Reeling from its “London Whale” scandal, accusations it hired the children of government officials to boost business operations in China, a cyber-attack that compromised sensitive data for approximately 76 million households, and more than $23 billion in penalties over the past few years, JPMorgan Chase has issued a 100-page report that details efforts to improve compliance, culture, and internal controls.
The report, “How We Do Business,” comes in response to a request from The Sisters of Charity of Saint Elizabeth, a shareholder and member of the Interfaith Center on Corporate Responsibility. They asked the bank for “comprehensive transparency regarding the challenges faced by the bank and controls put in place to address them.”
In the report, JPMorgan details investments it has made in compliance, internal controls, risk assessment, and audit. The bank added more than 1,200 compliance professionals in 2012 and 2013 and is on pace to add 470 more by the end of 2014. With those hires, its compliance headcount will be approximately 3,150, an increase of 117 percent since 2012. In 2014, it will spend over $450 million in compliance technology operations platforms, adding 720 employees. In 2013, employees completed more than 1 million hours of training related to risk, control, and compliance.
The internal audit headcount grew by 15 percent from 2012 to 2013, and will increase by an additional 15 percent as 2014 draws to a close. By the end of this year, JPMorgan will have hired more than 9,500 full-time equivalent employees focused on financial crime-related matters, a more than 300 percent increase since 2012.
JPMorgan’s global Compliance department is described as “a core component of the company’s control efforts.” The firm-wide CCO is supported by a CCO for each business line, as well as regional CCOs in the Europe, Middle East and Africa, Asia Pacific and Latin America regions. Ongoing improvements include implementing quality assurance processes to assess whether the lines of business and regions have effectively implemented standards and protocols and more consistent reviews of compliance risks across businesses and functions.
Other improvements, both underway and planned:
• Development of a more robust risk assessment program that includes a survey tool that assesses compliance risk to enhance “consistency, documentation and comprehensiveness.”
• Revising a compliance risk scoring matrix to better find and assess ineffective controls.
• Enhancing enterprise-wide anti-money laundering risk assessments.
To better comply with anti-corruption laws, including the Foreign Corrupt Practices Act, JPMorgan has implemented new global controls across the lines of business. These include: enhanced oversight over gifts, entertainment, and third-party vendors; expanded monitoring of corporate events, sports, and entertainment; and new standards for conducting due diligence on third-party vendors.
Ongoing improvements in customer due diligence and client risk scoring include: enhancing Know Your Customer program guidance documents, including risk tolerance guidelines; and improving customer risk scoring models, which will drive the need for enhanced due diligence, more frequent periodic reviews, a greater number of senior approvals, and in-depth transaction monitoring.
“To have a globally consistent framework,” JPMorgan is in the midst of a culture and conduct risk program in the Europe, Middle East and Africa (EMEA) region. This effort will involve an assessment of conduct risks, mitigation plans across those risks, metrics, and training.
To better ensure that regulatory obligations are met, the bank has established “specific purpose committees” to provide oversight in connection with regulatory orders issued by the Federal Reserve and the Office of the Comptroller of the Currency. These include: a Bank Secrecy Act/Anti-Money Laundering Compliance Committee; Mortgage Compliance Committee; Trading Compliance Committee; Foreign Exchange Compliance Committee. Each of these committees has between two and four independent directors.
The report also details JPMorgan’s efforts to improve Suspicious Activity Reports and its Know Your Customer efforts. “We needed to upgrade our control environment and systems to dedicate more resources to KYC, transaction monitoring, and escalation in order to continue to serve our clients while managing our risk profile,” it says.
As for hackers, the bank created a Cybersecurity Executive Council that brings together internal IT and security expertise for monthly meetings. A year-and-a-half-long Cyber Attack Remediation initiative will focus on security perimeters and post-crisis remediation.
“The report appropriately acknowledges the lapses in ethical conduct that resulted in significant damage to the company’s reputation and details steps taken to reduce the possibility of such lapses in the future,” Rev. Séamus Finn, chairman of the board of the Interfaith Center on Corporate Responsibility, said in a statement. “That their actions have broader, societal repercussions beyond the scope of the company seem also to have been recognized. We are hopeful that management sees the value in this type of self-examination as a bridge to begin to restore trust and confidence between Main Street and Wall Street.”