Happy New Year! I hope you had an enjoyable holiday season. At least happier than that of JP Morgan Securities, which, right before Christmas, got to write checks to the SEC and the CFTC totaling $200 million. That’s a lot, even for JPMS. How did this happen?
Well, the story starts with a very old, and very broad, SEC rule, specifically, SEC Rule 17a-4(b)(4), which, since 1939 (as best I can determine) has required that broker-dealers preserve in an easily accessible place originals of all communications sent and received relating to the firm’s “business as such.” It was probably never easy to divine with much precision exactly what “business as such” means, but, clearly, this somewhat odd phrase was deliberately employed to capture an extremely wide swath of documents. So, for convenience sake, let’s say that it covers pretty much everything that anyone at a BD – but particularly the management of a BD – sends or receives that’s got anything whatsoever to do with the firm’s business. Unsolicited emails to buy generic Viagra? Feel free to delete those, but be careful with everything else.
Regardless, when all of a firm’s records were in paper form, it was a relatively easy proposition to keep track of and preserve the documents covered by the rule just by putting them in manila folders in a filing cabinet in the corner of the office. But, the world moved on from paper. Recognizing that, in 1970, the SEC permitted BDs to keep their records on microfilm. In 1993, through a no-action letter, the SEC recognized the optical disk as an acceptable means of storing communications. Then, in 1997, the codified and expanded this concept, approving any electronic storage medium to be utilized.
While the SEC should be commended for its attempt to keep up with the times, the times always manage to stay out ahead. Which is what caused the problem for JPMS. Specifically, the problem is that today, people communicate – A LOT – through personal devices, using specialized apps that no one could have contemplated when the rule was promulgated decades ago. But the SEC rule doesn’t care about that; the rule requires that ANY communication relating to the firm’s business must be captured, reviewed and preserved. Doesn’t matter how the communication was sent, whether it was paper or electronic or carrier pigeon or semaphore.
Most firms address this problem – the difficulty of simply being aware of communications being sent from personal devices – by flat-out forbidding their registered people from conducting firm business on their personal phones, laptops and tablets. Indeed, that’s what JPMS did. It’s just very, very hard to enforce such a policy because it runs completely contrary to how people act in 2022.
You want proof? Last year, in what now looks like the tip of the iceberg, the SEC settled a case with JonesTrading Institutional Services, a California BD, and tagged it with a $100,000 civil penalty because it “failed to preserve business-related text messages sent or received by several of its registered representatives on their personal devices when communicating with each other, with firm customers, and with other third parties.” Notably, the SEC found that “JonesTrading’s senior management were among those sending and receiving business-related text messages that were not retained by the firm.” Ouch.
It seems that the SEC must have figured, gee, if JonesTrading does this, what about everyone else? In October 2021, Gurbir Grewal, the Director of the SEC’s Division of Enforcement, citing the JonesTrading case, gave a speech in which he issued this not-so-cryptic warning:
Recordkeeping violations may not grab the headlines, but the underlying obligations are essential to market integrity and enforcement. . . . We continue to see in multiple investigations instances where one party or firm that used off-channel communications has preserved and produced them, while the other has not. Not only do these failures delay and obstruct investigations, they raise broader accountability, integrity and spoliation issues.
Shortly after that, the news broke that the SEC was conducting a “sweep,” looking for the same issues it had spotted at JonesTrading. And poor JPMS got caught in the SEC’s net. I venture to say it won’t be the last, because I believe that most firms, maybe even the vast majority of firms, are guilty of doing the same things as JonesTrading and JPMS.
This raises the question whether the problem is the way broker-dealers conduct their business, or whether the rule needs updating to reflect the reality that the ability to capture and preserve all communications that relate to a firm’s business as such is highly dubious given the ubiquity of personal communication devices. Candidly, I am not sure how the rule ought to read; I just know that it seems a bit unfair to tag a firm for $200 million in fines for doing what everyone else is also doing.
With that said, I suppose there are some lessons to glean from JPMS’s SEC settlement.
First, it should be noted, again, that JPMS did have a policy providing that “the use of unapproved electronic communications methods, including on their personal devices, was not permitted, and they should not use personal email, chats or text applications for business purposes, or forward work-related communications to their personal devices.” If you don’t already have such a policy, you need one. That’s the easy part, and there’s no excuse for failing to do even that.
Second, JPMS also “had procedures for all employees, including supervisors, requiring annual self-attestation of compliance” with its prohibition on the use of personal devices for business communications. So, again, points to JPMS, and another good practice to adopt.
Unfortunately, JPMS “failed to implement a system of follow-up and review to determine that supervisors’ responsibility to supervise was being reasonably exercised so that the supervisors could prevent and detect employees’ violations of the books and records requirements.” The firm also “failed to implement sufficient monitoring to assure that its recordkeeping and communications policies were being followed.” What does that mean in real terms? It means that “[e]ven after the firm became aware of significant violations, the widespread recordkeeping failures and supervisory lapses continued with a significant number of JPMorgan employees failing to follow basic recordkeeping requirements.”
Looking at this quantitatively, you can perhaps see why the fine was so big:
- An executive director and co-supervisor of the high grade credit trading desk launched a WhatsApp group chat entitled “Portfolio Trading/auto ex” on April 24, 2019, and invited the other 19 members of the trading desk to join. From April 24 through December 16, 2019, at least 1,100 messages were sent among the chat group, nearly all of which concerned the firm’s securities business;
- From at least November 2019 through November 2020, an executive director who worked on the capital markets desk texted with more than a 100 colleagues, including the investment bank, and with dozens of managing directors and heads of several business lines;
- The same executive director also texted with dozens of firm clients, third-party advisers, and market participants;
- In all, this executive director texted more than 2,400 times in the one-year period, discussing various aspects of the high yield and leveraged loan capital markets business;
- Between at least January 2018 and November 2019, firm employees, including desk heads, managing directors, and other senior executives sent and received more than 21,000 securities business-related text and email messages using unapproved communications methods on their personal devices.
This probably all sounds worse than it should simply by virtue of the fact that JPMC is a big firm, with lots of clients and lots of employees, so necessarily the numbers are high. I am thoroughly convinced, however, that the phenomenon cited in the settlement – that even the respondent’s senior executives use personal devices for firm business, thereby preventing those communications from being preserved – is commonplace in the industry.
Which brings me back to the rule itself: if there exists a rule that is, basically, impossible to comply with, but which carries a crazy expensive price tag for compliance failures, then there is a problem with the rule and not with the firms that are found to have violated it. I am sure that additional settlements will be forthcoming, and the facts will sound much like those in the JPMC settlement. All the more reason to consider how this cranky old rule can be dragged into the 21st century.