As you might have already heard (because compliance is such a gossipy profession), last week a former compliance officer for J.P.Morgan filed a lawsuit against the bank, accusing executives there of retaliating against her because she was raising concerns about failures and weaknesses in the compliance program.
I spent the weekend reading the complaint, which you can download and read yourself if you want. Tempting as it may be to dissect the salacious parts of her suit — who retaliated against whom; which executives might “rip off your head” for using forbidden words in a meeting — I want to focus instead on the substantive allegations of compliance failures. Just what was J.P.Morgan’s compliance program supposedly doing wrong?
That might be the best way for most compliance professionals to study this case. We have no idea whether the allegations are true, and presumably J.P.Morgan will insist they’re not. But the allegations do offer examples of how a compliance program might go wrong, and that’s material others can use to assure that your own compliance programs don’t go wrong. So what are those supposed shortcomings?
First, the background. The lawsuit was filed last week by Shaquala Williams, who worked for J.P.Morgan for 16 months in 2018 and 2019. At the time, J.P.Morgan was still under a non-prosecution agreement for its “princeling” scandal, where the bank had given plum jobs to relatives of foreign officials in China and other Asia-Pacific nations. J.P.Morgan agreed to pay $264 million in penalties and disgorgement to settle charges, and had a three-year NPA that ran until November 2019.
Williams arrived in July 2018 as a vice president in the bank’s global anti-corruption compliance team. Her primary duties were to prepare monthly reports for senior management on certain corruption risk indicators, and to review and oversee the bank’s third-party intermediary compliance program.
One of Williams’ early assignments, she says in her lawsuit, was to review that third-party intermediary (TPI) program. She promptly identified numerous problems and “believed that in many ways the TPI program failed to comply with the law.”
The Allegations Themselves
First, Williams had concerns about J.P.Morgan’s policies and procedures to govern third-party intermediaries. For example, she said, the bank sometimes exempted certain third parties from the usual TPI controls, but lacked policies and procedures to document the rationale for those exemptions. It also often failed to record approved exemptions, and applied exemptions inconsistently. As a result, Williams said, the bank couldn’t precisely track the total number of intermediaries, which meant that its internal reporting and its disclosures to regulators were wrong.
Second, Williams warned about a lack of invoice controls. Strong invoice controls were supposed to be in place as part of J.P.Morgan’s regulatory settlement, to assure that amounts paid to intermediaries were consistent with business needs, stated payment expectations, and market rates. (You know, all those criteria listed in the Justice Department’s FCPA Resource Guide as important for third-party oversight.) Williams, however, said J.P.Morgan had numerous flaws in its invoice controls, including:
- No requirements for the compliance group to review invoices for red flags or other high-risk indicators of corruption;
- Exempting many third parties from invoice requirements, without documenting the basis for doing so;
- No controls to assure that the entity requesting payment was the same third-party intermediary that had contracted with the bank;
- No consequences for bank employees who failed to upload invoices or who didn’t review uploaded invoices.
Third, Williams said J.P.Morgan was inconsistent with the risk-based approach it was supposed to take to manage third parties. The bank assigned a risk ranking to each third-party intermediary; and that ranking then determined the level of due diligence and other compliance requirements (contract terms, due diligence reports, management approvals) the intermediary should receive.
Except, Williams said, J.P.Morgan had multiple versions of its risk ranking calculator, and there was no documented rationale or methodology to justify the risk ranking scores; so the bank applied its TPI risk rankings inconsistently. Williams also said the compliance teams didn’t submit their risk calculators to J.P.Morgan’s internal “model risk governance” team for evaluation — a violation, she said, of both the bank’s own internal policies and its agreement with the Securities and Exchange Commission.
Fourth, Williams said J.P.Morgan’s third-party due diligence processes were deficient. She claimed that J.P.Morgan had a “client list screening group” within its anti-money laundering function. That group’s job was to screen the records of individuals and entities doing business with the bank to determine whether economic sanctions applied, and to escalate “positive hits” when responding to government requests for data.
But, Williams went on to say, J.P.Morgan hadn’t connected the TPI systems and the client list screening group’s systems — so when the client list screening group responded to government requests, it wasn’t including information about third-party intermediaries. Williams says she objected several times to that arrangement, and the client list team agreed to fix the issue; but managers in the global anti-corruption compliance team blocked the project from moving forward.
Williams alleged numerous other compliance program failures, too:
- shortcomings in training for third parties;
- lack of documented policies and procedures for internal investigations;
- failure to monitor “referred candidates” (that is, potential princelings) to confirm whether there was a legitimate need for them to be on the bank’s payroll;
- ineffective testing of controls for travel and entertainment expenses;
…and more from there. You can download and read Williams’ complete lawsuit if you want. J.P.Morgan itself hasn’t released any formal statement about Williams’ lawsuit.
Points to Ponder
Let’s assume for a moment that you’re staring at a compliance program with all the shortcomings Williams alleges above. How does that happen? What flaws give rise to those bad practices?
One issue would be lack of documented policies and procedures. From that fundamental mistake, 100 more compliance failures can bloom. Lack of documented policies and procedures gives management the breathing room it needs to exercise its own subjective judgment — and that’s what Williams alleges against J.P.Morgan in numerous instances. Exempting intermediaries from standard review, deficiencies in internal investigations, conflicting risk rankings because employees use multiple methodologies: all those specific compliance failures can trace back to lack of documented policies and procedures.
Writing down policies and procedures forces executives to follow through on all those lofty ethics and compliance goals the C-suite likes to talk about. The better your documentation is, the harder it is for executives to evade compliance goals, because their non-compliance acts will stick out like a sore thumb. I’ve made that argument before in the context of accounting fraud; it’s just as true in the anti-corruption world.
Another fundamental problem would be keeping the third-party oversight system isolated from other business functions. Williams makes that complaint about the TPI system being isolated from the anti-money laundering screens the bank does, but I’ve seen this fundamental bad habit manifest in other ways, too. For example, I’ve heard many tales of companies that don’t connect their due diligence and accounting functions, so the compliance team can’t block a payment going to a third party that flunked due diligence.
I don’t see why a company would ever want to separate AML and anti-corruption due diligence in the first place. They’re two different angles of the same thing: third-party risk management.
Next issue: inconsistent risk assessment. The best risk ranking matrix in the world won’t do a company much good if you also use the second-best matrix in the world, plus a few others, and end up with multiple ways to assign a risk ranking. You have too many ways to make judgments, which increases the chance that you’ll make a flawed judgment.
This gets to that “single source of truth” phrase that GRC vendors love to cite so much. Third-party risk assessments need to follow a disciplined process, and ideally one that’s been validated by some independent team (like J.P.Morgan’s model governance team or an external auditor). Too much discretion in how you assess a third party’s risk can lead to all manner of problematic results.
That’s enough for today (although we could keep going). Suffice to say that whatever the merits of Williams’ case against J.P.Morgan may or may not be, the allegations do provide a glimpse into the ways that a compliance program could stall out. Now others can look at their own programs and see how familiar Williams’ allegations sound.