The Collision of the Inept With The Incompetent -- A Wall Street Compliance and Regulatory Tale

December 22, 2021

There are times when brokerage firms implement half-assed compliance policies. Similarly, there are times when Wall Street's regulators promulgate half-assed regulations. All of which fosters compliance departments and industry regulators that are incapable of effectively enforcing their own rules. Among the most breathtaking sights on the financial services landscape is the lightshow that emerges from the collision of failed compliance with incompetent regulators. Sit back and enjoy today's fireworks!

Case in Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue,  SunTrust Robinson Humphrey, Inc. n/k/a Truist Securities, Inc. (referred herein as "SunTrust") submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. The AWC asserts that SunTrust has been a FINRA member firm since 1972 with about 1,169 registered persons at 26 branches. In the Matter of SunTrust Robinson Humphrey, Inc. n/k/a Truist Securities, Inc., Respondent (FINRA AWC 2018056299001)
https://www.finra.org/sites/default/files/fda_documents/2018056299001%20SunTrust%20Robinson%20Humphrey%2C%20Inc.%20nka%20Truist%20Securities%2C%20Inc.%20CRD%206271%20AWC%20sl.pdf

Flaggin' Emails

As alleged in part in the AWC:

From 2012 through 2017, SunTrust's supervisory system flagged 7,068,875 electronic communications for review. During that period, 855,770 flagged emails were not reviewed due to the filter setting. The firm retained the emails. 

SunTrust became aware of the electronic communications dropping out of the review set in April 2017. In November 2017, after conducting a review of the relevant process and technology issues, SunTrust expanded the filter setting so that unreviewed emails stayed in the review set for three months.[3] Subsequently, in April 2019, SunTrust adopted an electronic communications surveillance system that prevented emails flagged for review from dropping out of the review set.

. . .

From 2012 through 2017, the firm also failed to ensure newly onboarded employees' Bloomberg email addresses fed into the email review system. This resulted in SunTrust failing to review approximately 94,539 messages from 239 Bloomberg email messaging accounts associated with 97 associated persons. 

SunTrust's WSPs required a regular review for new Bloomberg addresses and submission of a technology ticket to link the Bloomberg account to the associated person's profile. Because SunTrust did not consistently implement its procedure, the firm failed to include Bloomberg email addresses in the IT profiles of 97 associated persons during the onboarding process. This resulted in the firm's email server, which fed into the firm's email review system, not capturing emails from certain Bloomberg email addresses. The firm retained all the messages. 

In October 2015, the firm discovered instances of the failure to ensure newly onboarded employees' Bloomberg email addresses were linked to its email server. SunTrust did not implement new procedures until July 2017. In July 2017, SunTrust, after conducting an end-to-end review, implemented a weekly reconciliation of email account information from Bloomberg to the firm's email review system.
= = =
Footnote 3: The firm subsequently hired a consultant to assist in the review of the backlog of electronic communications.

FINRA Sanctions

In accordance with the terms of the AWC, FINRA found that SunTrust had failed to timely review approximately 950,000 electronic messages in violation of NASD Rule 3010 and FINRA Rules 3110 and 2010; and the self-regulatory-organization imposed upon SunTrust a Censure and a $150,000 fine.

Bill Singer's Comment

Starting with the Wow Factor, we got SunTrust flagging 7,068,875 electronic communications for review. That's some big number there -- over seven million electronic communications. Moreover, let's at least give some credit where credit is due because the AWC concedes that "SunTrust's supervisory system flagged" those multi-million communications. SunTrust's supervisory system managed to detect over seven million items, which means it was likely sifting through a much larger number. How come those seven million items were flagged by the system? Well, the AWC explains that SunTrust:

had an automated email review system in place that alerted a designated supervisor to conduct a supervisory review for specified emails. SunTrust's email server fed into the firm's email review system.

Okay, as far as that goes, the automated system seems to have done its job in generating exception reports. Having called out several million items for review, what's next? The AWC alleges that:

SunTrust's email review system had a filter setting that limited the length of time flagged emails remained in the review set for supervisory review. This filter was set at an organizational level to two weeks, which meant emails not reviewed within two weeks dropped out of the supervisory review set. 

