As highlighted here and here, in November 2016 JPMorgan (and related entities) resolved a $202.6 million DOJ and SEC Foreign Corrupt Practices Act enforcement action based on its alleged improper hiring and internship practices that the U.S. government has labeled bribery and corruption.
The DOJ action was resolved through a three year non-prosecution agreement involving JPMorgan Securities (Asia Pacific) Limited (“JPMorgan-APAC), a wholly subsidiary of JP Morgan, which involved a variety of requirements and undertakings imposed upon the company – as is typical in resolving FCPA enforcement actions.
Recently, Shaquala Williams (a former employee of JPMorgan in New York city) filed a civil complaint in federal court (S.D.N.Y) against JPMorgan. In summary fashion, the complaint alleges:
“Williams, a Black woman, is an attorney and financial crimes compliance professional with over a decade of experience. In June 2018, Williams joined JPMorgan in its Global Anti-Corruption Compliance (“GACC”) organization. During Williams’s tenure, she repeatedly tried to address material misconduct at the Bank that she reasonably believed broke the laws, regulations, and rules designed to prevent fraud against shareholders, to ensure that shareholders and the Securities and Exchange Commission (the “SEC”) have an accurate picture of a company’s finances, and to avoid corruption. Williams raised concerns that the Bank’s conduct violated, inter alia, a non-prosecution agreement with the United States Department of Justice (the “DOJ”); an SEC Cease and Desist order; provisions of Federal law relating to fraud against shareholders; and SEC rules and regulations, including those mandating adequate internal controls to prevent and detect material misrepresentations and fraud and those requiring accurate and reasonably detailed books and records.
In response to Williams’s efforts to address her concerns about the Bank’s legal violations, her managers were dismissive and hostile toward her. Williams had no choice but to escalate her concerns to, inter alia, the Bank’s senior leaders and its internal whistleblower team. In addition to raising concerns about Compliance failures and other misconduct that she believed violated the law, Williams also complained about the retaliation she faced due to her protected activities. This only made matters worse for Williams. Instead of fixing the problems, JPMorgan further retaliated against Williams that culminated in the Bank’s decision to fire her in October 2019.
Plaintiff brings this action to remedy whistleblower retaliation for her protected activities under the Sarbanes-Oxley Act of 2002 (“SOX”), 18 U.S.C. § 1514A.”
According to the complaint:
“Williams began working at JPMorgan on July 30, 2018, in its Manhattan offices. Williams joined the Bank as Vice President in GACC (Global Anti-Corruption Compliance).
In Williams’s position, she was primarily responsible for managing, assessing, and improving JPMorgan’s TPI (Third Party Intermediary) program. In this role, Williams provided advice to Anti-Corruption Compliance Officers (“ACCO”) and Relationship Managers (who hire and are responsible for managing third party intermediary relationships) concerning compliance issues; prepared metrics for monthly reporting to senior management regarding certain risk indicators; prepared updates about the TPI program; and prepared and provided anti-corruption and compliance training.
During her employment at JPMorgan, Williams also worked on other anticorruption compliance programs within GACC, including those concerning transactions, investigations, and referred candidates.”
Under the heading “Williams Raises Concerns About the TPI Program,” the complaint alleges:
“Williams was primarily responsible for GACC’s TPI program. During Williams’s tenure, GACC management asked Williams to review the TPI program. In performing her review, Williams identified numerous problems with the TPI program. Williams believed that in many ways the TPI program failed to comply with the law, including the NPA, the SEC Order, SEC rules and regulations, and provisions of Federal law relating to fraud against shareholders. By way of example only, some of the unlawful practices and behaviors are listed below.
A. Policies and Procedures
Williams raised concerns that the Bank’s policies and procedures did not adequately document steps needed to mitigate corruption risk in the TPI program and that those written policies and procedures did not match actual practices that the Bank had implemented, including that the written materials overstated the coverage and capability of the GACC program.
Further, Williams raised concerns about the Bank’s lack of policies and procedures concerning its practice of exempting some third parties from TPI controls. The Bank did not have any documented rationale for the exemptions, often failed to record approved exemptions, and applied exemptions in an inconsistent way. As a result, JPMorgan’s records concerning TPI controls were inaccurate as the Bank could not track with precision the number of third-party intermediaries. Thus, the monthly internal reporting and disclosures to regulators concerning this information was wrong.
