JPMorgan’s $200 Million in Fines Ups the Ante for Recordkeeping Violations
Late last year, the Securities and Exchange Commission announced that J.P. Morgan Securities LLC had agreed to pay $125 million to help settle charges of “widespread and longstanding failures by the firm and its employees to maintain and preserve written communications” over the course of several years. On the same day, the Commodity Futures Trading Commission (“CFTC”) levied a $75 million fine against J.P. Morgan Securities (“JPMS”), along with two other JPMorgan Chase & Co. (“JPMorgan”) entities, for substantially similar conduct—bringing the combined total penalty involving the JPMorgan parent organization to $200 million.
In its press release, the SEC cited “firm-wide” failures by JPMS employees to comply with recordkeeping requirements by using personal email accounts, SMS text messages, and WhatsApp messages sent on personal devices to discuss the company’s securities business without retaining or preserving those written communications. Consequently, JPMS was unable to produce complete records to the SEC. The SEC charged JPMS with violating Rule 17a-4 of the Securities Exchange Act of 1934 by failing to keep appropriate records and failing to adequately supervise its employees.
The $200 million in total penalties by the SEC and CFTC is the largest aggregate financial sanction ever levied as a direct consequence of records preservation, maintenance, and production lapses. It underlines the importance of a comprehensive recordkeeping strategy that encompasses the full spectrum of technology platforms that employees may use to conduct business. It also provides insight into recordkeeping best practices, and illustrates just how serious the repercussions can be when those practices are ignored.
Widespread, Years-Long Recordkeeping Failures – Policies in Place, But No Oversight
According to the SEC, from at least July 2018 through November 2020, JPMS employees communicated with one another on platforms and devices out of the sight and reach of the company’s recordkeeping program. This practice was neither hidden nor sporadic: both supervisors and subordinates were aware that personal devices, personal email accounts, and messaging applications like WhatsApp were routinely used to communicate about business matters. JPMS allowed the practice to continue unabated. In one example highlighted by the SEC, a managing director used a personal device to communicate about securities matters.
JPMS maintained policies and procedures designed to ensure the retention of business-related records, including a prohibition on using unapproved electronic communication methods. JPMorgan policies also specifically forbade using WhatsApp for company business. But merely having these policies and procedures in place did not help the company’s case before federal regulators. Instead, the SEC cited significant policy violations, and the participation of the very supervisors charged with enforcing the policies, as factors in its decision to impose a penalty. Despite JPMS’ written policies expressly prohibiting communications on unapproved platforms, the SEC noted that employees continued to use these platforms without so much as a reprimand or a rebuke. JPMS’ policies were no doubt written with the intent to improve compliance and protect the company; instead, they may have worsened its position.
As part of its settlement with the SEC, the company is required to retain a compliance consultant to conduct a comprehensive review of and provide recommendations regarding its recordkeeping practices and related policies and procedures. This must include training, supervision, and enforcement. JPMS also must require the consultant to submit a one-year report to the SEC. For two years, JPMS must report any discipline imposed on employees for violating company preservation policies and procedures. The company must also improve its internal auditing and continue cooperating with the SEC. All of these consequences are likely to result in additional costs to the company and negative employment actions against some employees. However, analyzing the example set by JPMS yields several important lessons and conclusions for information management that companies and RIM professionals should take to heart.
Lesson #1: Lax RIM Practices Can Have Huge Consequences
In the universe of bad outcomes from poor recordkeeping, being unable to produce a record in a legal proceeding and, consequently, being slapped with an adverse inference (i.e., a judge instructing a jury to presume the worst about any missing records: that their absence is intended to conceal unfavorable evidence) once was considered among the worst. This is what happened to accounting firm Arthur Andersen in the 2000s in connection with the Enron scandal, and it resulted in the company’s felony conviction for obstruction of justice and, ultimately, its destruction.
