Last week, the SEC issued a cease and desist order to JPMorgan Securities LLC (JPM) for its deletion of approximately 47 million electronic communications in about 8,700 electronic mailboxes relating to the period January 1 through April 23, 2018.
Many of these communications were business records required to be retained pursuant Section 17(a) of the Exchange Act and its attendant Rule 17a-4(b)(4).
The SEC says in its order that, beginning in 2016, JPM undertook a project to delete from its system older communications and documents no longer required to be retained. The deletion tasks performed in connection with the project experienced glitches with the identified documents not actually being expunged. After trying unsuccessfully to delete some communications from the 1970s and 1980s, JPM sought help from an outside vendor managing the bank’s email storage.
Deletion tasks
In June 2019, while troubleshooting the issue, firm employees executed deletion tasks on electronic communications from the first quarter of 2018, erroneously believing, based on written representations from JPM’s vendor, that all the documents were coded in a way to prevent permanent deletion of records still within the retention period required by Rule 17a-4(b).
In reality, the vendor had failed to properly apply the default 36-month retention setting to JPM’s communications domain. As a result, the troubleshooting exercise permanently deleted all of the emails in that domain and from that period that were not explicitly subject to legal holds.
In response to the deletion event, JPM implemented its own 36-month retention coding and updated its procedures to prohibit deletion tasks from being run on electronic communications within a period subject to regulatory retention requirements.
Those communications included many considered business records, which were required to be archived for three years pursuant to broker-dealer recordkeeping rules. And it led to approximately 47 million electronic communications belonging to as many as 7,500 employees who regularly worked with customers in the Chase banking retail group becoming unrecoverable.
In at least 12 civil securities-related regulatory investigations, eight of which were conducted by the SEC’s staff, JPM received subpoenas and document requests for communications that could not be retrieved or produced because they had been deleted permanently.
In response to the deletion event, JPM implemented its own 36-month retention coding, plus its Electronic Communications (eComm) Tech team updated its procedures to prohibit deletion tasks from being run on electronic communications within a period subject to regulatory retention requirements.
Senior level approval
JPM further required any employee seeking to run a deletion task to first obtain approval from a senior level information officer, and the whole eComm Tech team was trained on these new procedures.
JPM has its principal office in New York City and is registered with the Commission as a broker-dealer and as an investment adviser. It is a wholly owned subsidiary of the global financial services firm JPMorgan Chase & Co., also headquartered in New York.
As the SEC notes in its order, JPM has previously consented to orders finding violations of the recordkeeping requirements involving emails and text messages under Rule 17a-4.
In December 2021, it agreed to pay $200m to resolve charges from the SEC and the Commodity Futures Trading Commission (CFTC), paying the SEC $125m and the CFTC $75m.
Comprehensive review
JPM also agreed to retain a compliance consultant to help it conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices and the firm’s framework for addressing non-compliance by its employees with those policies and procedures.
JPM was not subject to the SEC’s September 2022 round-up of charges against 15 broker-dealers and one affiliated investment adviser for recordkeeping failures associated with employee use of “off-channel” or often unapproved forms of communication to discuss business, such as text messaging or online messaging services.
But that enforcement action (and the associated charges brought by the CFTC against 11 of those firms) formed the basis of speeches and regulatory notices to financial services firms, plus a memo to DOJ’s own staff and enforcement sweeps specifically focused on this issue.
This enforcement action demonstrates that regulatory scrutiny in this area continues and that it is essential to have good systems and processes in place to avoid inadvertently finding oneself in the regulatory cross-hairs.