B. Invoice Controls
Williams objected to the lack of invoice controls because the NPA, the SEC Order, and other laws and regulations (including SEC rules and regulations and provisions of Federal law relating to fraud against shareholders) required that there must be controls in place to ensure that the amounts paid to third-party intermediaries were consistent with relevant factors, including business needs, stated payment expectations, and market rates. If properly implemented, invoice controls would ensure that JPMorgan was not funding corruption by labeling corrupt third-party payments as legitimate business expenses.
Williams also raised concerns because the Bank had no requirements for the Compliance group to review invoices for red flags, high risk indicators, or other anomalies that indicate corrupt payments; because the Bank granted many third-party intermediaries exemptions from invoice requirements without documenting or explaining the basis for doing so; because the Bank had no controls to ensure that the entity requesting payment was the same third-party intermediary that had contracted with the Bank; because the Bank had no controls to ensure that the third party intermediary had a contract or other agreement with the Bank before performing the services; and because the Bank could not reconcile actual payments with the invoices.
Williams raised concerns that there were no consequences for Bank employees who failed to upload invoices or who did not review uploaded invoices. These measures were important to ensure that the payments sought corresponded with the roles and tasks for which the Bank had engaged the third-party and did not otherwise raise any serious concerns.
Williams also raised concerns about JP Morgan’s inaccurate books and records. There were inconsistencies between the TPI payment records and the Bank’s centralized payment systems that feed into its general ledger. For example, a former government official (“TPI1”) was a high risk JPMorgan third-party intermediary for Jamie Dimon (“Dimon”), JPMorgan’s Chief Executive Officer. The Bank processed the invoices for TPI1 through the “emergency payment method.” The Bank’s policies made clear that the “emergency payment method” should be used for urgent payments critical to the day-to-day operations of Chase such as emergency utility bills “to prevent the lights from going out.” The TPI1 invoices did not satisfy this standard, thus leaving the payment method open to unchecked corrupt payments and violations of the Bank’s accounting controls, the NPA, SEC Order, SEC rules and regulations, and provisions of Federal law relating to fraud against shareholders. Further, the payments as reflected in the general ledger did not correspond with management’s general or specific authorization for the invoice payments, thereby creating inaccurate records that also constituted violations of the NPA, the SEC Order, SEC rules and regulations and/or provisions of Federal law relating to fraud against shareholders.
C. Oversight, Monitoring, and Testing
Williams also raised concerns about the lack of independent oversight within Compliance. For example, employee Compliance Control Officers were responsible for overseeing GACC. The Monitoring and Testing (“M&T”) team was responsible for monitoring and testing the business units’ compliance with internal GACC policies and procedures. However, GACC, the Employee Compliance Control Officers, and the M&T team all reported to the same managers. Williams raised concerns that due to the lack of independence, the Employee Compliance Control officers and the M&T team were less likely to raise concerns about GACC’s reporting to regulators, adherence to policies and procedures and, ultimately, the applicable legal requirements.
For example, in May 2019, the M&T team published a TPI testing report concluding that there were “no issues found” with TPI invoices. This was not accurate as members of the M&T team provided an issues log with several deficiencies in the TPI invoices that were unresolved when the M&T team published its report and previously raised concerns that they were unable to locate invoices and were also unable to match invoices with payments. Williams raised concerns that M&T issued the false “no issues found” report to satisfy the NPA, SEC Order, SEC rules and regulations, and/or provisions of Federal law relating to fraud against shareholders due to pressures from shared senior leadership within Compliance.
D. TPI Risk-Based Approach
The applicable law, rules, and regulations, including the NPA, SEC Order, SEC rules and regulations, and/or provisions of Federal law relating to fraud against shareholders, required that JPMorgan “institute appropriate risk-based due diligence and compliance requirements pertaining to” the TPI program. During the TPI review process, the Bank assigned each third-party intermediary a risk ranking using a risk ranking calculator referred to as a risk matrix. The risk ranking determined the level of due diligence and compliance requirements like due diligence reports, contract terms, and management approvals required for the third-party intermediaries.
