Skip to content

JP Morgan gets $4 million fine for ‘accidentally’ deleting evidence

  • by
  • 3 min read

The US Securities and Exchange Commission (SEC) has fined JP Morgan $4 million for deleting some 47 million email records from 2018 related to its Chase Bank subsidiary. The emails were ‘accidentally’ deleted from 8,700 mailboxes and dated from January 1 to April 23, 2018. Interestingly, many of these deleted emails were business records that the SEC required to be retained under the Securities Exchange Act of 1934. 

On JP Morgan’s part, the mistake was caused by a project from 2016 where the company was deleting any old communications and documents that were no longer required to be retained. Per the SEC, this project faced some ‘glitches’ while identifying which documents to delete.

When troubleshooting the issue, JP Morgan employees carried out the deletion process on documents from the first quarter of 2018, reportedly working under the belief that all documents were stored in a way that would make it impossible to delete any records within the 36-month regulatory period required by the aforementioned Exchange Act. 

The company is blaming the mistake on an unnamed archiving vendor hired to manage the communication storage. The vendor had assured JP Morgan and the Financial Industry Regulatory Authority (FINRA) multiple times that its media storage complied with all relevant Exchanges Act rules regarding the retention period, protecting any documents falling under it from deletion. 

When working on communication deletion, a team from the Corporate Compliance Technology Department found that the procedures developed by JP Morgan and the vendor had failed to delete the required documents. When troubleshooting the issue, they carried out deletion across multiple periods under the belief that safeguards were active that would block the deletion of any documents still in the retention period. 

No such settings were applied to the Chase domain within JP Morgan’s network infrastructure, permanently deleting everything except any emails protected by a layer of extra coding called “legal holds” implemented by the finance company earlier. 

Overall, these deleted documents mean that in at least 12 civil securities-related regulatory investigations, eight of which were conducted by the SEC staff, JP Morgan received subpoenas and document requests for communications that could not be retrieved or produced as they had been deleted permanently. 

On the other hand, the company insists that it only found out about the issue in October 2019 when its legal discovery team found missing communication from the early 2018 period. The issue was then reported to the SEC in January 2020. 

The SEC notes that JP Morgan willfully violated Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder, ultimately handing the company a cease from committing or causing any future violations while also slapping them with a $4 million fine. 

In the News: Amazon’s AI-powered robots to revolutionise warehouse automation

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: