What is Risk? Compliance Lessons from the Senate Hearing On the Whale

by Thomas Fox

What is risk? Under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act risk is generally doing business in a non-compliant manner under these laws, where such action can increase the possibility of engaging in or facilitating a corrupt payment or bribe. However, risk can involve other areas. If you are an investment bank, one of the risks which requires management is losses around trading. This was painfully put on public display last week in the US Senate Permanent Subcommittee on Investigations hearings into the JP Morgan trading losses and the trader who has come to be known as the “London Whale”.

The London Whale involved trading losses which eventually hit $6.2bn for certain credit trades. In the FT Lex Column, an article entitled “Whale fail” stated that either the “bank leadership actively circumvented risk controls and misled the regulator and investors [the Senate’s take] or the affair was an exercise in systematic incompetence [JPMorgan’s]”. Either version is not a good one for JPMorgan. The Senate report identified a list of failings at JPMorgan, accused the Chief Investment Officer (CIO) of putting into place a risky investment strategy and then trying to hide the losses. It alleged the bank hid its trading losses and finally lied to regulators. The Senate Subcommittee report and hearings provide many valuable lessons for the compliance practitioner.

Change in Business May Increase Risk

The Financial Times (FT), in an article entitled “Harpooning The Whale-Dimon and his lieutenants caught in spotlight over risk management”, showed how this trading desk morphed over the years. While the trades were initially set up as derivative positions meant to be used as a hedge by JPMorgan, at some point they morphed into something very different so that by the first quarter of 2012, “the portfolio exploded in size, complexity and risk, with little or no notice to the bank’s senior risk managers or its regulators.” The trading program went from a “notional size of $51bn in 2011” to a value of $157bn in Q1 2012.

When you have a program that goes from a financial hedging operation to a program which generates profits, you have a very different risk profile. If your risk profile increases through such a change, you need better management of that risk. While the extent to which JPMorgan senior management were aware of the additional risk is unclear, it is clear that JPMorgan’s risk management program was sorely lacking by failing to bring this trading desk into its overall risk management structure.

When Employees Call (Internal) 911

One of the things made clear at the Senate hearings was that JPMorgan executives tried to blame those big, bad traders in London for the whole debacle. In an article in the New York Times (NYT) Dealb%k, entitled “Withering Questions at Senate Hearing on JPMorgan Loss”, reporter Jessica Silver-Greenberg wrote, “Ina Drew, who resigned in May as the head of JPMorgan’s chief investment office, the group at the center of the problems… directed virtually all of the blame at lower-level traders in London and other subordinates.” However, the reporting by the FT would suggest otherwise. In “Harpooning the Whale” it said that the trader nicknamed the “London Whale” sent “panicked emails to his superiors” in late January 2012. In one of the emails quoted in the FT piece he said, “We need to discuss the synthetic book. The current strategy doesn’t seem to work out.” In another email he wrote, “The financial [p]erformance is worrisome.” Finally he wrote that the derivatives trades were “huge” and “scary”. Indeed.

A company certainly wants its employees to notify upper management if something goes awry and a company’s risk significantly increases. In the safety part of any company it is now standard procedure that ‘safety is everyone’s responsibility’ and if any employee sees an unsafe operation occurring, that employee has the right to shut it down immediately, with no fear of retaliation. However the key lesson to be learned from this experience is that if an employee notifies his or her superiors of a high risk activity, that risk needs to be identified and the conduct which led to the risk stopped.

Do Not Raise/Exceed the Risk Bar

When these emails from the London Whale and other information came back to JPMorgan about the potential size of these losses, did it try and call off its position? No. It continued, but tried to contain the losses by changing the risk parameters so that the losses did not appear as losses and the trades were made to appear to be within the bank’s risk restrictions. Gretchen Morgenson, writing in the NYT, in an article entitled, “JPMorgan’s Follies, For All To See” explained the bank did so by changing its normal practice in valuing these types of derivatives. She said that “Normal practice at the bank and across the industry is to value these kinds of derivatives at the midpoint between the bid and offer prices available in the market. But in early 2012, as it became apparent that JPMorgan’s big trades at the chief investment office were going bad, the bank began valuing the portfolio well outside the midpoint. This reduced its losses.

For example, in January 2012, the portfolio valuations hewed closely to the midpoint on all but 2 of the 18 measures, the Senate investigators found. A month later, 5 of the 18 valuation measures deviated from the midpoint. In March, however, all 18 deviated, and 16 were at the outer bounds of price ranges. In every case, the prices used by the bank understated its losses. While these valuation shifts were taking place in the chief investment office, JPMorgan’s investment bank officials continued to mark their identical positions using the midpoint value.

In addition to changing its risk parameters, the Senate report noted that JPMorgan did not follow its own guidelines regarding risk boundaries for such trades. Morgenson writes that “Risk limits, intended to protect the bank from losses, were also routinely breached at JPMorgan Chase. […] From late 2011 to the first quarter of 2012, Senate investigators saw a huge jump in the number of risk-limit breaches — to more than 170, from 6. Then, in April 2012 alone, risk limits were exceeded 160 times.” Morgenson concluded that the bank’s risk limits “were either ignored or modified to make the portfolio look better”.

Risk parameters are put in place for a reason. It is to manage a company’s risk, whether that be in an investment strategy or relating to bribery and corruption under the FCPA. Once a protocol is in place, it should not be changed in the absence of careful analysis and documentation of that analysis. When it all hits the fan it is not the time to change your risk protocols. It is equally important that a company follows its risk parameters and does not exceed them on a routine basis. While it is important that you have a compliance and risk management program, if you have one and do not follow it the consequences can be even more severe.

What Did You Do About It?

In thinking about any risk breach, whether it be safety, FCPA or credit trading, I always conclude my thoughts with Paul McNulty’s Third Maxim, “What did you do when you found out about it?” JPMorgan did launch its own internal investigation into the trading losses but Morgenson noted that the report produced was criticized by the Senate Subcommittee for its lack of rigor. She also reported that JPMorgan “has repeatedly said it made mistakes and has changed its policies.” What about discipline for those involved? In an article in the Wall Street Journal, entitled “Senate Puts ‘Whale’ On the Grill”, it was reported that Douglas Braunstein, J.P. Morgan’s former chief financial officer, testified “that his annual pay had been cut to $5 million from $9.5 million.” Other senior executives at the bank, including Mr. Dimon, [JPMorgan Chief Executive] also saw large pay cuts.


Most companies which face an FCPA issue will not have to go through such a thorough and very public Senate investigation and hearing. However, because it was such a public event, there were many public lessons which can be learned by the compliance practitioner. As a publicly listed institution, it is the shareholders who will ultimately bear the losses sustained by the bank. The Lex Column of the FT stated that “Until Mr. Dimon has shown over a series of reporting periods that the “whale” was an aberration rather than a reflection of rotten corporate culture, investors should tread cautiously.” In the FCPA world, if you have such a breach of your risk parameters, you may well have this same question posed to you.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising
