In November 2016, JPMorgan Chase (JPM) and its subsidiary, JPMorgan Securities (Asia Pacific) Limited (JPM-APAC) resolved its long running Foreign Corrupt Practices Act investigation and enforcement, obtaining a non-prosecution agreement (NPA) from the Justice Department with a penalty of $72M, agreeing to a cease-and-desist order  (Order) from the Securities and Exchange Commission, with a penalty consisting of profit disgorgement and interest of $135 million, and reaching an agreement with the Federal Reserve Bank for a consent cease-and-desist order (Fed Order) to put in place a best practices compliance program and pay a penalty of $61M.

The conduct involved JPM-APAC’s Client Referral Program, named the “Sons & Daughters Program,” which targeted children of high Chinese government officials and employees of state owned enterprises, together with other close family members and even close friends and associates of these officials and employees, for hiring in a blatant attempt to win business. It was designed, created, and implemented by the top management of JPM-APAC, which went so far as to keep a tally of those persons hired by JPM-APAC and JPM to specific business development. As noted in the NPA, “certain senior executives and employees of (JPM-APAC) conspired to engage in quid pro quo agreements with Chinese officials to obtain investment-banking business, planned and executed a program to provide specific personal benefits to senior Chinese officials in the position to award or influence the award of banking mandates, and repeatedly falsified or caused to be falsified internal compliance documents in place to prevent the specific conduct at issue.” The language quid pro quo is replete throughout the settlement documents because that is the specific language used by JPM-APAC personnel when discussing Sons and Daughters.

This enforcement action did not involve the odd, one-off hiring of a family member of a foreign government official. In a speech at the ACI 2016 National FCPA Conference, SEC Director of Enforcement Andrew Ceresney noted that over the life of the Sons and Daughters hiring program, JPMorgan hired approximately 200 interns and full-time employees at the request of its APAC clients, prospective clients, and foreign government officials. Added to this were nearly 100 candidates referred by foreign government officials at more than twenty different Chinese state-owned enterprises.

Furthermore, JPM-APAC was well aware that these hires potentially violated the FCPA, since the subsidiary engaged in specific, intentional conduct designed to subvert the internal controls around the company’s hiring process. Business justifications were provided, which were either inaccurate or outright falsehoods. In the NPA, it cited as an example of collusion with the subsidiary’s compliance and legal group a revised business justification from an unacceptable reason to one which would pass muster in the unsuspecting corporate human resources department.

The matter also included what has come to be known as “the spreadsheet,” where JPMorgan documented each hire, the referring client, the relationship of the candidate, and the amount of revenue generated attributable to the hire in U.S. dollars. The purpose of the spreadsheet was to track deals that resulted from the hires and measure revenue associated with Client Referral Program hires. So the corruption scheme and the benefits obtained therefrom were fully documented.

Result achieved by JPMorgan. Yet as bad as the conduct engaged in by JPM-APAC may be, one clear lesson is the superior result achieved by JPM in its FCPA resolution. Not only did it receive a 25 percent discount off the bottom of the U.S. Sentencing Guidelines fine range, but it received an NPA (not even a deferred prosecution agreement) and no outside monitor was required of the company going forward. While some of this result is due to having excellent defense counsel, a large part is due to the cooperation by JPM and the remediation engaged in by the company. The NPA, Order, and Fed Order all lay out how the penalties under this matter follow this framework, even though the case arose far before the implementation of the Justice Department’s FCPA Pilot Program.

The addition of a Fed enforcement action adds an interesting wrinkle to institutions subject to Fed oversight. It might also lead to state banking oversight for such cases, as the focus of the Fed seems to be the bank’s own internal policies around anti-bribery and anti-corruption as much as the FCPA itself. Whatever the reason might be, it presents new complexity for any financial institution going forward.

Non-prosecution agreement. The company engaged in extensive remediation during the pendency of the investigation. According to the NPA, the company took the following steps:

Ended the employment relations with five employees who participated in the misconduct;

Fired another employee “who failed to identify issues with referral hiring and failed to take appropriate steps to mitigate risks”;

Disciplined an additional 23 “employees who failed to detect the misconduct, failed to supervise effectively those who were engaged in the misconduct, failed to take appropriate steps to mitigate corruption and compliance risks, and/or who were lower-level employees engaged in the misconduct at the direction of supervisors”;

Imposed more than $18.3 million in financial sanctions on former or current employees;

Conducted individualized training for remaining employees;

Adopted “heightened controls related to their hiring programs, including standardizing hiring programs and requiring that every application for a hire be routed through a centralized human resources application process”;

More than doubled company resources devoted to compliance, particularly in the Asia-Pacific region; and

Requiring improved FCPA training.

SEC cease and desist order. The SEC Order specifies additional remedial conduct engaged in by the company more geared toward internal controls, specifically around HR and the role of compliance in high-risk hires. These remediation actions included:

Enhancing its anti-corruption compliance program and hiring practices on a global basis, making changes to its anti-corruption policy to further address the hiring of government officials’ relatives;

Requiring that every hire with the company, including referral hires, be routed through a centralized human resources application process;

Establishing a control function role for human resources with respect to hiring;

Requiring that company’s anti-corruption office reviews and approves each hire of a candidate referred by a client, potential client, or government official; and

Instituting procedures and practices for the monitoring and auditing of referral hiring.

Fed consent order. Although not a part of the DoJ or SEC resolution, but certainly in concert with those two settlements, the Fed Order also had some interesting points about the company’s conduct going forward that certainly contributed to the favorable result achieved by JPM. There would be senior management oversight that would “ensure that senior management periodically reassesses risks associated with the Firm’s Referral Hiring Practices to proactively identify practices vulnerable to legal and reputational risks”; and ensure senior management’s effective oversight of the firm’s referral hiring practices.

There would be a compliance management risk program that would create and implement “written policies and procedures governing the appropriate evaluation of, and processes for, vetting referred candidates consistent with the Firm’s anti-bribery policies and procedures” tying FCPA compliance to Human Resources (HR). Within the HR function itself, there would be written policies and procedures designed to ensure compliance with applicable anti-bribery laws and policies within all business lines and training “regarding appropriate hiring practices and compliance with applicable anti-bribery laws and policies.”

Internal audit was also assigned an enhanced role going forward. It was designated to conduct audits on a regular basis, business line controls, and compliance detection and monitoring processes, “designed to identify and prevent potential misconduct in connection with the Firm’s Referral Hiring Practices.” Moreover, such audits are to be conducted by “qualified parties who are independent of the firm’s business lines and compliance functions.” There are to be “enhanced escalation procedures for the timely resolution of material audit exceptions and recommendations in connection with the Firm’s Referral Hiring Practices.” Finally, and sounding right out of the COSO 2013 Framework for internal controls, there is to be a “periodic review of risk assessments to ensure emerging risks associated with the Firm’s Referral Hiring Practices.”

More to come. Finally, Ceresney said there were more FCPA enforcement actions in the pipeline from the SEC’s industry sweep on financial institutions. According to regulatory filings other banks under FCPA scrutiny include Citigroup Inc., Credit Suisse Group AG, Deutsche Bank AG, Goldman Sachs Group Inc., HSBC Holdings, Morgan Stanley, and UBS Group AG. All this means there may well be much more to come in this area.

The approach of the Fed Consent Order, focusing on the risk management issues raised by the bank’s failures in its anti-corruption program, leads to several interesting questions about how the Fed might look at other banking institutions that have publicly announced they have ongoing FCPA investigations. It would seem the Fed is most concerned about how the wholesale failures of JPMorgan Chase around its hiring protocols for family members of foreign government officials impacts the bank’s “risk management framework that includes strong governance over compliance risk at all levels of management.”

The addition of a Fed enforcement action adds an interesting wrinkle to institutions subject to Fed oversight. It might also lead to state banking oversight for such cases, as the focus of the Fed seems to be the bank’s own internal policies around anti-bribery and anti-corruption as much as the FCPA itself. Whatever the reason might be, it presents new complexity for any financial institution going forward. As many banks were sanctioned over LIBOR or the mortgage scandals of the past decade and entered into DPAs, they could well run afoul of those resolutions by having either FCPA violations or violations of their own internal compliance programs.