Merrill Lynch fined $7.5m: when AML thresholds become a governance problem

Merrill Lynch’s $7.5m SEC penalty has prompted a familiar debate: are financial penalties large enough to change behaviour at major financial institutions? It is a fair question. But the more useful compliance lesson is not only about the size of the fine. It is about what happens when a firm’s own AML testing shows that suspicious activity may be falling below a monitoring threshold, and the firm does not respond quickly enough.

The US Securities and Exchange Commission announced settled charges against Merrill Lynch, Pierce, Fenner & Smith Incorporated for failing to file numerous Suspicious Activity Reports between April 2020 and September 2024. Merrill agreed to pay a $7.5m civil penalty, accept a censure and comply with a cease-and-desist order.

According to the SEC order, Merrill relied on Bank of America’s enterprise-wide BSA/AML programme to help meet its SAR-filing obligations. But the SEC made clear that Merrill retained its own independent responsibility for complying with those requirements.

What went wrong?

The case centred on Bank of America’s “Event Processor”, a transaction monitoring system used to aggregate potentially suspicious events into “Event Groups” and assign each group a risk score. Event Groups with a score of 20 or more were promoted for investigation as “Cases”. Event Groups below 20 were not investigated for potential SAR filings. If an Event Group had not become a Case after 13 months, its older events were retired without investigation.

That kind of system is not unusual in large financial institutions. Firms need ways to manage alert volume, prioritise higher-risk activity and avoid overwhelming level one analysts. A risk-based system will inevitably involve thresholds, scoring logic and decisions about what gets reviewed first.

The problem was the feedback loop. The SEC found that Bank of America and Merrill regularly reviewed sampling analyses of Event Groups below the 20-point threshold. These analyses tested the likelihood that below-threshold groups would have required SAR filings if they had been investigated, a statistic referred to as “SAR Yield”. During the relevant period, the analyses showed that some below-threshold Event Groups had high estimated SAR Yields. In some cases, those yields were higher than for Event Groups at or above the 20-point threshold. Despite this, the threshold was not changed until December 2023.

That is the part of the order that matters most. This was not simply a case where suspicious activity existed below a monitoring line. That will happen in any risk-based system. The more difficult issue was that the firm’s own testing suggested the line itself may no longer have been defensible.
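As an added illustration (not Bank of America’s or Merrill’s code, and not taken from the SEC order), the below-the-line check the order describes, run over a constructed sample: each sampled Event Group carries its score and the outcome of a sample investigation, and the check compares SAR Yield below the 20-point line with the yield at or above it, naming the bands that undercut the threshold. The band width, minimum sample size and data are assumptions.

```python
# Below-the-line (BTL) SAR Yield test for a scored monitoring threshold.
# Hypothetical code added for illustration; the sample data is constructed.
from collections import defaultdict
from dataclasses import dataclass

CASE_THRESHOLD = 20   # Event Groups scoring >= 20 are promoted to Cases
MIN_SAMPLE = 25       # assumed: fewer sampled groups than this gives no reliable yield


@dataclass(frozen=True)
class SampledGroup:
    score: int           # Event Group risk score
    sar_warranted: bool  # would a full investigation have led to a SAR?


def sar_yield(groups):
    """Share of sampled groups that would have required a SAR (0.0 if none)."""
    return sum(g.sar_warranted for g in groups) / len(groups) if groups else 0.0


def yield_by_band(sample, width=5):
    """SAR Yield per score band: (lo, hi) -> (hits, n, yield)."""
    buckets = defaultdict(list)
    for g in sample:
        lo = (g.score // width) * width
        buckets[(lo, lo + width - 1)].append(g)
    return {b: (sum(x.sar_warranted for x in gs), len(gs), sar_yield(gs))
            for b, gs in sorted(buckets.items())}


def threshold_finding(sample, threshold=CASE_THRESHOLD, width=5):
    """Compare BTL yield with at/above-threshold yield and list the BTL bands
    whose yield matches or exceeds it. The result is the record a threshold
    owner has to act on (or document a decision against), not a verdict."""
    above_yield = sar_yield([g for g in sample if g.score >= threshold])
    below_yield = sar_yield([g for g in sample if g.score < threshold])
    flagged = [b for b, (_, n, y) in yield_by_band(sample, width).items()
               if b[1] < threshold and n >= MIN_SAMPLE and y >= above_yield]
    return {
        "threshold": threshold,
        "yield_at_or_above": round(above_yield, 3),
        "yield_below": round(below_yield, 3),
        "btl_bands_matching_or_exceeding": flagged,
        "threshold_defensible": not flagged,
        "suggested_threshold": min(b[0] for b in flagged) if flagged else threshold,
    }


def constructed_sample():
    """Constructed data: 30 groups per band; band 15-19 yields 40%, at/above 30%."""
    spec = {5: 1, 10: 3, 15: 12, 20: 9, 25: 9}   # band start -> SAR-warranted hits
    return [SampledGroup(lo + i % 5, i < hits)
            for lo, hits in spec.items() for i in range(30)]
```

With the constructed sample the 15-19 band is flagged, so the finding is "not defensible" and points at 15 as the band to review; re-running the check with the threshold at 15 returns defensible, which is the kind of evidence the retrospective review described later in the order would rest on.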

AML is not a zero-failure system

It is important to be clear about what this case does not mean. AML compliance cannot be a zero-failure system. No bank, broker-dealer, law firm or regulated business can identify every instance of suspicious activity. If every possible alert were investigated, firms would need enormous investigation teams and would generate vast numbers of false positives.

That distinction matters. AML monitoring cannot be judged against an impossible standard where every instance of suspicious activity must be identified. A risk-based approach requires judgement, prioritisation and an acceptance that some lower-scoring activity will not be investigated immediately.

But risk-based does not mean static. A threshold may be reasonable when it is set. It may even remain reasonable for a period of time. But once testing shows that below-threshold activity is producing higher SAR yields than activity being escalated, the question changes. The firm is no longer just defending an initial model design. It is defending what it did after its own evidence suggested the model was missing risk.

Knowledge creates a burden

The practical point is simple: once a firm has evidence that its controls may be missing reportable activity, the burden shifts. The question is no longer just whether the original threshold was reasonable. It is whether the firm acted on what it knew, documented the decision and could explain why the control remained appropriate.

Merrill’s exposure did not arise only because reportable activity may have existed below the threshold. It arose because internal sampling allegedly showed a problem, and the response was not quick enough.

That makes the decision trail critical. Who reviewed the finding? Who had authority to accept the residual risk? Was the threshold recalibrated? Was the typology investigated? Was the issue escalated to senior management? Was there a remediation plan? Was there a deadline?

Those questions are critical because regulators are increasingly looking beyond whether a system exists. They want to know whether it works, whether it is tested and whether the firm can prove what it did when testing revealed a weakness.

That point is just as relevant in the UK. The 2026 changes to the Money Laundering Regulations reinforce a more contextual, risk-based approach across areas such as customer due diligence, enhanced due diligence triggers, pooled client accounts and high-risk country rules.

The UK reforms are not the same as the Merrill case. But the underlying compliance expectation is familiar: professional judgement is valuable only if it is documented, tested and capable of being explained.

The fine is only part of the risk

Some commentators questioned whether a $7.5m fine is meaningful for an institution of Merrill’s size. That criticism is understandable. If a penalty is small compared with the revenue generated during the relevant period, it can look less like a deterrent and more like a cost of doing business.

But from a risk management perspective, the fine is not the whole story. The order records that Merrill was censured, made subject to a cease-and-desist order and required to pay the penalty. It also notes that Bank of America and Merrill lowered the Event Processor Case promotion threshold, conducted a retrospective review of previously below-threshold Event Groups, filed numerous SARs as a result and retained a compliance consultant to assess Bank of America’s enterprise-wide BSA/AML programme.

Those consequences extend well beyond the penalty. Retrospective reviews are resource-intensive. External assessments can be intrusive. Regulatory trust can be difficult to rebuild. Senior management attention gets pulled into remediation. And the reputational impact of a public enforcement action can last longer than the penalty itself.

So while the size of the fine is worth debating, the better lesson for compliance teams is broader: the cost of weak governance is rarely limited to the cheque written to the regulator.

AML controls have to learn from what they miss

Every missed alert is also a missed opportunity to improve the firm’s understanding of the customer. That is where AML monitoring can become more than a defensive process. A well-run programme should not only refine thresholds. It should refine the firm’s understanding of customer identity, ownership structures, expected behaviour, transaction patterns and changing risk indicators.

If below-threshold testing identifies recurring typologies, high-risk geographies, unusual round-dollar transfers, structuring indicators or accounts linked to previous SARs, the response should not be limited to filing more SARs after the fact. The firm should also ask what those findings say about the customer risk model, onboarding information, ongoing monitoring rules and escalation criteria.

The SEC order referred to suspicious activity involving hundreds of millions of dollars in transactions, including transfers with no apparent lawful purpose, large round-dollar transfers, transfers involving designated high-risk geographical locations, apparent structuring, transactions related to criminal activity and accounts linked to prior SARs or suspicious activity reviews.

Those are not just missed outputs. They are signals. The question is whether the AML programme learns from them.

What firms should take from the Merrill order

The practical message is not that every threshold should be lowered to zero. That would simply recreate the false-positive problem thresholds were designed to solve.

The better message is that thresholds need governance. Firms should be able to explain why a threshold exists, what data supports it, how often it is tested and what happens when testing shows unexpected results. Below-the-line testing should not be treated as a technical exercise. It should feed into genuine decision-making.

Where sampling shows that uninvestigated activity may be producing SAR-worthy findings, firms should document the issue, assess the typologies involved, decide whether the threshold or model logic needs to change, assign ownership and set a timeline for remediation.

They should also be clear about authority. Not every analyst, model owner or business lead should be able to accept the risk of leaving a known control weakness untreated. Decisions to continue unchanged, retire below-threshold event groups or suppress certain typologies need clear sign-off, evidence and review dates.

That kind of governance is becoming increasingly important as firms rely more heavily on automated monitoring, scoring systems and AI-assisted risk tools. The existence of technology will not be enough. Regulators will want to know whether the system was calibrated, whether it was effective and whether the firm acted when evidence showed it was missing risk.

The real lesson

The Merrill Lynch case is not a lesson that AML teams must find everything. That is impossible.

The lesson is that when an AML programme generates evidence that it is missing something, the firm has to respond.

A risk-based approach is not a fixed threshold. It is a cycle of testing, learning, documenting and improving. Once the data shows that the model may be wrong, the burden shifts. The firm needs to show what it knew, what it decided, who approved it and what changed as a result.

AML does not have to find everything. But it does have to learn from what it misses.

Strengthen your AML training

VinciWorks’ AML training suite helps staff understand money laundering risks, recognise suspicious activity, conduct appropriate due diligence and report concerns in line with their responsibilities. Our AML courses include practical scenarios, real-life case studies and customisation options to help organisations move beyond tick-box training.

Packed with realistic scenarios, real-life case studies and customisation options, our suite of AML courses will help you stay protected.
