JPMorgan Securities, a subsidiary of JPMorgan Chase, has reached a $4 million settlement with the Securities and Exchange Commission to resolve charges that it deleted tens of millions of electronic communications that it should not have deleted.
According to the SEC’s cease-and-desist order, from January to April 2018, JPMorgan deleted “approximately 47 million electronic communications in about 8,700 electronic mailboxes” many of which were business records required to be retained pursuant Section 17(a) of the Exchange Act and Rule 17a-4(b)(4).
“Beginning in 2016, JPMorgan undertook a project to delete from its system older communications and documents no longer required to be retained,” the SEC order stated. “The deletion tasks implemented by JPMorgan employees in connection with the project experienced glitches, with the identified documents not, in fact, being expunged.”
In June 2019, while troubleshooting the issue, firm employees executed deletion tasks on electronic communications from the first quarter of 2018, “erroneously believing, based on written representations from JPMorgan’s archiving vendor,” that the electronic communications were coded in a way to prevent deletion of records that were within the 36-month required regulatory retention period, the SEC stated.
In reality, the vendor “did not apply the default retention settings in a particular email domain and those communications, including many required to be maintained pursuant to the broker-dealer recordkeeping rules, were permanently deleted,” the order continued. “Thus, approximately 47 million electronic communications of JPMorgan employees in the Chase banking retail group, thousands of whom were registered representatives of JPMorgan, are unrecoverable.”
According to the SEC, in at least 12 civil securities-related regulatory investigations, eight of which were conducted by SEC staff, JPMorgan received subpoenas and document requests for communications that could not be retrieved or produced, because they had been deleted permanently.
Following the deletion event, JPMorgan implemented its own 36-month retention coding. Additionally, JPMorgan’s eComm Tech team updated its procedures and were trained to prohibit deletion tasks from being run on electronic communications that are still under regulatory retention requirements, and any employee seeking to run a deletion task are now required to first obtain approval from a senior-level information officer.
JPMorgan reported the deletion event to the SEC in January 2020. It neither admitted nor denied wrongdoing in agreeing to the settlement. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.