The SEC fined Merrill $7.5M on 29 June 2026 for a transaction monitoring threshold it knew was miscalibrated. Why repeat SAR failures are the real risk.
Table of contents
The SEC fined Merrill $7.5 million on 29 June 2026 because its transaction monitoring system only investigated alerts scoring 20 or higher, even after Merrill's own analysis showed lower-scoring events would have produced suspicious activity reports. The software worked. The threshold was wrong, Merrill knew, and it took about three years to fix.
- The SEC imposed a $7.5 million civil penalty on Merrill Lynch, Bank of America's brokerage arm, on 29 June 2026, for conduct from April 2020 to September 2024.
- Merrill's transaction monitoring, its "Event Processor", only escalated event groups with a risk score of at least 20; internal analyses showed some lower-scoring groups would have resulted in SARs if investigated.
- Merrill lowered the threshold in December 2023, ran a retrospective review of the previously uninvestigated events, and filed numerous additional SARs.
- This is Merrill's third SEC action for the same kind of SAR failure, after settlements in 2017 and a $12 million penalty with FINRA in 2023.
- Merrill settled without admitting or denying the findings and agreed to cease and desist.
What did the SEC actually find?
Merrill relied on Bank of America's transaction monitoring software, which scored client activity and escalated only the event groups that crossed a set threshold. Per the SEC order, Merrill investigated only groups with "risk scores of at least 20" for potential SAR filings. The problem was not the score. It was the cut-off. Merrill's own internal analyses showed that some event groups scoring below 20 would have resulted in suspicious activity reports had anyone reviewed them. Those events were never investigated, from April 2020 to September 2024. In December 2023 Merrill finally lowered the Event Processor threshold, went back over the previously uninvestigated event groups, and filed numerous SARs it should have filed years earlier. The retrospective filing is the tell: the activity was reportable all along, and only the threshold stood between it and a regulator. The missed activity did not disappear while it sat below the line. It accumulated until someone lowered the threshold, then surfaced all at once as a wave of late filings that itself signals the control was mis-set for years.
Why is this a calibration failure, not a technology failure?
This is the distinction every compliance leader should take from the case. The monitoring system did exactly what it was configured to do. It scored events and escalated the ones above 20. Nothing broke. What failed was the human decision about where to set the line, and the failure to revisit it once the firm's own data showed it was too high. A control tuned to escalate less is not a smaller version of a working control. It is a control that manufactures a clean audit trail while the reportable activity slips underneath it. That is why "we have a transaction monitoring system" is no longer a defence. The SEC is grading whether the system is calibrated to catch what it is supposed to catch, and whether you can prove it. The uncomfortable part is that the evidence of the failure came from Merrill itself. Its own analysis flagged the missed cases, which means the information needed to fix the control existed inside the firm long before the regulator arrived. A control you know is mis-set and do not act on is worse than one you never built, because the record shows you knew and waited.
Why do repeat violations matter more than the $7.5 million?
For Bank of America, $7.5 million is a rounding error. The real risk is the pattern. This is the third time the SEC has sanctioned Merrill for essentially the same SAR failure: a settlement in 2017, a $12 million joint penalty with FINRA in 2023 for conduct running to 2019, and now a penalty for conduct that began in April 2020, barely after the previous period ended. A regulator that sees the same control fail three times in under a decade stops treating it as an accident. Repeat findings are what turn a civil penalty into something with teeth: undertakings, an independent compliance consultant, or a consent order that dictates how you run the control. At some point the fines stop mattering and the supervision starts. For any firm the lesson is that repeat transaction monitoring failures compound: each recurrence raises the odds that the next remedy is structural rather than financial.
| SEC SAR action against Merrill | When | Outcome |
|---|---|---|
| First settlement | 2017 | SAR-reporting findings settled |
| Joint SEC and FINRA action | July 2023 | $12 million penalty, conduct 2009 to 2019 |
| Latest order | 29 June 2026 | $7.5 million penalty, conduct April 2020 to September 2024 |
What does this change for your AML obligations?
The order maps onto specific duties, and each is now a question you must be able to answer with evidence. First, model and threshold validation: you must periodically test whether your alert thresholds are catching reportable activity, and Merrill's own below-threshold analysis is exactly the kind of test that, once run, creates a duty to act on it. Second, SAR completeness: an alerting cut-off does not discharge the obligation to file, and unreviewed below-threshold activity becomes a backlog and a lookback. Third, governance of parameters: a threshold change, or the decision to leave one in place, needs a documented, risk-based rationale a regulator can read. Fourth, remediation speed: the three-year gap between knowing and fixing is what elevated this. The throughline is that credible transaction monitoring rests on knowing your customer well enough to score risk correctly, the same foundation as decentralised KYC. It is the same lesson regulators drove home in the Canaccord FinCEN penalty, where gamed surveillance produced a record fine.
What is still uncertain, and where is the risk heading?
The open question is escalation. A third strike for the same issue signals the SEC is watching Merrill's controls closely, and the next step for a repeat pattern is rarely another fine of the same size. It is supervision: mandated undertakings, an independent consultant, or a consent order. Every firm running automated monitoring should assume its own thresholds could face the same scrutiny, and that the existence of internal analysis showing missed cases is both the fix and, if ignored, the aggravating factor. There is also a data problem hiding in plain sight: many firms have never run the below-threshold test that would tell them whether they have a Merrill problem, which means they cannot yet prove they do not. Firms that cannot show a recent, documented review of their transaction monitoring thresholds are the most exposed to exactly this line of enquiry.
What should compliance teams do now?
Treat monitoring parameters as living controls, not set and forget. Three questions are worth asking this week. When did you last validate your alert thresholds against actual reportable activity? Do you have data showing cases below the threshold that should have been escalated, and if you do, what have you done about it? And are your parameters reviewed on a documented schedule with a named owner? Beyond that, keep a complete, exportable audit trail so you can show an examiner what was reviewed, when, and why, and remediate any finding on a tight, documented timeline rather than leaving it for years. This is the model Zyphe is built for: verified identity at onboarding so risk scoring rests on real data, a reusable credential rather than a stored honeypot, and an exportable audit trail on every decision. Automated transaction monitoring is only as strong as the last time you proved its thresholds still catch what they should. See the how it works page, or book a demo to test it against your own monitoring.
The bottom line
Merrill's $7.5 million penalty is small, but the message is not. Having a transaction monitoring system is no longer enough; regulators want proof that you calibrate it, and that you act when your own data says the threshold is wrong. The firms that treat thresholds as living controls, validate them against real activity, and keep an audit trail they can hand to an examiner will avoid the slow slide from fines to consent orders that repeat findings invite.
Cited sources
Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.