Securities regulators are starting to look at how financial service firms are complying with rules on book-keeping and record retention as more employees work from home
The financial services sector has been hit with what might be the perfect storm. The global COVID-19 pandemic shuttered offices worldwide, forcing relocation to hastily assembled home offices that had workers using personal computers, phones, and other devices, rather than official office equipment. Consequently, many interactions between financial service personnel and others — including customers and counterparties — was and still is conducted using non-work place devices, and records of those interactions are generated by, and kept on, non-work platforms.
Not surprisingly under these circumstances, maintaining the books and records required by securities laws and rules becomes challenging.
As a former prosecutor with the Securities and Exchange Commission (SEC), I see these developments as creating another storm: one in which financial service firms are buffeted by investigations and enforcement actions for these books and records failures.
From a prosecutorial standpoint, prosecuting these cases is especially attractive. First, these are largely strict liability offenses, so wrongful intent need not be proven. Second, they are relatively easy to prove in most cases on an evidentiary basis. Either a firm has secured appropriate records, or it hasn’t — and often the presence of records on personal devices is sufficient evidence that their compliance may be lacking. Finally, because these are easier cases to prove due to lack of wrongful intent required and easier evidentiary burdens, these cases also tend to settle early, giving the SEC a sizeable win without requiring a concomitant commitment of prosecutorial resources during the litigation phase. Often, these cases can settle at the outset, without requiring an adversary proceeding.
At the beginning of the pandemic, I anticipated that widespread working from home would lead to an onslaught of books and records cases, and that it was likely that the SEC would conduct industry wide sweeps to ascertain which firms were complying with books and records requirements. Finally, the first of these cases has been filed and settled — and it is a doozy.
The JP Morgan case
By an SEC order dated December 17, 2021, JP Morgan Securities, a wealth management brokerage and subsidiary of JPMorgan Chase, agreed to enter into settled Order Instituting Proceedings (OIP), which set out a failure to comply with Sections 17(a)(1) of the Exchange Act and Rule 17a-4 thereunder, from January 2018 through November 2020. That compliance failure meant that JP Morgan Securities failed to preserve communications by employees about their securities business on personal devices, personal email, and other communication platforms. JP Morgan agreed to pay $125 million to the SEC and an additional $75 million to the Commodity Futures Trading Commission (along with some related entities). Among other things, JP Morgan conceded that, in response to various subpoenas from the SEC, it failed to search personal devices of its employees, thus failing to produce responsive materials.
Several factors stand out regarding this result. The first, obviously, is the sheer size of the awards. Even for a large international institution, $200 million is a sizeable sum. Importantly, the SEC award was entirely in the form of a penalty, with no disgorgement component. That is, JP Morgan received no improper benefit as a result of its compliance failures.
The second is that the OIP does not identify a single substantive violation of the securities law, or any misconduct that was allegedly concealed (other than the record-keeping violations). Employees were not using non-official channels, apparently, to engage in any misconduct, hide misconduct, or commit fraud.
The third is the identity, and size, of the SEC legal team that brought the case. While reading the press release, I recognized the enforcement personnel identified as including the most experienced, sophisticated, and accomplished attorneys within the SEC’s New York office. The fact that a murderer’s row of talented counsel brought this case together indicates, along with the size of the judgment, indicates the high level of importance placed by the SEC on books and records requirements.
Two lessons for the future
As a former prosecutor, I think there are two important lessons that can be drawn from the JP Morgan case. The first is that, while some of the conduct predates the pandemic, the proliferation of work-from-home arrangements, including use of non-workplace official equipment, can only lead to more cases. If an institution with a reputation for a robust compliance structure can fall afoul of these requirements, it is likely that the same defects plague many other financial services firms as well.
Second, the consequences are likely to extend beyond the legacy financial firms. There has been an explosion of newer finance platforms and fintech entities, often far younger companies without any robust and long-established compliance departments. These alternative finance platforms — often staffed by younger workers who are long accustomed to using multiple non-official platforms to communicate — could be playing a very risky compliance game with their official record-keeping.
Indeed, it is likely that whatever problems the major banks have in policing books and records violations will be multiplied in smaller, younger, and more aggressive companies. It should not be surprising if 2022 brings a wave of investigations and enforcement actions against these firms.