On 22 June 2023, the Securities and Exchange Commission (SEC) issued a cease-and-desist order against multinational financial services giant J.P. Morgan. The order related to the permanent deletion of a staggering 47 million electronic communications, including emails and instant messages, many of which were required to be retained under Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder.
Many of the records that were deleted were subpoenaed in at least twelve ongoing civil securities-related regulatory investigations, with an internal email from a member of the J.P. Morgan compliance team acknowledging that the “lost documents could relate to potential future investigations, legal matters and regulatory inquiries.” The SEC’s order summarises that:
“Because the deleted records are unrecoverable, it is unknown – and unknowable – how the lost records may have affected the regulatory investigations.”
The resulting $4 million fine imposed by the SEC for the mass deletion event, together with the related censure and the order that J.P. Morgan “cease and desist from committing or causing any violations and any future violations” of the recordkeeping rules, brings the matter to a close legally. But the scale of the issue, and the factors involved, will have repercussions across the financial and regulatory space, and it serves as a cautionary tale for other organizations.
The guilty third party?
Interestingly, the foundations of this issue were laid back in 2012. J.P. Morgan engaged an unnamed third-party vendor to handle its electronic communications storage. When asked by J.P. Morgan, and separately by the Financial Industry Regulatory Authority (FINRA), the vendor assured them that its practices complied with Rule 17a-4(b), and that all archived communications were coded in such a way that they could not be permanently deleted within the required retention period of 36 months.
Because J.P. Morgan’s internal Corporate Compliance Technology team was operating under the impression, given by the vendor, that coding was in place to prevent the deletion of emails, it ran deletion tasks on communications dated 1 January to 23 April 2018. On investigation, however, it became apparent that the default retention setting had not been applied to communications within the ‘Chase’ domain. As a result, emails in that domain from that period that were not subject to legal holds were permanently deleted.
Trusting third-party vendors is essential if an organization is to use their services to fill gaps in its own expertise and capacity. Organizations clearly have a responsibility to manage the risks inherent in third-party relationships, but arguably that cannot extend to second-guessing every one of a third party’s operating procedures and assurances. What it can extend to is verifying that a control the vendor describes is actually in effect on the firm’s own data: in this case, checking that every domain in the archive carried the expected retention setting before any deletion task was run.
Expert insight: Rob Mason, Director of Regulatory Intelligence, Global Relay
“J.P. Morgan are frequently under regulatory scrutiny because they operate at considerable scale and across a huge range of assets and products. Because of this scrutiny, they will have done due diligence around third-party vendor relationships, and were operating under assurances that the vendor gave them around having the right failsafes in place. In that respect, compliance operations are only as good as the information you’ve been given.
“This situation has highlighted a perhaps unanticipated area of data risk. As firms grow, acquire others, or merge, they take on the data and recordkeeping burden of those organizations. This quickly mounts: data might not be held in the same locations or formats, or under the same domain name. It becomes challenging to implement comprehensive rules across siloed data. That said, J.P. Morgan will have had a huge amount of procedures in place already, so this has exposed a flaw in some of their original processes.
“Given assurances by a vendor, compliance and IT teams might operate under the assumption that the relevant safeguards and backups are in place, so won’t jump to the conclusion that missing data automatically means permanent deletion. They won’t check daily for a worst-case scenario having happened, but assumption is a dangerous thing when it comes to risk.
“It’s critical for organizations of any size to have good oversight and complete, well indexed recordkeeping, with protections that avoid permanent deletion. This is also a cautionary tale for vendors. Making assurances to clients and regulators – and then failing to deliver on your promises – will set alarm bells ringing throughout the compliance community. Specialist archiving experts and services are required to manage this level of risk. And even though organizations may never look in their data archive again once it has been established, it’s still a very necessary expense – because if someone like the SEC comes knocking, you need to be able to deliver the data they request urgently and completely.
“It’s feasible that this is a warning shot to organizations from the SEC of what their next focus area will be. Regulators cannot do their job if they don’t have complete information to hand. While we can’t speculate on the contents of the deleted communications, they could have related to a huge range of regulatory responsibilities and potential investigations – and that’s just within one institution. Solid archiving is fundamental, and organizations would do well to learn from this cautionary tale and bump compliant archiving up their priority list – because it’s clearly high on the regulator’s lists already.”
Lessons Learned
In a statement on the SEC action, J.P. Morgan’s Veronica Navarro, Head of Communications, stated that “J.P. Morgan takes its record-keeping obligations seriously” and that the firm has “taken steps to enhance process and procedures”. These steps are said to include:
- Implementing its own 36-month retention coding to avoid accidental deletion risk
- Requiring approval from a senior-level information officer before any employee can run a deletion task
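The failure described in the order, and the two remediation steps listed above, come down to one design choice in a purge task: what it does when a message’s retention status is unknown. The example below is written for this article and is not J.P. Morgan’s or the vendor’s code; the domains, dates, policy table and the `approved_by` field are all constructed for illustration. The first function deletes anything whose domain has no retention entry (the as-happened behaviour); the second refuses the whole job if any domain lacks a policy, applies the firm’s own 36-month floor on top of whatever the table says, and will not run without sign-off.

```python
"""
Added example, not from the SEC order or any J.P. Morgan or vendor system.
Two versions of a purge task over an archive whose retention policy is keyed
by domain. All domains, dates and the policy table are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone

RETENTION_MONTHS = 36  # retention period cited in the article


@dataclass(frozen=True)
class Message:
    msg_id: str
    domain: str          # archive domain the message was ingested under
    sent: datetime
    legal_hold: bool = False


class DeletionRefused(Exception):
    """Raised when the hardened task declines to delete anything."""


# Per-domain retention in months. 'chase.example' is deliberately absent,
# modelling a default setting that was never applied to one domain.
DOMAIN_RETENTION = {"jpmorgan.example": 36, "jpmchase.example": 36}


def add_months(dt: datetime, n: int) -> datetime:
    """Calendar-correct month addition (clamps the day for short months)."""
    y, m = divmod(dt.month - 1 + n, 12)
    year, month = dt.year + y, m + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def purge_trusting(messages, now, policy=DOMAIN_RETENTION):
    """As-happened behaviour: assumes retention was applied everywhere.
    A missing policy entry reads as 'no retention', so the message is deleted
    regardless of age. Only an explicit legal hold protects it."""
    deleted, kept = [], []
    for m in messages:
        months = policy.get(m.domain)  # None when the default was never applied
        if not m.legal_hold and (months is None or add_months(m.sent, months) <= now):
            deleted.append(m)
        else:
            kept.append(m)
    return deleted, kept


def purge_fail_closed(messages, now, approved_by=None,
                      policy=DOMAIN_RETENTION, floor_months=RETENTION_MONTHS):
    """Hardened task: refuse the whole job without sign-off or if any domain
    has no policy; apply the firm's own floor on top of the configured value."""
    if not approved_by:
        raise DeletionRefused("deletion task requires senior information officer sign-off")
    unknown = sorted({m.domain for m in messages if m.domain not in policy})
    if unknown:
        raise DeletionRefused(f"no retention policy for domains {unknown}; nothing deleted")
    deleted, kept = [], []
    for m in messages:
        months = max(policy[m.domain], floor_months)
        if m.legal_hold or add_months(m.sent, months) > now:
            kept.append(m)
        else:
            deleted.append(m)
    return deleted, kept


def refusal_reason(messages, now, **kw):
    """Dry run of the hardened task: the refusal text, or None if it would run."""
    try:
        purge_fail_closed(messages, now, **kw)
    except DeletionRefused as e:
        return str(e)
    return None


def ids(msgs):
    return [m.msg_id for m in msgs]


# Constructed archive sample and run date.
UTC = timezone.utc
NOW = datetime(2020, 1, 1, tzinfo=UTC)
SAMPLE = [
    Message("m1", "jpmorgan.example", datetime(2015, 3, 10, tzinfo=UTC)),  # past 36 months
    Message("m2", "jpmorgan.example", datetime(2018, 2, 14, tzinfo=UTC)),  # still retained
    Message("m3", "chase.example", datetime(2018, 1, 5, tzinfo=UTC)),      # no domain policy
    Message("m4", "chase.example", datetime(2018, 4, 20, tzinfo=UTC), legal_hold=True),
]

if __name__ == "__main__":
    gone, _ = purge_trusting(SAMPLE, NOW)
    print("trusting task deleted:", ids(gone))       # m3 goes despite being under 3 years old
    print("fail-closed task said:", refusal_reason(SAMPLE, NOW, approved_by="senior-info-officer"))
    fixed = {**DOMAIN_RETENTION, "chase.example": 12}  # too-short value is floored to 36
    gone, _ = purge_fail_closed(SAMPLE, NOW, approved_by="senior-info-officer", policy=fixed)
    print("fail-closed task deleted:", ids(gone))    # only m1
```

The point of the hardened version is that the absence of a policy entry is itself a finding that aborts the job, rather than a condition that silently widens its scope; the floor means a vendor-side misconfiguration to a shorter period cannot shorten the firm’s own retention either.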
These steps will perhaps satisfy regulators that J.P. Morgan have learned from this scenario, but with archiving and data protection bumped up the regulatory agenda, other organizations need to look inward and consider their own position.
As a longstanding leading supplier of data archiving services, Global Relay understands the need to approach archive provision and purging from a compliance-first standpoint. We do not delete data from client archives without explicit direction to do so from an appointed administrator of the client account. All deletion actions undergo thorough review to ensure that they are implemented in line with the client’s express direction and that they fully comply with the legal and regulatory obligations concerning data retention to which both the client and Global Relay are subject.