Compliance lessons from Goldman Sachs’ $2.9B 1MDB settlement

1MDB was created by the government of Malaysia to promote economic development in the country through global partnerships and foreign direct investment, and its funds were intended to be used for improving the well-being of the Malaysian people. Instead, billions of dollars were stolen from it. The Department of Justice (DOJ) and many other global regulators have handed down punishments to the businesses and individuals involved in the scandal over the last several years.

“One factor in our analysis was the fact that not only was there criminal conduct by a number of Goldman Sachs executives, but there was also a number of red flags that were raised over the course of the years that would have and should have allowed Goldman Sachs to either identify misconduct and follow up on it, or stop it altogether—either at the outset or at some point before the scheme was completed.”

Acting DOJ Criminal Division head Brian Rabbitt

“Senior Goldman bankers played a central role in this scheme, conspiring with others to siphon off approximately $2.7 billion from 1MDB,” acting DOJ Criminal Division head Brian Rabbitt said in announcing Thursday’s settlement. Those bankers then used those funds to line their pockets and pay approximately $1.6 billion in bribes, “which to our knowledge is the largest amount of bribes ever paid by a company in violation of the FCPA,” Rabbitt added.

Under the agreement, the Justice Department will receive $1.26 billion, which is “the largest criminal monetary penalty ever paid to the United States in a corporate criminal foreign bribery resolution,” Rabbitt said.

The remainder of the $2.9 billion breaks down as follows: $606 million will be credited to the Government of Malaysia as disgorgement; the Securities and Exchange Commission (SEC) will receive $400 million in a civil penalty; the Federal Reserve Board will receive $154 million in a civil penalty; and several foreign regulators will receive similar amounts in penalties, credited against the global total.

“Today’s case is also important because of the unprecedent cooperation and coordination that made it possible,” Rabbitt said. No fewer than nine agencies were involved, including the DOJ; the SEC; the New York Department of Financial Services; the Federal Reserve Board; the U.K. Financial Conduct Authority (FCA) and Bank of England Prudential Regulation Authority (PRA); as well as several other foreign authorities, including those in Switzerland, Singapore, Luxembourg, and Malaysia.

The FCA/PRA stake was a fine of £96.6 million (U.S. $126 million) for risk management failures at Goldman Sachs International.

For any firm faced with a global investigation, the key message is this: “Where companies work in good faith to facilitate a coordinated resolution in a case such as this, we will do our part by avoiding ‘piling on’ and not imposing duplicative fines or penalties,” Rabbitt said.

In addition to the $2.9 billion in penalties and disgorgement, Goldman Sachs Malaysia pleaded guilty for its role in the scandal and admitted criminal liability for FCPA violations. Goldman Sachs Group, however, avoided a guilty plea and instead entered a three-year deferred prosecution agreement with the Justice Department.

Compliance lessons abound

There are many compliance lessons to garner from Goldman Sachs’ involvement in the 1MDB scandal, as described by enforcement authorities. “Here, one factor in our analysis was the fact that not only was there criminal conduct by a number of Goldman Sachs executives, but there was also a number of red flags that were raised over the course of the years that would have and should have allowed Goldman Sachs to either identify misconduct and follow up on it, or stop it altogether—either at the outset or at some point before the scheme was completed,” Rabbitt said.

He added that the resolution “shows companies the importance of corporate compliance programs. It shows companies that they need to ensure that their corporate compliance programs are not only adequate on paper, but that they’re also adequately resourced; functioning properly; tested; and that they can actually identify, stop, and mitigate the type of conduct that led to these significant criminal charges and the significant resolution with the bank.”

The SEC’s order found Goldman Sachs violated the anti-bribery, internal accounting controls, and books-and-records provisions of federal securities laws. “From our perspective, this case highlights the continuing need for public companies to understand who they are doing business with, as well as to have controls that are tailored to the risk presented by employees at all levels, including senior employees,” said Stephanie Avakian, director of the SEC’s Division of Enforcement. “This is particularly important where, as here, the transactions at issue involve billions of dollars of corporate assets.”

Compliance enhancements

The Federal Reserve Board’s settlement describes a long list of compliance failures by Goldman Sachs, including “failure to maintain appropriate oversight, internal controls, and risk management with respect to Goldman’s involvement,” said Jason Gonzalez, assistant general counsel for enforcement at the Federal Reserve. In addition to the $154 million civil penalty, the Federal Reserve is imposing a cease-and-desist order directing Goldman Sachs Group to improve its risk management and oversight of significant and complex transactions (SCTs), improve its anti-bribery compliance program, and enhance its due diligence related to these transactions.

According to the Federal Reserve, “While certain business personnel at times provided false, misleading or inadequate information to the firm’s control functions and senior personnel responsible for assessing and approving the 1MDB offerings, such control functions and senior firm personnel failed sufficiently to challenge the business line, address adequately red flags regarding the 1MDB offerings, insist on adequate information and documentation regarding key aspects of the offerings prior to execution, and effectively supervise a senior business employee about whom certain firm personnel had expressed integrity concerns in the past.”

