JP Morgan accidentally deletes evidence in multi-million record retention screwup

JP Morgan has been fined $4 million by America's securities watchdog, the SEC, for deleting millions of email records dating from 2018 relating to its Chase Bank subsidiary.

The financial services giant apparently deleted somewhere in the region of 47 million electronic communications records from about 8,700 electronic mailboxes covering the period January 1 through to April 23, 2018.

Many of these, it turns out, were business records that were required to be retained under the Securities Exchange Act of 1934, the SEC said in a filing [PDF] detailing its findings.

Worse still, the screwup meant that it couldn't produce evidence that that the SEC and others subpoenaed in their investigations. "In at least 12 civil securities-related regulatory investigations, eight of which were conducted by the Commission staff, JPMorgan received subpoenas and document requests for communications which could not be retrieved or produced because they had been deleted permanently," the SEC says.

What went wrong?

The trouble for JP Morgan can be traced to a project where the company aimed to delete from its systems any older communications and documents that were no longer required to be retained.

According to the SEC’s summary, the project experienced “glitches,” with those documents identified for deletion failing to be deleted under the processes implemented by JPMorgan.

Troubleshooting? Try trouble overshooting

When troubleshooting the issue, workers carried out deletion tasks on electronic communications from the first quarter of 2018. This was apparently done under the belief that all the documents were stored in such a way that it would not be possible to permanently delete any records within the 36 month regulatory retention period specified by the Exchange Act.

For its part, JP Morgan places the blame squarely on an unnamed archiving vendor that it hired to handle the storage for its communications.

The vendor had apparently assured both JP Morgan and the Financial Industry Regulatory Authority (FINRA) on multiple occasions that its media storage complied with the relevant Exchange Act rules regarding the 36 month retention period, and therefore documents falling within that period were protected from deletion.

In addition, JP Morgan says that extra coding was applied to mailboxes which were subject to “legal holds” in order to prevent the deletion of documents required to be maintained for other purposes, such as litigation.

However, the reality turned out to be otherwise. In June 2019, a team from the Corporate Compliance Technology department was working on the project to delete any electronic communications, which included emails and instant messages that were no longer required to be retained.

When the procedures developed by JP Morgan and the vendor failed to delete the appropriate documents, the team tried to troubleshoot the process, running deletion tasks across multiple time periods including emails from January 1 through to April 23, 2018.

This was apparently done under the belief that safeguards were in place that would block the deletion of any records that were required to be retained.

But it seems the vendor had failed to properly apply the retention setting to the “Chase” domain within JP Morgan, leading to all emails within in it being permanently deleted, save those that were protected by the extra coding on “legal holds.”

According to JP Morgan, it only became aware of this in October of 2019 when the company’s legal discovery team found that electronic communications were missing from the early 2018 time period. It reported the incident to the SEC in January 2020.

• JP Morgan must face suit from Ray-Ban maker after crooks drained $272m from accounts
• Banks face their 'darkest hour' as malware steps up, maker of antivirus says
• Ever suspected bankers used WhatsApp comms at work? $1.8b says you're right
• 'Sharp' chip inventory correction looms on horizon, warns investment banker

In response to the incident, JP Morgan said it had implemented its own 36 month retention coding, and overhauled its operating procedures. These prevent deletion tasks from being run on electronic communications still subject to retention requirements, and also require that any employee seeking to run a deletion task must obtain approval from a senior level information officer.

The SEC found that JP Morgan had “wilfully violated Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder” which require broker-dealers to preserve for at least three years all communications received and copies of all communications sent relating to its business.

The company was ordered to cease and desist from committing or causing any future violations, and to pay a penalty of $4 million to the SEC.

In a statement, the company told us that: “JP Morgan takes its record keeping obligations seriously. We have taken steps to enhance our process and procedures.” ®