So, once items are flagged for review, those items were set aside for a SunTrust supervisor to come and look 'em over. And the bells clanged and the whistles blew for two weeks. What happened after those two weeks of cacophony if no one came to take a look?  Oddly, the AWC says that such flagged items "dropped out of the supervisory review set." If you ask me -- and, sure, go ahead and ask me -- that's a fairly dumbass supervisory system. Imagine you have a smoke alarm that only rings for two minutes and then goes silent. With the two-week design flaw embedded into SunTrust's supervisory system, the AWC admonishes that 855,770 flagged emails were never reviewed within the two-week horizon and, to use FINRA's euphemism, those hundreds of thousands of flagged messages wound up "dropping out" of the review protocol. 

What troubles me is that the two-week flagging issue started in 2012 -- and it was only in April 2017 (some five years later) that SunTrust became aware of the dropping-out issue. That prompted SunTrust to extend the two-week timer to a three-month timer in November 2017. Not exactly the swiftest of fixes (having taken some seven months to implement after the April 2017 discovery), but, sure, I'm at least giving the firm credit for detecting its failed supervisory protocol and taking steps to redress it. Moreover, since the firm terminated the sunsetting of flagged electronic communications in April 2019 and such items remained in the exception-run queue until reviewed, it seems that the firm tried to tweak its oversight. Hard to ask for more than that out of any Wall Street compliance department. Mistakes happen. It's the fixing of the mistakes that Wall Street regulation should promote, and that's what eventually happened here . . . sort of.

All of which should redirect our attention, for the moment, from SunTrust to FINRA. What's Wall Street's self-regulatory-organization to do when it discovers that for some five years a member firm was watching items flagged for supervisory review dissolve into oblivion? Notably, SunTrust's dissolving supervision extended from 2012 into 2019 (a total of some seven years), at which time a fix was implemented whereby nothing dissolved because there was no longer a countdown of any type. Offsetting all the good-will afforded SunTrust for trying to fix its supervisory hiccup, is the fact that just shy of one million emails never got reviewed but merely dissolved during various sunsetting timeouts. That's about 171,200 disappearing emails a year for each of five years, which works out to about 14,250 per month -- and to go a step farther, for a 20-business-day month, that works out to about 713 lost emails each day. Geez, Bill, when you put it that way, omigod, that's a bit scary and overwhelming. Yeah, I know, that's why I put it that way. As such, we can imagine that FINRA wasn't all that thrilled with the mess presented to it by SunTrust's wavin' flags and dissolvin' emails.

Setting aside those 14,000-plus disappearing emails for each month of a five-year span, the AWC presents a second regulatory/compliance miscue by SunTrust that ran concurrently during the 2012 through 2017 timeframe. The AWC alleged that SunTrust had failed to

ensure newly onboarded employees' Bloomberg email addresses fed into the email review system. This resulted in SunTrust failing to review approximately 94,539 messages from 239 Bloomberg email messaging accounts associated with 97 associated persons. 

Ouch! In terms of onboarded SunTrust employees' emails, it took nearly three years -- until October 2015 -- for the firm to discover the lapse and then it was only in July 2017 (some five years into the continuum) that the firm implemented what seems a workable solution via weekly reconciliation of newly onboarded employees' email addresses and the confirmation that those were entered into the firm's email review system. Again, ya gotta give SunTrust some credit for discovering the problem and trying to resolve it; however, you also need to take note of the fact that the firm knew about the issue in 2015 but only came up with a fix in 2017.

The most deafening silence in the SunTrust AWC is any reference to just where the hell FINRA was from 2012 through 2017, when the member firm's electronic communications oversight was so atrocious. 

Where the hell was FINRA's examination staff? 

How did FINRA not notice for years on end that some 800,000 electronic communications were never reviewed? 

It's not like we're talking about a few dozen missing messages or a handful of onboarded reps. The numbers speak for themselves. The extended passage of years speaks for itself. As damning a set of facts as the AWC presents against SunTrust's compliance department, the fact pattern presents an equally damning picture of FINRA's half-assed and ineffective regulation.

