MoneyGram Agrees to Extend Deferred Prosecution Agreement, Settle FTC Allegations, Forfeit $125 Million for Anti-Money Laundering and Anti-Fraud Compliance Failures

On November 8, federal authorities in the United States took two coordinated actions pertaining to MoneyGram, a global money services business headquartered in Dallas, and its reported failure to comply with prior anti-money laundering and anti-fraud related obligations.

First, the U.S. Department of Justice announced that MoneyGram “agreed to extend its deferred prosecution agreement and forfeit $125 million due to significant weaknesses in MoneyGram’s anti-fraud and anti-money laundering (AML) program resulting in MoneyGram’s breach of its 2012 deferred prosecution agreement (DPA).”  In addition to the monetary payment and extension of the DPA for an additional 30 months, MoneyGram agreed to enhance its anti-fraud and AML compliance programs.

The DPA dates back to 2012, when MoneyGram agreed to forfeit $100 million and admitted to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program.  According to court documents related to the DPA and a criminal information filed in the Middle District of Pennsylvania, MoneyGram “was involved in mass marketing and consumer fraud phishing schemes, perpetrated by corrupt MoneyGram agents and others, that defrauded tens of thousands of victims in the United States.  MoneyGram also failed to maintain an effective anti-money laundering program in violation of the Bank Secrecy Act.”

The Justice Department’s 2012 release about the DPA further stated:

Despite thousands of complaints by customers who were victims of fraud, MoneyGram failed to terminate agents that it knew were involved in scams.  As early as 2003, MoneyGram’s fraud department would identify specific MoneyGram agents believed to be involved in fraud schemes and recommended termination of those agents to senior management.  These termination recommendations were rarely accepted because they were not approved by executives in the sales department and, as a result, fraudulent activity grew from 1,575 reported instances of fraud by customers in the United States and Canada in 2004 to 19,614 reported instances in 2008.  Cumulatively, from 2004 through 2009, MoneyGram customers reported instances of fraud totaling at least $100 million.

As part of the DPA, MoneyGram had agreed to enhanced compliance obligations and structural changes to prevent a repeat of the conduct charged in the information, including:

  • “Creation of an independent compliance and ethics committee of the board of directors with direct oversight of the chief compliance officer and the compliance program;
  • “Adoption of a worldwide anti-fraud and anti-money laundering standard to ensure all MoneyGram agents throughout the world will, at a minimum, be required to adhere to U.S. anti-fraud and anti-money laundering standards;
  • “Adoption of a bonus system which rates all executives on success in meeting compliance obligations, with failure making the executive ineligible for any bonus for that year; and
  • “Adoption of enhanced due diligence for agents deemed to be high risk or operating in a high-risk area.”

Despite MoneyGram’s agreement to a five-year monitorship – an exceptionally long duration for a corporate monitorship – the Justice Department’s 2018 release about the DPA extension stated that according to the joint motion that it and MoneyGram filed to extend and amend the DPA,

MoneyGram breached its 2012 DPA.  During the course of the DPA, MoneyGram experienced significant weaknesses in its AML and anti-fraud program, inadequately disclosed these weaknesses to the government, and failed to complete all of the DPA’s required enhanced compliance undertakings.  As a result of its failures, MoneyGram processed at least $125 million in additional consumer fraud transactions between April 2015 and October 2016.

As part of the amendment to and extension of the DPA, MoneyGram agreed to additional enhanced compliance obligations.  These included creating policies or procedures

  • “to block certain reported fraud receivers and senders from using MoneyGram’s money transfer system within two days of receiving a complaint identifying those individuals;
  • “to require individuals worldwide to provide government-issued identification to send or receive money transfers;
  • “to monitor all money transfers originating in the United States in its anti-fraud program; and
  • “to terminate, discipline, or restrict agents processing a high volume of transactions related to reported fraud receivers and senders.”

Second, the Federal Trade Commission (FTC) announced that MoneyGram agreed to pay $125 million to settle allegations that it failed to take steps required under a 2009 FTC order “to crack down on fraudulent money transfers that cost U.S. consumers millions of dollars.”  The FTC alleged “that MoneyGram failed to implement the comprehensive fraud prevention program mandated by the 2009 order, which requires the company to promptly investigate, restrict, suspend, and terminate high-fraud agents.”

