JPMorgan Chase Bank was fooled into wildly overpaying for a student loan assistance company after the bank dropped its guard on how carefully to vet the startup’s customer database.

The story of how Charlie Javice convinced JPMorgan her startup firm, Frank, had valuable data on 4.25 million college students—when it had less than 300,000 customers—offers a cautionary tale to compliance professionals on due diligence failures.

On Tuesday, the Securities and Exchange Commission (SEC) filed a complaint against Javice, alleging she orchestrated a scheme to create nearly four million fake student accounts and convince JPMorgan and a third-party verifier the bank hired the data was legitimate. The bank paid $175 million to acquire Frank in 2021 but likely would have paid much less—or rejected the merger altogether—had the number of legitimate customer accounts at Frank been known.

Javice was arrested and charged with one count of conspiracy to commit bank and wire fraud, one count of wire fraud affecting a financial institution, one count of bank fraud, and one count of securities fraud.

In December, JPMorgan filed a lawsuit against Frank, Javice, and Frank’s Chief Growth Officer Olivier Amar in U.S. District Court for the District of Delaware that made similar allegations.

The bank’s lawsuit and the SEC’s complaint are only allegations, and the cases are pending. If proven, however, the cases explain how Javice was able to convince the country’s largest bank to pay $175 million for a list of fake college students, along with how corporate data privacy concerns can be weaponized by the unscrupulous.

Frank launched in 2017 as a “trusted financial coach for students,” primarily through reducing the time necessary for them to fill out the Free Application for Federal Student Aid (FAFSA). By 2021, Frank claimed on its website and in its pitch to JPMorgan it collected valuable information on 4.25 million college students who had applied for federal financial aid. JPMorgan saw an opportunity to buy Frank to gain access to those young consumers and pitch them its array of banking and financial services.

The bank’s investment thesis was “that Frank’s acquisition of 4.265 million customer accounts demonstrated that Frank had created momentum, growth, and scale by developing meaningful relationships with millions of students,” its lawsuit said.

During the due diligence process, Javice repeatedly told JPMorgan that Frank had information on 4.25 million college students who filled out FAFSA forms. But Frank actually possessed 293,193 customers, according to the bank’s lawsuit.

“In [JPMorgan’s] view, the 4.265 million purported customer accounts were the foundation for the deal,” the bank said in its lawsuit. “… If [JPMorgan] had known that Frank had fewer than 300,000 customer accounts, it would not have acquired Frank.”

Instead of insisting it be allowed to scrutinize the data so it could verify the customers were legitimate, JPMorgan agreed to a series of conditions that led to it allegedly being duped.

Javice’s fraud hinged on her successful ploy to protect the privacy of the personal information on the college students in Frank’s database, according to the SEC and JPMorgan.

The information consisted of student names, dates of birth, home addresses, phone numbers, and email addresses. As part of the due diligence process, JPMorgan’s head of corporate development asked to verify the information existed in Frank’s database, according to the bank’s lawsuit.

Javice, however, objected to providing the personal information of Frank’s customers to JPMorgan. Instead, she offered to provide customer names, dates of birth, and phone numbers. Customer home addresses and emails would be protected by a “unique ID” that consisted of a randomly generated identifier.

Javice then requested Frank provide its customer data to a third-party data management vendor, Acxiom, instead of JPMorgan. To perpetrate her alleged fraud, Javice hired a data science professor who created the fake Frank customer accounts, the bank’s lawsuit said.

The fraudulent list was forwarded to Acxiom. Acxiom validated there was data in all 4.25 million source data fields in Frank’s data set. But Acxiom apparently did not verify if any of the data was legitimate, even though JPMorgan said it understood “that Acxiom was validating actual customer account data.”

That gap in understanding between Acxiom and JPMorgan proved critical. A JPMorgan spokesperson declined to comment on the matter. Acxiom said it was unable to comment.

The merger closed in September 2021. JPMorgan would later conclude Javice’s privacy concerns were illegitimate and “just a cover for her attempts to conceal her fraud.”

When JPMorgan asked Frank for the email addresses of its customers so it could conduct a marketing campaign, Javice and Amar scrambled to purchase other lists of student names and emails from two educational vendors and provided that data to the bank, according to the lawsuit.

In January 2022, JPMorgan’s marketing team attempted to contact approximately 400,000 Frank customers via email as part of a marketing campaign. The campaign was a “disaster,” the lawsuit said, noting only 103 people contacted clicked through to Frank’s website.

The bank conducted an internal investigation in June 2022, using Javice’s and Amar’s emails it obtained as part of its acquisition of Frank. After the investigation was completed, Javice and Amar were fired, the bank said.