Merrill fined $7.5M by US regulator over repeated SAR failures
The SEC penalized Bank of America's wealth unit for missing suspicious activity reports over a four-year span, raising questions about compliance standards across finance.
The SEC slapped Merrill Lynch with a $7.5 million civil penalty for failing to file suspicious activity reports, the second time in three years the firm has been dinged for essentially the same problem.
The fine, announced on June 29, covers violations stretching from April 2020 through September 2024. That is a four-and-a-half-year window during which Merrill allegedly missed flagging suspicious client transactions that should have been reported to authorities.
What went wrong, again
The root of the problem is almost comically straightforward. Merrill relied on Bank of America’s transaction monitoring software, which used a risk-scoring system to determine which client activities warranted closer scrutiny. The system set a threshold, and anything that scored below it simply did not get flagged.
Suspicious Activity Reports, or SARs, are a cornerstone of anti-money laundering compliance. Financial institutions are required to file them when they spot transactions that could involve fraud, money laundering, terrorist financing, or other illicit behavior.
Merrill settled without admitting or denying wrongdoing. As part of the settlement, the company agreed to cease and desist from future violations.
In 2023, the SEC and FINRA jointly fined Merrill $12 million for hundreds of SAR filing failures that occurred between 2009 and late 2019. So the timeline is worth noting: the previous round of violations ended in 2019, and the new batch started in April 2020. There was barely a gap.
Why this matters beyond Wall Street
Major financial institutions like Bank of America and its Merrill Lynch unit are the exact firms that crypto companies need as partners to bridge digital assets into mainstream finance. When those institutions face escalating regulatory pressure over basic AML compliance, the ripple effects hit crypto-adjacent operations disproportionately hard.
Regulators have spent years signaling that crypto transactions carry elevated money laundering risk. If legacy firms cannot even get their traditional monitoring systems right, the regulatory scrutiny they will face when onboarding crypto clients or integrating digital asset custody increases substantially. The calculus for compliance teams becomes simple: the easiest way to reduce risk is to avoid the riskiest-looking clients entirely.
What investors should watch
The repeated nature of Merrill’s violations is the most telling detail here. A $7.5 million fine is a rounding error for Bank of America, which reported over $100 billion in revenue in recent years. The financial pain is negligible. What matters is the regulatory signal.
When the SEC fines the same entity twice for the same category of violation, it establishes a pattern that invites escalation. The 2023 fine was $12 million. This one was $7.5 million.
There is also a competitive angle worth monitoring. Crypto-native firms that have built compliance infrastructure from scratch, rather than bolting it onto legacy banking software, may find themselves with an unexpected advantage if traditional players continue to struggle with monitoring conventional transactions.