
Goldman Sachs: Five takeaways for compliance officers everywhere

With Goldman Sachs’ $3.3 billion settlement, we see the failure of a sophisticated and influential financial institution to maintain strong internal controls. How did it happen? Here are the five biggest takeaways every company in any industry can benefit from.

A company’s compliance and control functions must be prioritized and executed. On a daily basis, compliance teams have to insist on the proper inspections before onboarding third parties, raise red flags, follow up to ensure recommendations are carried out, and withstand occasional pressure from sales functions to close deals at any cost. In the Goldman Sachs case, for example, the unexplained presence of Jho Low (who turned out to be the alleged ringleader) emerged as a problem in the early stages of planning the Malaysian mega deals and bond offerings. Still, the compliance and legal departments didn’t push for Goldman Sachs to cut ties with him, or receive satisfactory explanations of how these transactions could be carried out without his significant involvement.

Like in poker, if you can’t spot the fool around the table, it’s probably you. To avoid being that fool, compliance officers and their teams should think outside the box and assume that some company personnel are interested in circumventing the route outlined by the control functions. The compliance officers should also build alliances with senior and mid-level management to nurture the right ethical atmosphere and intercept such circumventions. Otherwise, they may find themselves (as demonstrated in the current case) isolated from relevant company news that is known to everyone in the corridor but them.

Building compliance controls that aim to hedge against FCPA violations is not enough. In my Airbus post, I stressed the need for the 2020 compliance officers to be acquainted with all regulatory perils relevant to their companies. The 1MDB case, in which Goldman Sachs and other parties were seriously involved in money laundering and civil forfeiture procedures, demonstrates that feeling safe about FCPA risks is not enough by itself. The compliance team should adopt a “360” approach to the entire regulatory surroundings, including money laundering, trade sanctions, the False Claims Act, wire fraud, and more. As tends to happen, some risks are coupled with others, e.g., money laundering charges follow bribe charges. After all, one has to somehow wash the dirty money.

Any activity involving offshore and tax-sheltered companies should raise red flags until a satisfactory explanation about the deal structure is obtained. Any company purchasing a service from an individual who has no reason to work through a network of shell companies should thoroughly check all surrounding circumstances and backgrounds of those involved. Such “payment chains” are an open door to covert money transfers and related hazards.

Third-party compliance does not end with onboarding. According to the DOJ’s fact statement of the case, suspicions regarding Jho Low, the focal point of bribes and covert payments, were raised inside Goldman Sachs after it became deeply involved with 1MDB and its financial ventures. However, the company’s control functions did not act upon these suspicions to try and learn more about the evolution of the deals and the roles of third parties working with 1MDB or Goldman or receiving payment through various and complex arrangements. Again, acting upon such suspicions may have prevented the compliance headache the company experienced.

– – – – –

As in other cases where companies have paid huge FCPA settlements, this won’t destroy Goldman Sachs, but it may seriously disrupt its ongoing and anticipated business worldwide and cause profound changes across its management and operations.

In light of strong voices calling for greater corporate social responsibility amid the Covid-19 crisis, companies should take it upon themselves to reform their organizational culture, strongly tackle unpleasant issues, and resolve compliance and control concerns before authorities come knocking on their door. 


  1. I think Goldman Sachs will want to take control of its faults. But it is an American company – which helps with realizing the gravity of the situation. In many aspects.

    But, there are other foreign “institutions” with huge presence in NYC, that such fines (which have been paid) with no negative results, other than the money itself, would seem to sharpen their wits for the next one – after the appropriate cosmetic retouches.
    Thank you.

  2. A really excellent piece. The point about Jho Low’s unexplained presence brought to mind the great line from The Wizard of Oz, “Pay no attention to that man in the corner!”

    Keith Hennessee

  3. Increasingly, a “risk based” approach is mandated by regulators. However, there seems to be a lack of standard risk management tools and techniques being used to manage compliance risk. This disconnect between the financial risk infrastructure (that uses a robust qualitative and quantitative risk tool box, historical data, likelihood and impact measures, etc.), and the tools used in compliance departments (and quite frankly among regulators) is concerning. They are pushing risk based compliance, but I see a lack of maturity in practice.
