On Sept. 26, 2016, the Securities and Exchange Commission (the “SEC”) announced that Merrill Lynch agreed to pay a $12.5 million penalty for maintaining ineffective trading controls, highlighting the importance of proper oversight at financial firms.

An SEC investigation uncovered that Merrill Lynch’s systems failed to prevent erroneous orders from being sent to the markets, causing mini-flash crashes. According to the SEC, the incidents resulted in market disruptions on at least 15 occasions from late 2012 to mid-2014 and violated the Market Access Rule (the “Rule”) because its internal controls in place to prevent erroneous trading orders were set at levels so high that it rendered them ineffective.

Introduced in November 2010, the Rule requires any broker-dealer with access to the market to create and enforce risk-management controls and supervisory procedures in order to ensure: customers’ transactions fall within credit and capital thresholds; orders are not made in error; and orders don’t violate applicable regulatory requirements. These risk-management controls fall under the “direct and exclusive control” of the broker-dealer. This includes the establishment of written policies and procedures and oversight over trading activities, as well as a mandatory annual review of related policies and procedures.

The SEC also found that Merrill Lynch violated in 2013 and 2014 the Rule’s requirement for annual CEO certifications. Merrill Lynch neither admitted nor denied the SEC’s findings. However, it agreed to pay a $12.5 million penalty, the highest-ever for a violation of the Rule. Merrill Lynch will also be censured and will cease and desist from further violations of Section 15(c)(3) of the Securities Exchange Act and Rule 15c3-5.

The penalty against Merrill Lynch follows a similar SEC enforcement action against Wells Fargo Advisors in 2014, in which the wealth management unit was also charged for failing to maintain proper controls. In that case, Wells Fargo agreed to pay a $5 million penalty for failing to prevent an employee broker from making trades based on a customer’s nonpublic information. It was the first instance of a broker-dealer being penalized for failing to protect a customer’s material nonpublic information.

The SEC’s order found that multiple groups responsible for compliance or supervision within Wells Fargo received indications that the broker was misusing customer information. However, these groups lacked coordination or any assigned responsibilities, and they ultimately failed to act on these indications. Federal law requires broker-dealers and investment advisers to establish, maintain, and enforce policies and procedures to prevent such misuse of material nonpublic information.

Other examples of the SEC enforcing the Rule include investigations against Goldman Sachs (resulting in a $7 million penalty), Knight Capital ($12 million penalty) and Morgan Stanley ($4 million penalty).

These cases and others demonstrate the need for firms to continuously ensure proper controls, supervision and process are in place in order to prevent and react to such instances of improper trading – an area that should not come as a surprise to securities firms. The SEC has repeatedly emphasized in recent years the importance of proper supervision at financial firms, including the establishment of policies and processes regarding prevention and reporting procedures. As a result of this ongoing regulatory focus, firms must ensure they are able to demonstrate an awareness of their traders’ activities and have plans to respond appropriately in the event of any misconduct.