What is risk? Under the Foreign Corrupt Practices Act
(FCPA) and UK Bribery Act risk is generally doing business in a non-compliant
manner under these laws, where such action can increase the possibility of
engaging in or facilitating a corrupt payment or bribe. However, risk can
involve other areas. If you are an investment bank, one of the risks which
requires management is losses around trading. This was painfully put on
public display last week in the US Senate Permanent Subcommittee on
Investigations hearings into the JP Morgan trading losses and the trader who
has come to be known as the "London Whale".
The London Whale involved trading losses which eventually
hit $6.2bn for certain credit trades. In the FT Lex Column, an article entitled
"Whale fail" stated that either the "bank leadership actively
circumvented risk controls and misled the regulator and investors [the Senate's
take] or the affair was an exercise in systematic incompetence [JPMorgan's]".
Either version is not a good one for JPMorgan. The Senate report identified a
list of failings at JPMorgan, accused the Chief Investment Officer (CIO) of
putting into place a risky investment strategy and then trying to hide the
losses. It alleged the bank hid its trading losses and finally lied to
regulators. The Senate Subcommittee report and hearings provide many valuable
lessons for the compliance practitioner.
Change in Business May Increase Risk
The Financial Times (FT), in an article
entitled "Harpooning The Whale-Dimon and his lieutenants caught in
spotlight over risk management", showed how this trading desk morphed over
the years. While the trades were initially set up as derivative positions meant
to be used as a hedge by JPMorgan, at some point they morphed into something
very different so that by the first quarter of 2012, "the portfolio exploded in
size, complexity and risk, with little or no notice to the bank's senior risk
managers or its regulators." The trading program went from a "notational size
of $51bn in 2011" to a value of $157bn in Q1 2012.
When you have a program that goes from a financial hedging
operation to a program which generates profits, you have a very different risk
profile. If your risk profile increases through such a change, you need better
management of that risk. While the extent to which JPMorgan senior management
were aware of the additional risk is unclear, it is clear that JPMorgan's risk
management program was sorely lacking by failing to bring this trading desk
into its overall risk management structure.
When Employees Call (Internal) 911
One of the things made clear at the Senate hearings was
that JPMorgan executives tried to blame those big, bad traders in London for
the whole debacle. In an article in the New York Times (NYT) Dealb%k, entitled,
"Questions at Senate Hearing on JPMorgan Loss", reporter Jessica
Silver-Greenberg wrote, "Ina Drew, who resigned in May as the head of
JPMorgan's chief investment office, the group at the center of the problems...
directed virtually all of the blame at lower-level traders in London and other
subordinates." However, the reporting by the FT would suggest otherwise. In "Harpooning
the Whale" it said that the trader nicknamed the "London Whale" sent
"panicked emails to his superiors" in late January 2012. Among other emails
quoted in the FT piece it was stated that he said, "We need to discuss the
synthetic book. The current strategy doesn't seem to work out." In another
email he wrote, "The financial [p]erformance is worrisome." Finally he wrote
that the derivatives trades were "huge" and "scary". Indeed.
A company certainly wants its employees to notify upper
management if something goes awry and a company's risk significantly increases.
In the safety part of any company it is now standard procedure that 'safety is
everyone's responsibility' and if any employee sees an unsafe operation
occurring, that employee has the right to shut it down immediately, with no fear of
retaliation. However, the key lesson to be learned from this experience is that
if an employee notifies his or her superiors of a high risk activity, that risk
needs to be identified and the conduct which led to the risk stopped.
Do Not Raise/Exceed the Risk Bar
When these emails from the London Whale and other
information came back to JPMorgan about the potential size of these losses, did
it try and call off its position? No. It continued, but tried to contain the
losses by changing the risk parameters so that the losses did not appear as
losses and the trades were made to appear to be within the bank's risk
restrictions. Gretchen Morgenson, writing in the NYT, in an article entitled, "JPMorgan's
Follies, For All To See" explained the bank did so by changing its
normal practice in valuing these types of derivatives. She said that "Normal
practice at the bank and across the industry is to value these kinds of derivatives
at the midpoint between the bid and offer prices available in the market. But
in early 2012, as it became apparent that JPMorgan's big trades at the chief
investment office were going bad, the bank began valuing the portfolio well
outside the midpoint. This reduced its losses.
For example, in January 2012, the portfolio valuations
hewed closely to the midpoint on all but 2 of the 18 measures, the Senate
investigators found. A month later, 5 of the 18 valuation measures deviated
from the midpoint. In March, however, all 18 deviated, and 16 were at the outer
bounds of price ranges. In every case, the prices used by the bank understated
its losses. While these valuation shifts were taking place in the chief
investment office, JPMorgan's investment bank officials continued to mark their
identical positions using the midpoint value.
In addition to changing its risk parameters, the Senate
report noted that JPMorgan did not follow its own guidelines regarding risk
boundaries for such trades. Morgenson writes that "Risk limits, intended to
protect the bank from losses, were also routinely breached at JPMorgan Chase.
[...] From late 2011 to the first quarter of 2012, Senate investigators saw a
huge jump in the number of risk-limit breaches - to more than 170, from 6.
Then, in April 2012 alone, risk limits were exceeded 160 times." Morgenson
concluded that the bank's risk limits "were either ignored or modified to make
the portfolio look better".
Risk parameters are put in place for a reason. It is to
manage a company's risk, whether that be in an investment strategy or relating
to bribery and corruption under the FCPA. Once a protocol is in place, it
should not be changed in the absence of careful analysis and documentation of
that analysis. When it all hits the fan it is not the time to change your risk
protocols. It is equally important that a company follows its risk parameters
and does not exceed them on a routine basis. While it is important that you
have a compliance and risk management program, if you have one and do not
follow it the consequences can be even more severe.
What Did You Do About It?
In thinking about any risk breach, whether it be safety,
FCPA or credit trading, I always conclude my thoughts with Paul McNulty's Third
Maxim, "What did you do when you found out about it?" JPMorgan did
launch its own internal investigation into the trading losses but Morgenson
noted that the report produced was criticized by the Senate Subcommittee for its
lack of rigor. She also reported that JPMorgan "has repeatedly said it made
mistakes and has changed its policies." What about discipline for those
involved? In an article in the Wall Street Journal, entitled, "Senate Puts
'Whale' On the Grill", it was reported that Douglas Braunstein, J.P. Morgan's
former chief financial officer, testified "that his annual pay had been cut to
$5 million from $9.5 million." Other senior executives at the bank, including
Mr. Dimon [JPMorgan Chief Executive], also saw large pay cuts.
Most companies which face an FCPA issue will not
have to go through such a thorough and very public Senate investigation and
hearing. However, because it was such a public event, there were many public
lessons which can be learned by the compliance practitioner. As a publicly
listed institution, it is the shareholders who will ultimately bear the losses
sustained by the bank. The Lex Column of the FT stated that "Until Mr. Dimon
has shown over a series of reporting periods that the "whale" was an aberration
rather than a reflection of rotten corporate culture, investors should tread
cautiously." In the FCPA world, if you have such a breach of your risk
parameters, you may well have this same question posed to you.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.