In particular, the FTC alleged that MoneyGram’s failures included:

  • Noncompliance of MoneyGram’s standards for taking disciplinary actions with the 2009 order, “because those standards required agents to have unreasonably high fraud rates before they could be suspended or terminated[.]”
  • Frequent failure “to promptly conduct the required reviews or to suspend or terminate agents, particularly those from larger locations with high levels of fraud.”
  • Failure to “place any restrictions on one large chain agent until approximately mid-2013, even though the chain was the subject of more fraud complaints than any other MoneyGram agent worldwide. Some of the chain’s locations had fraud rates as high as 50 percent of the money transfer activity. When it did take disciplinary action, MoneyGram focused on lower-volume, ‘mom and pop’ agents with high levels of fraud, while treating large chain agents differently[.]”
  • “MoneyGram’s computerized monitoring system, aimed at blocking known fraudsters from using its service, malfunctioned for an 18-month period in 2015 and 2016. During that time, MoneyGram failed to block individuals that the company knew or should have known were using its service for fraud or to obtain fraud-induced money transfers.”
  • Failure “to properly vet its agents and by not providing appropriate training on how to detect and prevent consumer fraud for all its agents, including locations with high fraud rates.”
  • Failure, in some cases, to record the complaints that it received about fraud-induced money transfers and to share that information with the FTC.

In addition to the $125 million payment, MoneyGram agreed with the FTC to “an expanded and modified order that will supersede the 2009 order and apply to money transfers worldwide. The modified order requires, among other things, that the company block the money transfers of known fraudsters and provide refunds to fraud victims in circumstances where its agents fail to comply with applicable policies and procedures. In addition, the modified order includes enhanced due diligence, investigative, and disciplinary requirements.”

Note: In a November 8 MoneyGram press release, MoneyGram Chairman and Chief Executive Officer Alex Holmes stated that “we have taken significant steps to improve our compliance program and have remediated many of the issues noted in the agreements.”  Those reported steps include investment of invested more than $100 million since 2012 in compliance technology, agent oversight, and training programs; implementation of “new, industry-leading consumer verification standards” that prevented approximately $1.5 billion in fraudulent transactions; and engagement of “a leading global consulting firm to support the company’s efforts to enhance its compliance program.”

The fact remains that the information set forth in the amended and extended DPA and the modified FTC order, and public documents related to both actions, indicates an unusually broad range of compliance failures by MoneyGram – the more unusual because the failures relate to specific commitments to which MoneyGram had acceded in 2009 with the FTC and agreed in 2012 with the Justice Department.  Moreover, the list of those failures is likely to be particularly frustrating to law enforcement authorities in the United States and in multiple countries.  As one point of reference, in 2010 the International Mass-Marketing Fraud Working Group (which I once co-chaired), in a threat assessment on mass-marketing fraud, identified the critical role of money-transfer systems such as MoneyGram in receiving funds from mass-marketing fraud victims.  The fact that MoneyGram, over the next eight years, displayed such substantial compliance failures makes it all the more important that it uses the next 30 months to demonstrate to the Justice Department that it is wholeheartedly committed to a culture of compliance.

United Kingdom High Court Upholds Extraterritorial Reach of Serious Fraud Office Notices

On September 6, the United Kingdom High Court, in KBR Inc v. The Director of the Serious Fraud Office, [2018] EWHC 2368 (Admin), upheld the use of a notice by the United Kingdom Serious Fraud Office (SFO) to obtain information located outside the United Kingdom from a company incorporated in the United States.  Because this decision appears to have received comparatively little attention to date, this post will summarize the decision and highlight its significance for global enterprises.

Subsection 2(3) of the Criminal Justice Act 1987 vests the SFO Director with broad authority to issue written notices that “require the person whose affairs are to be investigated (“the person under investigation”) or any other person whom he has reason to believe has relevant information to answer questions or otherwise furnish information with respect to any matter relevant to the investigation at a specified place and either at a specified time or forthwith.”  In April 2017, in relation to its ongoing investigation into the activities of Unaoil, the SFO announced that it had opened an investigation into the activities of the United Kingdom subsidiaries of KBR Inc., as well as their officers, employees, and agents, for suspected bribery and corruption offences.

