On 29 June 2026, the SEC fined Merrill Lynch, Pierce, Fenner and Smith Incorporated $7.5 million for failing to file Suspicious Activity Reports across a four-year period. The transaction monitoring system was present and generating risk scores. More importantly, Merrill's own internal analyses had already identified the problem. Even so, the threshold governing which alerts triggered human review was set too high, and the firm did not act on what its own data was telling it.
This is not a case of absent technology. Rather, it is a case of misconfigured technology and absent governance over that misconfiguration. For BSA officers and AML compliance teams at broker-dealers and financial institutions, it is one of the most instructive enforcement actions of the year.
What the SEC Found
Under the Bank Secrecy Act, broker-dealers must file SARs with FinCEN for transactions involving $5,000 or more where the firm knows, suspects, or has reason to suspect money laundering or other illicit activity. Importantly, this obligation applies regardless of whether the underlying activity is ultimately confirmed as criminal.
Merrill's compliance relied on Bank of America's transaction monitoring software, which aggregated potentially suspicious events into event groups and assigned each a risk score. Merrill only reviewed event groups with risk scores of 20 or above for possible SAR filings. The problem, however, was documented internally: Merrill's own analyses showed that some event groups scoring below 20 would have triggered SAR filings if reviewed. The firm had identified the gap. It did not close it.
The SEC did not find that Merrill's monitoring system was inadequate in design. Instead, it found that Merrill failed to act on what its own system was telling it. The monitoring system was working. The configuration was wrong. As a result, internal data showing that had not translated into remediation action for four years.
How the Failure Unfolded
Three Root Causes Behind the Fine
Threshold misconfiguration.
The SAR review threshold of risk score 20 or above was not calibrated against the regulatory standard. Instead, it was an operational choice that the firm's own data showed was producing under-reporting. Furthermore, there was no governance process to periodically validate whether the threshold remained appropriate against the firm's actual transaction profile and SAR obligations under Rule 17a-8. As a result, configuration governance was entirely absent.
Failure to act on internal data.
Internal analyses identifying the threshold problem did not produce a remediation action. Consequently, the gap between knowing the configuration was wrong and fixing it became a governance failure, not a technology failure. Internal findings need to generate mandatory escalation and documented response timelines. Specifically, a finding that goes into a report without a tracked remediation obligation is a record, not a control.
Shared-platform dependency risk.
Merrill's BSA compliance depended on Bank of America's enterprise transaction monitoring software. However, the firm never independently validated the configuration it inherited from the parent against the broker-dealer's own SAR obligations under Rule 17a-8. The BSA's SAR obligations apply at the firm level. Therefore, shared platforms require independent validation against each registered entity's specific regulatory requirements, regardless of the parent institution's compliance posture.
This Is Not the First Time
The 2026 enforcement action is not Merrill's first SAR penalty. In 2023, the SEC and FINRA jointly fined Merrill $12 million for failing to file hundreds of SARs from 2009 to 2019, the result of an incorrect $25,000 threshold applied during that period. Notably, the 2026 fine covers a separate, subsequent breach period beginning in April 2020.
Taken together, these are two SAR enforcement actions covering two separate multi-year periods, both rooted in misconfigured thresholds. That pattern is the most important data point in this case for compliance teams. It is not a coincidence. Rather, it is what happens when threshold governance is treated as a one-time implementation decision rather than an ongoing compliance obligation.
How Sentinel Addresses Each Layer of This Failure
| SEC Finding | Sentinel Capability | How It Helps |
|---|---|---|
| Risk score threshold too high — SAR-qualifying events missed | Configurable Alert Thresholds | Thresholds are set against regulatory guidance, not operational defaults. Changes require documented approval and are audit-trailed, preventing silent misconfiguration. |
| Internal data showed threshold problem — no corrective action taken | Governance Workflows | Exception and anomaly findings generate mandatory review tasks. Internal findings cannot be filed and forgotten. They require a documented disposition within a defined timeframe. |
| SAR filing failures across 4-year period undetected | SAR Filing Tracker | Every event group reviewed, every SAR filed or declined, and every exemption rationale is logged in an immutable audit trail. Regulators can see the full decision chain on demand. |
| Inherited platform configuration not validated against broker-dealer obligations | Regulatory Calibration Reviews | Scheduled configuration review cycles compare platform settings against applicable regulatory thresholds and flag deviations for compliance sign-off. |
| Four-year breach period without detection | Continuous Monitoring | Real-time dashboards surface filing-rate anomalies and SAR volume trends. Declining filing rates are flagged as a risk signal before a multi-year gap can develop. |
Three Questions Every BSA Officer Should Ask Right Now
The Merrill Lynch case should prompt every BSA Officer and MLRO at a broker-dealer or financial institution to ask three questions about their current transaction monitoring program:
Who set your SAR review threshold, and when was it last validated? If the answer is "the implementation team, years ago," that is a governance gap. Thresholds should be reviewed periodically against your current transaction profile, your SAR filing rate, and the regulatory standard. A threshold that was appropriate at implementation may not be appropriate for the institution as it exists today.
What happens when your internal analytics identify a potential configuration problem? If the answer is "it goes into a report," that is not a control. It is a record. Controls require documented escalation, mandatory response timelines, and an audit trail that demonstrates the finding was acted on. The Merrill case is a direct consequence of findings that were not translated into action.
Are you running a monitoring program designed for your entity's obligations, or one inherited from a parent or vendor? The BSA's SAR obligations apply at the firm level. Shared platforms need independent validation against each registered entity's specific obligations under FinCEN rules. Inheriting a parent company's configuration is not the same as validating it against your own regulatory requirements.
The Sentinel Perspective
The Merrill Lynch fine illustrates a compliance risk that is widespread but underappreciated: the gap that exists not in the absence of technology, but in the misconfiguration or under-governance of technology that is already present. Many financial institutions operate transaction monitoring systems they did not build, calibrated by teams they no longer employ, running thresholds that no one has reviewed against the regulatory standard since implementation.
In practice, the system generates alerts and compliance staff review what appears above the line. However, nobody is systematically asking whether the line itself is in the right place.
Truth Technologies has been building AML compliance technology for regulated financial institutions since 1996. Accordingly, Sentinel addresses the governance layer that sits above transaction monitoring technology, ensuring that alerts are reviewed, thresholds are calibrated, SAR decisions are documented, and internal findings produce action rather than accumulate as unresolved records.
Do Not Wait for the SEC to Find Your Threshold Problem.
Sentinel provides the governance layer your transaction monitoring system is missing. Configurable thresholds, mandatory review workflows, and an immutable SAR decision audit trail.
Official References
- SEC Newsroom — Merrill Lynch SAR Enforcement Action, June 29, 2026
- SEC and FINRA — Prior SAR Enforcement Against Merrill Lynch (2023-128), 2023
- Bank of America's Merrill Lynch Fined $7.5M for Failing to Submit SARs — AML Intelligence, June 29, 2026
- Bank Secrecy Act — 31 U.S.C. § 5318(g): SAR Filing Obligation
- FinCEN — 31 CFR § 1023.320: SAR Requirements for Broker-Dealers
- Securities Exchange Act of 1934 — Section 17(a) and Rule 17a-8: Books, Records and SAR Reporting
Truth Technologies provides AML, KYC, OFAC, and sanctions screening compliance solutions through the Sentinel platform. This post is published for informational purposes only and does not constitute legal advice. BSA and AML obligations vary by institution type, size, and regulatory status. All regulatory citations link to official US government sources. The SEC's June 2026 order against Merrill Lynch was published the same day as this article. TTI recommends consulting the official SEC order directly at sec.gov for full findings.