JPMorgan Chase hit with almost $350 million in fines for gaps in trade surveillance data

With JPMorgan Chase being fined a considerable $350 million sum for “unsafe or unsound” practices around trade surveillance, what impacts will this have on how firms trade and communicate compliantly?

21 March 2024 7 mins read
by Jay Hampshire

In brief:

  • JPMorgan Chase has been fined nearly $350 million for deficiencies in its trade surveillance data capture procedures
  • The action, jointly taken by the OCC and Federal Reserve Board, also includes stipulations for the firm to undertake a comprehensive third-party review of policies
  • The size of the fine, combined with its intersection with previous cases of failures to capture comprehensive data, may indicate this is the next area of regulatory focus

It has been just over six months since the last substantial regulatory action sent shockwaves through the financial space, so the recent news of a near $350 million fine levied against JPMorgan Chase (JPMC) by the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board may feel like history repeating for those in the industry.

But whereas the Security and Exchange Commission (SEC)’s $289 million action was taken against 11 Wall Street firms for recordkeeping failures around off-channel communications, the OCC and Federal Reserve Board’s fine was levied solely against JPMC – and for something that might prove to be the next area of regulatory focus.

“Unsafe and unsound”

The joint actions, with the OCC fining JPMC $250 million and the Federal Reserve Board imposing a $98.2 million penalty, were taken against JPMC due to “deficiencies in its trade surveillance program”:

“The OCC found that JPMC operated with gaps in trading venue coverage and without adequate data controls required to maintain an effective trade surveillance program.”

The Federal Reserve Board’s summary also adds that JPMC “operated without adequate oversight and reconciliation processes to achieve effective and comprehensive trade surveillance” and failed to “monitor firm and client trading activities for market misconduct”.

The regulators found, that since at least 2019 (and possibly as far back as 2014), JPMC:

 “Operated with gaps in trading venue coverage and without adequate data controls required to maintain an effective trade surveillance program.”

Trading venues are digital platforms that “bring together multiple third-party buying or selling interests in financial instruments to perform a transaction”. By failing to establish effective processes and surveillance workflows, JPMC:

“Failed to surveil billions of instances of trading activity on at least 30 global trading venues.”

The OCC ruling summarized that the regulator “expects banks to perform trade surveillance to monitor the market conduct of its traders”, which JPMC was unable to evidence due to the huge volume of missing trade data. The OCC stated that these gaps in the surveillance program constitute “unsafe or unsound banking practices”.

Cut to the (JPMorgan) chase

Both regulators, as part of their case summaries, highlighted that the bank had self-identified the issue, which was confirmed by JPMC:

“A bank spokesperson said the firm self-identified the issue and is working to address the matter, and does not expect any disruption of existing client services. In addition, there was no evidence of employee misconduct or harm to clients or the broader market.”

Interestingly, self-reporting issues can sometimes lead to regulators reducing a fine (or not fining a firm at all) for non-compliance, urging that organizations take a “self-report, cooperate, and remediate” approach to regulatory relations. In this instance, however, it appears that JPMC’s proactivity might not mitigate all of these outcomes, perhaps due to the timescale and severity of the surveillance issue:

“JPMorgan disclosed in February that it expected to pay roughly $350 million in civil penalties for reporting incomplete trading data to surveillance platforms. It said at the time it was also in “advanced negotiations” with a third unnamed regulator that may not result in resolution.”

There may be more to come on this case should this “third unnamed regulator” follow the OCC and Federal Reserve Board’s examples and act against JPMC. Time will tell.

Making amends

Both the OCC and Federal Reserve Board rulings set out in no uncertain terms what actions JPMC need to take in the wake of this case – some of which are already in progress at the bank. JPMC must:

  • Take corrective actions to address the deficiencies in its trade surveillance program.
  • The firm is also required to provide a written report documenting the affected trading venue and activities, the volume of non-surveilled activity, and any related incidents of market misconduct
  • Seek the approval of both regulators before onboarding new trading venues, with JPMC being unable to onboard new trading venues without prior written non-objection
  • Obtain an independent third party to conduct a trade surveillance program assessment, including a written report of findings and recommendations from the review of surveillance policies and procedures

It’s little surprise that JPMC has chosen to ‘play ball’ with the regulators over this case and take proactive measures to correct the deficiencies in its compliance posture. In 2021, the firm was hit with a $200 million fine as part of the wider crackdown on off-channel communications, and fined a further $4 million in 2023 for the accidental deletion of 47 million electronic communications records – meaning the firm knows how the regulatory game is played.

Failure to communicate

While the issue in this case is around JPMC’s failure to capture and account for trading data due to insufficient surveillance practices and policies, it does echo the previous SEC crackdown on off-channel communications because the problem is missing data, and what that data can’t tell regulators.

The overlap between JPMC’s surveillance failures and the recordkeeping issues of other rulings is that, if a regulator were to request this data as part of an investigation, the firm wouldn’t be able to provide it – meaning it cannot be used to prove or disprove whether there were any instances of non-compliant activity. The SEC’s summary of JP Morgan’s previous email deletion case summarizes:

“Because the deleted records are unrecoverable, it is unknown – and unknowable – how the lost records may have affected the regulatory investigations.”

Each trading venue also includes communications functionality so that traders can discuss details and positions via the platform. This means that, where JPMC is missing “billions of instances of trading activity on at least 30 global trading venues”, it is also missing substantial quantities of communications data related to these trades – putting this in the same ballpark as other regulatory actions against communications recordkeeping failures.

Failure to communicate

A fine of this size inevitably leads to those across the industry sitting up and taking notice. Firms across the industry will taking steps to ensure they learn from this cautionary tale. So, how can you put these learnings into practice and strengthen your trade surveillance – and wider compliance – posture?

  • Refresh and review your oversight processes to make sure you have a complete picture of your trades, trading communications, and the data you capture. This can include making sure you have the right capture and connectivity solutions for trade data and for any bespoke communications channels around trades
  • Review your available surveillance and compliance budget and use this case as a ‘lever’ to open discussions about allocating more where it’s needed, even if budget has been consolidated overall
  • Consider your overall surveillance strategy – is your current solution optimized to spot the tell-tale signs of market abuse, rogue trading, and non-financial misconduct? 
  • Scrutinize any proposed new trading venues and consider whether they present a problem for compliant data capture – regulators aren’t insisting that all firms get the go-ahead on new trading venues before they’re implemented, but due diligence is vital
  • Review your end-to-end data lifecycle – your surveillance function is only as good as the data fed into it, whether it’s trading or communications data, so ensure upstream data providers are providing complete data (and that complete data is being captured and archived) is a must

From trading data sets to capture communications data and records of potential non-financial misconduct incidents – regulators are increasingly expecting firms to be able to supply complete datasets across a variety of areas. Ensuring that data is captured completely, stored securely, and can be surveilled for signs of risk are becoming must have capabilities to stay on the right side of regulators.