In April 2017, the SFO issued a section 2 notice to a KBR Inc. United Kingdom subsidiary, Kellogg Brown & Root Ltd (KBR Ltd.), seeking documentation.  In response, according to the High Court, KBR Ltd. provided three categories of documents: (1) documents that were already under KBR Ltd.’s custody or control that were located in the United Kingdom prior to the issuing of the April notice; (2) documents located outside the United Kingdom and sent to KBR Ltd. at KBR Inc.’s direction to forward to the SFO; and (3) on a “voluntary basis” in respect of documents located outside the United Kingdom that KBR Inc. had disclosed to the United States Department of Justice and the Securities and Exchange Commission (SEC) as a result of their inquiries into Unaoil.

In July 2017, the SFO issued a section 2 notice, directing KBR Inc. to produce documents that it held outside the United Kingdom, and served that notice on KBR Inc.’s Executive Vice President, General Counsel and Corporate Secretary, Eileen Akerson, who was temporarily present within the jurisdiction (i.e., for a meeting with the SFO concerning the investigation).  KBR then challenged the notice on three grounds.  First, it asserted that the July notice was ultra vires because it requested material held outside the jurisdiction of the United Kingdom from a company (KBR Inc,) that was incorporated in the United States.  Second, it asserted the Director had made an error of law to exercise his section despite the fact that he also had the power to seek Mutual Legal Assistance (“MLA”) under the bilateral MLA treaty from the US authorities.  Third, it asserted that the SFO did not effectively serve the July notice by handing it to Ms. Akerson.

The opinion by Lord Justice Gross considered and rejected each of the three grounds in turn.  On the matter of jurisdiction and ultra vires action, the court, after an extended discussion of various United Kingdom decisions bearing on various aspects of jurisdiction, said regarding the extraterritorial reach of section 2 that:

the legislative purpose and the mischief at which s.2(3) is aimed permits of no such doubt. As already indicated, the SFO’s business is ‘…top end, well-heeled, well-lawyered crime…’. By their nature, most such investigations will have an international dimension, very often involving multinational groups conducting their business in multiple jurisdictions, whether through a branch or subsidiary structure (it should matter not). It follows that the documents relevant to the investigation of a UK subsidiary of such a group may well be spread between the UK and one or more overseas jurisdictions. The simplicity of document transfer and access has of course been massively enhanced by internet and web technology post-dating 1987 but, as already discussed, it cannot be suggested that the international dimension of the SFO’s mandate was unknown or not appreciated at the time of the enactment of s.2(3). For my part, putting to one side for the moment, any questions of MLA, there would be a very real risk that the purpose of s.2(3) would be frustrated . . . if, as a jurisdictional bar, the SFO was precluded from seeking documents held abroad from any foreign company.”

The Lord Justice concluded that “s.2(3) extends extraterritorially to foreign companies in respect of documents held outside the jurisdiction when there is a sufficient connection between the company and the jurisdiction.”  He further stated that he was “amply satisfied that there was here a sufficient connection between KBR Inc and the jurisdiction so as to fall within the extraterritorial reach of s.2(3).”

On the matter of the availability of the MLA process, Lord Justice Gross addressed three main points:

  1. The use of the MLA procedure pursuant to the Criminal Justice (International Co-operation) Act 1990 or the Crime (International Co-operation) Act 2003 “is an additional power to that contained in s.2(3), CJA 1987. The availability of MLA gives the Director additional options; it does not curtail his discretion to use the separate power of issuing s.2(3) notices. . . . [A] State is entitled but not obliged to proceed by way of the MLA route. It follows that KBR Inc has failed to demonstrate any error of law on the part of the Director in the exercise of his discretion to issue the July Notice.”
  2. “[E]ven where there is an available MLA regime, there may be good practical reasons for the Director preferring to proceed by way of s.2(3) notices” (i.e., the risk of delay in the formal MLA process).
  3. The 1994 U.S.-UK MLA treaty “has not been enacted in domestic UK law,” but in any event article 18.2 of that Treaty – which pertains to consultation regarding matters for which assistance could be granted under the Treaty, — “inferentially reinforces the SFO’s case in respect of jurisdiction (Issue I above) – by contemplating extraterritorial action, albeit subject to the terms of the Article.”

