July 25, 2012
Securities Exchange Commission
100 F Street, N.E. Washington, D.C. 20549
Re: Sarbanes-Oxley Enforcement Action against JP Morgan CEO Jamie Dimon
Occupy the SEC (“OSEC”) is a group within the New York-based Occupy Wall Street (“OWS”) protest movement. We are writing to urge the SEC to aggressively pursue Sarbanes-Oxley (“SOX”) law violations against JPMorgan Chase (“JPM”).
Public information, including Jamie Dimon’s own testimony at the recent House and Senate banking subcommittee hearings, provides strong evidence of probable violations of Sarbanes- Oxley by Mr. Dimon and JPMorgan. We expect that a thorough investigation by the SEC will confirm that SOX violations occurred and that SOX enforcement actions against the bank and its executives are appropriate. We are particularly concerned that SOX violations were missing from the list of disclosure failures that the SEC is currently investigating according to your House subcommittee appearance on June 19, 2012.
I. Likely Violations of SOX, by Section
Below we provide examples of multiple likely violations of the various sections of Sarbanes Oxley by JPMorgan:
a. Section 302 – Corporate Responsibility for Financial Reports
Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are directly responsible for the accuracy, adequate documentation and appropriate submission of all financial reports, as well as for the establishment and maintenance of a public company’s internal control structure.
JPMorgan’s restatement of prior period financial statements (resulting from the revealed multi- billion dollar losses at its London-based CIO desk) indicates that the company’s initial first quarter 2012 financial statements did not meet the required standard. The disclosure of material weaknesses in internal controls also appears to have violated this section. Since a material weakness in internal controls is the worst condition a going concern can report in its financial statements, we would be very alarmed if the SEC were not pursuing a SOX violation inquiry under this theory.
b. Section 304 – Clawbacks
Section 304 of the Sarbanes-Oxley Act states that if any reporting company fails to comply with the financial reporting requirements of the federal securities laws, then the company’s CEO and CFO can be compelled to return bonus compensation or stock sale profits earned during the twelve months following the financial misreporting. Section 304 does not require that the CEO or CFO be personally charged with the misconduct or otherwise have violated the securities laws.
The SEC has the authority to clawback executive compensation in cases where there have been SOX violations. We believe the SEC should use this authority in this case, rather than permit the firm itself to determine the clawbacks based on company policies.
As you are aware, Section 954 of the Dodd-Frank Act enhances the SOX clawback provisions. We are distressed that SEC Commissioner Paredes has made public comments as recently as July 11, 2012 to the effect that he is opposed to strengthening the clawback provisions in the Section 954 rulemaking, a position that is contrary to the intent of the Dodd-Frank Act. Since the rules have not been published for public comment yet, we hope his opposition has been overruled by the rest of the commissioners.
c. Section 404 – Internal Control Report
Section 404 of the Sarbanes-Oxley Act requires that all annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective. JPMorgan’s recent disclosure of material weaknesses in internal controls points to a likely failure to satisfy section 404 requirements.
d. Section 409 – Real Time Issuer Disclosures
Companies are required to disclose on an almost real-time basis information concerning material changes in their financial condition or operations. JPMorgan’s disclosures since the initial announcement of the trading losses at the CIO desk fall short of this standard.
e. Section 902 – Attempts and Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding.
Alleged reports of trader manipulation of the valuations used in JPM’s financial reporting appear to qualify as violations of this section of the law. It also must be noted that this practice separately falls well short of industry practice.
f. Section 906 – Corporate Responsibility for Financial Reports
Section 906 addresses criminal penalties for certifying a misleading or fraudulent financial report. Certifications by the CFO and CEO that no material weakness exist at the time of the certification must be investigated and referred to the Department of Justice if there are facts that suggest otherwise. Mr. Dimon’s attempts to dismiss the massive CIO loss as a “tempest in a teapot” warrant an inquiry under Section 906.
II. Numerous and Clear SOX Violations Have Occurred
Since this crisis began, many of us have wondered why, in spite of clear breakdowns in internal controls at failed institutions like Countrywide, Bear Stearns, Lehman Brothers, MFGlobal and others, there has been little evidence that the SEC is pursuing either civil or criminal SOX cases against the CEOs or CFOs of these institutions. Indeed, SOX is meant to be the most powerful weapon in the SEC’s arsenal to protect investors from misleading financial statements and rogue CEOs.
It has been widely reported that the risk exposure of the synthetic credit portfolio in JPMorgan’s CIO desk was larger than the combined risk exposure of all the JPM trading desks combined. (1) If such is the case, the controls around the CIO desk’s trading positions must be considered materially significant to the firm. Failure to design, implement and effectively operate a robust internal control environment around a materially significant trading operation is a likely breach of SOX requirements. Indeed JPMorgan has now admitted that this failure was as a material deficiency, which is to be remediated immediately. (2) Since this cannot be remediated retroactively, we urge the SEC to aggressively review the weaknesses’ impact on prior period financial reports.
