The Securities and Exchange Commission fined JPMorgan Chase $4 million for mistakenly deleting 47 million emails, many of which the regulator was trying to access as part of multiple probes.
The contents of some of the emails, which could not be recovered since they were permanently deleted, were requested in subpoenas for at least a dozen civil securities-related regulatory investigations, the SEC said in an administrative order published on Thursday.
The emails from January to April 2018 were deleted in 2019 from 8,700 inboxes belonging to as many as 7,500 employees in the retail banking division of the nation's largest bank.
Miscommunications between the bank's corporate compliance technology division and an outside vendor tasked with archiving and deleting communications dating back to the 1970s and 1980s led to the erroneous deletion of the 2018 emails, JPMorgan claimed, according to the order. SEC regulations required JPMorgan to retain emails for a 36-month period.
Upon discovery, JPMorgan reported the deletions to the SEC in 2020.
"Because the deleted records are unrecoverable, it is unknown -- and unknowable -- how the lost records may have affected the regulatory investigations," the SEC order stated. "Indeed, a member of JPMorgan's compliance department acknowledged in an internal email after the deletion event was discovered that lost documents could relate to potential future investigations, legal matters and regulatory inquiries."
The bank said it is working to prevent a similar situation from taking place in the future.
"JPMorgan takes its record-keeping obligations seriously," said Veronica Navarro, who heads JPMorgan's corporate communications division. "We have taken steps to enhance our process and procedures."
JPMorgan agreed to sanctions laid out by the SEC including to "cease and desist from committing or causing any violations and any future violations" of the rule that require broker-dealers to retain all communications for three years.
The bank said in the order that it "implemented its own 36-month retention coding" to prevent erroneous deletions. An employee "seeking to run a deletion task" will now be required to get "approval from a senior level information officer" before acting.