On the matter of service, Lord Justice Gross wrote that subsection 2(3) “does not require a notice to be ‘served’ on KBR Inc., KBR Inc. “was plainly present in the jurisdiction through Ms Akerson when the July Notice was given to her,” “it is obvious that the contents of the July Notice were communicated by Ms Akerson to KBR Inc.,” and subsection 2(3) “requires no additional formality beyond the giving of the notice and there is no basis for importing any such requirement.”  As an afterword, he commented that “there are unappealing features of the SFO’s decision to give the July Notice to Ms Akerson in the course of attending a meeting to discuss the investigation – but however those features might impact on the willingness of others to attend such meetings in the future, they do not serve to invalidate the giving of the July Notice.”

Note:  From time to time over many years, certain members of the bar whose practice includes international criminal investigations have complained about (and even formally opposed) the United States’ aggressive assertion of authority to obtain relevant evidence extraterritorially.  After the KBR decision, the United States now finds itself in august company with the United Kingdom.  Other non-UK companies with subsidiaries or operations in the United Kingdom can therefore expect that in the future they may receive section 2 notices for evidence located outside the United Kingdom, even if those companies are not themselves targets of the investigation.

The High Court’s requirement that the SFO must show “a sufficient connection” between a company from which documents are sought and the United Kingdom is sure to be a ground for future challenges to the SFO’s use of Section 2 notices, but is unlikely to be an insuperable obstacle for the SFO in all but rare cases.  In those rare cases, as indicated in the High Court’s decision, the SFO can always avail itself of MLA processes in jurisdictions that are parties to bilateral or multilateral MLA treaties with the United Kingdom.   Finally, the United Kingdom may be able to request further evidence-gathering assistance by certain jurisdictions in which domestic laws – such as 28 U.S.C. §§1782 and 1783 and the Foreign Evidence Request Efficiency Act of 2009 in the United States – provide government authorities in those jurisdictions with broad authority to compel testimony or evidence production through various means to assist the United Kingdom in its investigations.

StatCounter Targeted in Cyberattack to Facilitate Bitcoin Theft from Cryptocurrency Exchange

On November 6, the information technology company ESET disclosed that on November 3, “attackers successfully breached StatCounter, a leading web analytics platform.”  ESET stated that many webmasters use StatCounter to gather statistics on their visitors: for example, StatCounter itself reported that it has more than 2 million member sites and computes statistics on more than 10 billion page views per month.

The main purpose of the StatCounter breach appears to have been to enable the attackers to divert Bitcoins from a highly popular cryptocurrency exchange, Gate.io.  In order to gather statistics on their sites’ visitors, according to ESET, webmasters “usually add an external JavaScript tag incorporating a piece of code from StatCounter  – http://www.statcounter[.]com/counter/counter.js – into each webpage.”  The attackers’ breach of StatCounter enabled them to inject JavaScript code into all websites that use StatCounter.  That code included a script, which targets a specific Uniform Resource Identifier (URI) that, at the time of the breach, appears to have been uniquely associated only with Gate.io, and was apparently designed specifically to steal bitcoins by diverting bitcoin transfers from Gate.io to a wallet that the attackers control.  As the script generates a new bitcoin address each time a visitor loads the malicious script, ESET stated, “it is hard to see how many bitcoins have been transferred to the attackers.”

Because several million dollars, including $1.6 million in just bitcoin transactions, transit Gate.io every day, ESET suggested that “it could be very profitable for attackers to steal cryptocurrency at a large scale on this platform.”  ESET indicated that it did not know how many bitcoins may have been stolen during this attack, but added, “it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange.”

In a November 7 postscript, ESET reported that on November 6, StatCounter had removed the malicious script and Gate.io had “stopped using StatCounter analytics services to prevent further infections,” meaning that both sites could be safely browsed.

