Regulators found Bank of America’s monitoring software had a known flaw Merrill left uncorrected for years.
Bank of America’s brokerage unit has agreed to pay $7.5 million to settle Securities and Exchange Commission charges that it failed to file hundreds of suspicious activity reports over more than four years – the firm’s third such enforcement action for SAR-related failures since 2017.
The SEC’s order, issued Monday, found that Merrill Lynch, Pierce, Fenner & Smith Incorporated willfully violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8 thereunder. The federal rule compels registered broker-dealers to comply with Bank Secrecy Act reporting requirements, including filing suspicious activity reports (SARs) with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).
Merrill neither admitted nor denied wrongdoing in accepting the sanctions, which also include a formal censure and a cease-and-desist order.
What the SEC found
The SEC’s findings center on the period from April 8, 2020 through September 10, 2024. During that window, Merrill delegated the bulk of its Bank Secrecy Act compliance work to Bank of America’s enterprise-wide anti-money laundering program, which used a software system called “Event Processor” to aggregate alerts into “Event Groups” and assign each group a numeric risk score.
The critical flaw in Merrill’s process, according to the regulator, was that it only investigated Event Groups with risk scores of 20 or higher for potential SAR filings. That’s even though the firm’s own internal analyses showed, at least as far back as April 2020, that some groups below that threshold would have resulted in SAR filings had they been reviewed.
In other words, Merrill knew its monitoring threshold was generating blind spots and failed to lower it for more than three years. Bank of America and Merrill did not adjust the Event Processor’s case promotion threshold until December 2023, the SEC said.
The suspicious transactions that fell through the cracks were significant in scale. According to the SEC’s order, the flagged activity pertained to hundreds of millions of dollars in transactions conducted by, at, or through Merrill.
The oversights in oversight, based on the SEC’s investigation, included transfers with no apparent lawful business purpose, large round-dollar wire transfers, cash transactions that appeared structured to avoid reporting thresholds, transfers connected to high-risk geographic locations, transactions linked to criminal activity, and activity in accounts that had previously been the subject of SAR reviews.
Regulatory history repeating
This is not the first time Merrill has faced SEC scrutiny for SAR failures. The firm settled a similar action with the SEC in December 2017 and again in July 2023 – the latter resulting in a combined $12 million penalty shared with the Financial Industry Regulatory Authority. At that time, regulators found Merrill failed to apply the correct reporting threshold for more than a decade.
In accepting this latest settlement, the SEC noted that Merrill cooperated with investigators and took remedial steps. After lowering the Event Processor threshold in December 2023, Merrill and Bank of America conducted a retrospective review of previously uninvestigated Event Groups and filed numerous SARs.
Bank of America also retained an outside compliance consultant to assess its enterprise-wide BSA/AML program.
Merrill has 14 days from the entry of the June 29 order to pay the $7.5 million civil penalty to the SEC.
