What happened?
1Malaysia Development Berhad (1MDB) was a Malaysian state investment vehicle created in 2009. In 2015, documents leaked to journalists evidenced widespread corruption and the embezzlement, on an unprecedented scale, of Malaysian state funds via 1MDB. Hundreds of millions of dollars (USD) were taken out of 1MDB illegally and went to Razak, the then prime minister of Malaysia, and his immediate family, as well as their close associates. Notoriously, tens of millions of dollars of 1MDB money was used to fund the Hollywood production of the Wolf of Wall Street. According to the US Department of Justice, the estimated total money embezzled from 1MDB is c.USD4.5bn.
In 2015, the Malaysian Anti-Corruption Commission began investigating allegations of criminal behaviour relating to 1MDB and there were separate law enforcement and regulatory investigations opened in Australia, Hong Kong, Singapore, Switzerland, the UK and the US. Eventually, the scandal led to the demise of Razak's government and his arrest and imprisonment. Following the subsequent law enforcement and regulatory investigations, it became clear that a number of banks and financial institutions (FIs) across the globe had been utilised by the protagonists in the scandal and were, therefore, involved in numerous regulatory and criminal breaches that occurred via 1MDB. Many institutions were initially involved with 1MDB legitimately, either to raise funds for the vehicle, or to manage its investments. However, many of those same institutions were subsequently used to misappropriate funds from 1MDB and / or to launder that money around the globe.
How did it happen?
There are a myriad of reasons as to how and why the scandal managed to engulf established global FIs. There have been various root causes suggested by regulators and commentators globally regarding the failures of FIs involved in the scandal. These have ranged from weak compliance cultures and insufficiently designed and maintained compliance controls, to the deliberate and complicit criminal acts of certain individuals within FIs.
One of the highest profile financial institutions engulfed in the scandal was Goldman Sachs International (GSI). GSI was subject to a financial penalty by the UK regulator, the Financial Conduct Authority (FCA). The FCA's investigation relating to 1MDB identified material failures by GSI to:
- Assess and sufficiently manage financial crime risks;
- Ensure that appropriate information regarding financial crime risks was escalated to the relevant committees approving the 1MDB transactions;
- Manage allegations of bribery and misconduct regarding individuals involved in or associated with the 1MDB transactions; and
- Keep sufficient records to illustrate how the relevant committees had assessed the risks arising out of the 1MDB transactions or the reasons for approving them.
Key Learnings
1. Risk Management
The FCA highlighted that due consideration was not given to the risks associated with the 1MDB transactions, which involved clients and counterparties in jurisdictions with known higher financial crime risks. The risk factors surrounding the transactions were also not assessed on a sufficiently holistic basis.
All firms should have in place an anti-money laundering (AML) business wide risk assessment (BWRA) that is proportionate to the nature, scale and complexity of the firm, to enable senior management to understand the inherent and residual risk exposure of their firm, particularly as a result of its client relationships. BWRAs must take into account risk factors relating to: customers, jurisdictions, distribution channels, transactions, and products and services. The results of any BWRA should then feed into a firm's calculation of a risk appetite statement, which acts as a benchmark and guide for senior management to measure business risks.
Firms that lack sufficiently detailed risk appetite and risk management frameworks inhibit the ability of senior management to make informed decisions on risk. Senior Management of FIs should be able to evidence that they have considered higher risk situations (e.g. higher risk clients or particularly complex transactions) against their firm's risk appetite statement and accordingly, have made considered decisions. This is particularly the case in light of the obligations imposed under the Senior Managers and Certification Regime (SMCR).
2. Customer Due Diligence
Customer due diligence (CDD) failings have been identified by several regulators as a key issue for 1MDB exposed firms that led to illicit activity going undetected. Several banks in Singapore, for example, were found by the Monetary Authority of Singapore (MAS) not to have performed sufficient CDD at on-boarding or throughout the course of the business relationship. This resulted in an inaccurate picture of the level of risk posed by customers and inadequate relationship monitoring based upon the true risk that those relationships and connected activity posed. In a number of cases highlighted by regulators, firms were unable to demonstrate that they had identified the beneficial owners of corporate clients, a crucial requirement to help firms ensure they know who they are dealing with and quantify the level of risk posed.