The compliance enhancements Goldman Sachs must make as a result, as spelled out in the cease-and-desist order, are described in detail below.

Corporate governance and management oversight. Under the cease-and-desist order, Goldman Sachs must set forth a plan that must describe, among other things:

• What actions the board and senior management will take to maintain effective control over, and oversight of, firmwide compliance with legal requirements in connection with SCTs;
• What measures will be taken to ensure, on an ongoing basis, compliance issues regarding SCTs are appropriately tracked, escalated, and reviewed by senior management and any investigation and/or resolution of issues is documented in writing;
• Measures to ensure that the person or groups within the firm’s committees and associated control functions charged with the responsibility of reviewing and approving SCTs possess appropriate subject-matter expertise and are actively involved in carrying out such responsibilities;
• Measures to ensure review by the compliance officer and/or appropriate control personnel of material changes to SCTs prior to closing and execution and measures to ensure appropriate final committee review of material issues prior to transaction closing;
• Policies and procedures to ensure the elevation of SCTs, as applicable, to the firmwide Reputational Risk Committee for consideration of the reputational risks posed to the firm; and
• Allocation of adequate staffing levels and resources to ensure compliance with the order and applicable legal requirements.

Anti-bribery compliance. Among the enhancements Goldman Sachs must make to its existing anti-bribery compliance program for SCTs include:

• A system of internal controls reasonably designed to ensure compliance with U.S. anti-bribery laws;
• A comprehensive risk assessment that identifies and considers the anti­-bribery risks posed by any SCT and relationships around such products, including, but not limited to governments, government-affiliated entities, and politically exposed persons in determining inherent and residual risks;
• Enhancement of the firm’s policies and procedures for identifying finders, intermediaries, and other third parties involved in SCTs, regardless of how they are compensated, procedures for the investigation and escalation of red flags regarding intermediaries, and appropriate surveillance of business-side personnel who work on SCTs;
• Comprehensive and timely independent testing for compliance with applicable anti-bribery legal requirements for SCTs; and
• Effective, ongoing training of all personnel, including targeted training for personnel responsible for executing SCTs, in all aspects of the anti-bribery policies and procedures and applicable legal requirements.

Transaction due diligence. The cease-and-desist order further directs Goldman Sachs Group’s board and senior management to ensure implementation of the enhanced due diligence program, which should include, at a minimum:

• Policies and procedures to ensure that firm personnel conduct appropriate anti-bribery and corruption due diligence and, where necessary, enhanced due diligence on entities involved in SCTs, as well as their subsidiaries, special purpose vehicles, and principals;
• Measures to ensure due diligence issues regarding SCTs, including red flags defined in the firm’s policies and procedures, are appropriately tracked, escalated, and reviewed by senior management and any investigation and/or resolution of issues is documented in writing; and
• Measures to ensure that the firm has obtained and documented appropriate corporate authority from clients, counter-parties, guarantors or other relevant parties, as appropriate, to execute SCTs and that firm personnel with decision-making authority have sufficient understanding of trade economics, client motivation and expected use of proceeds, as appropriate, prior to approval in order to make a reasonable business decision.

“The Federal Reserve’s actions send a strong message to the banking industry to make compliance with the law a priority,” Gonzalez said. “The action also highlights the importance of banks effectively managing operational risk and the consequences of failing to do so.”

Individual actions

Individual charges have also been brought in the case. Previously, Tim Leissner, the former Southeast Asia chairman and participating managing director of Goldman Sachs, pleaded guilty to conspiring to launder money and to violate the FCPA. Ng Chong Hwa, also known as “Roger Ng,” former managing director of Goldman and head of investment banking for GS Malaysia, has been charged with conspiring to launder money and to violate the FCPA.

Ng was extradited from Malaysia to face these charges and is scheduled to stand trial in March 2021, the Justice Department announced. The cases are assigned to U.S. District Judge Margo Brodie of the Eastern District of New York.

In March 2019, the Federal Reserve prohibited from banking Leissner and Ng for their roles in the scheme. Leissner was also fined $1.4 million. In January 2020, the Federal Reserve also prohibited former Goldman employee Andrea Vella for “unsafe and unsound practices in connection with the bond offerings.” Leissner also faced charges by the SEC in December 2019.

“This has been a long process and we are pleased to be putting these matters behind us,” Goldman Sachs Chairman and CEO David Solomon said in a statement. “But, we are not putting the lessons learned from this experience behind us.”

Goldman’s board of directors approved action to claw back compensation from past and current senior management, including Solomon, in response to the record fine. “The Board’s announcement is an important reminder that we are all responsible for each other’s actions, including our collective failures,” Solomon said.