
BANKING ON

GOVERNANCE,
INSURING
SUSTAINABILITY
Mak Yuen Teen and Richard Tan
A Report on Corporate Governance,
Remuneration, Risk Management and
Emerging Trends in Major Asia-Pacific
Banks and Insurance Companies

WRITTEN BY:i
Mak Yuen Teen
Richard Tan

RESEARCHERS/CO-WRITERS:
Ho Hyui Shan Trenna
Koay Xin Yi, Junie
Neo Zhi Qi
Ng Shi Ya Rachel

JULY 2020

i Mak Yuen Teen and Richard Tan are respectively Associate Professor and Adjunct Associate Professor, and Ho Hyui Shan Trenna, Koay
Xin Yi, Junie, Neo Zhi Qi and Ng Shi Ya Rachel are BBA (Accountancy) Honours students, all in the Department of Accounting at the NUS
Business School.
First published July 2020

Copyright ©2020 Mak Yuen Teen and CPA Australia

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission
of the publisher, except for inclusion of brief quotations in a review.

The views expressed in this publication are those of the authors and do not necessarily represent the views of, and
should not be attributed to, CPA Australia Ltd.

BANKING ON GOVERNANCE, INSURING SUSTAINABILITY

Authors : Mak Yuen Teen, PhD, FCPA (Aust.) Email: bizmakyt@nus.edu.sg

Richard Tan MBA, FCA (S’pore) Email: biztclr@nus.edu.sg

Published by : CPA Australia Ltd


1 Raffles Place
#31-01 One Raffles Place
Singapore 048616

Website : cpaaustralia.com.au

Email : sg@cpaaustralia.com.au

ISBN : 78-981-14-6592-5
CONTENTS

FOREWORD

INTRODUCTION

PROFILE OF THE ASIA-PACIFIC BANKS AND INSURANCE COMPANIES

ABOUT THE BANKS AND INSURANCE COMPANIES

CORPORATE GOVERNANCE, REMUNERATION AND RISK MANAGEMENT PRACTICES

BOARD PRACTICES

REMUNERATION PRACTICES

RISK GOVERNANCE AND MANAGEMENT

EMERGING AREAS

CORPORATE CULTURE

TECHNOLOGICAL DISRUPTION

CYBERSECURITY

SUSTAINABILITY

CONCLUDING SUMMARY

FOREWORD

High profile company failures in recent years have led to inquiries and analyses of the root causes and reasons for corporate collapses. Often cited as key problems are poor corporate cultures and a lack of ethical behaviour; matters that can be addressed by having a robust corporate governance framework.

Good corporate governance comprises a broad range of appropriate, high-quality policies, procedures and behaviours within an organisation that govern and guide the actions and activities of directors, management and staff. It covers matters of accountability, transparency, stewardship, ethics, assurance and stakeholder relationships.

With new and emerging disruptions to the global economy, such as the Covid-19 pandemic, growing global trade tensions, technological advances and cybersecurity, financial institutions should be more aware than ever of the importance of having and enforcing high standards of corporate governance and behaviour.

Banking on Governance, Insuring Sustainability analyses specific corporate governance issues affecting the financial services industry. Financial institutions require independent, diverse and committed boards of directors, who ensure that critical issues, such as those discussed in this report, are appropriately considered and embedded into their strategic decision-making and day-to-day activities.

We hope this report, and the accompanying compilation of corporate governance case studies focused on financial institutions, will facilitate robust discussions on the importance of good governance and contribute to advancing corporate governance standards within the financial services industry in the Asia-Pacific region.

We thank Associate Professor Mak Yuen Teen FCPA (Aust.) and Associate Prof Richard Tan, both from the NUS Business School in Singapore, for their contributions in writing the report; as well as their students for their research work. We are grateful for their efforts and acknowledge the long partnership between CPA Australia and Prof Mak.

Chng Lay Chew FCPA (Aust.)
Divisional President – Singapore
CPA Australia

Dr Gary Pflugrath CPA (Aust.)
Executive General Manager
Policy and Advocacy
CPA Australia

Melvin Yong
Country Head – Singapore
CPA Australia

July 2020
INTRODUCTION

As this report was written, the world witnessed what is arguably the biggest crisis in living memory. What started with reports of several flu-like cases in Wuhan, China, was later identified as the coronavirus Covid-19, becoming a global pandemic causing serious health problems and deaths. It wreaked havoc on financial markets and caused massive disruption to supply chains and business activities all over the world, and is widely expected to trigger a worldwide recession. The global financial crisis in the late 2000s is looking like a minor market correction in comparison.

The Covid-19 crisis adds to the growing risks that companies have to deal with. In times of crises, good corporate governance and risk management are more important than ever. Economies and organisations which have good governance are more trusted by stakeholders and are better able to respond and weather the storm. Companies with good business continuity planning face less disruption to their operations.

This report examines the corporate governance, remuneration and risk management practices of the largest banks and insurance companies in the Asia-Pacific region (APAC), and how these financial services companies are responding to new and emerging challenges relating to corporate culture, technological disruption, cybersecurity, environmental, social and governance issues, and responsible lending and investing.

Together with this report, we are releasing a special financial services edition of the annual corporate governance case studies publication. This special edition comprises 22 case studies involving financial institutions around the world, and they are a reminder of what can go wrong when these institutions fail to pay sufficient attention to corporate governance, remuneration and risk management practices and to some of the emerging issues covered in the report.

