Policies and Procedures: 125 Million New Reasons to Revisit Books-and-Records Obligations

Regulators have sent a chilling message to the securities industry by imposing record fines for widespread and longstanding failures against J.P. Morgan Securities LLC, a subsidiary of JP Morgan Chase & Co., a multinational investment bank and financial services company. The settlement also extracted rare admissions regarding pervasive record-keeping violations to include the implementation of robust improvements to its compliance policies and procedures.

J.P. Morgan Securities LLC was fined $125 million by the U.S. Securities and Exchange Commission (SEC) in December, far exceeding the previous record $15 million penalty for record-keeping deficiencies levied against Morgan Stanley in 2006. The Commodity Futures Trading Commission (CFTC) imposed an additional $75 million fine against JPMorgan for its failure to archive business-related messages made by employees on personal devices.

The SEC requires records of internal business communications to be kept for a period of not less than six years. The CFTC’s minimum archival period is five years. JPMorgan, however, failed to preserve tens of thousands of messages as far back as 2015 involving discussions of company business, client meetings, investment strategies, and market analysis.

The bank’s failure to retain business-related employee communications led to regulators not allowing JPMorgan to settle without acknowledging wrongdoing. Among their admission of fault, the firm also agreed to hire a compliance consultant to review its internal policies and procedures for retaining electronic communications.

“Books-and-records obligations help the SEC conduct its important examinations and enforcement work,” SEC Chair Gary Gensler said. “They build trust in our system. Ultimately, everybody should play by the same rules, and today’s charges signal that we will continue to hold market participants accountable for violating our time-tested record-keeping requirements.”[1]


The Importance of Internal Controls

This enforcement action is prime example of what not to do when it comes to using personal devices to communicate about securities business matters. Their firm-wide use of text messages and chats and lapse of record-keeping requirements has prompted SEC staff to commence additional investigations of record preservation practices across the industry.

Ongoing enhancements in technology and the growing prevalence of remote working conditions resulting from the COVID-19 pandemic have further complicated compliance’s responsibility to monitor and retain business-related employee communications. The SEC is unforgiving when it comes to a firm’s failure to perform required surveillance of employees using personal device applications such as WhatsApp, Signal, and WeChat along with SMS or iMessage text messaging and personal email.

The history-making action is likely to remain a focus area for SEC examiners this calendar year and beyond. Firms should actively think about and address the many compliance-related issues raised by the increased use of personal devices and new communications channels.

Staying out of the SEC’s crosshairs is a common goal for firms, but where does one start?


Embracing a Culture of Compliance

At Core Compliance & Legal Services, Inc. SM (“Core Compliance”) we urge clients to begin with performing an internal audit of books-and-records obligations. Educating personnel on the front lines and those who supervise them is also a vulnerable area that is often overlooked, as many firms presume that everything is under control and handled. Written policies and procedures must be clear about what is expected from employees and their supervisors.

Regular training, testing, and the enforcement of the internal controls is integral to establishing a culture of compliance. Make certain to include your firm’s policies and procedures for personal device use as a part of your next compliance internal risk assessment, and contact Core Compliance to schedule a consultation.


[1] See https://www.sec.gov/news/press-release/2021-262