JPMorgan Chase will pay $200 million in fines to settle charges brought by two federal regulators regarding the bank’s failure to maintain records of communications on securities, commodities, and swaps business matters made on bank employees’ personal devices.

Citing “widespread and longstanding failures” to maintain and preserve text and personal email messages and WhatsApp chats, the Securities and Exchange Commission (SEC) announced a $125 million fine against the bank Friday to settle violations of the agency’s books and records rules by a subsidiary, JPMorgan Securities, dating back to 2018. The Commodity Futures Trading Commission (CFTC) announced a $75 million fine for similar violations dating back to 2015.

The bank acknowledged to the SEC that JPMorgan Securities failed to “reasonably supervise its employees with a view to preventing or detecting certain of its employees’ aiding and abetting violations.” The bank also admitted to the violations alleged by the CFTC regarding its commodities and swaps businesses. In both cases, JPMorgan agreed to cease and desist from future violations of the agencies’ record-keeping regulations.

What happened?

According to the SEC’s order, from at least January 2018 through at least November 2020, “JPMorgan employees regularly communicated about securities business matters on their personal devices, using text messaging applications (including WhatsApp) and personal email accounts. None of these records was preserved by the firm. The failure was firm-wide and involved employees at all levels of authority.”

The SEC noted “dozens of managing directors across the firm and senior supervisors responsible for implementing JPMorgan’s policies and procedures, and for overseeing employees’ compliance with those policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices about the firm’s securities business.”

One executive director on the capital markets desk sent more than 2,400 texts in a one-year period from his personal device. JPMorgan could not furnish these texts when requested by the SEC, according to the order.

From January 2018 to November 2019, JPMorgan desk heads, managing directors, and other senior executives sent and received more than 21,000 text and email messages “using unapproved communications methods on their personal devices. These messages were not preserved by JPMorgan,” the SEC said.

The record-keeping failures came to light as the bank attempted to respond to SEC subpoenas for documents and record requests “in numerous Commission investigations during the time period,” the SEC said. The agency learned about the unauthorized communications via third parties, not the bank itself, according to the order.

According to the CFTC’s order, JPMorgan Securities informed the agency in April it did not maintain records of communications by bank employees on their personal devices, dating back to 2015. The issue came to light as the CFTC was requesting documents from the bank during an investigation.

Failure to collect and maintain such records not only violated federal securities laws, but also the bank’s own policies and procedures, both regulators noted.

Compliance takeaways

At the behest of both the SEC and CFTC, JPMorgan agreed to hire a compliance consultant to conduct a comprehensive review of the bank’s “supervisory, compliance, and other policies and procedures designed to ensure that JPMorgan’s electronic communications, including those found on personal electronic devices … are preserved in accordance with the requirements of the federal securities laws.”

The review must be submitted to the SEC and CFTC within 45 days. Its recommendations must be implemented within 90 days, the orders said.

As part of the review, the consultant will examine the bank’s training procedures for its employees to ensure they understand the record-keeping requirements of federal securities laws. Employees will be required to certify in writing, on a quarterly basis, they are compliance with the requirements.

In addition, the consultant will assess the bank’s surveillance program of employees’ communications, assess technical solutions offered, and assess the measures used by the firm to “prevent the use of unauthorized communications methods for business communications by employees.” The bank will have to show it has incorporated communications on employee personal devices into its communication surveillance program and detail all instances of noncompliance in a report that includes which employees violated the policies, the corrective action, the penalties imposed, and whether those penalties were consistent across business lines and security levels.

Beyond JPMorgan, the SEC said it has commenced additional investigations of record preservation practices at financial firms.

What are they saying?

“Books-and-records obligations help the SEC conduct its important examinations and enforcement work. They build trust in our system,” said SEC Chair Gary Gensler in a press release. “Ultimately, everybody should play by the same rules, and today’s charges signal that we will continue to hold market participants accountable for complying with our time-tested recordkeeping requirements.”

CFTC Chair Rostin Behnam stated, “The message of today’s enforcement action could not be more clear: The Division of Enforcement will aggressively investigate potential recordkeeping and related supervision violations, and the Commission will impose appropriate penalties for violations of these critical regulatory requirements.”

JPMorgan did not respond to a request for comment.