Earlier this year Goldman Sachs (GS) reached settlements with regulators in the US, UK, Singapore, and Hong Kong over 1MDB. On 22 October 2020, the Chief Executive Officer (CEO) of GS sent an email to all employees globally reflecting on the lessons learned.
1. Follow up
When GS first established its relationship with 1MDB, individuals at GS attempted to make Jho Low a client. Compliance could not determine Low’s source of wealth and so refused to approve the relationship. However, those GS individuals continued working with Low because of Low’s connections and influence.
The lesson learned here is that advice not to proceed or not to do something needs follow-up. This can be as simple as reporting up the chain to ensure management is aware of the decision and the basis for the decision.
The second action is to check what happened next. What happened with that relationship? It doesn’t matter who follows up; really it should be the head of sales, as they exercise oversight of their area of the business. Compliance advisory should also have picked up that the relationship had continued, as part of their ongoing engagement with the business.
GS has added another dimension, which is to create a new Insider Threat Program that will use GS surveillance analytics to prevent and detect potentially harmful action by employees. Having an internal function performing this oversight and scanning of employee behaviour has been a trend since the LIBOR and FX issues and is becoming more common in larger firms. Using those internal investigative functions to assess the representations made by deal team members is a risk that should be in scope of their work.
2. Role and mandate
Taking the follow-up point a step further, GS has expanded the role and mandate of Compliance by creating a new Compliance Forensics Program. The program brings together surveillance activities across financial crime and market abuse, and expands surveillance to look internally.
The newly created function would have a mandate to conduct reviews on people, places, events, and processes that could present risk. It would further enhance the data analytics capability developed within GS for the purpose of checking adherence to sanctions, preventing fraud and money laundering, and market abuse surveillance.
Whilst the risks the program is looking to uncover are diverse and require different data sets, GS must believe there are synergies in the underlying approach and technology they are deploying. Certainly, the forensic and investigative skill sets, and legal and regulatory expertise they need will be similar.
The SEC found one of GS’s senior people, Tim Leissner, guilty of money laundering and breach of the Foreign Corrupt Practices Act. In reaching that verdict, the SEC found that Leissner had deliberately withheld information from Compliance.
Leissner had, for example, concealed from Compliance that he was working with Low to secure the deal to advise on the takeover of TIA, 1MDB’s predecessor entity. The representations made by Leissner and colleagues were sufficiently persuasive that GS continued its relationship with 1MDB.
Had Compliance been appropriately resourced, and had the forensics capabilities since created by GS, it may have identified Leissner’s continued relationship with Low.
Leissner was able to exert influence on the deal committees at GS because the principal inputs to the committee were memos from members of the deal team that he supervised.
To address the lack of independent input on deals, GS has set up a Firmwide Reputational Risk Committee. This new committee will provide independent challenge and risk assessment outside of the deal committee, mitigating the risk of individual employees deliberately ignoring advice from Compliance, as happened in 1MDB.
The committee members are mostly from control-side areas such as Risk and Compliance. Crucially, the committee has the authority to stop any transaction. This raises the question of whether Compliance should more generally have a right of veto.
It is clear from guidance about Compliance from the Bank for International Settlements and IOSCO that the role of Compliance is to identify, mitigate and prevent risks. In Europe, MiFID2 has further clarified this risk focus for the role of Compliance.
This guidance does not suggest that Compliance needs any right of veto because the authors expect Compliance to have the right skills, knowledge, and gravitas. If the business ignored the advice from Compliance, then the issue becomes broader than the matters originally advised upon; it broadens to a cultural and behavioural matter.
GS is now doing a look-back over the compensation received by its management in light of the 1MDB settlements. This after-the-event compensation review will be challenging to execute. Ensuring fairness across all those employees and ex-employees will be equally challenging.
Compliance could not have prevented GS from making those compensation payments unless they were already aware of the underlying issues and employee misconduct. The new committees, roles, and responsibilities that Compliance is taking on at GS will provide it with greater insights to identify risks.
The changes being made provide Compliance with far greater authority within GS and should better embed the acceptance of Compliance, and move employees’ attitudes towards Compliance away from it being a function that can be ignored and misled.