Regulators with the Federal Reserve and the Office of the Comptroller of the Currency (“OCC”) have fined JP Morgan Chase & Co. a combined total of $348.2 million over the bank’s failure to monitor client trading activities between 2014 and 2023. The enforcement action is a testament to regulators’ emphasis on the importance of sound market conduct risk controls, to which diligent record-keeping remains paramount.

According to OCC, an investigation into JP Morgan’s trade surveillance practices revealed that the bank “failed to surveil billions of instances of trading activity on at least 30 global trading venues.” For years, JP Morgan’s trade surveillance program was riddled with gaps and blind spots, amounting to a pattern of “unsafe and unsound practices.” JP Morgan also failed to establish adequate governance over trading venues on which the bank is active.

This incident is the latest in a series of unfortunate, costly mishaps involving JP Morgan’s data management and record-keeping. In 2021, the bank was fined a combined $200 million by the Securities and Exchange Commission (“SEC”) and the Commodities Futures Trading Commission (“CFTC”) to settle charges relating to widespread use of personal email, SMS, and ephemeral messaging platforms (such as WhatsApp) by JP Morgan employees. Regulators at the SEC found this conduct to be in violation of Rule 17a-4 of the Securities Exchange Act of 1934, which requires that exchange members, brokers, and dealers keep appropriate records and adequately supervise their employees. Likewise, according to the CFTC, JP Morgan’s widespread allowance of personal device usage also ran afoul of the Commodity Exchange Act and related regulations.

At the time, JP Morgan’s $200 million fine was the largest ever relating specifically to a company’s failure to preserve, maintain, and produce records. In its 2021 SEC settlement, JP Morgan agreed to enhance its trading venue and data governance protocols, conduct a trade surveillance “lookback” to identify misconduct that may have initially been overlooked, undertake an internal audit, and retain an independent third-party to evaluate the bank’s existing processes and remediation related to the enforcement action’s findings.

However, there have been indications that the bank continues to struggle with data management and record-keeping. For example, in June 2023, the SEC assessed a $4 million fine against JP Morgan’s brokerage arm after it accidentally––and permanently––deleted some 47 million electronic communications, including emails and instant messages, that JP Morgan was required to keep records of. As a result, the bank was unable to comply with subpoenas and document requests in at least 12 civil securities-related regulatory investigations, as it simply no longer had the data that regulators were asking for.

All of which sets the stage for JP Morgan’s latest, blockbuster fine of $348.2 million (likely to grow larger still, after a third, unnamed regulator issues its own findings, according to a recent disclosure the bank made to investors). Regulators lost their patience with JP Morgan after seeking financial market activity data from the bank, which the bank was unable to provide across 30 different trading platforms and venues. This prevented regulators from effectively enforcing rules against insider trading and market manipulation, as access to complete data is essential for detecting misconduct.

JP Morgan’s struggles with data governance and effective record-keeping offer a number of important takeaways for banks seeking to remain on regulators’ good side. Obviously, banks must have fine-tuned record-keeping systems in place to preserve information in accordance with federal regulations. Employees must be sufficiently trained to understand their own, and the business’s, obligations with respect to data preservation. Regular audits should be undertaken to assess the organization’s compliance posture on this and related issues.

Looking to the future, the maintenance and preservation of employee communications, as well as the effective surveillance of market activity, will continue to be a priority for bank regulators. This information is essential to facilitate regulatory oversight, and banks should expect substantial penalties in the event that they are unable to produce it upon request.