Goldman’s 1MDB scandal reflects highly skewed priorities and norms in tone at the top

But DoJ settlement reflects lack of systemic deficiencies in risk management evident in other large bank settlements

After lengthy negotiations in the 1MDB matter, the U.S. Justice Department on October 22 announced a settlement in which Goldman Sachs will pay the highest amount on record in a foreign bribery case. All in, Goldman will have paid over $5 billion to regulators globally, and $2.9 billion in the U.S. actions, including disgorgement of $600 million in underwriting fees for Malaysian bond offerings. In dollar terms the settlement is costly, but not so costly in terms of ongoing compliance remediation.

Unlike other recent large bank settlements, the DoJ’s terms do not mandate system-wide, intrusive remedial programs such as hiring a compliance monitor or overhauling the firm’s enterprise risk management. The lack of systematic remediation terms is also true of the related Federal Reserve Board and SEC orders against Goldman. These cease-and-desist consent agreements are limited primarily to enhancing oversight of Goldman’s diligence and approval process for significant, complex transactions such as the underwritings at issue in 1MDB and its related internal controls and anti-bribery compliance program.

Goldman was one of the few financial conglomerates to have weathered the global financial crisis of 2008 relatively unscathed, due to superior management of its subprime mortgage exposure. The OCC’s Citigroup action earlier this month involving long-standing systemic risk- and data-management deficiencies in the bank’s control infrastructure and Wells Fargo’s woes stand in stark contrast. How could 1MDB have happened?

The 1MDB scandal, the worst in Goldman’s history, cast a deep shadow over the firm for over half a decade. Until the guilty plea by Tim Leissner, the firm’s Southeast Asia chairman who orchestrated the firm’s wrongdoing with the assistance of other senior executives, no Goldman partner had been criminally prosecuted since 1989 when Robert Freeman was hauled off the trading floor in handcuffs on an insider trading charge. Leissner stole $200 million, bribed Malaysian and Abu Dhabi officials, and helped others launder some $2.7 billion from the $6.5 billion raised in Malaysian wealth fund bond offerings Goldman underwrote in 2012 and 2013.

In its previous public statements, Goldman pointed to its former partners as “rogue actors”. The findings of fact in the DoJ settlement reveal the disingenuousness of Goldman’s attempt to shift the blame to a handful of executives chasing lucrative deals in emerging markets while deviously evading internal controls. Rather, the scandal reflects three major compliance and risk management failures. While not systemic in nature, these failures nonetheless reflect chronic issues of poor management of compliance and reputation risk that have surfaced periodically at Goldman in the post-crisis period.

The first failure was Goldman’s prioritizing of a high-risk business strategy without a corresponding management of the risks it entailed. The firm decided to expand aggressively in the intensely competitive Southeast Asian market well known for its money laundering risk. While this aligned with a prudent post-crisis strategy to diversify sources of revenue, it also involved targeting the top spot in bond underwriting. By 2013, Goldman ranked number two in investment banking fees in the region.

In the process of chasing market share, the firm’s business concerns overrode enforcement of policies and procedures and internal controls that otherwise appeared to be in place. While it’s true Leissner never was able to onboard Jho Low, a dubious Malaysian financier, as a Goldman client to win business due to compliance’s objections, his dogged efforts to do so repeatedly raised red flags. Goldman’s capital commitment committee for bond underwriting was rendered toothless in mitigating compliance risk. Even compliance itself was complicit in disregarding the red flags. As the Justice Department noted in a related criminal action, Goldman’s business culture in its Southeast Asian franchise was highly focused on “consummating deals … ahead of the proper operation of its compliance function.”

Goldman’s second failure was its poor “tone at the top”. This fundamental but underappreciated compliance precept refers to the ethical standards and cultural norms that senior management sets for all of its employees. Senior managers must not only communicate their commitment to a strong compliance culture but back up their statements through ethical conduct and decisionmaking. That an employee of Leissner’s stature could so blithely brush off compliance with red flags waving and repeatedly lie without internal consequences shows how far the firm’s risk appetite had shifted in an unconstrained fashion toward the aggressive end of the spectrum.

Mr. Leissner would not have attained partnership status without a conduct and character that reflected the firm’s cultural and ethical norms. Goldman’s partners are a true reflection of the company’s tone at the top.

A 2010 SEC anti-fraud action against the firm evidences the same deeply rooted, skewed approach to its way of doing business. Goldman structured the deal at issue, the infamous ABACUS synthetic CDO transaction, at the beginning of the mortgage meltdown in 2007. In that deal, Goldman patently favored one client, John Paulson, who paid $15 million to the firm to create a vehicle allowing him to make a large bet on a housing downturn. Goldman found an unsophisticated German institutional investor to be one of Paulson’s main counterparties. In the offering materials, Goldman chose not to disclose Paulson’s involvement in selecting ABACUS’s referenced subprime mortgage bonds.

The undisclosed conflict ultimately led to a $550 million fraud settlement that was highly damaging to Goldman’s reputation. ABACUS also helped pave the way to passage of the Dodd-Frank Act, which had been stalled in Congress due to partisan wrangling.

Testifying in the Senate, then-CEO Lloyd Blankfein said his firm was merely acting as a deal maker for clients who had differing views on the housing market and had done nothing wrong. But in addition to favoring Paulson in the deal, Goldman itself already had adopted a dim view of the housing market. It had begun hedging its exposure to subprime mortgages back in 2006. ABACUS is part and parcel of the aggressive risk-taking culture that led shortly thereafter to 1MDB.

The third control failure involved in the scandal, related to the first two, involved breaking with established risk management best practices. The “three lines of defense” model, called “3LOD” by the industry for short, is now nearly universal among the large financial firms. 3LOD was launched in the wake of the colossal failures in risk management that contributed to the 2008 financial crisis. Executing 3LOD properly rests squarely on the shoulders of senior and business line management – the “first line of defense”. A central lesson of the crisis was to hold business managers accountable by compelling them to “own” the risks that they created. Goldman’s 3LOD was broken at its most important link.

Compliance and risk management, the second line, and internal audit, the third line, can do little in carrying out their control functions without the business side’s active support and engagement. A weak first line, armed with disciplining and hiring and firing authority, weakens the entire control system. This system relies on management to communicate values, support action against wrongdoing, and provide adequate funds for the oversight functions. Goldman’s senior managers did not effectively supervise the executives in the Southeast Asia office, a central finding by all three federal agencies in the $2.9 billion settlement.

The 1MDB deferred prosecution agreement offers a way forward for the firm to fix the three risk management and compliance failures highlighted above. Goldman must ensure that its directors and senior management provide “strong, explicit, and visible support and commitment” to its anti-bribery policy and demonstrate “rigorous adherence by example.” Furthermore, whether or not cajoled by the regulators, the highly unusual claw back of $174 million from CEO and Chairman Solomon and Lloyd Blankfein, his predecessor, among other senior executives, reflects an effort to meet regulators’ expectations that the firm will remedy the lack of senior management oversight and poor management of compliance risk. But consequential change in the management of such risk by Goldman’s higher echelons will likely be slow in coming.