Part of the CDD undertaken for establishing a commercial relationship should enable firms to understand, and evidence, the economic rationale for a client opening an account. Firms must understand the nature of their clients' activities and the rationale for the structuring of legal entities and/or transactions. This is especially important to firms in potentially higher risk circumstances, such as where a client's legal structure or transactions appear overly complex, or where transaction structures seem to lack commercial sense because they are more expensive than other available alternatives.
To mitigate potential risks, firms must implement effective policies, procedures and training regimes in relation to CDD in order to ensure that staff understand their obligations and execute internal controls effectively. These activities need to be reinforced with ongoing monitoring applied on a risk-sensitive basis, reflecting the identified and situation risks of the client relationship.
3. Transaction Monitoring
Multiple regulators around the globe found that a lack of effective transaction monitoring systems and controls meant that firms were unable to spot suspicious transactions relating to 1MDB. The Swiss Financial Market Supervisory Authority (FINMA) and the MAS have both highlighted this issue following their investigations into firms implicated in the scandal.
The MAS said its 1MDB investigations revealed a complex international trail of transactions involving numerous legal entities and individuals in multiple jurisdictions. The MAS also found that many institutions involved in 1MDB related transactions were either late in filing suspicious transaction reports, or failed to do so because their transaction monitoring systems and controls were ineffective. Results of the investigations carried out by the FINMA and the MAS showed that the transactions carried out FIs on behalf of 1MDB were often suspicious and appeared to lack economic sense. The MAS stated that its investigations revealed extensive layering of transactions aimed at disguising the true nature of certain activities and transactional flows – which went reported and undetected.
Firms must have effective transaction monitoring systems and controls in place in order to detect and report suspicious transactions in accordance with their obligations under the applicable AML regimes. It is particularly important in the current remote working environment that firms' transaction monitoring systems are reviewed periodically, and re-calibrated if necessary, in order to reflect emerging financial crime risks.
4. Second Line Monitoring
Effective second line monitoring helps FIs to understand the effectiveness of their AML controls and the financial crime risks they face. The FCA highlighted in its 1MDB findings that key information and red flags were not included in management information (MI) provided to the relevant decision-making committees, which resulted in those committees being unable to assess fully the risks involved in the transactions. It is, therefore, imperative that firms implement clear guidelines on MI being produced, it's purpose, that this is tailored where appropriate by the recipient committee and the level of detail required in the MI, to ensure that appropriate data is provided to decision makers, and that the MI accurately represent the relevant risks.
5. Escalation procedures and appropriate disclosures to regulators
Allegations surrounding bribery in relation to some of the 1MDB transactions surfaced in 2013. However, the FCA found that these concerns were not escalated in accordance with the firm's policies and procedures. It is, therefore, essential for firms to ensure that their staff are aware of, and trained on, the relevant escalation policies and procedures, particularly where financial crime risks are concerned. Implementing periodic refresher training should assist in mitigating the risk of policies and procedures not being followed.
Further, when allegations of an employee's potential misconduct relating to the 1MBD transactions came to light, these were escalated to the relevant control functions, but there was no record of how the allegations were investigated. The FCA was later notified of the same employee's non-1MBD related misconduct, but the allegations of potential misconduct surrounding 1MDB were not notified at the same time. In light of the obligations imposed on firms under the SMCR, it is now particularly important that firms:
- Accurately record and deal with allegations of misconduct; and
- Consider information that needs to be included in any notifications to the FCA, including any past allegations that have not previously been notified.
Lastly, accurate record-keeping has long been the FCA's mantra, and in its findings relating to 1MDB, the regulator stated that the minutes of the committees which assessed and ultimately approved the 1MDB transactions did not contain enough details around the committee's consideration of risks, the rationale for the action points identified and the decision to approve the transactions. Firms should not, therefore, underestimate the importance of accurate and detailed record-keeping. The importance of this has been heightened as a result of the obligations imposed on Senior Managers under the SMCR. Accordingly, clear and accurate meeting minutes are now a vital tool for all Senior Managers to be able to evidence that they met the 'Reasonable Steps' test in relation to their areas of responsibility.
If you have any questions, please get in touch with one of our experts below.
