A Merrill Lynch employee's discovery that the firm had fallen short of its obligation to report suspect criminal activity has led to a $12 million fine from federal regulators.
The Securities and Exchange Commission and the Financial Industry Regulatory Authority, which together oversee large swaths of the financial services industry, announced Tuesday that they had reached separate settlement deals with brokerage giant Merrill Lynch for $6 million each. Merrill agreed to pay the penalties after an employee in its fraud investigations group — who goes unnamed by the SEC — discovered in September 2019 that the firm was using the wrong threshold to determine when it had to report incidents of suspected unauthorized debit withdrawals, forged or altered checks, identity theft, and phone or internet scams.
The trouble for Merrrill arose from the difference between reporting requirements for brokerages and those for banks. Merrill Lynch's parent company — BAC North America Holding, a subsidiary of Bank of America — was obliged to report any no-suspect criminal activity of $25,000 or more. For brokerages like Merrill Lynch, the threshold for reporting such activity was $5,000.
Merrill Lynch's misstep,
"Law enforcement and regulators depend on FINRA member firms to properly report potential fraud and other suspicious activities," Christopher Kelly, the senior vice president and acting head of FINRA's department of enforcement, said in a statement. "It is therefore essential that member firms comply with their SAR filing obligations. Merrill Lynch failed in this basic responsibility."
Merrill Lynch was specifically alleged to have failed to report "no-suspect activity" — meaning regulators have no clearidea of who's committing it. Such activity must be documented in what are known as suspicious activity reports, or SARs. The reports must be filed within 30 days with the Financial Crimes Enforcement Network, a division of the U.S. Treasury that seeks to combat money laundering and similar crimes.
Read more:
A Bank of America spokesperson emphasized the firm's cooperation with investigators. "Following an internal review, we reported this matter to regulators and have enhanced our process and training regarding these filings," according to the emailed statement.
Separately,
The SEC gave Merrill Lynch credit for bringing the deficiencies to its attention and working to remediate them once they were discovered. The federal regulator said Merrill eventually filed 865 SARs for transaction records dating to 2014 — the oldest the firm still had on file. The SEC also credited Merrill for cooperating with its subsequent investigation.
Louis Straney, a regulatory expert at Arbitration Insight, noted that U.S. laws on SARs and the reporting of suspect activity became markedly stricter following the adoption of the Patriot Act of 2001. He said the $12 million was "significant" for a case of this sort and most likely would have been greater had the firm not cooperated with regulators.
Read more:
"The core to this is: What lesson did the firm learn?" Straney said. "It happened once. But what are they going to do so it's never going to happen again?"
Katharine Zoladz, the co-acting director of the SEC's Los Angeles Regional Office, said Merrill and its parent company had "failed to comply with one of the most basic requirements for a SAR program."
"Broker-dealers have a critical obligation to report suspicious activity in their accounts," she said in a statement.