After weighing the facts and explanations and balancing the scales, it still seems to me that the SunTrust AWC comes up light in terms of imposing only a Censure and a $150,000 fine. What's bothering me . . . what's nagging me . . . is how FINRA justifies and how we're supposed to react to the Censure/six-figure-fine FINRA meted out to SunTrust and this:

https://www.sec.gov/news/press-release/2021-262
-and-
J.P. Morgan Securities LLC (JPMS), a broker-dealer subsidiary of JPMorgan Chase & Co., agreed to the entry of an SEC Order https://www.sec.gov/litigation/admin/2021/34-93807.pdf in which it admitted to the SEC's factual findings and its conclusion that the firm's conduct violated Section 17(a) of the Securities Exchange Act and Rules 17a-4(b)(4) and 17a-4(j) thereunder, and that the firm failed reasonably to supervise its employees with a view to preventing or detecting certain of its employees' aiding and abetting violations. Accordingly, JPMS was ordered to cease and desist from future violations of those provisions, was censured, and was ordered to pay the $125 million penalty; and, further, the firm agreed to retain a compliance consultant. Separately, the Commodity Futures Trading Commission announced a settlement with JPMS and affiliated entities for related conduct. As alleged in part in the SEC Release:

[JPMS] admitted that from at least January 2018 through November 2020, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. Indeed, supervisors, including managing directors and other senior supervisors - the very people responsible for implementing and ensuring compliance with JPMS's policies and procedures - used their personal devices to communicate about the firm's securities business.

JPMS received both subpoenas for documents and voluntary requests from SEC staff in numerous investigations during the time period that the firm failed to maintain required records. In responding to these subpoenas and requests, JPMS frequently did not search for relevant records contained on the personal devices of its employees. JPMS acknowledged that its recordkeeping failures deprived the SEC staff of timely access to evidence and potential sources of information for extended periods of time and in some instances permanently. As such, the firm's actions meaningfully impacted the SEC's ability to investigate potential violations of the federal securities laws.

JPMorgan Chase Bank, N.A., J.P. Morgan Securities LLC, and J.P. Morgan Securities plc (collectively, "JPMorgan") agreed to the entry of a CFTC Order  
https://www.cftc.gov/media/6836/enfjpmorganchasebankorder121721/download in which the firms admitted that since at least July 2015, JPMorgan employees, including those at senior levels, communicated both internally and externally on unapproved channels, including via personal text messages and WhatsApp messages; and that none of these written communications were maintained and preserved by JPMorgan, and they were not able to be furnished promptly to a CFTC representative when requested.  In accordance with the CFTC Order, JPMorgan will pay a $75 million civil monetary penalty; cease and desist from further violations of recordkeeping and supervision requirements, and engage in specified remedial undertakings. As alleged in part in the CFTC Release:

The order notes that during the course of a CFTC investigation into certain of JPMorgan's trading, CFTC staff issued subpoenas to JPMorgan for certain communications. The Division of Enforcement learned, based on communications received from a third party, that JPMorgan traders had been using personal text messages and WhatsApp to communicate. Moreover, certain of those communications were responsive to the CFTC's subpoenas. After CFTC staff brought the use of unapproved communication methods by certain of JPMorgan's traders to JPMorgan's attention, JPMorgan notified CFTC staff that the firm was aware of widespread and longstanding use by JPMorgan employees of unapproved methods to engage in business-related communications.

As a result of JPMorgan's failure to ensure that employees - including supervisors and senior-level employees - complied with the firm's communications policies and procedures, JPMorgan failed to maintain thousands of business-related communications in connection with its commodities and swaps businesses, and thus failed diligently to supervise its businesses as CFTC registrants, in violation of CFTC recordkeeping and supervision provisions.

