SEC Fines JP Morgan $4M for Deleting Emails
The US Securities and Exchange Commission has fined JP Morgan Securities $4 million for deleting data related to Chase Bank. Under the Securities Exchange Act, JP Morgan is required to retain emails for three years; the 47 million messages in question, dated January through April 2018, were deleted in 2019. JP Morgan detected the issue and self-reported it to the SEC in 2020. JP Morgan says responsibility for deleting the data lies with a third-party vendor it hired to manage its archived data.
A lot of errors in this one. A third-party vendor service was claiming to be compliant with FINRA rules of enforcing 3-year retention requirements, but neither JP Morgan nor FINRA noticed that it really wasn’t. Good idea to check your processes or services to see if too little or too much deletion is really happening.
You can outsource the task but you cannot outsource the responsibility. Always make sure that your third-party suppliers are fully aware of the compliance, regulatory, legal, and contractual obligations your organization, and therefore they, have to operate under.
In a regulated space, archives are a big deal. Know your retention requirements, and what disposition means. In the public sector, that means you’re likely obligated to turn over records, including email, to the national archives.
This appears to have been a lapse by JP Morgan Securities in validating that the third-party vendor was meeting the compliance controls required for data retention. It’s a financially painful lesson for JP Morgan Securities but one that others can learn from.