By Brian Monroe
January 16, 2020
Quote of the Day: “Act as if what you do makes a difference. It does.” – William James
In today’s briefing: Goldman Sachs sees profits drop on 1MDB costs and an expected penalty; Canada chided on fincrime for shutting down a unit investigating laundering at casinos; an expert looks at compliance lapses at Boeing; Equifax to spend $1 billion tied to its data breach; and more.
Goldman profit plummets as bank braces for incoming 1MDB penalty expected to breach $2 billion
Eight years ago, Goldman Sachs Group Inc. bankers sold bonds on behalf of a little-known Malaysian investment fund – a move that contributed to what many in hindsight have called the largest fraud the world has ever seen with the pilfering of nearly $3 billion.
On Wednesday, the fallout from that deal wiped out about 13% of the bank’s 2019 profits and darkened otherwise strong results.
Goldman socked away an extra $1.1 billion late last year to help pay for an expected settlement with regulators, who allege the bank overlooked signs of corruption at the Malaysian fund, known as 1MDB, in pursuit of fees.
The Wall Street Journal previously reported that Goldman is negotiating to pay the U.S. Justice Department a fine of about $2 billion and plead guilty to violating antibribery laws.
The legal reserves pushed Goldman’s return on equity—a closely watched measure of shareholder value—to 10% for the year, the worst among big banks that have reported financial results so far.
In the fourth quarter, Goldman’s investment bankers posted their second-best quarter ever and its struggling bond-trading arm showed signs of life. But both were overshadowed by the 1MDB legal charge and higher expenses. Goldman fourth-quarter profit fell 24% to $1.92 billion, even as revenue rose to $9.96 billion (via the WSJ and KYC 360).
Monroe’s Musings: This case is yet another example of what happens when rampant greed meets lax compliance controls. And for Goldman, this lapse is expected to cost them $2 billion or more – and that’s not even counting the expected and expansive remediation costs.
Talk to any longtime fincrime compliance professional and they will tell you that an aggressive remediation can cost triple, quadruple or more of the original penalty. These lessons, and eye-popping figures, should not be lost on other large banks, investment firms and financial institutions of all types and sizes.
Because whether you are dealing with a small low-risk business, or an exotic and possibly highly-profitable sovereign wealth fund, compliance always must come first – or it will come later at a much higher cost, both financially and reputationally.
In all, the sprawling corruption scheme has jolted many of the jurisdictions through which the money flowed into scrutinizing the banks and individuals involved, with some banks and officials penalized or sanctioned.
The United States, Switzerland, Hong Kong, Luxembourg, Singapore and Malaysia have all undertaken formal investigations.
Banks used by the group or connected to the case include Deutsche Bank, AmBank, Wells Fargo, Bank Negara, RBS Coutts, DBS, UBS, BSI, Credit Suisse and a JPMorgan Chase correspondent account.
The tendrils of corruption snaked as high as Najib Razak, the country’s prime minister, who created the 1MDB fund to supposedly spur development in Malaysia and entice foreign investors.
But with the scandal spiraling ever higher, Razak lost a campaign to be re-elected with U.S. investigators stating more than $700 million looted from the fund made its way to Razak’s own bank accounts.
REGIONAL COMPLIANCE SPOTLIGHT: CANADA
B.C. disbanded RCMP unit after report warned possible crime figure bought stake in casino: report
A businessman “connected to Asian organized crime” was allowed by a British Columbia government employee to buy part of a B.C. Lottery Corp. casino, according to a confidential RCMP report obtained by Global News.
And the government employee was later hired in a B.C. casino.
The explosive accusation is just one example of organized crime’s alleged infiltration and corruption of B.C. government casinos, according to a January 2009 RCMP anti-illegal gaming unit report.
The report also contained jarring allegations of victimization, including that women with gambling debts in Asia were being trafficked to B.C. and forced into sex work, and that children in B.C. had been thrown in the trunk of a car and warned at gun-point that their father owed $300,000.
The report argued the RCMP anti-illegal gaming unit (IIGET) should target the drug cartels using B.C. Lottery Corp. casinos in combination with illegal casinos, to launder money.
At the time the IIGET was funded by B.C. Lottery Corp., and was only permitted to target illegal casinos.
But three months later, instead of following the report’s recommendations, B.C.’s government defunded and disbanded the illegal gaming unit.
Critics of B.C.’s casino industry have long questioned the decision to kill the RCMP unit.
In an interview, former Crown prosecutor Sandy Garossino said the confidential RCMP report — obtained through extensive freedom of information requests by Global News — “is shocking to the conscience” and points to “the appearance of corruption in the regulatory system.”