Williams raised concerns that there were multiple versions of the risk ranking calculator, that there was no identifiable or documented rationale or methodology justifying the risk ranking scores, and that, as a result, JPMorgan assigned inconsistent rankings to third party intermediaries. This forced the European GACC team to create after-the-fact a TPI methodology and rationale for TPI risk rankings to submit in response to a regulatory request by the United Kingdom Financial Conduct Authority (the “FCA”).
The Bank required all departments to submit risk calculators to its internal Model Risk Governance (“MRG”) team for oversight based on a regulatory commitment to, inter alia, the SEC. Williams raised concerns that GACC and Employee Compliance Control Officers avoided submitting the various TPI risk matrix (a risk calculator) and other risk calculators to MRG for evaluation as a “model.” As a result, the TPI risk matrix and the other GACC risk calculators were not subject to the MRG team’s evaluation and oversight in violation of a regulatory commitment.
Also, on one occasion, Williams’s manager, Melissa Laferriere (“Laferriere”), asked Williams to delete information from a version of a TPI risk matrix before her manager sent it to the MRG team. Williams performed the task and provided the edited risk matrix to her manager. However, later, Williams submitted an unedited version directly to the MRG team.
E. Due Diligence Reviews
Williams uncovered that the Bank’s due diligence review process of third-party intermediaries was deficient. The Bank did not search government economic sanctions lists, other government lists, and JPMorgan’s “do not do business with” list to determine if third-party intermediaries and persons related to them were on those lists before retaining them or at later points during the relationship.
The Bank’s Client List Screening group within the Anti-Money Laundering program was responsible for screening the records of individuals and entities doing business with the Bank to determine whether government economic sanctions applied and was responsible for escalating “positive hits” in order to respond to government requests for applicable information.
On at least two occasions, Williams objected when she learned that the Bank had not connected TPI systems to the internal screening systems that the Client List Screening group used. Because the two systems were unconnected, the Client List Screening group, when responding to government requests, did not include information about third party intermediaries, a violation of economic sanctions and SEC rules and regulations. The Client List Screening team agreed to fix the problems, but GACC Management refused to allow the repair to move forward.
Similarly, Williams raised concerns that the TPI system was not connected to, nor compared against, JPMorgan’s internal list of individuals and entities that the Bank had banned for money laundering, economic sanctions, and other financial crimes concerns. Thus, GACC did not screen potential and current third-party intermediaries to ensure that the Bank had not included them on a “do not do business with” list either prior to or during the engagement.
F. Training & Contracts
The Bank provides mandatory training courses for third-party intermediaries and JPMorgan personnel that hire those third parties. Williams raised concerns that there were no controls in place to prevent hiring third parties who had not completed the training course. Williams also raised concerns because there were no consequences for JPMorgan personnel that failed to complete the required training on time.
JPMorgan required Relationship Managers to attach contracts (both drafts and final versions) with third-party intermediaries to their TPI records. Williams raised concerns that there were no controls in place to ensure that there was a contract at all or to review the contracts to ensure that they contained the required information, including terms regarding the proper scope of the assignment and pay structure.
Williams raised concerns about the TPI program’s failure to keep track of the overall number of third-party intermediaries. Such information was important for purposes of managing risk and disclosing information to regulators including the number of TPIs that the Bank had terminated due to corruption concerns.”
Under the heading “Williams Identifies Problems with Other Anti-Corruption Programs,” the complaint alleges:
“In addition to raising concerns about the TPI program, Williams also objected to key aspects of the other Anti-Corruption programs, including Transactions, Investigations, and AoV (Anything of Value), because she believed that they did not comply the Bank’s legal obligations, including those under the NPA, the SEC Order, SEC rules and regulations, and provisions of Federal law relating to fraud against shareholders. For example:
- Transactions: Williams reported a lack of controls to identify JPMorgan groups that were planning to, or were capable of, engaging in corporate transactions to evaluate the proposed or possible deals; there was no required documentation nor recordkeeping system for tracking previously reviewed transactions; and there were no consequences for failing to follow policies.
- Investigations: Williams raised concerns that there were major deficiencies for internal investigations of corruption, including no policies and procedures, no centralized list of entities or individuals discharged as a result of an investigation, and no method to report on or otherwise restrict such discharged entities or individuals.
