Wall Street’s $1bn messaging ‘nightmare’

In 2018 and 2019, as JPMorgan Chase bankers chased lucrative mandates from an aggressively expanding WeWork, they fired off messages to one of their most high-profile clients at a frenetic pace. But as they did so, they broke rules governing communications on Wall Street.

The US Securities and Exchange Commission — in an early flashpoint of an investigation that has spread across Wall Street — found that JPMorgan failed to track more than 21,000 texts and emails, sent and received on personal phones or through unapproved apps, related to the co-working company, according to people familiar with the matter.

The investigation, which became public last year, has ensnared a growing number of banks, which are preparing to pay more than $1bn in fines to the SEC and Commodity Futures Trading Commission, dwarfing earlier penalties for record-keeping breaches.

It has also raised questions about banks’ ability to monitor dealmakers in an era of disappearing messages. As the probe has spread, individual bankers have hired their own lawyers, according to people familiar with the matter, amid fears of personal liability and to prevent their employers accessing their private phones to check for work messages. Others have refused to be represented by lawyers hired by their firms.

“The messaging thing is a nightmare,” said one senior banker on Wall Street.

JPMorgan in December agreed to pay a $200mn penalty to resolve the matter, with $125mn going to the SEC and $75mn to the CFTC. The SEC order referred to JPMorgan’s work for “an investment banking client”, which was WeWork, according to the people familiar with the matter.

The bank’s dealings with WeWork made up one of a string of cases cited by the SEC to show insufficient record-keeping, which included improper preservation of WhatsApp messages, text messages and emails. Other examples included a group of credit traders exchanging over 1,000 messages in a WhatsApp group entitled “Portfolio Trading/auto ex”.

JPMorgan and the SEC declined to comment. WeWork did not respond to a request for comment.

Now, a group of other banks, including Morgan Stanley, Barclays and Credit Suisse, have earmarked similar amounts to cover potential settlements with US regulators.

“It’s a fairly major crackdown,” said David Rosenfeld, an associate professor at Northern Illinois University and a former SEC attorney, noting that Morgan Stanley and Merrill Lynch paid $15mn and $2.5mn, respectively, for record-keeping breaches in 2006.

“In 2006, $15mn was considered a pretty big number . . . but still this is a quantum leap,” he added.

The fines, which could be announced as soon as this month, have caught some banks off guard. Credit Suisse chief financial officer David Mathers told investors in July that the Swiss lender was “not anticipating the $200mn charge in respect of unapproved electronic communications”.

The use of personal phones to do business has also exposed rifts between bankers and their counterparts in risk and compliance.

At Deutsche Bank, client-facing staff had been complaining for years that they were at a disadvantage to rivals because they were banned from using WhatsApp for work — both to speak with customers or colleagues — according to a person familiar with the matter. Many clients have grown to prefer WhatsApp as an easier and more immediate way to communicate.

Compliance would not sign off on WhatsApp or WeChat usage without a formal way of policing messages but some bankers decided to start using the apps anyway despite lacking sufficiently robust software to monitor communications, said the person.

One unsuccessful attempt was made to use Goldman Sachs-led messaging platform Symphony, but staff found it too cumbersome and later branded it “useless”, the person added. As a result, many started using WhatsApp and text messages despite their use being expressly forbidden. Internal watchdogs found evidence of this by detecting words and phrases in recorded emails.

In July, Deutsche took a €165mn provision for “regulatory enforcement” related to SEC and CFTC WhatsApp probes. Chief executive Christian Sewing and his top management team also offered to each give up €75,000 of their bonuses to show contrition about their responsibility for the lax internal culture.

By doing so voluntarily, they headed off the risk of a probe by Deutsche’s supervisory board into their own potential text and WhatsApp communications that could have resulted in more serious sanctions, the person said.

Deutsche has acted more decisively this summer, requiring certain employees to install an application called Movius on their phones that allows compliance staff to monitor calls, text messages and WhatsApp conversations with clients, the Financial Times has reported.

Deutsche said “the statements relating to supposed interactions between investment bank employees and compliance are incorrect, as is your depiction of the management board’s rationale”.

The bank added that it “responded at an early stage to indications that private short message services were being used for business communications in the industry and the board immediately initiated measures to ensure, in particular, the proper documentation of business transactions and compliance with retention requirements”.

The SEC has argued lax record-keeping has impeded several investigations over the years. In its order sanctioning JPMorgan, the regulator said inadequate record-keeping practices meant that the bank on numerous occasions gave incomplete replies to government subpoenas and information requests.

After JPMorgan paid its $200mn fine, the SEC told the other banks being investigated that penalties would be proportional to any misconduct uncovered, people familiar with the matter said.

However, regulators had difficulty quantifying the wrongdoing at different institutions, resulting in the anticipation of flat $200mn fines at several big banks, the people said.

Some smaller banks are expected to pay lower fines. Jefferies has set aside $80mn to cover penalties from the investigation.

“What can they impose that won’t make them go to trial? There’s always a back and forth on why the numbers are unfair . . . but they have pretty broad discretion,” said one lawyer involved in the case.

The unauthorised use of personal mobile phones to do business was an issue before the Covid-19 pandemic, but the practice became more widespread during government-mandated lockdowns when many workers, including bankers, moved to working from home.

Now, as fines mount, banks are cracking down and bankers are having to find new ways of working.

Credit Suisse and HSBC have fired employees found to have used unapproved messaging applications with clients. JPMorgan has promised to hire a compliance consultant to review and assess its record-keeping practices.

WhatsApp and apps such as Signal, where messages can be preprogrammed to disappear after a period of time, are outlawed by many employers. And when bankers do receive a work-related message on their personal phone, banks such as Goldman Sachs now require employees to take a picture of the message and forward it to compliance so that it will be preserved.

Goldman declined to comment.

But the issue is far from resolved. Ultimately, if banks want to stop the use of a continually mutating roster of unapproved apps, they are going to have to change the mindset of employees, according to Dan Nardello, a former federal prosecutor in Manhattan and now chief executive of global investigations company Nardello & Co.

“If folks want to communicate off-channel, they’re going to do it,” he said. “You can implement all the software you want but it’s not foolproof. It’s about cultural change.”

Additional reporting by Eric Platt in New York