JP Morgan fined for widespread recordkeeping failures in the US

On 17 December, it was announced that JP Morgan entities were to pay two fines: (i) $125 million by the Securities and Exchange Commission for "widespread and longstanding failures by the firm and its employees to maintain and preserve written communications", and (ii) $75 million, by the Commodity Futures Trading Commission for "for failing to maintain, preserve, and produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters related to its businesses as CFTC registrants."

In addition to the fines, the CFTC Order required JPMorgan to cease and desist from further violations of recordkeeping and supervision requirements, and to engage in specific remedial undertakings. The SEC Order censured JP Morgan and required it to cease and desist from committing or causing violations or future violations of Section 17(a) of the Exchange Act and Rule 17a-4 thereunder.

JP Morgan also agreed to retain a compliance consultant, who will conduct a thorough review of its policies and procedures regarding retention of electronic communication on personal devices, and the bank's process for dealing with non-compliance with those policies and procedures.

How the issue was discovered

During the course of investigations into JP Morgan's trading, the bank received subpoenas for documents and voluntary requests from the SEC. When responding to these, JP Morgan "frequently did not search for relevant records contained on the personal devices of its employees" and thus failed to produce business communications which had been sent or received using unapproved communication methods because they were contained on personal devices. This meant that the SEC staff often only learned of the existence of these messages through others.

Systemic issue

The use of unauthorised communication methods on personal devices was widespread and systemic, involving employees at all levels of seniority. The SEC Order states that: "this widespread practice was not hidden within the firm. To the contrary, supervisors – i.e., the very people responsible for supervising employees to prevent this misconduct – routinely communicated using their personal devices. In fact, dozens of managing directors across the firm and senior supervisors responsible for implementing JPMorgan’s policies and procedures, and for overseeing employees’ compliance with those policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices about the firm’s securities business."

In the Order, the SEC gives one example of an Executive Director and co-supervisor of a trading desk launching a WhatsApp group chat entitled “Portfolio Trading/auto ex” and inviting the 19 other members of the trading desk to join. Between 24 April and 16 December 2019, over 1,000 messages were sent in that group. Almost all of the messages were work related, and discussed topics such as investment strategy and client meetings.

Key takeaways 

a) Crucial area of interest for regulators: Firms' compliance with recordkeeping obligations continues to be a key area of interest for regulators. This enforcement action demonstrates that regulators are committed to aggressively investigating and prosecuting violations of these rules. It is notable that as a result of the findings in this investigation, the SEC has stated that it will now commence additional investigations into record preservation practices at financial firms.

b) This issue is not unique to the US: Back in January 2021, the FCA warned in a Market Watch Briefing that risks of misconduct may be heightened due to the increase in people working from home, particularly due to the use of encrypted private messaging applications such as WhatsApp to communicate potentially sensitive work related information. And in March 2021, Mark Steward, the FCA's Executive Director of Enforcement and Market Oversight, stated that the use of such apps is "self-evidently suspicious". We expect to see more regulatory action from the FCA in this area.

c) Policies must be clear and up to date: There is a need for firms to have clear policies and guidance on channels of communication. But the key challenge for firms is to keep these under review and regularly up to date, because of the proliferation of new apps. We can already see this with the rise in popularity of communication apps Signal and Telegram. Firms need to be alive to the inevitable rise of these new methods of communication and the risks that they could present.

d) Monitoring is crucial: Although JP Morgan maintained policies and procedures to comply with recordkeeping obligations, and employees were advised that using personal email and apps for work purposes was prohibited (with WhatsApp being specifically prohibited for work related communications), the bank failed to maintain effective monitoring to ensure that these policies were being followed. Robust policies must be backed up by robust monitoring.

e) Unrelated enforcement action: Any enforcement action presents challenges for firms, but this case provides a striking illustration of how enforcement action by a regulator on one issue can rapidly expand, resulting in further, unrelated enforcement action.