Fast forward two decades and JPMorgan’s monumental penalties have significantly raised the bar. Enforcement of the EU GDPR also has resulted in some mammoth fines against prominent tech companies, but those penalties have been based on various violations of privacy rights rather than pure recordkeeping failures. The size of these SEC and CFTC sanctions underlines the seriousness with which regulators regard information management in the financial sector. In the context of capital markets, market information can mean the opportunity for tremendous profit or loss, and it can enable connected participants to manipulate trading to reap massive illicit gains. For this reason, proper information management is of paramount importance to capital markets companies and the regulators who oversee them.
Lesson #2: Platform-Neutral Information Governance Strategy Centered on Ease of Use is Key
The JPMorgan matters illustrate that as information technologies develop, businesses of all stripes must continuously adapt their information governance practices to keep pace. “Business records” are not defined by any particular format or technology, but rather by their information content—regardless of where or in what form that information exists. Emails, a WhatsApp message, or even an interaction on a yet-to-be-developed metaverse or blockchain platform all can constitute business records. Businesses should be aware that their records with ongoing value and associated preservation requirements can, and likely will, exist on any information system routinely used by employees.
One approach to managing communications across existing and emerging platforms is to simply forbid their use and erect technical roadblocks. But as the JPMorgan matters demonstrate, employees often ignore or evade those barriers. Furthermore, the existence of a policy foreclosing such behavior isn’t a surefire defense in either a practical or a regulatory sense—allowing a culture of impunity or flagrant disregard to develop and persist can potentially be just as bad as not having a policy at all.
To help avoid making the same RIM mistakes as JPMorgan, an effective practice may include making compliance simple, intuitive, and even automatic if possible. This allows information to be captured, retained, and managed seamlessly in the ordinary course. This also helps avoid forcing employees to adhere to cumbersome retention processes or retrace their steps to preserve records.
Businesses would do well to lean into the various information and communications platforms that are available. These include Microsoft Office 365’s Teams, Slack, Google’s G-Suite, Workplace from Facebook, Blink, and others. These platforms all allow communications and documents that are exchanged between employees to be easily captured and managed with retention rules. While it may be tempting to impose strict new processes intended to tightly manage communications, for many businesses, a better approach may be giving employees multiple options for communicating in ways that will feel natural to the rhythm of their work.
Consider this an alternative to imposing a completely new process that employees may regard as annoying, burdensome, or onerous. After all, a new bureaucratic layer that interferes with productivity is the last thing most organizations need. As a rule, companies should integrate recordkeeping into existing workflows through a system that enhances both productivity and compliance.
Once a business has settled on suitable options for capturing records, the next step is to incorporate those options into a holistic information governance plan and implement it. As a general matter, it’s a good idea to use API integrations wherever possible to automatically capture, store, and manage relevant information across different web-based, on-premises, and mobile device platforms. A broad constellation of desktop and mobile apps and other IT options are available to automatically capture, catalogue, and store business communications and then apply retention rules.
Lesson #3: Carefully Manage the Human Role and Tread Lightly
Having systems and processes to automatically capture business records is ideal, but even then, an element of direct human intervention may still be required to properly capture all records. For example, a business might require employees to store their files in designated locations like shared folders. For this, you’ll need a well-developed procedure that specifies steps employees must take to capture records.
It is important, though, that any procedure be detailed enough to prevent ambiguity. But the procedure also needs to incorporate a healthy dose of reality: generally, the more complications a procedure adds to an employee’s daily routine, the more tempted they are to avoid it. The lightest touch usually is the best approach, so temper your expectations for how much you can rely on employees to perform new recordkeeping tasks. A good objective often is to establish a process that requires less, not more, active human participation.
Once policies and procedures are in place, a business must make every reasonable effort to communicate them, then regularly re-communicate them to underline their importance and emphasize that they are a priority. Companies should establish a training program for all existing policies and procedures, train employees on new policies and procedures, and regularly refresh their understanding.
Also, keep clear and accurate records of the entire process. It often is helpful to administer tests to confirm employees’ understanding of policies and procedures. And a business should ensure it keeps clear, accurate records of training completion.
