casinos occupy a specific and heavily scrutinized position in the U.S. anti-money laundering (AML) framework. Large volumes of cash, rapid transaction turnover, and a diverse

X

chatbot-alessa Alessa

Hello, I'm Allie! I'm here to help if you have questions about Alessa and our products.

Please fill out the form to access the webinar: