What is Risk? Compliance Lessons from the Senate Hearing On the Whale

What is risk? Under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act, risk is generally doing business in a non-compliant manner under these laws, where such action can increase the possibility of engaging in or facilitating a corrupt payment or bribe. However, risk can involve other areas. If you are an investment bank, one of the risks which requires management is losses around trading. This was painfully put on public display last week in the US Senate Permanent Subcommittee on Investigations hearings into the JP Morgan trading losses and the trader who has come to be known as the "London Whale".

The London Whale involved trading losses which eventually hit $6.2bn for certain credit trades. In the FT Lex Column, an article entitled "Whale fail" stated that either the "bank leadership actively circumvented risk controls and misled the regulator and investors [the Senate's take] or the affair was an exercise in systematic incompetence [JPMorgan's]". Either version is not a good one for JPMorgan. The Senate report identified a list of failings at JPMorgan, accused the Chief Investment Officer (CIO) of putting into place a risky investment strategy and then trying to hide the losses. It alleged the bank hid its trading losses and finally lied to regulators. The Senate Subcommittee report and hearings provide many valuable lessons for the compliance practitioner.

Change in Business May Increase Risk

The Financial Times (FT), in an article entitled "Harpooning The Whale-Dimon and his lieutenants caught in spotlight over risk management", showed how this trading desk morphed over the years. While the trades were initially set up as derivative positions meant to be used as a hedge by JPMorgan, at some point they morphed into something very different so that by the first quarter of 2012, "the portfolio exploded in size, complexity and risk, with little or no notice to the bank's senior risk managers or its regulators." The trading program went from a "notational size of $51bn in 2011" to a value of $157bn in Q1 2012.

When you have a program that goes from a financial hedging operation to a program which generates profits, you have a very different risk profile. If your risk profile increases through such a change, you need better management of that risk. While the extent to which JPMorgan senior management were aware of the additional risk is unclear, it is clear that JPMorgan's risk management program was sorely lacking by failing to bring this trading desk into its overall risk management structure.

When Employees Call (Internal) 911

One of the things made clear at the Senate hearings was that JPMorgan executives tried to blame those big, bad traders in London for the whole debacle. In an article in the New York Times (NYT) Dealb%k, entitled "Withering Questions at Senate Hearing on JPMorgan Loss", reporter Jessica Silver-Greenberg wrote, "Ina Drew, who resigned in May as the head of JPMorgan's chief investment office, the group at the center of the problems... directed virtually all of the blame at lower-level traders in London and other subordinates." However, the reporting by the FT would suggest otherwise. In "Harpooning the Whale" it said that the trader nicknamed the "London Whale" sent "panicked emails to his superiors" in late January 2012. Among the emails quoted in the FT piece, he said, "We need to discuss the synthetic book. The current strategy doesn't seem to work out." In another email he wrote, "The financial [p]erformance is worrisome." Finally he wrote that the derivatives trades were "huge" and "scary". Indeed.

A company certainly wants its employees to notify upper management if something goes awry and a company's risk significantly increases. In the safety part of any company it is now standard procedure that 'safety is everyone's responsibility' and if any employee sees an unsafe operation occurring, he or she has the right to shut it down immediately, with no fear of retaliation. However, the key lesson to be learned from this experience is that if an employee notifies his or her superiors of a high risk activity, that risk needs to be identified and the conduct which led to the risk stopped.

Do Not Raise/Exceed the Risk Bar

When these emails from the London Whale and other information came back to JPMorgan about the potential size of these losses, did it try and call off its position? No. It continued, but tried to contain the losses by changing the risk parameters so that the losses did not appear as losses and the trades were made to appear to be within the bank's risk restrictions. Gretchen Morgenson, writing in the NYT, in an article entitled, "JPMorgan's Follies, For All To See" explained the bank did so by changing its normal practice in valuing these types of derivatives. She said that "Normal practice at the bank and across the industry is to value these kinds of derivatives at the midpoint between the bid and offer prices available in the market. But in early 2012, as it became apparent that JPMorgan's big trades at the chief investment office were going bad, the bank began valuing the portfolio well outside the midpoint. This reduced its losses.

For example, in January 2012, the portfolio valuations hewed closely to the midpoint on all but 2 of the 18 measures, the Senate investigators found. A month later, 5 of the 18 valuation measures deviated from the midpoint. In March, however, all 18 deviated, and 16 were at the outer bounds of price ranges. In every case, the prices used by the bank understated its losses. While these valuation shifts were taking place in the chief investment office, JPMorgan's investment bank officials continued to mark their identical positions using the midpoint value.

In addition to changing its risk parameters, the Senate report noted that JPMorgan did not follow its own guidelines regarding risk boundaries for such trades. Morgenson writes that "Risk limits, intended to protect the bank from losses, were also routinely breached at JPMorgan Chase. [...] From late 2011 to the first quarter of 2012, Senate investigators saw a huge jump in the number of risk-limit breaches - to more than 170, from 6. Then, in April 2012 alone, risk limits were exceeded 160 times." Morgenson concluded that the bank's risk limits "were either ignored or modified to make the portfolio look better".

Risk parameters are put in place for a reason. It is to manage a company's risk, whether that be in an investment strategy or relating to bribery and corruption under the FCPA. Once a protocol is in place, it should not be changed in the absence of careful analysis and documentation of that analysis. When it all hits the fan it is not the time to change your risk protocols. It is equally important that a company follows its risk parameters and does not exceed them on a routine basis. While it is important that you have a compliance and risk management program, if you have one and do not follow it the consequences can be even more severe.

What Did You Do About It?

In thinking about any risk breach, whether it be safety, FCPA or credit trading, I always conclude my thoughts with Paul McNulty's Third Maxim, "What did you do when you found out about it?" JPMorgan did launch its own internal investigation into the trading losses but Morgenson noted that the report produced was criticized by the Senate Subcommittee for its lack of rigor. She also reported that JPMorgan "has repeatedly said it made mistakes and has changed its policies." What about discipline for those involved? In an article in the Wall Street Journal, entitled "Senate Puts 'Whale' On the Grill", it was reported that Douglas Braunstein, J.P. Morgan's former chief financial officer, testified "that his annual pay had been cut to $5 million from $9.5 million." Other senior executives at the bank, including Mr. Dimon, [JPMorgan Chief Executive] also saw large pay cuts.


Most companies which face an FCPA issue will not have to go through such a thorough and very public Senate investigation and hearing. However, because it was such a public event, there were many public lessons which can be learned by the compliance practitioner. As a publicly listed institution, it is the shareholders who will ultimately bear the losses sustained by the bank. The Lex Column of the FT stated that "Until Mr. Dimon has shown over a series of reporting periods that the "whale" was an aberration rather than a reflection of rotten corporate culture, investors should tread cautiously." In the FCPA world, if you have such a breach of your risk parameters, you may well have this same question posed to you.

Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.