JPMorgan’s troubles highlight the dangers of merely establishing policies, then allowing them to fall by the wayside. A lack of follow-up risks fostering a culture of disregard and invites the significant associated consequences.
Lesson #4: Implement Effective Internal Controls & Audit Regularly
To further maximize compliance and minimize risk, a business should have systems in place to ensure accountability and identify any recordkeeping or other information management problems in a routine and systematic way. Implementing effective internal controls and conducting regular audits will ensure that information is being captured and managed as expected.
Internal controls should function as guardrails that help stop violations before they occur. Technology-based controls that prevent the manual deletion of messages or the storage of records in unapproved locations are a good start, but many other options are feasible. A sound approach to designing internal controls is to consider the most likely ways that things might go awry, then develop tripwires that either make those failures impossible or, at a minimum, promptly alert the company when a violation occurs.
Internal audits should be planned with a frequency and scope calculated to identify deficiencies in their early stages. This helps an organization cure violations long before major problems develop that can threaten the organization. Had JPMorgan conducted more aggressive audits earlier—and promptly worked to address and remediate any issues identified in those audits—it’s conceivable that the violations flagged by the SEC and CFTC would have been discovered and corrected long before they became a costly crisis. However, avoid scheduling audits so frequently and pervasively that they drain organizational resources or interfere with operations.
Lesson #5: Succeed by Embracing and Integrating Changing Technologies
Technological change is a fact of life, and businesses that can adapt to emerging ways of communicating, collaborating, and conducting business are more likely to thrive. Employees will adopt new technology platforms whether or not executives and IT managers like it. Forcing personnel to set aside those beloved technologies during their work life—especially considering the increasingly blurry line between work and personal life—is steadily becoming a more unreasonable demand. Setting up roadblocks to corral employees into outmoded methods of communicating and working can quickly become an exercise in futility.
Employees facing such constraints are more likely to become frustrated and dissatisfied with the business. Businesses that fail to design their information governance program to be nimble and adaptive to the constantly changing technological landscape will find themselves unable to keep up, and, as the actions against JPMorgan make clear, negative outcomes will follow.
Ultimately, records managers should view new technologies not as headaches that frustrate and complicate information governance efforts, but as opportunities for personnel to manage information better, work smarter, and improve business. By putting technological change at the center of your business’s information governance strategy and continuously integrating new ways to work and communicate, your personnel will have the tools and support they need to succeed for themselves and for your organization today and into the future.
The JPMorgan matters present a cautionary tale from which businesses handling records and employee communications on multiple platforms—that is, virtually all businesses—can draw a number of important conclusions. The hammer swung by regulators is now larger than ever, and it can come down very hard on businesses for lax RIM practices. To avoid something similar happening to your organization, make sure that compliance efforts are commensurate to the risks.
To design an adequate program, a platform-neutral approach touching all avenues and channels of the business is essential. Automatic recordkeeping should be favored wherever possible, but to the extent humans need to take deliberate steps to fulfill recordkeeping obligations, those steps need to be simple, minimally burdensome, and non-invasive. Once a practical and workable system is in place, constant and ongoing auditing, internal controls, trainings, and refreshers are needed to ensure the system continues to run smoothly and to catch any problems early.
Finally, although technological change creates the need for an adaptive RIM program that evolves along with it, change also creates new opportunities to make information governance easier and simpler. By adopting these lessons and incorporating them into a RIM program, businesses can improve information governance outcomes, minimize regulatory risks, benefit from new technologies, and minimize the pain of RIM compliance.
About Frank Fazzio
Frank is a Senior Analyst and licensed attorney with the Consulting division of Zasio Enterprises. Prior to his information governance consulting work, Frank worked with several large banks in New York to train their personnel on financial modeling and valuation methods. Frank’s legal education and background is focused on corporate law, regulatory compliance, bankruptcy, securities, and privacy. Frank’s responsibilities at Zasio include performing in-depth research on jurisdiction-specific laws and regulations, designing and updating enterprise records retention schedules, and advising on the application of retention requirements to client record systems.