- Regarding the sub-program Travel & Expense (“T&E”), Williams raised concerns that the Bank failed to effectively monitor and test reimbursement requests for expenses; that the Bank did not accurately maintain expense records; and that there were inconsistencies between invoices and payments that prevented GACC and M&T from implementing appropriate monitoring and testing for T&E. Williams raised concerns that GACC was maintaining an alternate ledger of corrected transactions that did not match the uncorrected transactions on the official JPMorgan balance sheet.
- Regarding the subprogram Referred Candidates (“RC”), Williams raised concerns that the Bank was not adequately monitoring RCs. For example, there was no system in place or requirement to evaluate whether there was a business need for a given role. Williams also raised concerns that there were serious gaps in the RC electronic surveillance procedures because GACC did not adequately document how the Bank selected certain personnel for surveillance; because GACC did not advise the group responsible for conducting the electronic communications surveillance about the scope of the electronic searches; and because GACC did not provide guidance on how to determine the significance of communications that the Bank located in its searches.
The complaint continues:
“Williams also repeatedly protested the misrepresentations and misleading disclosures that the Bank made to government agencies and regulators.
- For example, Williams raised concerns that the Bank misled or omitted information when reporting to the SEC (including in publicly filed materials), the DOJ, the Federal Reserve Bank of New York, and international regulators about performance, capability, and state of the anti-corruption, anti-money laundering, economic sanctions, and risk governance programs.
- In May 2019, Williams received a draft report that purportedly updated the DOJ concerning JPMorgan’s compliance with the SEC Order, NPA, and other legal obligations. The report contained numerous material misrepresentations about the monitoring, testing, and TPI program’s controls implemented to mitigate corruption risk and avoid further violations of SEC regulations and the Foreign Corrupt Practices Act. For example, contrary to what JPMorgan stated in the draft report, the TPI program had no risk ranking methodology, no invoice controls, no invoice monitoring, and the identification controls were weak.
- Williams also objected because the GACC misreported to the DOJ and the Federal Reserve that invoice testing occurred on an annual basis and that the Bank would implement invoice monitoring in 2019. Such representations were not accurate because the Bank’s testing procedures were not designed to uncover substantive problems; instead, the testing only assessed whether a Relationship Manager had uploaded an invoice to the TPI system.
- Williams also protested because the Bank made misleading reports to the UK Regulator, FCA, and other European regulators. For example, in January 2019, the FCA requested a list of third-party intermediaries that the Bank had terminated based on corruption concerns. The GACC, however, did not maintain such a list. Accordingly, the Bank’s employees provided a response that they based on guesswork and that did not contain an accurate description of GACCs documentation process. Williams was concerned that GACC had submitted similar disclosures in previous years that were inaccurate. When Williams asked to review those earlier submissions, the Bank told her that the information was unavailable because the records no longer existed or because the regulators had not asked for similar information in the past (which Williams learned was untrue).
- Also, in June 2019, the FCA asked GACC to explain the basis of the Bank’s risk rankings for certain third-party intermediaries. JPMorgan had no way to explain the rankings due to multiple versions of the risk calculator and lack of standardized process and documentation. Accordingly, the Bank’s employees needed to explain the rankings retroactively and failed to disclose the deficiencies in process and documentation.
- Williams also complained about GACC’s and GACC Europe, Middle East, and Asia’s (“EMEA”) misleading disclosures to the FCA regarding third-party intermediaries’ that engage in “government interactions.” JPMorgan could not provide data for some thirdparty intermediaries because, for example, onboarding procedures for the Legal department did not include any questions addressing government interactions. Williams raised this issue with individuals responsible for reporting to the FCA and recommended that the Bank add an explanation to its submission regarding the gap in data. GACC, however, did not add any caveat and the Bank did not otherwise notify the FCA about the reporting gap.
- Despite Williams’s protests, the GACC and GACC EMEA team knowingly and intentionally reported misleading and inaccurate information to the DOJ, SEC, Federal Reserve, FCA, the Belgian National Bank, and De Netherlandshe Bank, and JPMorgan leadership including information regarding the number and identity of exited third-party intermediaries and the number of consultants providing Anti-Money Laundering due diligence services.”
Strategies For Minimizing Risk Under The FCPA
A compliance guide with issue-spotting scenarios, skills exercises and model answers. "This book is a prime example of why corporate compliance professionals and practitioners alike continue to listen to Professor Koehler."