A former compliance executive with JPMorgan Chase alleges she was fired after pointing out flaws in the bank’s compliance program and misrepresentations the bank made to regulators regarding a 2016 settlement of bribery allegations in the Asia Pacific region.

Shaquala Williams, an attorney from New Jersey with more than a decade of experience in compliance, filed a lawsuit Thursday in U.S. District Court for the Southern District of New York alleging she was fired after bringing her concerns to her supervisors at JPMorgan. Her lawsuit was filed under the whistleblower protections provided by the Sarbanes-Oxley Act (SOX). She filed a separate claim with the Occupational Safety and Health Administration (OSHA) in April 2020, also alleging JPMorgan violated SOX’s whistleblower protection provisions.

A response from OSHA in April of this year determined only Williams’s firing—not the retaliation actions that preceded it—was open to review for being filed in a timely manner. OSHA indicated the complaint was dismissed after JPMorgan showed through “clear and convincing evidence” that its termination of Williams was not related to the issues she raised in her complaint. But Williams’s lawsuit states the Secretary of Labor “has not issued a final decision,” indicating OSHA’s initial finding might be under appeal.

Williams’s attorneys did not respond to a request for clarification.

According to the lawsuit, Williams was hired as a vice president by JPMorgan in its Global Anti-Corruption Compliance division in July 2018. Her primary responsibility was “managing, assessing, and improving” the bank’s third-party intermediaries (TPI) program. The program’s purpose, according to the lawsuit, was to “detect, prevent, and deter JPMorgan personnel and non-client third parties such as agents, consultants, vendors, and suppliers from engaging in corrupt behavior to obtain or secure business or government action on the bank’s behalf.”

This function of the bank’s compliance program was under regulatory scrutiny due to 2016 settlements with three federal regulators regarding violations of the Foreign Corrupt Practices Act (FCPA). The bank paid $264 million in penalties to the Securities and Exchange Commission, Department of Justice, and Federal Reserve to resolve the so-called “Sons and Daughters” scandal, in which the bank “won business from clients and corruptly influenced government officials in the Asia Pacific region by giving jobs and internships to their relatives and friends,” the SEC said at the time.

Regulators found the bank maintained spreadsheets connecting business opportunities to the hiring of hundreds of friends and relatives connected to JPMorgan clients, prospective clients, and government officials.

As part of the settlement with the Justice Department, JPMorgan revamped its hiring practices and began routing all hires through a centralized HR application process. The SEC took this a step further, requiring in its cease-and-desist order that the bank strengthen its internal controls regarding high-risk hires, and that the company’s compliance division review any hire referred by a client, potential client, or government official.

Williams alleged in her lawsuit the bank’s policies and procedures did not adequately document the steps necessary to mitigate corruption risk in the TPI program, and that the policies and procedures did not match the bank’s actual practices. She found some third parties were exempted from TPI controls, without any documented rationale to explain why. As a result, the bank’s records regarding its TPI controls were inaccurate, and the bank’s reporting about the robustness of those controls to regulators was overstated.

In addition (and contrary to the requirements of the SEC’s order), the bank did not “review invoices for red flags, high-risk indicators, or other anomalies that indicate corrupt payments” because there were so many exemptions granted and the controls that were in place were weak, she said. To give one alleged example, a former government official was considered a “high-risk third-party intermediary” for the bank’s CEO Jamie Dimon, but those invoices bypassed compliance review as part of an “emergency payment method” used by the bank.

There were other problems with the bank’s ranking of risk factors for third-party intermediaries and with the due diligence process that reviewed them, according to the lawsuit. There was no system in place to compare TPIs with the bank’s internal list of individuals and entities banned for money laundering, economic sanctions, and other financial crimes. Williams said she found other issues in areas for which compliance had oversight, including transactions, investigations, travel and expense, and referred candidates.

In general, the compliance division did not have enough independence to raise issues with the bank’s internal controls, she said.

In May 2019, Williams said she received a draft report that was meant to update the Justice Department on the status of the bank’s remediations to its compliance program that were ordered to be implemented by the 2016 consent order.

“The report contained numerous material misrepresentations about the monitoring, testing, and TPI program’s controls implemented to mitigate corruption risk and avoid further violations of SEC regulations and the Foreign Corrupt Practices Act,” the lawsuit said. The bank allegedly sent similar misleading reports to regulators in the United Kingdom and European Union.

Williams complained to human resources during her tenure with JPMorgan she had “‘experienced a culture that retaliates, excludes, suppresses internal escalations, uses euphemisms and violates document controls to avoid oversight, and discourages working across teams to mitigate risk to the firm’” to avoid additional work, the lawsuit said. Oversight of the TPI program was transferred to another employee as a result, she said, and the bank began retaliating against her by building a record of her alleged poor performance.

She was fired on Oct. 30, 2019, Williams said, because “she engaged in protected whistleblower activity under SOX by investigating, complaining about, and exposing practices and behaviors that she believed constituted violations of federal laws, regulations, rules, and internal policies, including, but not limited to, SEC rules and regulations and provisions of federal law relating to fraud against shareholders.”

A spokesperson for JPMorgan said, “We intend to fully defend these claims.”