For a better sense of the nature of JPM's noncompliant communications policies/procedures, consider this from Page 4 of the CFTC Order:

As a result of JPMorgan's failure to ensure that employees - including supervisors and senior-level employees - complied with the firm's communications policies and procedures, JPMorgan failed to maintain thousands of business-related communications in connection with its commodities and swaps businesses, and thus failed diligently to supervise its businesses as Commission registrants. These supervision failures resulted in the widespread use of nonapproved methods of communication by many JPMorgan employees in violation of the firm's policies and procedures, as well as a widespread failure to maintain certain records required to be maintained pursuant to Commission recordkeeping requirements.

An analysis, for example, of the three traders whose communications that were the subject of Commission subpoenas in the investigation noted above illustrates the breadth of JPMorgan's supervision and recordkeeping failures. An analysis of just those three custodians reveals the frequent use of non-approved methods to communicate with brokers and market participants. Further, those three traders' communications revealed that dozens more JPMorgan employees (including numerous supervisors, managing directors, and executive directors) conducted firm business on unapproved channels (including in hundreds of text and WhatsApp messages). Certain of these communications constituted records that were required to be kept pursuant to Commission recordkeeping requirements, and none of the communications were preserved and maintained by JPMorgan. 

JPMorgan's recordkeeping and supervision failures were firm-wide and involved employees at all levels of authority. Moreover, employees' use of unapproved communication methods was not hidden within the firm. To the contrary, certain supervisors - the very people responsible for supervising employees to prevent this misconduct - routinely communicated using unapproved channels on their personal devices. In fact, managing directors and senior supervisors responsible for implementing JPMorgan's policies and procedures, and for overseeing employees' compliance with those policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices about the firm's Commission-regulated businesses.

Similarly, consider this litany of noncompliance as set forth in the SEC Order:

5. From at least January 2018 through at least November 2020, JPMorgan employees often communicated about securities business matters on their personal devices, using text messaging applications (including WhatsApp) and personal email accounts. None of these records was preserved by the firm. The failure was firm-wide, and involved employees at all levels of authority. 

6. Moreover, this widespread practice was not hidden within the firm. To the contrary, supervisors - i.e., the very people responsible for supervising employees to prevent this misconduct - routinely communicated using their personal devices. In fact, dozens of managing directors across the firm and senior supervisors responsible for implementing JPMorgan's policies and procedures, and for overseeing employees' compliance with those policies and procedures, themselves failed to comply with firm policies by communicating using non-firm approved methods on their personal devices about the firm's securities business. 

7. JPMorgan received and responded to Commission subpoenas for documents and records requests in numerous Commission investigations during the time period that it failed to maintain required securities records relating to the business. In responding to these subpoenas and requests, JPMorgan frequently did not search for records contained on the personal devices of JPMorgan employees relevant to those inquiries. JPMorgan's recordkeeping failures impacted the Commission's ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations; the Commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently.

8. Commission staff brought the failure to produce text messages in an ongoing matter to JPMorgan's attention, and JPMorgan identified other recordkeeping failures that it subsequently reported to the staff. JPMorgan now has engaged in a review of certain recordkeeping failures and begun a program of remediation. As set forth in the Undertakings below, JPMorgan will retain a compliance consultant to review and assess the firm's remedial steps relating to JPMorgan's recordkeeping practices, policies and procedures, related supervisory practices and employment actions.

Ultimately, neither the SEC's nor the CFTC's sanctions will deter any future recordkeeping violations by any major industry firm -- about all that these sanctions will accomplish will be to further the unseemly cost-benefits analysis of noncompliance, which for all the millions of dollars in fines that are trumpeted in the regulators' press releases amounts to little more than a day's worth of toilet paper used at JPM. Yet another despicable and shameful example of Wall Street's double standard when it comes to the misconduct of the industry's largest member firms in contrast to the misconduct of the industry's smaller member firms or hundreds of thousands of registered representatives. 

