(Reuters) — JPMorgan Chase has been fined $4 million by the U.S. Securities and Exchange Commission after about 47 million emails belonging to its retail banking group were accidentally and permanently deleted.
The emails dated from January 1 to April 23, 2018, and were deleted in June 2019 from approximately 8,700 mailboxes, including those belonging to as many as 7,500 employees who regularly worked with customers.
Many of the emails were business documents that the largest US bank was required to preserve for three years under SEC rules.
The deletions came after JPMorgan’s corporate compliance technology division, which had tried unsuccessfully to remove some communications from the 1970s and 1980s, sought help from an outside vendor that managed the bank’s email storage.
According to a cease and desist order, the provider failed to properly apply the three-year retention setting to “Chase” emails beginning in early 2018.
“As a result, the debugging exercise permanently deleted all emails in that domain from that period that were not subject to legal holds,” the order said.
JPMorgan, which is based in New York, did not admit or deny wrongdoing when it agreed to the civil settlement. It has adopted its own email encryption procedures to avoid a repeat.
“JPMorgan takes its recordkeeping obligations seriously,” the bank said in a statement.
According to the SEC, in at least 12 civil securities regulatory investigations, JPMorgan has failed to comply with subpoenas and document requests for communications that were permanently deleted.