In March 2024, JP Morgan Chase & Co. faced a significant financial penalty totaling nearly $350 million, due to deficiencies in its trade surveillance data capture procedures. Included in this was the Office of the Comptroller of the Currency (OCC) which imposed a $250 million civil penalty, citing the bank’s operation with “gaps in trading venue coverage and without adequate data controls required to maintain an effective trade surveillance program.” Concurrently, the Federal Reserve Board levied an additional $98.2 million fine, highlighting JPMorgan’s failure to monitor billions of trading activities across more than 30 global venues between 2014 and 2023.
This enforcement action emphasized the importance of comprehensive data capture and monitoring within financial institutions. It put firms on notice that regulators expect organizations to know where business activity is taking place, across both traditional channels and less obvious ones.
FINRA and the DOJ on the case
Since the issuance of JP Morgan’s fine for data completeness, we have seen regulatory messaging across the globe reiterating the importance of data capture and good data governance.
In response to the evolving technological landscape, regulatory authorities have issued guidance stressing the necessity for firms to capture and supervise all forms of communication, including those generated by AI tools.
The Financial Industry Regulatory Authority (FINRA), in its 2025 Annual Regulatory Oversight Report, stated:
“The content standards of Rule 2210 (Communications with the Public) apply whether member firms’ communications are generated by a human or technology tool.”
This implies that AI-generated communications are subject to the same regulatory scrutiny as traditional human communications, requiring diligent capture, archiving, and supervision. FINRA has further highlighted Gen AI as a risk and enforces the need for proper supervision and retention of chat sessions. It added that:
“Firms contemplating the use of Gen AI tools and technologies may want to consider: How to supervise the use of Gen AI on an enterprise level (as well as by individual associated persons)”
Similarly, the U.S. Department of Justice (DOJ) has outlined the potential risks associated with AI in corporate compliance. In its “Artificial Intelligence and Criminal Justice Final Report,” the DOJ called out the need for organizations to implement comprehensive compliance programs that encompass AI applications, ensuring that all communications and data generated by such technologies are properly recorded and monitored.
In addition, when referring to third-party messaging applications, the DOJ has previously expressed the need to capture all communications. In a keynote by Assistant Attorney General, Kenneth A. Polite, Jr., stated that:
“During an investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws.”
Clearly, complete oversight of business data and communication data – whether made on social media, WhatsApp, or ChatGPT, is now a regulatory priority. As demonstrated by JP Morgan, the cost of non-compliance is high. Firms should be prepared to meet regulatory standards, adopting technological solutions needed to follow the rules and remain compliant.
JPMorgan’s investment in GenAI
Amid these regulatory expectations, JPMorgan has demonstrated a significant commitment to integrating Gen AI into its operations. The bank has pledged to equip 140,000 employees with GenAI tools, aiming to enhance productivity and innovation. While this initiative positions JP Morgan at the forefront of technological advancement, it also amplifies the need for robust compliance measures. The substantial fines imposed for previous data capture deficiencies serve as a cautionary tale, stressing the potential consequences of inadequate monitoring in an AI-enhanced environment.
The need for AI communication capture
These recent developments uncover a critical mandate for financial institutions to follow: the necessity to capture and maintain a full audit trail of all communications, including those generated by AI tools like ChatGPT. This mandate includes the implementation of advanced monitoring systems capable of capturing and archiving AI-generated communications in accordance with regulatory standards. By collaborating with technology providers and vendors firms can ensure built-in robust compliance infrastructures into supervision practices.
As financial institutions increasingly integrate GenAI tools into their operations, capturing and monitoring all forms of communication becomes paramount. The substantial fines levied against JPMorgan for data capture deficiencies, coupled with explicit regulatory guidance from FINRA and the DOJ, highlight the potential risks of inadequate oversight. By proactively implementing comprehensive monitoring systems and ensuring a full audit trail of AI-generated communications, firms can navigate the complexities of technological innovation while maintaining compliance and mitigating potential penalties.