“I always believed in this report we would finally find this kind of detail, and it is so important it is finally coming to light,” Garossino said.
“I can’t imagine why there should not be an investigation into what were the circumstances of disbanding the IIGET unit.”
B.C. government documents claim the decision was based on funding pressures in the B.C. Lottery Corp. and that IIGET was ineffective.
‘Illegal and legal gaming have been interlinked’
The January 2009 RCMP report stressed that money laundering between legal and illegal casinos was an integrity concern for B.C.’s government.
It said that organized crime could make big money in underground casinos, and “through the infiltration of legitimate gaming venues” easily launder and transfer the criminal proceeds.
And B.C. government and criminal casinos had become intertwined in a dirty economic loop, the report said, even sometimes sharing the same card dealers and loan-shark networks.
“Illegal and legal gaming share the same issues, such as loan-sharking, extortions, assaults, kidnappings and murders,” the report says. “And illegal and legal gaming have been interlinked when, in some cases, casino staff have directed patrons to loan sharks or to common gaming houses.”
These links between government facilities and underground casinos suggested that “corruption undermines the integrity of gaming in British Columbia,” the report said.
But in the case of one B.C. casino that is not identified in the report obtained by Global News, the organized crime connection was more fundamental and damaging to the integrity of gaming.
“More specific connections to Asian Organized Crime is/was through a subject, connected to Asian organized crime, who was allowed to buy into a casino,” the report said, pointing to an unidentified investor whose “casino business associates also have Asian Organized Crime connections.”
“The regulatory investigator, involved in the share transfer process, is alleged to have known about these connections when this subject originally bought into a casino,” the report said. “The regulatory investigator is now retired from the provincial government. However, he still appears to be involved in the legitimate gaming industry” (via Global News).
Leaked Boeing emails show slippery slope of a bad compliance culture
In this analysis of the overarching culture of compliance at Boeing, one expert notes that a recent push for transparency, coming only after a public scandal that resulted in the deaths of hundreds of people, is no substitute for a powerful culture of compliance on the front end – one that can stand up to powerful, profit-hungry business lines.
Today’s hyper-transparent environment has given the public stunning opportunities to review internal communications from executives at leading companies and to pass real-time judgments on the strengths and vulnerabilities of their cultures.
In others, as with Boeing late last week, internal emails have been released voluntarily in an effort to demonstrate a renewed commitment to transparency.
Boeing aims to set a baseline from which it might launch the herculean task of rebuilding public trust. Such summaries of internal communication used to become available long after the fact, mostly as a result of regulatory investigations and legal judgments.
But corporate confidentiality has effectively died. Employees everywhere would be wise to recognize that anything they put in writing could become public knowledge at any time—and proceed accordingly.
For those among us interested in learning how and why company cultures can become corrupt, Boeing’s emails are revealing. My 2015 study of red flags in unethical corporate cultures suggested characteristics common to teams and organizations facing integrity challenges. Boeing exhibits several of them.
First, companies that overwhelmingly emphasize the need for market dominance at any cost instill a mindset that the ends justify the means.
As one interviewee in my study commented: “There are techniques to exaggerate the urgency and seriousness of the need to win—the sense that ‘this is what it takes to survive’—which short-circuits ethical reasoning.”
Another common characteristic of unethical culture comes in leadership efforts to achieve plausible deniability by selectively blinding itself to what is taking place below.
Creation of a narrative of urgency and necessity that undermines stated values is a further common trait in unethical cultures.
Finally, the development of powerful in-group cultures, with group bonding techniques that crowd out any individual sense of shame, clearly occurred at Boeing.
My study found that norms at corrupt companies are characterized by low transparency, secrecy, fear, and a lack of pride in the organization.
The most striking emails denigrate the competence and professionalism within Boeing (one says that the MAX 737 was “designed by clowns who are in turn supervised by monkeys”) and among the regulators (“I just jedi mind tricked the fools, … I save this company a sick amount of $$$$”).
Employees bonded with one another over their efforts to deflect external attention, with one remarking that “I still haven’t been forgiven by God for all the covering up I did last year.” Another remarked on a “culture of good enough.”
The dark tones of these comments suggest the authors considered it pointless to raise concerns (via the FCPA Blog).
Monroe’s Musings: This story has a lot of parallels for both corporate and bank compliance departments. It also gave voice to the historical and current battleground of the business line versus the compliance function.
