What Happens When the Three Lines of Defense Fail: Inside JPMorgan’s $250 Million Fine

JPMorgan Chase Bank is on the hook for a $250 million civil money penalty after the Office of the Comptroller of the Currency (OCC) found the bank failed to maintain adequate internal controls and internal audit over its fiduciary business—an unsafe or unsound practice.

What exactly went wrong? It looks like weaknesses across the three lines of defense. While the enforcement action was short on details, we do know that for several years the bank maintained a weak management and control framework for its fiduciary activities, according to the OCC.

That includes:

  • An insufficient audit program
  • Inadequate internal controls
  • Deficient risk management practices
  • An insufficient framework for avoiding conflicts of interest

A Closer Look at the Enforcement Action

A fiduciary relationship requires an institution to act for the benefit of the customer when acting on its behalf. The fact that the enforcement action specifically mentions “an insufficient framework for avoiding conflicts of interest” suggests that JPMorgan Chase might not have been doing enough to ensure the actions of its employees were for the benefit of its clients—and not the benefit of the bank or its bankers.

It’s something the bank should have been actively policing, especially from a risk management perspective. Fiduciary activities are a source of significant risk. There’s compliance risk, which can cost the bank both financially with fines and strategically if it causes regulators to limit acquisitions or other expansions. There’s operational and transaction risk. There’s also significant reputation risk. Consumers remember headlines suggesting a financial institution can’t be trusted to take care of their assets.

There’s also the fact that JPMorgan Chase has gotten in trouble for similar problems in the past. In 2015 the bank had to pay over $300 million to the SEC and the U.S. Commodity Futures Trading Commission and admit it failed to disclose conflicts of interest to clients between 2008 and 2013. (JPMorgan steered clients into the firm’s own, higher-priced proprietary investment products without proper disclosures.) Regulatory agencies don’t like repeat findings.

The bank should have interpreted that fine as a wake-up call to ensure its wealth management program had internal controls in place to proactively monitor and remediate potential conflicts of interest. Now the OCC says the bank has remediated the deficiencies that led to the OCC’s action. Not every financial institution engages in wealth management, but every FI needs a sufficient audit and risk management program. These two areas work in tandem to protect the FI from risk. These two functions, along with employees charged with following policies and procedures, make up the three lines of defense.

Looking at the JPMorgan Chase enforcement action, it’s possible that all three lines of defense failed.

The First Line of Defense: Employees

The first line of defense is the business. More specifically, it is the employees. From the back office to the front line, employees must be trained on and be responsible for carrying out the institution’s policies and procedures. They need to know their roles and responsibilities, follow risk and compliance processes, apply internal controls, and recognize risk.

The first line of defense is most likely to fail when there isn’t adequate training. Training isn’t just a quick check-the-box activity—especially when it comes to areas where enforcement actions are most common. Training must be robust to be effective. The financial institution needs to review audit results (see the Third Line of Defense) to uncover weaknesses in the first line and repeat and improve training as needed.

Why does training fall short? In many cases, there are mixed signals from the top. If management or the board say training is necessary but aren’t doing anything to ensure employees have the time or resources they need to train effectively, training won’t accomplish its goals. If management is telling employees to follow training but really just cares about generating revenue, the first line of defense will fail.

Conflicts of interest that benefit an institution’s bottom line, like the one at JPMorgan, don’t just happen. Someone makes that choice. Were employees incentivized to make choices that resulted in conflicts of interest? Was this incentive intended or unintended? Did their managers know employees were making these decisions and choose to ignore it, or were they unaware? There’s plenty of potential blame to go around. If the first line of defense had been functioning, employees would have been following policies and procedures. That leads us to the role of the second line of defense.

The Second Line of Defense: Compliance and Risk Management

The second line of defense is made up of the financial institution's compliance and risk-related functions. These areas are responsible for creating and executing the policies, procedures, and systems that oversee and guide the first line of defense.

Risk management is responsible for assessing the risk of all business activities. If a business activity doesn’t fall within the FI’s risk tolerance, internal controls need to be added or adjusted—or the activity may need to be discontinued. For instance, many FIs exited the mortgage market when increasingly complex mortgage regulation made the risk of doing business too high to be worth the potential reward.

Risk management also identifies high-risk areas that require increased scrutiny in the form of testing and monitoring to ensure the first line is working as intended to comply with rules and regulations.

Compliance is responsible for identifying applicable laws and regulations, interpreting them, and then developing and enforcing policies and procedures to support them through a compliance management system (CMS). It should work hand-in-hand with risk management to ensure risk assessments are thorough and up-to-date.

In the case of JPMorgan, risk management should have recognized that its fiduciary business was high-risk and required an increased level of risk management, mitigation, and monitoring. There should have been policies and procedures in place to prevent and detect conflicts of interest. Either these policies didn’t exist or they weren’t effective. The framework for managing this risk was insufficient and internal controls were inadequate.

The Third Line of Defense: Audit

The third line of defense is the external and internal auditors who independently evaluate risks and controls, especially those designed to manage high-risk activities. They are also responsible for reporting on risk to the board, senior management, and other stakeholders.

The third line of defense also includes ensuring that findings are addressed promptly and consistently. Auditing provides no value if you don’t do anything with the information. Being able to track and remediate problems is an essential step in assuring that risks are appropriately mitigated and the organization is ready for external regulatory exams and reviews. It makes sure that an FI identifies and corrects problems itself, rather than waiting for an examiner to uncover an issue.

The audit program at JPMorgan Chase was insufficient. It was probably stymied by poor internal controls. It’s hard to follow up on the effectiveness of controls that aren’t appropriate in the first place, but a good audit program would have noticed controls weren’t doing their job.

While the three lines of defense should provide a three-pronged approach to keeping an institution safe and sound, that’s only the case when the lines are functioning. When one area isn’t working, as the OCC said about the JPMorgan audit program, it raises the question of why the other functions didn’t catch the problem. Perhaps it’s because having one line down is a symptom of a greater problem.

Are you confident your bank’s three lines of defense are working? If there is a flaw in one line, it can reduce the impact of your other defenses. Make sure you have all the tools you need to keep everyone at your institution managing risk.


Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk. During his legal career, Mr. Berman was involved in numerous regulatory, compliance, and contract management challenges and assisted in the development of information systems to better manage these efforts. Prior to founding Ncontracts, he was General Counsel for Goldleaf Financial Solutions, Tecniflex, Inc. and Imagic Corporation. Mr. Berman is a well-regarded speaker at financial institution conferences on risk management. He received his undergraduate degree from Cornell University and holds a J.D. degree from the University of Tennessee.