Merrill Lynch’s $7.5m SAR fine exposes threshold risk

SAR

The US SEC has hit Bank of America’s Merrill Lynch arm with a $7.5m civil penalty after finding the firm failed to file numerous SARs over a period spanning more than four years, from April 2020 to September 2024.

According to Alessa, what makes this enforcement action stand out is not the size of the fine, but the mechanism behind the failure. Suspicious activity was not overlooked by investigators; rather, the firm’s own transaction monitoring configuration stopped many suspicious events from ever reaching them in the first place.

Alessa recently discussed Merrill Lynch’s $7.5m SAR penalty, and what every compliance team should learn.

For compliance teams across the RegTech and FinTech landscape, it is a stark warning that how a monitoring system is calibrated can matter just as much as whether one exists at all.

According to the SEC, Merrill Lynch depended on Bank of America’s enterprise-wide transaction monitoring system to flag suspicious behaviour. The platform clustered related events into groups and assigned each a risk score, with only those scoring 20 or above escalated for investigation and potential SAR filing.

Internal analyses, however, revealed that many groups scoring beneath that mark would likely have triggered SAR filings had investigators actually reviewed them. Despite this, the threshold sat untouched for years, and the missed activity reportedly involved hundreds of millions of dollars in transactions. Merrill Lynch ultimately lowered the threshold, ran a retrospective review, filed the delayed SARs and cooperated with regulators, but the SEC still imposed the penalty.

The case shines a light on a tension every compliance function knows well. Lower thresholds create more alerts, more alerts demand more investigators, and more investigators drive up costs.

The temptation to tune systems to suppress false positives is understandable, but this action demonstrates the danger of going too far. Regulators now expect firms to prove their monitoring systems are appropriately calibrated, tested and evidenced, asking why a threshold was chosen, when it was last validated, what testing supports it and how quickly gaps are remediated. Relying on vendor defaults or legacy settings is no longer defensible.

To reduce exposure, firms should validate monitoring rules regularly rather than treating them as set and forget, and test for false negatives as well as false positives through retrospective reviews of transactions that never generated alerts.

Any threshold change should be documented, capturing why it was made, what testing supported it, who approved it and its impact on alert volumes and SAR filings. Institutions should also monitor reporting timeliness and modernise regulatory reporting workflows still built on spreadsheets, emails and disconnected processes.

Ultimately, this was a failure of governance, not just software. Monitoring systems demand ongoing oversight, tuning, independent validation and continuous improvement as customer behaviour and financial crime risks evolve. Firms that continuously test, document and refine their controls will be far better placed to withstand regulatory scrutiny than those leaning on configurations set years ago.

Read the full Alessa post here. 

Read the daily RegTech news

Copyright © 2026 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.