Compliance professionals have another large FCPA enforcement action to pore over this week, thanks to the perpetually struggling Credit Suisse and several economic development loans for the country of Mozambique that were, quite literally, soaked in corruption.
The headline, announced on Tuesday, is that Credit Suisse will pay $475 million to regulators in the United States, London, and Switzerland for its role in two financing deals Mozambican officials cooked up in the 2010s, ostensibly to develop Mozambique’s coastal infrastructure. Of course those financing deals, totaling more than $1 billion, were corrupt: the officials worked with a sketchy intermediary to divert some $200 million into various people’s pockets. Three Credit Suisse bankers have already pleaded guilty for their roles in the scam, too.
Compliance professionals could examine this enforcement action from all sorts of angles. Today let’s study the flawed corruption risk assessment that Credit Suisse applied to the transactions, and how that flawed assessment then led to larger internal control failures that resulted in a three-year deferred-prosecution agreement and significant monetary penalties (on top of the usual disgorgement plus interest).
If that’s our focus, then the place to start is the settlement order from the U.K. Financial Conduct Authority.
What intrigued me most in the FCA’s order was its description of how Credit Suisse failed to intercept what clearly were transactions that stunk with corruption. Yes, the compliance team did go through the appropriate due diligence motions, and even found red flags. But management didn’t consider those concerns in a sincere, unified way. As the FCA said in its order:
“Credit Suisse conducted due diligence, including enhanced due diligence, on the relevant entities and individuals related to the transactions, and other key functions and committees were involved in reviewing and approving the transactions. However, Credit Suisse’s consideration of the above risk factors was inadequate because it gave insufficient weight to the risk factors individually and failed to adequately consider them holistically. Credit Suisse failed to recognize that a corruption ‘red flag’ will often be — rather than direct evidence of corruption or bribery — apparent from the context of the transaction, sector, jurisdiction and counterparty.”
Or, more simply: if executives want a way to rationalize a bad deal, they can usually find one. That is why the control environment is so important: it gives control activities real force. That is not what happened here, which left Credit Suisse facing severe penalties in addition to the usual disgorgement.
The Devil in the Details
Let’s back up and review the corruption itself, and then return to the internal control failures later.
As described by the FCA and in a separate settlement order from the U.S. Securities & Exchange Commission, Credit Suisse arranged two financing deals from 2012 into 2016 to help Mozambique develop its coastal infrastructure. The first deal was to strengthen the Mozambican navy, by working with a newly formed state-owned company called ProIndicus. Credit Suisse arranged to pour $622 million into ProIndicus from various lenders, including Credit Suisse itself. The second deal was to develop Mozambique’s coast for tuna fishing, through another newly formed state-owned company called EMATUM. Credit Suisse arranged $850 million in funding for that deal.
In both deals, a crucial character was an unnamed intermediary based in the United Arab Emirates — described in one due diligence report as “a master of kickbacks,” and by one of Credit Suisse’s own bank managers as “an undesirable client… obviously involved in corrupt business practices.”
ProIndicus and EMATUM both contracted with the intermediary supposedly for him to provide vessels, other equipment, and services back to Mozambique. Credit Suisse then transferred proceeds of the financing deal directly to bank accounts in the UAE controlled by the intermediary; he then skimmed funds off the top to serve as kickbacks for the Credit Suisse bankers, Mozambican government officials, and himself.
What’s interesting is that in both transactions Credit Suisse did at least go through the motions of due diligence and compliance, and found troubling evidence about Mr. Intermediary.
For example, there was that due diligence report flagging him as the master of kickbacks. The report went on to say that “all sources we spoke to about [Mr. Intermediary] were confident of his past and continued involvement in offering and receiving bribes and kickbacks.” In the EMATUM deal, a due diligence report revealed that Mr. Intermediary wasn’t selected as a partner through a standard competitive bidding process, but rather through his “high-level connections” with the Mozambican government.
Despite a highly problematic due diligence report, Credit Suisse’s senior managers still managed to turn a blind eye and decided to pursue the business. How?
Credit Suisse’s Control Failures
The Financial Conduct Authority’s settlement order includes numerous examples of deficiencies Credit Suisse had in its risk and compliance functions at the time. Among them:
- Credit Suisse’s anti-corruption teams were siloed and under-resourced. For example, in 2013 the bank had only one regional anti-corruption officer for the whole EMEA region. The anti-corruption team as a whole also had to rely heavily on bankers in the first line of defense to identify corruption risks, which is pretty much the fox guarding the henhouse.
- Credit Suisse’s reputation risk process was weak. The bank had a total of three full-time employees devoted to assessing reputation risk in 2013. Those three weren’t enough to fulfill the demands of Credit Suisse’s reputation risk policies and processes, given the breadth of business Credit Suisse was conducting (especially in high-risk markets such as Africa).
- Credit Suisse’s various compliance and risk assurance functions operated as silos, without an overall strategy to reduce financial crime risk. The FCA mentioned this point several times: that without an overall strategy, internal control activities happened essentially in a vacuum, where senior executives could turn that blind eye we mentioned earlier. Too many risk and compliance executives had junior titles, or acted in advisory capacities with limited power to force First Line business leaders to confront difficult risk questions.
- And as such, the first line business leaders could engage in poor risk decisions. To quote directly from the FCA: “At times, a lack of engagement by senior individuals within the emerging markets business contributed to Credit Suisse’s failure to adequately scrutinise these transactions. Collectively, the above shortcomings constituted a failure by Credit Suisse to take reasonable care to organise and control its affairs responsibly and effectively.”
So senior leaders at the bank failed to make anti-corruption and ethical business a high enough priority; which meant the overall financial crime compliance strategy was weak and poorly executed; which created an environment where First Line business executives could push ahead with sketchy business deals even when compliance teams turned up clear, compelling evidence of risk.
That’s how Credit Suisse got here. That’s how its internal control structures looked good on paper but failed in practice.
I’m sure that some people will point to those three now-former Credit Suisse employees, complicit in the misconduct, and say that rogue employees make rooting out misconduct immeasurably harder. I don’t buy that.
“Master of kickbacks” was written right there in the due diligence reports. More than $1 billion in economic development funds for Mozambique were going directly to accounts in Abu Dhabi. Anyone with more than two brain cells knew that Mozambique was a high-risk country for corruption. None of those things could be covered up by internal employees no matter how rogue they were.
But when commitment to ethical business practice doesn’t flow down from the top, all that evidence can just exist in pockets of lower-level activity and never pierce through the noise. It all still depends, as always, on the control environment supporting control activities that can actually get things done.