JPMorgan Chase DPA Provides Insight into Government’s Assessment of Compliance Programs
The settlement agreements resolve investigations by the Department of Justice (the DOJ), the Commodity Futures Trading Commission, and the Securities & Exchange Commission (the SEC). As part of the settlement, JPMorgan Chase entered into a deferred prosecution agreement (DPA) and agreed to pay over $920 million in criminal penalties, disgorgement, and restitution.
The DPA builds on recent updates to guidance from the US government regarding best practices for corporate compliance programs. In June 2020, the DOJ published an updated version of its document, “Evaluation of Corporate Compliance Programs” (the Guidance), and the next month, the DOJ’s and SEC’s “A Resource Guide to the US Foreign Corrupt Practices Act” (the FCPA Guide) was revised to include, among other changes, expanded guidance related to the evaluation of corporate compliance programs. The DPA includes language consistent with the compliance hallmarks outlined in the Guidance and FCPA Guide and also reflects some of their latest additions, indicating that the government will continue to examine these hallmarks when evaluating a compliance program’s effectiveness.
The language in the DPA tracks the Guidance on key elements of a compliance program, but also adds a new focus on using data to build an effective program and explicitly links it to a root cause analysis. For example, the DPA mandates that JPMorgan Chase “will ensure that compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing” and that it will test the data in order to “conduct a thoughtful root cause analysis and timely and appropriately remediate to address the root causes.” This mirrors the new language added to the Guidance in June 2020 concerning data resources and access, and further connects it to root cause analysis as part of remediation efforts.
New concepts from the Guidance about the review and evolution of a compliance program are also reflected in the DPA, which requires that JPMorgan Chase’s trainings, where appropriate, discuss prior compliance incidents. The latest update to the Guidance encourages prosecutors to consider whether a company reviews and adapts “its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.” The July update to the FCPA Guide similarly stresses that the “truest measure of an effective compliance program is how it responds to misconduct” and that the compliance program should “integrate lessons learned from misconduct into the company’s policies, training, and control.” JPMorgan Chase’s obligations under the DPA about conducting a root cause analysis and training based on past incidents highlight the government’s focus on companies’ remediation efforts to apply “lessons learned” from previous compliance episodes.
The US government guidance materials recognize that there is no one-size-fits-all approach to compliance and that each company’s compliance program should be calibrated to its risk profile. Nevertheless, the inclusion of the recent updates to the Guidance and FCPA Guide in the DPA underscores the importance of a company’s ability to conduct a meaningful root cause analysis and having effective investigation and training mechanisms. Companies should be prepared to revise their corporate compliance programs in light of lessons learned from past compliance misconduct.
- Related Practices