Note:  This account (which The Register first reported) provides yet another indication that cryptocurrency exchanges can be as attractive to cyberattackers as websites for financial institutions and other businesses, and therefore need to take their own cybersecurity as seriously as they do their day-to-day business activities.  As ESET correctly noted, “even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource. This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice.”  Information security teams interested in the details of the malicious code should consult the November 6 post on ESET’s blog, welivesecurityTM.

U.S. Court of Appeals Reverses Bank Fraud Conviction on Evidentiary Grounds

On October 30, in United States v. Perez-Ceballos, the United States Court of Appeals for the Fifth Circuit reversed the conviction of a defendant who had been convicted at trial of bank fraud based on her defrauding a U.S. bank based solely on her transfer of certain funds to and through an account at that bank.  This post will review the key points of that decision and identify several issues of which corporate compliance officers at financial firms should take note.

The defendant, Silvia Beatriz Perez-Ceballos, is the wife of Jose Manuel Saiz-Pineda, who had been Secretary of Finance and Administration for the State of Tabasco in Mexico until his electoral defeat in 2012. Perez-Ceballos and Saiz-Pineda had a securities account with UBS Financial Services (UBS), which was aware that both were Politically Exposed Persons (PEPs) because of his political office.  In 2013, after Mexico charged Saiz-Pineda with illegal enrichment, a UBS representative informed Perez-Ceballos that she would need to transfer her and her husband’s assets elsewhere.  Perez-Ceballos consulted with an international financial advisor at Chase Investment Services Corporation (Chase Investment), Paul Arnold, about possible investment strategies for her and her husband’s UBS assets.

During that consultation, Perez-Ceballos, who had moved to the United States in May 2013 and opened an account with a Houston branch of J.P. Morgan Chase Bank in June 2013, falsely told Arnold that her primary residence was in Mexico.  That statement was material because only non-resident aliens were eligible for the tax-exempt investments that the Chase investment adviser oversaw.  Based on her false statement, Arnold recommended that she apply for a brokerage account with Sun Life Financial, an insurance company registered in Bermuda.  Neither Chase Investment nor Sun Life were financial institutions that the Federal Deposit Insurance Corporation (FDIC) insured.

In applying for a Sun Life account,  Perez-Ceballos made additional misrepresentations to Arnold and Sun Life Financial: (1) she was separated from her husband; (2) she was not a PEP; and (3) she signed the requisite documents in Mexico where they had been mailed to her (as required) when in fact she signed them in Houston after she had sent her brother to retrieve the documents and bring them back to the United States.  She also gave the Chase Investment adviser a UBS statement from August 2013, from which she had removed her husband’s name as a joint account holder.

After she had obtained a Sun Life Financial account, in October 2013, Perez-Ceballos liquidated her account at UBS and transferred more than $1.9 million to her Chase Bank savings account. At her direction, Chase Bank wired the $1.9 million to Sun Life. Thereafter, in May 2017 Perez-Ceballos attempted to withdraw funds from Sun Life Financial  – likely to return those funds to Chase Bank — and again falsely affirmed that she lived in Mexico.  The 2013 UBS-Chase-Sun Life Financial  transfer of $1.9 million and the 2017 Sun Life Financial – Chase attempted transfer of $1.9 million “formed the heart of Perez-Ceballos’s bank fraud conviction.”

The key conclusion by the Fifth Circuit panel was that “the government failed to produce sufficient evidence to convict Perez-Ceballos of defrauding Chase Bank.  Under 18 U.S.C. § 1344(1), a defendant is guilty of bank fraud if she “knowingly executes, or attempts to execute, a scheme or artifice—(1) to defraud a financial institution.” To sustain a conviction under this statute, the government must prove both intent to defraud and FDIC-insured status.”  The court, however, concisely disposed of the government’s theory:

First, the government failed to adduce evidence that Perez-Ceballos made any false statements to Chase Bank. No Chase Bank witness testified at trial. According to the evidence at trial, Perez-Ceballos’s numerous false statements were all made either to Chase Investment (through [the adviser]) or to Sun Life Financial. Neither the government’s briefing nor oral argument cites evidence that clearly established (or even directly alleged) that Perez-Ceballos fraudulently made Chase Bank believe anything.