We are especially concerned that the internal control gaps that have just come to light may have existed for far longer than most observers assume. In his written testimony, Dimon explained that a review of the positions was undertaken in 2011 in anticipation of new Bank of International Settlement (“BIS”) capital rules, slated to come into effect for European banks at year-end 2011. Although the so-called BIS 2.5 capital rules do not impact capital charges for US banks, JPM made the decision to reduce the exposure in anticipation of higher capital charges expected under Basel III rules that are under discussion in the US. This indicates that the positions were significant in 2011.
III. A Litany of Incriminating Public Comments and Attestations
A quick review of Mr. Dimon’s public comments since the positions were unearthed by journalists in early April shows a pattern of denial and minimization, which is tantamount to failure to disclose material facts to investors and regulators in a clear or timely manner.
a. The Size and Significance of the CIO Desk’s Positions
The relative riskiness of the CIO desk’s position is at odds with Mr. Dimon’s characterization of the synthetic trading portfolio as ‘small’ in his testimony before the House and Senate subcommittees. The magnitude of the desk’s position requires that the controls of this desk be held to a higher standard of internal control than all the other trading desks at the firm. Yet it appears that the internal controls of this, the riskiest unit, were apparently (by design and operating effectiveness) substandard as compared to the risk controls in the other JPM trading units. They were certainly substandard compared to normal industry practices.
b. Significant Risk Management Failure
Mr. Dimon has repeatedly acknowledged that there was a significant risk management failure around the activities of the CIO unit. We believe that it is the SEC’s responsibility to reassure the public that “significant risk management” failures are not to be dismissed as mere “mistakes,” especially if they are “egregious” and “stupid” on the scale that occurred at JPM. Instead, the SEC should find that such failures are violations of securities law. The risk management failures at JPM appear to result from deep-seated, structural deficiencies rather than minor operational “mistakes.”
At the House subcommittee meeting on June 19, 2012 Rep. Gary Miller (R-Calif.) questioned Mr. Dimon about the certification of the effectiveness of internal controls that Mr. Dimon signed for JPMorgan’s 2011 Annual Financial statement, in which he certified there were no material weakness in internal controls:
Rep. Miller: Was the certification correct?
Mr. Dimon: I believed that the risk controls at the CIO at that time were properly being done.
SOX requires that the CEO’s “belief” and the certification of that determination be supported by substantial documentary evidence. SOX eliminates the “I rely on my subordinates” defense that was common in the pre-SOX era. That is the reason why the CEO’s signature alone appears on the certification. That signature is acknowledgement that the CEO accepts and understands the potential exposure to civil and criminal liability for failure to obtain adequate documentation from subordinates. It is the CEO’s responsibility to proactively investigate the state of the internal control environment prior to signing the certification. It appears that Mr. Dimon failed to perform adequate due diligence to support his assertion at year-end 2011. If that is true, his certification can no longer be relied upon, and liability should ensue.
c. Deficiencies in the Value-at-Risk Model
JPMorgan’s flawed Value-at-Risk (VaR) model, as it applied to the CIO desk, also suggests that internal control weaknesses existed at year-end 2011.
In his House appearance on June 19, 2012, Mr. Dimon stated that the updated CIO VaR model went through a model review and approval process sometime during the summer of 2011. Mr. Dimon has stated at various times that the model was replaced because the new model was superior to the previous model. The replacement model was implemented in early 2012.
However, the replacement model was apparently flawed and understated the risk of the CIO portfolio by more than 100% as of March 31, 2012. Given the disparity between the results under the old and new models for the First-Quarter 2012 positions, further questions arise about the adequacy of the original model itself (which was used at year end 2011) and the controls around the model review process that were in effect in the summer of 2011. The process that was used to approve the model was in force at year-end, and was therefore covered by the annual certification of internal controls. This appears to further undermine the integrity of the 2011 certification.
If the original VaR model was deemed to be inadequate and had already been approved for replacement before year-end, we ask: why was it still in effect at year-end? Given the material disparity between the results under the two models, and the fact that model results are a major component of the required capital calculations for the CIO portfolio, a review of the capital impact as of year-end is highly warranted.
Sarbanes-Oxley, like Dodd-Frank, was landmark legislation that promised to redress the disclosure gaps that Enron and other malefactors had used to such devastating effect. We are dismayed that a decade since SOX’s passage, there is scant evidence that the SEC has acted to enforce the law in the face of what appears to be a plethora of egregious violations of the law at banking institutions.
The Senate is holding a hearing this week to assess Sarbanes-Oxley on the tenth anniversary of its passage. We hope the Commission’s failure to enforce this law, which was drafted to prevent top executives from escaping responsibility for disclosure and supervision failures, is brought to center stage.
We urge the Commission to establish a strong precedent for strong SOX enforcement in the banking industry.
Occupy the SEC
(1) Douwe Miedema & Steve Slater, JPMorgan Loss Shows Risks in Safe-haven Banks, Reuters, May 15, 2012,
(2) Jonathan Weil, Is JPMorgan Chase Out of Controls?, Bloomberg, July 13, 2012