All right compliance professionals, it’s here: Goldman Sachs has agreed to pay $4.3 billion to settle corruption charges for its role in the 1MDB scandal — making Wall Street’s premier investment bank responsible for the largest criminal penalty in FCPA history.
U.S. regulators announced the news today, although rumors of a settlement had been swirling for the better part of a week. Moreover, everyone knew for years that Goldman would be held accountable for its role in 1MDB eventually. That day has arrived.
This is a sprawling case that will take several posts to analyze fully. Today we’ll recap the allegations and the settlement agreement, break down the components of that $4.3 billion penalty, and consider the internal control issues raised in Goldman’s consent order with the Securities and Exchange Commission.
1MDB was the Malaysian government investment fund created in 2009 ostensibly to fund economic development projects for the Malaysian people. In reality, 1MDB became a vehicle that allowed Jho Low, now one of the most notorious fugitives and fraudsters in the world, to plunder billions from the Malaysian government.
What happened? As outlined in court documents (and documented in the best-seller Billion Dollar Whale), Low conspired with two now-former Goldman bankers, Tim Leissner and Roger Ng, to pay roughly $1.6 billion in bribes to government officials in Malaysia and Abu Dhabi in the early 2010s. Those bribes paved the way for Goldman Sachs to manage three bond issues for 1MDB, which raised $6.5 billion and netted Goldman $600 million in revenue.
Then came the plundering. Justice Department officials say Low, Leissner, Ng, and others involved in the scheme embezzled $4.5 billion — yes, billion — that helped to fund all sorts of personal enrichment: luxury parties in Las Vegas, private air travel, magnums of champagne, art collections. Read the book if you want the full details.
Leissner, the former chairman of Goldman’s operations in Southeast Asia, pleaded guilty to two counts of conspiracy and FCPA violations in 2018. Ng has been indicted but is contesting the case. Former Malaysian prime minister Najib Razak was convicted of corruption charges in Malaysia earlier this summer. Low remains a fugitive, whereabouts unknown.
The Settlement(s) Reached Today
Goldman’s penalties to the U.S. Justice Department and SEC were only part of a much larger global settlement involving regulatory agencies around the world. Here’s the full breakdown of who imposed what against Goldman and its subsidiaries just on Thursday:
The Justice Department did say it will credit $1.6 billion of its penalty back to Goldman, in consideration of the other penalties the bank is paying. Also, this amount does not include a separate settlement of $2.5 billion that Goldman agreed to pay to the government of Malaysia. In exchange, Malaysia dropped pending criminal charges against Goldman and numerous executives there.
Goldman Sachs also accepted a three-year deferred-prosecution agreement, but did not receive a corporate compliance monitor. Its Malaysia unit, GS Malaysia, pleaded guilty to one count of violating the FCPA, although Goldman itself only “admitted wrongdoing” without a guilty plea.
The board of Goldman Sachs also said today that it will claw back or cancel $174 million in compensation to numerous current or former executives, including current CEO David Solomon and former CEO Lloyd Blankfein.
Now we can finally get to the good stuff: Goldman’s internal control lapses.
Parsing the SEC Consent Order
So to what extent did Goldman Sachs know that Leissner, Ng, and others were working with Low, and bribing foreign government officials to win lucrative bond deals for the bank? What internal accounting controls were in place to prevent such misconduct, and why didn’t they work?
The SEC’s order provides some detail about Goldman Sachs’ internal control systems. Those controls depended heavily on management committees that reviewed deals for potential trouble. Let’s say that again for clarity: the committees’ approval process was the internal control.
For example, Goldman did have an anti-bribery policy, enforced by its compliance function and a separate group known as the business intelligence team. Those two groups, however, worked with other management review committees that considered significant transactions — like the three bond deals for 1MDB — and reviewed those transactions for potential risks. In the SEC’s words: “The committees played a critical role in the chain of management approvals necessary for transactions such as the bond deals to be consummated.”
From 2009 into 2011, Leissner and Ng tried to persuade Goldman Sachs to work with Low directly — but senior executives at the bank decided against that, because they deemed Low a suspicious character not worth the risk.
From 2012 into 2014, however, Goldman Sachs then managed those three 1MDB bond deals. All the while, Leissner, Ng, and other senior employees at Goldman knew that Low was working behind the scenes to help arrange those deals with lucrative Middle East funding sources. Leissner, Ng, and at least one other Goldman employee knew that Low was bribing government officials.
The deals were approved, the bonds were issued, the $6.5 billion was raised. Then portions of that money were transferred to other accounts, owned by shell companies controlled by Low or other corrupt players. Again, from the SEC order: “Goldman Sachs’s books and records… failed to accurately reflect key aspects of the transaction, including the involvement of a third-party intermediary.”
So What Internal Controls Failed?
This is the part that intrigues me. If your internal accounting control is a committee review process, how should that process work? What information does the compliance team provide, what factors does the management committee consider, and how do things go wrong?
The deferred-prosecution agreement gives us a few more details:
Although employees serving as part of Goldman’s control functions knew that any transaction involving Low posed a significant risk, and although they were on notice that he was involved in the transactions, they did not take reasonable steps to ensure that Low was not involved. Additionally, there were significant red flags raised during the due diligence process and afterward, including, but not limited to, Low’s involvement in the deals, that were either ignored or only nominally addressed so that the transactions would be approved and Goldman could continue to do business with 1MDB.
That paragraph tells me that even when the compliance function was performing its duties identifying Jho Low as a risk, the rest of Goldman had a desultory attitude about compliance — which is a problem of leadership and culture.
Let’s also remember that this is Goldman’s second brush with FCPA enforcement this year. In April the SEC brought charges against a former Goldman banker for alleged bribery in Ghana. In that instance, Goldman dodged any corporate liability for its supposedly effective compliance program. The difference between that case and 1MDB is the money: 1MDB involved a lot more of it.
Back to the DPA. In the mid-2010s, both the media and Goldman employees were chattering about Low’s probable involvement in the bond deals and bribery payments to make those deals happen. And yet, as the DPA says:
Goldman failed to investigate these red flags or to perform an internal review of its role in the bond deals despite the clear implication that the deals had involved criminal wrongdoing. Further, high ranking employees of Goldman failed to escalate concerns about bribery and other criminal conduct related to the bond deals pursuant to Goldman’s escalation policy.
The evidence of those leadership failures is clear because, like all large financial firms, Goldman recorded executives’ phone calls extensively. So we know that even as late as 2015, employees were telling senior Goldman executives that they suspected Low and Leissner were involved in corruption (on Page 56 of the DPA, if you’re curious). Yet there was no follow-up.
So what can a company do to remediate that sort of internal control failure? It’s not like a flawed accounting policy that can be fixed, or a payments procedure that can be hard-coded to happen in a better way.
The DPA outlines all the usual corrective actions one would expect when a company promises better corporate compliance. How much will those steps really work? I’m not sure. When you have a weak commitment to good conduct at the leadership ranks, that transcends the usual compliance program fixes we discuss so much. You need to discipline, and potentially change, the leaders themselves.
David Solomon has only been CEO of Goldman since late 2018, but he joined the bank in 1999 and has been a senior executive for years. Sure, Lloyd Blankfein is being forced to give up tens of millions in compensation, but Blankfein is a billionaire. How much will he feel the sting of that clawback?
We can (and will) go into further detail about Goldman’s misconduct, since there is a ton to consider here.
For now, however, consider this: What’s the best way to strengthen an internal control that depends on management taking compliance seriously?