Second, the government also failed to prove that Perez-Ceballos intended to “obtain money from the victim institution” or otherwise exposed Chase Bank to “risk of loss.” . . . The $1.9 million that Perez-Ceballos transferred to and through Chase Bank was her money, which she had authority to withdraw freely. . . .

Moreover, neither Arnold nor [an HSBC financial adviser who had handled a prior securities account for Perez-Ceballos and her husband] worked for Chase Bank or spoke specifically to the risks that Chase Bank faced from Perez-Ceballos’s misrepresentations. Their testimony focused primarily on the liability their own employers could face from the false statements Perez-Ceballos made to their institutions.

The court concluded (1) that the government failed to prove that Perez-Ceballos defrauded Chase Bank, absent sufficient evidence that she “had made false statements to Chase Bank or that she made false statements to another party while intending to obtain money from Chase Bank in a way that exposed Chase Bank to a risk of loss”; and (2) there was no FDIC-insured victim.

Note:  Corporate compliance officers, particularly in financial-sector firms, can take away from the Perez-Ceballos decision certain lessons beyond the narrow legal determination:

  1. Customer Due Diligence: The decision does not explain why two financial firms apparently did not determine, through their customer due diligence (CDD) processes, that various representations by Perez-Ceballos (e.g., that her primary residence was in the United States and that she was not a PEP) were false. Corporate training on CDD issues can use this case as an example of the importance of consistent adherence to CDD processes, including use of CDD information resources.
  2. Suspicious Activity Reports:  The Fifth Circuit’s decision provides some clear indications of the limits of the federal bank fraud statute’s ambit.  Those limits can be factored into a financial institution’s decision process about whether certain conduct warrants the filing of a Suspicious Activity Report (SAR).  Of course, a financial institution that is aware of a fact pattern similar to the facts in this case can always use existing statutory authority, beyond the SAR process, voluntarily to notify federal regulators and enforcement agencies of those facts.  For example, 12 U.S.C. §3403(c) provides authority for a financial institution to notify a federal government authority “that such institution, or officer, employee, or agent has information which may be relevant to a possible violation of any statute or regulation.”

Recent U.S. Developments in 1MDB Investigation

Three developments last week indicated that the U.S. Department of Justice’s investigation into possible crimes relating to the Malaysian state-owned and state-controlled investment development company, 1Malaysia Development Berhad (1MDB), has made substantial progress and is entering a new phase.

First, on November 1, the U.S. Department of Justice stated that a federal indictment was unsealed in the U.S. District Court for the Eastern District of New York, charging wealthy Malaysian businessman Low Taek Jho (also known as “Jho Low”) and Ng Chong Hwa (also known as “Roger Ng”) with conspiring to launder billions of dollars embezzled from 1MDB and conspiring to violate the Foreign Corrupt Practices Act (FCPA) by paying bribes to various Malaysian and Abu Dhabi officials.  As part of the three-count indictment, Ng is also charged with conspiring to violate the FCPA by circumventing the internal accounting controls of Goldman Sachs, which reportedly underwrote more than $6 billion in bonds issued by 1MDB in three separate bond offerings in 2012 and 2013, while Ng was employed at Goldman Sachs as a managing director.

Second, on November 1, a guilty plea relating to 1MDB was also unsealed in the Eastern District of New York.  According to the Justice Department, the former Southeast Asia Chairman and participating managing director of Goldman Sachs, Tim Leissner, pleaded guilty to a two-count criminal information, charging him with conspiring to launder money and conspiring to violate the FCPA by both paying bribes to various Malaysian and Abu Dhabi officials and circumventing Goldman Sachs’s internal accounting controls while he was employed there.  According to court filings, Leissner has also been ordered to forfeit $43.7 million as a result of his crimes.

The information to which Leissner pleaded guilty stated that Leissner,

  1. “while acting within the scope of his employment as an agent of [Goldman Sachs], with the intent, at least in part, to benefit [Goldman Sachs], conspired with others, including certain individuals and entities . . . , to obtain and retain business from IMDB for ‘[Goldman Sachs] through the promise and payment of bribes and kickbacks to government officials in Malaysia and Abu Dhabi, and by embezzling funds from, 1MDB for himself and others”; and
  2. “together with others, also conspired to launder those bribes, kickbacks and other embezzled funds from IMDB through financial systems in the U.S. and elsewhere.”

