The bank has been fined $250m by the OCC and $98m by the US Fed in a joint action by the two agencies.

The OCC investigation found that, since at least 2019, the trade surveillance program at JP Morgan has “operated with certain deficiencies that have compromised its effectiveness”.

The bank failed to establish “adequate governance over trading venues on which it is active” and had in place a trade surveillance program that “operated with gaps in venue coverage and without adequate data controls”.

Onboarding new venues restricted

Both the OCC and the Fed have highlighted the fact that the bank has been fully cooperative and that corrective action at the bank is already in progress, but both have restricted the onboarding of new venues by the bank without their explicit approval. And this suggests a continuing lack of confidence in the systems and processes currently in place.

Rob Mason, director of regulatory intelligence at Global Relay, suggested that the size of the fine “is sending shockwaves through the industry and will be a key lever for firms, especially the bigger banks, to acquire much needed budget at a time when there is general consolidation in the surveillance compliance area.”

He drew a parallel between this regulatory action and those connected to recordkeeping issues, pointing out that the underlying problem is a very large and incomplete data set that has not been captured or reviewed and is not available for the regulator to scrutinize.

Remedial action ordered

The remedial action ordered by the OCC is exhaustive and also reveals a little bit more about the extent of the problems that has led to these sizeable fines. The OCC has ordered:

• a restriction on the on-boarding of new venues;
• enhancements to the trading venue and data governance program including the design and implementation of:
  • policies and procedures providing for:
    • trading venue governance;
    • data governance;
    • related controls;
  • trade surveillance data governance and related control processes consistent with the bank’s own policies and standards;
  • processes to maintain accurate and complete trading venue inventories;
  • risk assessment processes ensuring trading venues with the risk of misconduct are subject to trade surveillance;
  • auditable and version-controlled reliable source for venue data configuration;
  • trading venue and data change management controls;
  • automated reconciliation of venue order and trade data and compensating controls where market automation is not available;
  • reporting to ensure effective governance of venues and trade data;
  • effective second-line oversight of;
    • trading venue governance;
    • data governance;
    • related controls;
• a review or “lookback” of the historical trade data, including the identification of any market misconduct;
• the retention of a third party  to assess the trade surveillance program;
• the enhancement of the trade surveillance internal audit program.

The Fed has ordered the bank to:

• complete an ongoing review of trading during the period when its surveillance was inadequate and provide a written report that includes any instances of market misconduct;
• retain an independent party to assess and prepare a report on the trade surveillance program covering:
  • policies and procedures;
  • board of director oversight;
  • trading venue inventory and risk assessment controls;
  • automated data reconciliation and compensating controls where automation is not available;
  • calibration of scenarios and parameters ensuring reasonable market misconduct detection;
  • routine and annual monitoring, testing and assessment.

In addition the bank will be able to on-board new trading venues only after securing prior written non-objection from the Fed.

Although the extensive nature of the failings is a little surprising and is the reason for the very substantial fines, it has been clear for some time that regulators are putting increased pressure on financial services firms to carry out forensic testing and data analytics on trades, orders and other critical data points.

And in fact, regulators themselves are using technology that detects this kind of activity among the firms they regulate, enhancing their expectation that firms follow suit and recognize the need to detect manipulative and unusual trading patters in a timely way.

GRIP Comment

The principal practical problem for the bank now is the sheer volume of data, involving a number of different data sets, that now need to be captured or re-captured and then analyzed.

With both regulators asking for regular reports and setting strict deadlines for compliance with their remedial action points the pressure on the teams responsible will be immense.

Although the trading venues for which trade surveillance was deficient have not been identified the number of trades being in the billions as well as their designation as “global trading venues” in the orders suggests that these would not have been insubstantial operations, which begs the question how and why trade surveillance for them could have been so sorely lacking if not absent outright.

Rob Mason: “This may well not be classified as a surveillance failing because the surveillance team can only work with the data that is being delivered to it. Completeness checks and audits need to be performed to ensure that upstream data providers have given them comprehensive data sets. And in this instance the population of venues for which data was being supplied to surveillance appears to have been incomplete.

“Attestations for data completeness from upstream data owners does provide some oversight and control, but a more thorough reconciliation will be a requirement going forward to validate the capture of complete populations.”