Matt Levine has quickly become one of my favorite newsletter editors. You may not have heard of him, but I think you’re going to like him as much as I do once you get a taste of his work. See, he edits a newsletter called “Money Stuff” for Bloomberg, the business network, and it’s pure gold. I invite you to check out his archive for a few good laughs… but also occasionally serious or thought-provoking comments about financial and business issues. (I particularly liked the ongoing wallopings he delivered to WeWork and its disgraced CEO during its slow disintegration. Masterful stuff!)
I have a specific column in mind—just before Christmas, Matt wrote a newsletter called “JP Morgan Sent the Wrong Emails.” It recounts the whopping $200 million fine levied against JPMorgan Chase & Co. for “recordkeeping failures.” That sounds bad, right? Here’s what Matt had to say:
There is a model of compliance in which you do a lot of formalized compliance stuff to reduce the risk of doing crimes. If you fail to do the formalized compliance stuff, you might do crimes, and if you do crimes you will get in bad trouble. But the giant banks are too big and too regulated for that model. In giant banks, the model is that the formalized compliance stuff becomes an end in itself, and if you don’t do it right you can be fined two hundred million dollars even if you don’t also do substantive crimes. This is partly because, if your bank is big enough, somebody is always doing crimes, so formalized compliance programs are the way to distinguish “a few bad actors did crimes, but we tried to stop them” from “we have a culture of doing crimes.” But it is also because the formalized compliance stuff is very legible to regulators and very easy to catch.
Let’s unpack that a little. See, in this case, what happened, according to the Securities and Exchange Commission announcement of the fines, is that…
…an executive director and co-supervisor of the high-grade credit trading desk launched a WhatsApp group chat entitled “Portfolio Trading/auto ex” on April 24, 2019, and invited the other nineteen members of the trading desk to join.
From April 24 through December 16, 2019, at least 1,100 messages were sent among the chat group. Nearly all of the chat messages concerned the firm’s securities business, including investment strategy; discussions of client meetings; and communications about market color, analysis, activity trends or events.
One of the key distinctions in common law (which underpins the US and UK legal systems and was a large influence in other countries) is between something which is inherently bad (malum in se—stuff like murder or rape, which is always bad no matter what) and something which is bad because it is forbidden (malum prohibitum, like speeding or jaywalking). The SEC is not saying that the JPMorgan staffers did any crimes—they’re saying that their failure to use the “correct” communications system was in itself a crime (as clear an example of malum prohibitum as you’ll ever find).
The SEC goes on to say that:
As described in the SEC’s order, JPMS admitted that from at least January 2018 through November 2020, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. Indeed, supervisors, including managing directors and other senior supervisors – the very people responsible for implementing and ensuring compliance with JPMS’s policies and procedures – used their personal devices to communicate about the firm’s securities business.
Now this fine gets even more interesting. JPMorgan had to pay $200 million because a) its employees were “communicat[ing] about securities business matters on their personal devices”, b) the records they generated were not “preserved by the firm as required by federal securities laws,” c) “these failures were firm-wide”, and d) the compliance team was doing the same thing. That’s quite a combination.
Let’s say you work for a large financial company, and you are not doing any crimes but also do not want to cause your employer to have to pay nearly a quarter-billion dollars. Since the SEC says, “we will continue to hold market participants accountable for violating our time-tested recordkeeping requirements,” you might wonder how you can avoid JPMorgan’s fate.
One way to think about this is that JPMorgan will probably factor in the $200 million as a cost of doing business, fire a few token offenders, and keep on trucking. You might argue that it would cost the bank more than $200 million to deploy more compliance measures, or to restrict its employees from using shadow IT to do their jobs. So, you might shrug and decide to take your chances.
A better way to think about it is from the standpoint of prevention. As Levine says about the executive director named in the complaint, “This guy is not a criminal mastermind. This is a guy whose job is to type electronic messages about bond deals, and he did his job, but he typed the messages in the wrong box.” Did he know it was the wrong box? (The SEC said “yes.”) Did the company do anything to prevent, delay, or block access to the wrong box, or even to tell people “hey, don’t do that?” Apparently not, which is why they just paid enough of a fine to run the US National Park Service for 11 months.
What does this have to do with Microsoft 365? Plenty. Microsoft has invested heavily in adding compliance features both to control and to surveil various aspects of M365 workloads. Despite this investment, and the large investment in evangelizing and marketing these features, I think it’s fair to say that these tools won’t help you prevent people from doing crimes in your M365 system, nor will they prevent the specific problem that JPMorgan ran into. There are other parts of the M365 ecosystem that might be useful; for example, you might be able to prevent users on your network (or on your managed endpoints) from accessing personal email accounts or WhatsApp or whatever.
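The “prevent, delay, or block access to the wrong box” idea above is the kind of control that is cheap to check for. The following is an added example, not code from the original post or from Microsoft: a small Python script that reads web-proxy log lines and reports which users on managed endpoints reached unsanctioned messaging or personal-email services without being blocked. The log format, the domain list, and the sample lines are all constructed assumptions for illustration; a real deployment would pull the domain list from the organization’s sanctioned-app inventory.

```python
"""Flag egress to unsanctioned messaging and personal-email services.

Added example (not from the original post): a minimal review a compliance or
security team could run over web-proxy logs to spot managed endpoints reaching
"the wrong box". The domains, the log format, and the sample lines below are
constructed assumptions for illustration, not a real policy or real traffic.
"""
import re
from collections import defaultdict

# Assumed blocklist. A real deployment would derive this from the
# organization's sanctioned-app inventory rather than a hard-coded dict.
UNSANCTIONED = {
    "web.whatsapp.com": "messaging",
    "mail.google.com": "personal-email",
    "outlook.live.com": "personal-email",
}

# Assumed proxy log format: "<ts> <user> <src_ip> <host> <url> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<url>\S+) (?P<action>\S+)$"
)

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
2019-04-24T09:01:12Z jdoe 10.1.2.3 web.whatsapp.com https://web.whatsapp.com/ ALLOWED
2019-04-24T09:02:40Z jdoe 10.1.2.3 outlook.office.com https://outlook.office.com/mail ALLOWED
2019-04-24T09:05:03Z asmith 10.1.2.9 mail.google.com https://mail.google.com/mail/u/0 ALLOWED
2019-04-24T09:07:55Z asmith 10.1.2.9 teams.microsoft.com https://teams.microsoft.com/ ALLOWED
2019-04-24T09:09:10Z bjones 10.1.2.14 web.whatsapp.com https://web.whatsapp.com/ BLOCKED
corrupt entry
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_host(host):
    """Map a host to a category if it is an unsanctioned domain or a subdomain of one."""
    for domain, category in UNSANCTIONED.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None


def find_violations(log_text):
    """Return (allowed_hits_by_user, blocked_count).

    ALLOWED requests to unsanctioned services are the gap a regulator would
    ask about; BLOCKED requests are counted separately because they are the
    evidence that the control actually fired.
    """
    allowed = defaultdict(list)
    blocked = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed lines are skipped, not silently misread
        category = classify_host(rec["host"])
        if category is None:
            continue  # sanctioned destination
        if rec["action"] == "BLOCKED":
            blocked += 1
        else:
            allowed[rec["user"]].append((rec["ts"], rec["host"], category))
    return dict(allowed), blocked


if __name__ == "__main__":
    hits, blocked_count = find_violations(SAMPLE_LOG)
    for user, events in hits.items():
        for ts, host, category in events:
            print(f"{ts} {user} reached {host} ({category}) without being blocked")
    print(f"{blocked_count} request(s) to unsanctioned services were blocked by policy")
```

On the constructed sample this reports jdoe reaching WhatsApp Web and asmith reaching a personal Gmail account, and one blocked WhatsApp request; the point is that the same log review answers both questions the post raises, whether anyone is using the wrong box and whether the control you paid for is doing anything.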
Matt closes his column with this observation:
There are tons of startups and tech companies and crypto projects that have under-invested in compliance and formality and record-keeping, and have justified it by saying “we have a good culture and trust our people to do the right thing without a lot of rules,” or “it’s better to ask forgiveness than to ask permission,” or “ehhhh those laws are pretty antiquated, what are the odds that they apply to us?” And here are JPMorgan’s bankers very earnestly discussing deals with colleagues and clients in the wrong text boxes on the wrong phones, and they paid a $200 million fine.
At the end of this episode, what I take from it is this: there’s a fundamental limitation of all compliance and information protection tools. They keep honest people honest, but they can be circumvented with enough effort. In this particular case, the problem is worse: there wasn’t even any effort! Whether because of a lack of training, a lack of giving a damn, or a desire to do their jobs without extra friction, the JPMorganites staged an end run around the existing (and no doubt costly) compliance mechanisms already in place. Perhaps it’s worth reflecting on how you budget for compliance and whether that budget might be better allocated to more training, more tools, or better attorneys. Think about it; meanwhile, don’t do crimes even though everything is securities fraud.