The Justice Department press release concerning the indictment and the information stated that

[a]s alleged in court filings, between approximately 2009 and 2014, as 1MDB raised money to fund its projects, billions of dollars were misappropriated and fraudulently diverted from 1MDB, including funds 1MDB raised in 2012 and 2013 through three bond transactions that it executed with [Goldman Sachs].  As part of the scheme, and as alleged in court filings, Low, Ng, Leissner, and others conspired to bribe government officials in Malaysia, including at 1MDB, and Abu Dhabi to obtain and retain lucrative business for [Goldman Sachs], including the 2012 and 2013 bond deals.  They also allegedly conspired to launder the proceeds of their criminal conduct through the U.S. financial system by purchasing, among other things, luxury residential real estate in New York City and elsewhere, and artwork from a New York-based auction house, and by funding major Hollywood films.

According to the Justice Department, Ng was arrested on November 1 in Malaysia, pursuant to a provisional arrest warrant issued at the United States’ request of the United States, while Low remains at large.  In July 2018, Low reportedly had fled Hong Kong for Macau, then China, though an unnamed Chinese official disputed Low’s entry into China.

Third, on November 2, Goldman Sachs filed its Quarterly Report for the Third Quarter of 2018 with the Securities and Exchange Commission.  With respect to the 1MDB investigation, the report briefly mentioned the firm’s receipt of “subpoenas and requests for documents and information from various governmental and regulatory bodies and self-regulatory organizations” as part of their respective 1MDB-related investigations and reviews.  It also summarized the Leissner plea and the Ng and Low indictment, and made a noteworthy set of statements that, in certain respects, acknowledge serious deficiencies in its anti-corruption compliance program:

  • “[T]he plea and charging documents indicate that Leissner and Ng knowingly and willfully circumvented the firm’s system of internal accounting controls, in part by repeatedly lying to control personnel and internal committees that reviewed these offerings.
  • “The indictment of Ng and Low alleges that the firm’s system of internal accounting controls could be easily circumvented and that the firm’s business culture, particularly in Southeast Asia, at times prioritized consummation of deals ahead of the proper operation of its compliance functions.
  • “In addition, an unnamed participating managing director of the firm is alleged to have been aware of the bribery scheme and to have agreed not to disclose this information to the firm’s compliance and control personnel. That employee, who was identified as a co-conspirator, has been put on leave.”

The report further stated that the firm “is cooperating with the DOJ and all other governmental and regulatory investigations relating to 1MDB. The firm is unable to predict the outcome of the DOJ’s investigation. However, any proceedings by the DOJ or other governmental or regulatory authorities could result in the imposition of significant fines, penalties and other sanctions against the firm.”

Note: The U.S. Department of Justice has been intensively engaged in investigating the 1MDB embezzlement and laundering scheme since at least 2016, when it filed civil forfeiture complaints seeking the forfeiture and recovery of more than $1 billion in assets associated with the conspiracy to launder funds misappropriated from 1MDB.  These latest actions by the Department, however, intensify the search for Low, who is the alleged mastermind of the 1MDB embezzlement and laundering scheme.

In announcing the Low-Ng indictment, the Justice Department specifically thanked the Attorney General’s Chambers of Malaysia, the Royal Malaysian Police, and the Malaysian Anti-Corruption Commission, as well as other named authorities in Singapore, Switzerland, and Luxembourg for their assistance in the case.  Malaysia’s active cooperation is to be expected, given its prosecution of former Malaysian Prime Minister Najib Razak on 32 money laundering, graft, and breach of trust charges over transactions linked to 1MDB, and of Razak and former Treasury Secretary-General Irwan Serigar Abdullah on criminal breach of trust charges.  The latter three countries retain an active interest in the various 1MDB investigations, in part because the funds embezzled from 1MDB were allegedly laundered through a series of complex transactions and fraudulent shell companies with bank accounts located in those three jurisdictions.