Well here’s something to take to the board as you’re planning the 2021 budget: the Justice Department hit JPMorgan this week with $920 million in penalties and disgorgement for commodities trading fraud — a penalty that could have been even larger but wasn’t, partly because the bank spent many millions improving its compliance program.
The misconduct itself is rather arcane for anyone outside the commodities trading world. The short version: JPMorgan employees were running two separate scams from 2008 into 2016 to manipulate the price of precious metals and of U.S. Treasurys. Traders would place bogus buy or sell orders, a type of misconduct called spoofing. The bogus orders would warp the true prices of the commodities in question, and the employees would then exploit those discrepancies to pocket the difference.
First, this misconduct went on for many years, in multiple JPMorgan offices around the world. Plus, JPMorgan did not self-report this misconduct to the Justice Department. Plus, JPMorgan previously pleaded guilty in 2015 to similar spoofing behavior in the foreign exchange market.
That’s three factors against JPMorgan. Granted, much of this spoofing misconduct happened before the 2015 guilty plea. Still, the failure to self-disclose what was essentially repeat misbehavior does not look good.
On the other hand, JPMorgan also won credit for several factors working in its favor. First, extensive cooperation with the Justice Department (and the Securities & Exchange Commission, which also got a piece of this enforcement action). Second, remedial action taken by the bank after these scandals broke, including firing numerous employees implicated in the misconduct. Two of those ex-traders have since pleaded guilty to personal indictments against them.
And third? “Adopting heightened internal controls, and substantially increasing the resources devoted to compliance.”
OK, now we’re talking.
JPMorgan’s Program Expansion
Exactly what compliance program improvements did JPMorgan make? That was outlined in a three-year deferred-prosecution agreement the bank also accepted as part of its settlement. Since that prior guilty plea in 2015, the bank has:
- Spent more than $335 million on compliance personnel and related costs.
- Increased the budget for internal audit by $100 million and boosted the audit function’s headcount by 400.
- Expanded the bank’s business conduct training to include several specific scenarios involving spoofing.
- Issued compliance bulletins to staff at regular intervals, which flagged other firms busted for spoofing.
- Expanded the bank’s surveillance of employee communications: JPMorgan systems now process 100 million messages a month from various trading platforms, and analysts review 100 percent of messages flagged as concerning.
- Built a web-based “Supervisory Portal,” which lets managers review the risk profile of their employees. The portal includes metrics such as employee attendance at compliance training and whether the employee’s trading for the month crossed any thresholds that would require supervisory approval.
- Added business conduct and commitment to compliance as factors in employee compensation decisions — a surefire way to get a banker’s attention.
- Implemented a program of independent quality assurance testing for compliance alerts, to assure consistency in the documentation and treatment of alerts.
OK, that’s a lot of action. Because of those compliance program improvements and the other factors counting in its favor, JPMorgan received an aggregate discount of 12.5 percent off the bottom of the standard fine recommended by the U.S. Sentencing Guidelines.
To be clear, however, in the grand scheme of JPMorgan operations, compliance and internal audit still account for a relatively small part of total spending. For example, the bank reported spending $9.8 billion last year on tech, communications and equipment; it spent $8.5 billion on outside professional services.
So we can applaud an extra $335 million spent over the course of five years, but that’s only 3.4 percent of what JPMorgan spent on technology in the single year of 2019. We don’t know JPMorgan’s dedicated compliance and internal audit budget, so we can’t estimate it as a percentage of all revenue. The bank does say a lot about its compliance, risk, and audit structure in its financial statements — but no budget numbers, alas.
Money aside, the notable thing is how closely the compliance improvements tied to JPMorgan’s misconduct: the spoofing. That is right in line with what the Justice Department told the world over the summer in its updated guidance for effective compliance programs: that prosecutors want to see compliance programs evolving with the risks. (Emphasis below added by me.)
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments or subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
JPMorgan took those steps. This is the result.