On December 17, 2021, the SEC and the Commodity Futures Trading Commission fined J.P. Morgan a combined $200 million for failure to properly capture their communications.
Between January 2018 and November 2020, J.P. Morgan employees communicated about securities business matters on their personal devices, through communication apps including WhatsApp, and through their personal email.
These records, which they were unable to capture, were not preserved by the firm. These violations were conducted at all levels of authority.
According to the SEC, “dozens of managing directors across the firm [including] senior supervisors responsible for implementing J.P. Morgan’s policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices.”
J.P. Morgan had the appropriate policies and procedures in place. They spent millions on compliance professionals and processes. In short, they knew better.
Their employees were advised that the use of unapproved electronic communications channels, including on their personal devices, was prohibited. WhatsApp was even mentioned by name as a prohibited means of communication.
Which Rules Were Not Complied With?
Investment advisers and broker-dealers are required, pursuant to Rule 204-2 and Rule 17(a)-4, to maintain and preserve written communications. Specifically, Rule 17(a)-4 requires broker-dealers to create and preserve in an easily accessible place originals of all communications received and copies of all communications sent relating to the firm’s business.
The rule also requires that any required records must be furnished promptly to the appropriate regulator upon request. These rules are vital for ensuring that unscrupulous actors cannot evade the gaze of regulators and engage in communication practices that may be misleading, dishonest, unethical, or otherwise harmful.
However, despite their knowledge and vast resources, the financial giant was unable to maintain institutional control. They either made no effort to enforce their policies, or they focused myopically and weren’t able to see issues or concerns outside an immediate sphere of review/influence.
They also failed to implement a system of follow-up and review to detect compliance violations, which is unsurprising as senior supervisors responsible for enforcing their policies were both complicit and actively committing the violations themselves.
What Actions Did the SEC Take?
Between January 2018 and November 2020, J.P. Morgan responded to numerous document requests from the SEC. Although they responded to the request, the J.P. Morgan staff failed to produce communications through unapproved means.
Many of these messages would have been relevant to the SEC’s inquiries. The SEC only discovered evidence of these communications through their text messages with third parties. Upon further questioning by the SEC regarding the messages, J.P. Morgan said that it could not produce the unapproved communication as much of it was deleted, and they were unable to recover the messages. Upon further investigation, the SEC discovered over 21,000 business-related texts and email messages using unapproved communication methods.
As a result, J.P. Morgan violated Rule 17(a)- 4 and violated Section 15(b)(4)(E) of the Exchange Act for failure to supervise. In addition to their $125 million fine from the SEC, they received $75 million from the Commodities Futures Trading Commission. They were also censured and agreed to an undertaking to find a Compliance Consultant, which shall conduct a review of their procedures, produce a report, and evaluate their compliance after a year. Perhaps they could have found one beforehand and avoided the $200 million fine.
What Could They Have Done Differently?
The first and most critical decision they should have made: to manage all their communications through a books and records compliant system.
The firm had policies and procedures in place. They maintained all the correct information in their procedures handbook. However, the violations that were taking place were commissions, not omissions.
Compliance professionals need to ensure they’re doing more than just following a checklist. Checking items off a list is important, but it doesn’t cover every potential action or infraction that could affect a firm’s relationship with its clients or adherence to regulatory requirements.
Finally, compliance professionals need to build strong relationships with other departments and teams within their organization. Surely at some point in the 21,000+ unapproved texts and emails, someone might have wondered whether their communications choices were in line with the company’s policies.
If compliance people cultivate good relationships with other professionals within their organization, they become a resource for questions, guidance, and feedback instead of ignoring or avoiding obstacles. Building a culture of compliance begins with compliance professionals being open and accessible, having the bandwidth and resources available to knowledgeably manage higher-level inquiries, and serve as a trusted partner to their colleagues.
Do you need help making sure your compliance team has the bandwidth and focus to serve as a strategic partner, enforce compliance requirements across the organization, and build a culture of compliance? Reach out to our Red Oak team for software that streamlines the compliance review process and ensures 100% books and records compliance and compliance consulting support to build the compliance department your organization needs.