Overview
- The SEC issued a final order on June 29 that found Merrill Lynch failed to file required suspicious activity reports from April 2020 through September 2024 and imposed a $7.5 million civil penalty.
- The agency says Merrill used Bank of America's group-wide monitoring software that bundled transactions into 'event groups' and assigned each group a risk score, and only groups above a set threshold were reviewed for possible SAR filings.
- Internal analysis showed some lower-scoring event groups would have generated SARs if examined, but Merrill did not review those groups during the period in question and as a result numerous SARs were not filed.
- Merrill accepted a censure, a cease-and-desist order, and the penalty without admitting or denying the SEC's findings, and Bank of America said it is engaged with regulators and is reviewing and enhancing its AML systems.
- This action follows a 2023 enforcement that resulted in a $12 million fine for earlier SAR lapses and raises the prospect of escalated oversight and tighter controls that could affect how big banks onboard higher-risk clients, including crypto firms.