The US Securities and Exchange Commission (SEC) has fined Bank of America’s Merrill Lynch business $7.5m after finding the firm failed to file numerous Suspicious Activity Reports (SARs) over a period spanning more than four years, from April 2020 through September 2024.
According to Alessa, what makes the case stand out is not the size of the penalty but its cause. Suspicious activity was not missed because nobody was watching. Rather, the configuration of the firm’s own transaction monitoring process stopped many suspicious events from ever reaching investigators, meaning reports that should have been filed never were.
Alessa recently discussed Merrill Lynch’s $7.5m SAR penalty, and what every compliance team should learn.
According to the SEC, Merrill Lynch relied on Bank of America’s enterprise transaction monitoring system, which grouped related events together and assigned each group a risk score. Only groups scoring 20 or higher were escalated for investigation and potential SAR filing.
Internal analyses showed that many groups scoring below that mark would likely have triggered SAR filings had investigators reviewed them. Despite those findings, the threshold stayed in place for years, and the missed activity reportedly involved hundreds of millions of dollars in transactions.
Merrill Lynch eventually lowered the threshold, carried out a retrospective review and filed numerous delayed SARs while cooperating with regulators. The SEC nevertheless imposed the $7.5m civil penalty.
The case shines a light on a familiar dilemma in RegTech and AML compliance. Lower thresholds generate more alerts, more alerts require more investigators, and more investigators drive up costs. Tuning systems to cut false positives is tempting, but this enforcement action shows the danger of going too far — reducing alert volume cannot come at the expense of missing genuinely suspicious behaviour.
Perhaps the most significant lesson is that regulators scrutinised how the monitoring system was configured, not merely whether one existed. The SEC examined whether thresholds reflected actual risk and whether the firm acted once internal testing exposed weaknesses. Supervisors increasingly want to know why a threshold was chosen, when it was last validated, what testing supports it, and how quickly gaps are remediated.
For compliance teams, the practical takeaways are clear. Monitoring rules should never be “set and forget”, and thresholds should be reviewed against historical data. Firms should test for false negatives as well as false positives, using retrospective analysis of transactions that did not generate alerts.
Any threshold changes should be fully documented, covering the rationale, supporting testing, approvals and impact on alert volumes, to withstand examination. Institutions should also monitor reporting timeliness and modernise regulatory reporting workflows still reliant on spreadsheets and email, where automation can reduce delays and provide a defensible audit trail.
Ultimately, the enforcement action was about governance rather than software. Technology can support AML programmes, but organisations remain responsible for ensuring monitoring systems are continuously tuned, independently validated and improved as customer behaviour and financial crime risks evolve.
Firms that test, document and refine their controls will be far better placed to withstand regulatory scrutiny than those relying on static configurations set years ago.
Read the full Alessa post here.
Copyright © 2026 FinTech Global









