Goldman Sachs, FCPA, and Internal Controls
Now that we’ve all had the weekend to contemplate the massive Goldman Sachs FCPA enforcement action from last week (because that’s how we all spend our free time, right?), let’s return to an issue that’s been on my mind since the settlement was announced.
How does a company strengthen an internal control, when that control is a management review committee?
One is tempted to describe Goldman’s review committee as the weak link in its compliance program — the part that broke, and allowed Timothy Leissner and other Goldman executives to conspire with Jho Low to swindle billions from Malaysia’s 1MDB fund.
Except, I’m not sure that a chain is the right metaphor here. Fixing a management review committee isn’t the same as swapping in new due diligence software or implementing a centralized repository of transaction data for better analytics. Those components of a compliance program very much are links in a chain, that can be repaired or replaced, and then the chain is strong again.
A management review committee is about exercising good judgment, guided by commitment to ethical principles. In that case, the best metaphor might be a house or a statute. The foundation is the most important thing — and if that foundation is built on sand or made of clay, we all know what happens to everything else that rests upon it.
I don’t know if we should describe Goldman’s management review committee as the final internal control, or the most important internal control, or the internal control that should have been most deeply rooted in a corporate ethical culture — but wasn’t.
Regardless, the prime fact is that if executive judgment isn’t rooted in commitment to ethical principles, everything can go to hell no matter how well-oiled the other, more mechanical parts of your compliance program are. Which is what happened at Goldman Sachs with 1MDB.
So how do you improve an internal control like that?
Evidence of Control Failure
Let’s go back to what the SEC had to say about Goldman’s internal control failures.
The SEC consent order specifically faulted Goldman Sachs’ internal controls for the period of 2012 through 2015, when the bank approved three bond deals that raised $6.5 billion for 1MDB and that generated $600 million in revenue for Goldman along the way. An important point here is that for all three bond deals, Goldman committed its own capital first, and then brought other investors into the deals to recoup that money.
So even for an enormously successful firm like Goldman Sachs, those deals required a lot of money. As such, the SEC order said, “Under the company’s policy, the Goldman Sachs Capital Committee was intended to serve a vital control function with regard to significant commitments in firm capital.”
Fair enough. But how should a committee like that actually work as a control function?
At Goldman, the compliance function and the business intelligence group were both represented on the capital committee, and should have been able to raise concerns about corruption risk that Goldman’s due diligence teams had uncovered while Leissner was putting together the bond deals. Jho Low was lurking on the sidelines of those deals, and Goldman executives knew that, according to any number of court documents now filed in the case.
Consider this passage from the deferred-prosecution agreement Goldman signed with the Justice Department:
Although employees serving as part of Goldman’s control functions knew that any transaction involving Low posed a significant risk, and although they were on notice that he was involved in the transactions, they did not take reasonable steps to ensure that Low was not involved. Additionally, there were significant red flags raised during the due diligence process and afterward, including, but not limited to, Low’s involvement in the deals, that were either ignored or only nominally addressed so that the transactions would be approved and Goldman could continue to do business with 1MDB.
If I were a compliance officer with a similar corporate structure, where a management review committee had to provide oversight into high-risk deals, the above paragraph is what I’d contemplate the most. How can the company assure that review committees take ethics and compliance risks seriously, even amid lucrative business deals?
For Goldman specifically, however, we can’t overlook that earlier this year the bank had another brush with FCPA trouble, where its internal controls did work as intended. In that case, a Goldman banker is accused of conspiring with a Turkish power company in 2014 to bribe government officials in Ghana on an energy project. Those same management review committees flagged the Ghana deal as “significant and complex” (just like the 1MDB bond deals) — which triggered extra due diligence, which uncovered the illicit payments, which prompted Goldman to alert regulators.
In one case from the early 2010s, Goldman’s internal controls worked and the company avoided trouble. In another from the same period, this one involving 1MDB, the internal controls didn’t, and Goldman ended up paying the largest anti-corruption penalty in history.
What was different between the two deals? One can’t help but notice: 1MDB involved much more money.
What Goldman Has Done Lately
For Goldman Sachs’ side of the story, you can read a presentation of compliance program enhancements the bank says it has made since 1MDB blew up in its face several years ago. The bank has made many of what I call “mechanical” improvements, such as more sophisticated screening for due diligence and tighter approval policies for travel and entertainment. That’s good.
For those significant and complex transactions — the ones where managerial review committees are an internal control — the bank implemented these reforms, below.
Source: Goldman Sachs
If you can read the fine print, you’ll see that a lot of these improvements involve more reviews by more committees. That’s not necessarily a bad thing; the more people who review a deal, the more likely you are to penetrate the threat of groupthink — so that someone, somewhere, will have the gumption to say, “Who cares about the money? This stinks.”
That gumption is the crucial ingredient to make these review committees work as internal controls. Compliance officers, and all senior executives and board directors generally, need to consider how they foster that sensibility.
To a certain extent, policies and procedures can force some of the improvement. It’s worth noting that in the 1MDB deal, Goldman Sachs’ debt underwriting group was supposed to follow-up on several concerns the bank’s capital committee had raised. That follow-up didn’t happen, which is troublesome — but codifying policies and procedures to force follow-up, so that follow-up never done will stick out like a sore thumb, is one step in the right direction.
Still, I’ll always come back to training, executive commitment to ethics, and corporate culture as the most important elements of success. Let’s hope the Goldman of the 2020s does better than Goldman of the 2010s on that score.