But in this case, the stakes were the highest they ever could be because people’s lives were literally on the line – and the pursuit of profits at all costs cost some families everything.
Part and parcel of this issue is that the company failed to have a “culture of compliance” and support from executives, or the C-suite leading with a compliance “tone at the top,” key buzzwords that have peppered high-profile bank anti-money laundering (AML) penalties.
Unless compliance officers – whether at a bank, corporate or any entity – get the resources, authority and technology they need to adequately identify, mitigate and report on risks and instances of potential illegal activity, in or out of an operation, the failures that have, at times, caused the loss of lives on a dramatic scale will continue.
Equifax ordered to spend $1 Billion on data security under data breach settlement
On January 13, 2020, a federal court approved the proposed settlement for the class action suit filed against Equifax over the massive data breach it disclosed in September 2017.
Roughly 147 million people had their personal information compromised in the incident, which was likely the result of Equifax’s negligence, as per a Staff Report from the United States Senate’s Permanent Subcommittee on Investigations published in March last year.
The court also revealed that Equifax has agreed “to spend a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data security requirements,” which should reduce the likelihood of a similar data breach in the future.
“Equifax’s binding financial commitment to spend $1 billion on data security and related technology substantially benefits the class because it ensures adequate funding for securing plaintiffs’ information long after the case is resolved,” the court says.
The credit reporting agency announced in July 2019 it was prepared to pay up to $700 million to settle charges brought by the U.S. Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 states.
At the time, the company told customers that they could receive free credit monitoring or $125 in cash, and that they were also eligible for up to $20,000 in cash for the time spent dealing with the breach.
A couple of weeks later, the FTC warned that Equifax customers affected by the breach were unlikely to receive the full $125 cash payment, because payments would come from a fixed pot of $31 million.
By late September, over 200,000 people signed a petition to force Equifax to pay more to the affected people.
This week, the settlement was approved in the U.S. District Court for the Northern District of Georgia, Atlanta Division, after only 388 people of the approximately 147 million class members directly objected to the settlement.
There were also 2,770 requests for exclusion from the settlement.
As per the settlement, the credit reporting agency “will pay $380,500,000 into a fund for class benefits, attorneys’ fees, expenses, service awards, and notice and administration cost.” Attorneys have been awarded nearly $80 million.
If the amount proves insufficient, the company will pay an additional $125 million for claims for out-of-pocket losses, “and potentially $2 billion more if all 147 million class members sign up for credit monitoring,” the court’s final approval order reads.
As announced in July 2019, impacted individuals have until January 22, 2020, to submit claims for the free credit monitoring services or the alternative reimbursement compensation offered in the settlement, to receive reimbursement for Equifax services, or to receive reimbursement for out-of-pocket losses and/or time spent dealing with the data breach.
In its final order and judgment, the court also notes that Equifax has timely informed affected individuals (via email, digital media, and other means) about the settlement, as well as state and federal officials, and that the company came up with a reasonable method to allocate the settlement benefits.
Individuals who might have been impacted by the data breach can head over to the Equifax data breach settlement website to file a claim.
“Based on the number of potentially valid claims that have been submitted to date, payments for time spent and alternative compensation of up to $125 likely will be substantially lowered and will be distributed on a proportional basis if the settlement becomes final. Depending on the number of additional valid claims filed, the amount you receive may be a small percentage of your initial claim,” Equifax notes on that website (via Security Week).
Monroe’s Musings: When the news of the Equifax data breach broke, ACFCS looked at the aftermath of one of the worst data breaches in U.S. history, an incursion that exposed the sensitive personal and financial details of more than half the country’s population – because the fallout reached beyond individual exposure points.
ACFCS concluded that it was not only consumers that must be wary – financial institutions could also find themselves even more vulnerable to targeted phishing and malware attacks.
Even now, financial, business and personal aftershocks are still reverberating from the revelation by Equifax – part of the triune of credit reporting bureaus – that hackers took advantage of an unpatched security flaw to steal data on 143 million people.
The historic breach is largely the result of human error, reportedly due to an employee not patching a system even though a patch had been available months prior.
The attack likely impacted financial institutions both indirectly and directly.
As criminal groups parse through the data, they may find employees working at large financial institutions – particularly those with executive positions, purview over large wires or staffers with high-level cyber clearances – and barrage them with mass phishing attacks, or more targeted spear phishing and business email compromise attacks.
So financial crime compliance departments have to be ready to be more sensitive to alerts on aberrant transactions in their monitoring systems, as such an alert might point to a fraudster who captured enough data on a customer to empty their account or, worse, take out loans in their name.