Few examples of the troubling regulatory/compliance double-standard are more glaring than this:

Johnny E Burris, Plaintiff, v. JPMorgan Chase & Company, et al., Defendants (Order, 18-CV-03012, United States District Court for the District of Arizona / October 7, 2021)

Plaintiff Johnny Burris ("Plaintiff") worked as a financial advisor for J.P. Morgan Chase & Co. and J.P. Morgan Securities, LLC (together, "Defendants") until November 2012, when he was terminated. In this action, which was filed in September 2018 (following an array of related proceedings between the parties in other forums), Plaintiff contends that he was fired for complaining about Defendants' efforts to push investors into risky, "bank managed" financial products and then improperly blacklisted from the financial industry, in violation of the whistleblower retaliation provisions of the Sarbanes Oxley Act of 2002 and the Dodd-Frank Act of 2010. 

The current issues before the Court, however, have nothing to do with whistleblower retaliation. Instead, they arise from Plaintiff's systematic efforts to destroy electronically stored information ("ESI") from an array of phones, laptops, email accounts, and external storage devices. Plaintiff's evidence-destruction efforts took a variety of forms, including the repeated use of software programs called "BleachBit" and "iShredder," and spanned a period of years, beginning before (but in anticipation of) this litigation and accelerating as the litigation unfolded. Eventually, a court-appointed forensic expert was tasked with investigating the scope of Plaintiff's efforts to destroy ESI, but the day before Plaintiff produced certain devices to the expert, he used wiping software on them, too. Based on this and other conduct, the expert concluded, "to a reasonable degree of scientific certainty, that [Plaintiff] caused Potentially Relevant ESI to be irrevocably lost from his Electronic Media." (Doc. 73-1 at 3.)

Following the issuance of the expert's report, Defendants filed a motion for terminating sanctions. (Docs. 78 [sealed], 84 [unsealed].) That motion, as well as Plaintiff's motion for leave to belatedly submit certain exhibits in opposition to the sanctions motion (Doc. 92), are now fully briefed and ripe for resolution. For the reasons that follow, Defendants' motion is granted, Plaintiff's motion is denied, and this action is terminated.

Plaintiff does not propose any sanctions in lieu of dismissal, instead arguing that "there is no basis to impose any sanction whatsoever" (Doc. 89 at 1), but the Court would decline to impose lesser sanctions even if Plaintiff had proposed them. An adverse jury instruction or presumption that covers all of the destroyed evidence would have to be so broad that it would, itself, essentially terminate the case. Additionally, the sheer scope of Plaintiff's dishonesty and spoliation efforts - which the Court explicitly finds amounted to bad faith - makes this the rare case where it is impossible to have confidence that Defendants will ever have access to the true facts. Thus, the Court finds that although it did not impose alternative sanctions before dismissal, such sanctions are "not necessary" in this case. Valley Engineers, 158 F.3d at 1057.

Of course, dismissal will be highly prejudicial to Plaintiff. But Plaintiff already had the opportunity to litigate several of his termination-related claims on the merits, via a two-week FINRA arbitration. This somewhat reduces the prejudice of dismissal. At any rate, because Plaintiff has engaged in such extensive misconduct and deception, without any obvious contrition or awareness of the wrongfulness of his conduct, there is a serious risk that further proceedings will continue to be plagued by a "pattern of deception and discovery abuse [which makes] it impossible for the district court to conduct a trial with any reasonable assurance that the truth would be available." Id. at 1058. 

How nice, how goddamn wonderful it is that JPM gets to walk away from Burris' lawsuit over his purported destruction of information but when the firm fails to preserve similar records, it's afforded the magnanimous opportunity to pay a fine (out of the pockets of its shareholders!) and endure the unspeakable torture of, omigod, hiring an outside independent consultant. Talk about no consequences on Wall Street for the big and powerful. As to the underlying issues in Burris' ongoing battle with JPM and the industry's regulators, read:

Wall Street Whistleblower Johnny Burris Speaks Truth To Power (BrokeAndBroker.com Blog /  June 30, 2017)  http://www.brokeandbroker.com/3516/burris-whistleblower/

For those wondering just what the SEC or CFTC could have -- should have -- done to JPM, I would suggest you read: 

Historic Federal Reserve Restrictions On Wells Fargo (BrokeAndBroker.com Blog /  February 5, 2018) http://www.brokeandbroker.com/3808/federal-reserve-wells-fargo/
This is what effective regulation looks like!!!