SEC fines BofA's Merrill Lynch $7.5M over AML lapses

• Key insight: Merrill Lynch, which allegedly failed to report certain suspicious activities, is paying for the shortcomings of its parent company's systems.
• Forward look: Bank of America has retained a consultant to review the bank's entire anti-money-laundering program.
• Expert quote: "We maintain rigorous anti-money laundering practices." — Bank of America, in a statement.

The Securities and Exchange Commission has hit Bank of America's investment subsidiary Merrill Lynch with a $7.5 million fine for allegedly failing to report suspicious activities.

Merrill's use of a BofA anti-money-laundering program landed it in hot water, according to the regulator. Software that assigned risk scores to potentially suspicious transactions, the SEC said, led certain activities to go unreported — even as "internal analyses" showed they should have been flagged.

Merrill, which neither admitted nor denied wrongdoing, agreed to pay the civil penalty.

"We maintain rigorous anti-money laundering practices," Merrill said in a statement emailed to American Banker. "As we have said previously, we have been engaged with regulators on this matter, and we continually review and enhance our AML systems to address evolving risks and report and detect suspicious activity."

The nation's second-largest bank purchased Merrill in 2008, at the height of the global financial crisis. The acquisition saved Merrill from bankruptcy, converting the famed investment bank into a unit inside of BofA.

As a registered broker-dealer, Merrill is required by law to file suspicious activity reports on certain transactions. But from at least 2020 onward, the SEC said, Merrill used BofA's "Event Processor" software to determine which activities to report — and that software fell short.

According to the regulator, the software would only recommend investigating transactions that fell into an "event group" with a risk score of 20 or higher. From April 2020 to September 2024, the SEC said, multiple transactions that fell below that threshold would have merited a suspicious activity report.

And the SEC maintains that Merrill knew better. During the relevant four-year period, the BofA unit allegedly learned through its own analyses that some transactions with under-20 risk scores should have been reported.

"These analyses showed, based on statistical sampling, that certain event groups with risk scores below 20 had high estimated SAR yields," the SEC said in its order. "These SAR yields, in some instances, were higher than the SAR yields for analyzed event groups at or above the 20-point threshold."

BofA and Merrill eventually lowered this threshold, the regulator said, but not until December 2023.

In the meantime, hundreds of millions of dollars in what the SEC considers suspicious transactions went unreported. These included transfers with "no apparent economic, business or other lawful purpose," transfers to or from high-risk geographic locations and transactions "related to criminal activity," the regulator said.

In response, the SEC censured Merrill and slapped it with a cease-and-desist order, as well as the multimillion-dollar fine.

Though it meted out punishment, the SEC also noted several examples of Merrill's cooperation. In addition to belatedly adjusting the risk score threshold, BofA and Merrill also conducted a review of transactions that had previously skirted under it — as a result of which, Merrill filed "numerous" new SARs. Also, BofA has hired a "compliance consultant" to review the bank's entire AML program.

This is not the first time BofA's AML efforts have run afoul of regulators. In 2024, the Office of the Comptroller of the Currency issued the bank a cease-and-desist order over alleged "unsafe or unsound practices" in its compliance with the Bank Secrecy Act. These practices, the OCC said at the time, included the "failure to timely file suspicious activity reports."