Tomorrow Investor

Merrill’s Algorithm Misstep Exposes Compliance Risks

The SEC fined Bank of America’s (BAC) Merrill Lynch unit $7.5 million on Monday for failing to file legally required suspicious activity reports across a four-and-a-half-year window, exposing a compliance blind spot rooted in automated transaction-monitoring software.

For long-horizon investors in large-cap financials, the penalty underscores the regulatory and reputational risk embedded in over-reliance on algorithmic compliance tools – a cost center that scrutiny is pushing upward across the sector.

Key Takeaways

  • SEC levies $7.5 million civil fine on Merrill Lynch over SAR failures.
  • Software risk-score threshold of 20 caused systemic under-reporting.
  • Merrill cooperated, lowered threshold, and filed outstanding SARs.

Market Reaction & Context

The $7.5 million penalty is modest relative to Bank of America’s (BAC) scale – the Charlotte, North Carolina-based lender reported roughly $27 billion in net income in fiscal 2024 – but it arrives as regulators industry-wide sharpen their scrutiny of Bank Secrecy Act compliance at broker-dealers. [1]

Peer firms including Wells Fargo and TD Bank have faced far larger anti-money-laundering settlements in recent years, making the Merrill action a mid-tier reminder rather than an existential event. BAC shares showed no material reaction at the time of the SEC’s announcement.

What Went Wrong: The Risk-Score Problem

The violation stems from Merrill’s use of Bank of America’s proprietary transaction-monitoring software to satisfy its Bank Secrecy Act obligations, which require broker-dealers to file suspicious activity reports (SARs) with the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). [2]

According to the SEC, the software grouped potentially suspicious transactions into “event groups” and assigned each a numerical “risk score.” Merrill investigated only those event groups scoring 20 or above for possible SAR filings – even though the firm’s own internal analyses had identified that some lower-scoring groups would have generated SAR filings had they been reviewed. The gap persisted from April 2020 through September 2024.

Regulatory Findings & Company Response

The SEC said Merrill neither admitted nor denied wrongdoing in accepting the civil fine. [3] The cooperation credit the regulator extended is significant: after the probe began, Merrill lowered its internal review threshold and retroactively filed the missing SARs.

“Bank of America maintains rigorous anti-money laundering practices, and continually reviews its anti-money laundering systems to detect and report suspicious activity,” the bank said in a statement.

The self-corrective action – lowering the score threshold and submitting outstanding reports – likely contributed to keeping the penalty below the nine-figure sums levied in more egregious BSA cases, compliance attorneys note.

Implications for Compliance-Driven Investors

The case is a textbook illustration of how automated risk-scoring systems can create systematic blind spots when calibration is not independently validated against regulatory outcomes. For investors assessing BAC’s compliance infrastructure, the voluntary remediation and cooperation are constructive signals; the four-year duration of the gap is less so.

Broker-dealers across the industry are re-examining SAR-filing thresholds in the wake of this action, a dynamic that could modestly increase compliance staffing and technology spend in the near term – a headwind for efficiency ratios, but a necessary evolution. [1]

Conclusion

Monday’s SEC action against Merrill Lynch is less a financial shock than a compliance cautionary tale: automated monitoring tools require ongoing internal validation against actual regulatory outcomes, not just initial deployment. For long-term BAC shareholders, the penalty is immaterial to earnings; the process failure and its four-year duration are the more salient data points to watch as the firm modernises its AML infrastructure.

Not investment advice. For informational purposes only.

References

[1] Jonathan Stempel (June 29, 2026). “US SEC fines BofA’s Merrill Lynch $7.5 million for not flagging enough suspicious activity”. Reuters. Retrieved June 29, 2026.

[2] Jonathan Stempel (June 29, 2026). “US SEC fines BofA’s Merrill Lynch $7.5 million for not flagging enough suspicious activity”. KFGO / Thomson Reuters. Retrieved June 29, 2026.

[3] (June 29, 2026). “US SEC fines BofA’s Merrill Lynch $7.5 million over suspicious activity reports”. MarketScreener. Retrieved June 29, 2026.
