Today I want to revisit that enforcement action against JP Morgan from last week, because there’s more here that compliance officers need to consider. We need to talk about the compliance consultant JP Morgan has to hire as part of its settlement.
In our first post about this scandal last Friday, we looked at the misconduct itself. The Securities and Exchange Commission charged JP Morgan with “widespread and longstanding failures” to preserve employee communications in the bank’s broker-dealer unit, where bankers routinely talked shop using WhatsApp, personal email accounts, and text messages on personal devices.
We won’t rehash all the allegations again here, but the SEC settlement order painted an ugly picture. The misconduct happened from 2018 through 2020; and it involved even senior managers at the bank who were supposed to be responsible for enforcing JP Morgan’s recordkeeping policies and procedures. The SEC discovered the missing communications because it had subpoenaed other Wall Street banks, which included messages from JP Morgan as part of their evidence submissions — after JP Morgan had already told the SEC that such messages didn’t exist. Yikes.
JP Morgan will pay $200 million in monetary penalties, and admittedly that’s chump change for a bank that reported $27.4 billion in net income for 2020. But the bank must also hire “an independent compliance consultant” to review its recordkeeping compliance efforts.
That’s where things get interesting. The SEC devotes a whopping 18 paragraphs to describe this consultant’s duties, the freedoms he or she shall have, and the reports the consultant will make to both JP Morgan’s board of directors and to the SEC. The whole arrangement feels like a compliance monitorship, although the SEC never actually uses that term. What’s going on here?
The Compliance Consultant Duties
First, the consultant is supposed to conduct a “comprehensive compliance review” of JP Morgan’s recordkeeping program and its policies and procedures for employee communications. The review must specifically look at:
- JPMorgan’s supervisory, compliance, and other policies and procedures to assure that the bank’s communications, including those on employees’ personal devices, are preserved in accordance with federal securities law.
- The training JP Morgan conducts with employees to assure that they understand their duties and the bank’s policies on this subject.
- The surveillance program JP Morgan uses to monitor employee communications and assure recordkeeping compliance. (Surveillance of employee communications is a routine compliance exercise in the banking world.)
- The technology JP Morgan has begun using to meet its records retention requirements, “including an assessment of the likelihood that JPMorgan personnel will use the technological solutions going forward” and a review of how JPMorgan tracks employee usage of those tools.
- The measures JP Morgan uses to prevent improper communication methods, including a review of the bank’s policies and procedures to see whether they provide “significant technology and/or behavioral restrictions” to prevent abuse.
- The framework JP Morgan uses to address instances of non-compliance. This will include a look at how JP Morgan determines that someone has violated policy, the discipline imposed, and whether those disciplinary actions “were handed out consistently across business lines and seniority levels.”
That is indeed a comprehensive review of JP Morgan’s compliance efforts. The consultant is supposed to complete the review within 90 days of his or her hiring; and then give a written report to both JP Morgan’s audit committee and the SEC 45 days after that. Within another three months after that, JP Morgan is supposed to implement whatever recommendations the consultant makes.
In cases where the bank and the consultant disagree about a recommendation, they’ll try to reach a compromise solution. If they can’t reach a compromise, “JPMorgan shall adopt and implement all of the recommendations that the compliance consultant deems appropriate.” (Emphasis mine.)
But Wait, There’s More
The SEC order also specifies that JP Morgan can’t fire the consultant without prior approval of SEC staff, and that the consultant must have unfettered access to all relevant files, books, records, and bank personnel. He or she will perform the first review outlined above, and then perform another review one year later to assess how well JP Morgan has progressed in implementing whatever recommendations came out of the first report. That one-year report goes to both the audit committee and the SEC.
Apart from the compliance consultant’s one-year report, JP Morgan’s internal audit team must also perform its own audit (at roughly the same time) to assess the bank’s progress on those compliance recommendations. That audit has to go to the SEC staff too.
Lastly, for the next two years JP Morgan must notify the SEC any time it imposes disciplinary action against employees for violating its recordkeeping policies. That includes any written warnings, loss of pay, or termination.
What’s Really Going on Here?
Clearly what’s going on is that the SEC doesn’t trust JP Morgan to implement necessary compliance improvements on its own. So the SEC is forcing the issue with a compliance consultant whose mandate is to assess pretty much everything, make recommendations, and then (after a requisite period of polite negotiations) force JP Morgan to do whatever the consultant recommends anyway.
This arrangement strikes me as an independent compliance monitor, even if the SEC calls it an “independent compliance consultant.” The only significant differences I can see are: (1) the consultant seems to have only a one-year term, rather than three years like we usually see with monitors; and (2) the consultant only provides a handful of specific reports to the SEC, rather than a larger and more regular schedule of reports.
Technically the SEC does have legal authority to appoint a compliance monitor, although usually only the Justice Department appoints them. I can’t even recall the last time I saw an SEC settlement that included a monitor. The SEC did require an independent compliance consultant for KPMG’s cheating scandal in 2019; perhaps this compliance consultant gig is just the SEC’s way of getting to the same point (independent assurance of changes to the compliance program) by another route.
Regardless, compliance officers should take heed at… well, whatever this arrangement is. It seems like a compliance monitor in substance, if not in name. Something tells me it won’t be the last time we see such an arrangement in SEC settlements either.