JP Morgan Chase Bank is on the hook for a $250 million civil money penalty after the Office of the Comptroller of the Currency (OCC) found the bank failed to maintain adequate internal controls and internal audit over its fiduciary business—an unsafe or unsound practice.
What exactly went wrong? While the enforcement action was short on details, we do know that for several years the bank maintained a weak management and control framework for its fiduciary activities, according to the OCC.
That includes:
The OCC says these audit and risk management deficiencies violated 12 CFR 9.9, which requires a suitable audit over all significant fiduciary activities.
A fiduciary relationship requires an institution to act for the benefit of the customer when acting on its behalf. The fact that the enforcement action mentions specifically mentions “an insufficient framework for avoiding conflicts of interest” suggests that JP Morgan Chase might not have been doing enough to ensure the actions of its employees were for the benefit of its clients—and not the benefit of the bank or its bankers.
It’s something the bank should have been actively policing, especially from a risk management perspective. Fiduciary activities are a source of significant risk. There’s compliance risk, which can cost the bank both financially with fines and strategically if it causes regulators to limit acquisitions or other expansions. There’s operational and transaction risk. There’s also significant reputation risk. Consumers remember headlines suggesting a financial institution can’t be trusted to take care of their assets.
There’s also the fact that JP Morgan Chase has gotten in trouble for similar problems in the past. In 2015 the bank had to pay over $300 million to the SEC and U.S. Commodities Future Trading Corporation and admit it failed to disclose conflicts of interest to clients between 2008 and 2013. (JP Morgan referred clients to invest in the firm’s own, higher-priced proprietary investment products without proper disclosures). Regulatory agencies don’t like repeat findings.
The bank should have interpreted that fine as a wake-up call to ensure its wealth management program had internal controls in place to proactively monitor and remediate potential conflicts of interest. Now the OCC says the bank has remediated the deficiencies that led to the OCC’s action.
Not every financial institution engages in wealth management, but every FI needs a sufficient audit and risk management program. These two areas work in tandem to protect the FI from risk. These two functions, along with employees charged with following policies and procedures, make up the three lines of defense.
Looking at the JP Morgan Chase enforcement action, it’s possible that all three lines of defense failed.
First line of defense: Employees. Conflicts of interest that benefit an institution’s bottom line don’t just happen. Someone makes that choice. Were employees incentivized to make choices that resulted in conflicts of interest? Was this incentive intended or unintended? Did their managers know they were making this decision and choosing to ignore it or were they ignorant? There’s plenty of potential blame to go around. If the first line of defense was functioning, employees would be following policies and procedures. That leads us to the role of the second line of defense.
Second line of defense: Risk management and compliance. Risk management and compliance create and execute the policies, procedures, and systems that oversee and guide the first line of defense. Risk management should have recognized that its fiduciary business was high-risk and required an increased level of risk management, mitigation, and monitoring. There should have been policies and procedures in place to prevent and detect conflicts of interest. Either these policies didn’t exist or weren’t effective. The framework for managing this risk was insufficient and internal controls were inadequate.
Third line of defense: Audit. The audit program ensures internal and external auditors independently evaluate risks and controls, especially those designed to manage high-risk activities. The audit program at JP Morgan Chase was insufficient. It was probably stymied by poor internal controls. It’s hard to follow up on the effectiveness of controls that aren’t appropriate in the first place, but a good audit program would have noticed controls weren’t doing their job.
Read also: Credibility in an Era of Misinformation: What is the Purpose of Auditing
Are you confident your bank’s three lines of defense are working? If there is a flaw in one line, it can reduce the impact of your other defenses. Make sure you have all the tools you need to keep everyone at your institution managing risk.
For more insights into the third line of defense, download our whitepaper, Best Practices for Tracking Audit & Exam Findings.