One finding from this report tells us how unprepared the world was for the Covid-19 pandemic. Only 1 out of the 50 largest banks and 3 out of the 50 largest insurance companies in the Asia-Pacific had identified a pandemic as one of the key risks. As most financial institutions were grappling with key risks such as technological disruption and cybersecurity, they were blindsided like many others by a much bigger risk.

But risk evolves and never sleeps. And neither should governance.

PROFILE OF THE ASIA-PACIFIC BANKS AND INSURANCE COMPANIES

ABOUT THE BANKS AND INSURANCE COMPANIES

We selected the 50 largest listed banks and 50 largest listed insurance companies by market capitalisation which are headquartered in APAC and for which sufficient and up-to-date information was publicly available. The final sample of banks and insurance companies come from 15 economies: Australia, China, Hong Kong, India, Indonesia, Japan, Malaysia, New Zealand, Philippines, Singapore, South Korea, Sri Lanka, Taiwan, Thailand and Vietnam.ii,1

Data were collected primarily from the companies’ 2018 and 2019 annual reports, supplemented by other sources such as company websites and statutory filings. It should be noted that this report is based on the public disclosures made, and some companies may implement certain practices without disclosing them.

BANKS ARE SUBSTANTIALLY LARGER THAN INSURANCE COMPANIES

Overall, the mean (median) market capitalisation of the 50 banks is USD48.4 billion (USD36.7 billion), and the mean (median) total assets is USD794.1 billion (USD408.4 billion). The smallest and largest banks have total assets amounting to USD56.1 billion and USD4,027.0 billion respectively.

The insurance companies are considerably smaller, with the mean (median) market capitalisation of USD17.2 billion (USD6.8 billion) and mean (median) total assets of USD110.1 billion (USD25.7 billion). The smallest insurance company has total assets of USD0.3 billion while the largest has total assets of USD1,038.5 billion.

UNITARY BOARDS ARE MORE COMMON

Nineteen banks from China and Indonesia, and 14 insurance companies from China, Japan and Vietnam, have a two-tier board structure. In such cases, the study uses information for the board of directors, when analysing board and remuneration practices, except for Indonesia where we use information on the board of commissioners because its responsibilities are similar to those of a board of directors in a unitary board system.

GOVERNMENTS, INSTITUTIONAL INVESTORS AND FINANCIAL CORPORATES ARE MOST COMMON SUBSTANTIAL SHAREHOLDERS

Twelve of the banks are held by a holding company and 38 are parent companies to subsidiaries in industries such as insurance and asset management. Among the twelve banks held by a holding company, China Everbright Bank and Hang Seng Bank are subsidiaries of parent banks.

Of the 50 insurance companies, 18 are owned by holding companies and 32 are parent companies to subsidiaries in industries such as fintech, asset management, and insurance. In addition, three of the insurance companies are subsidiaries of other insurance companies.

ii The complete lists of the 50 banks and 50 insurance companies are provided in Appendices A and B.

Figure 1 shows the types of substantial shareholders (owning 5% or more of the voting shares) for the
50 banks.iii,iv

FIGURE 1: TYPES OF SUBSTANTIAL SHAREHOLDERS IN BANKS

Government: 52%
Institutional Investors: 22%
Financial Corporates: 26%
Insiders: 12%
Others: 16%

Note: Institutional investors include investment management firms, mutual, pension and trust funds. Insiders
include directors, CEOs, senior management, families as well as promoters for India. “Others” include
companies which are neither institutional investors, banks nor insurance companies (i.e. not operating in the
financial sector).

Governments are the most common substantial shareholders, being present in 52% of banks, with mean (median) ownership of 38.78% (32.92%) for the banks having them.v This is followed by financial corporates including other non-state owned banks and insurance companies, which are substantial shareholders in 26% of the banks, with mean (median) ownership at 25.86% (19.99%). Institutional investors which include investment management firms, mutual, pension and trust funds are the third most common type of substantial shareholder, being present in 22% of the banks. Institutional investors have mean (median) ownership of 11.45% (10.00%) in banks.

“Insiders” comprising directors, CEOs, senior management, families and promoters (in the case of India) are substantial shareholders in six banks, with mean (median) ownership of 32.40% (22.50%). However, this is skewed by the inclusion of promoters who hold significant stakes in the Indian banks.

iii We use information on direct and deemed ownership of directors and disclosure of substantial shareholders to determine the percentage
of beneficial ownership of substantial shareholders. We do not use nominee ownership as a nominee shareholder may hold shares on behalf
of many different shareholders.
iv For economies like Japan and Thailand, they usually list major shareholders but not the details of substantial shareholders (i.e. 5% or more).
v The mean and median ownership reported for each type of substantial shareholder is based only on those banks and insurance companies
which have that type of substantial shareholder.

For the insurance companies, institutional investors are the most common substantial shareholders (Figure 2), being present in 36% of the insurers, with a mean (median) ownership at 15.86% (10.69%). This is followed closely by financial corporates, with 32% of insurers having them as substantial shareholders, owning a mean (median) of 32.11% (16.83%) of the shares. Governments are less likely to be substantial shareholders in insurance companies compared to banks, being present in 28% of insurance companies, with a mean (median) ownership of 41.71% (41.75%).

Insiders are substantial shareholders in 10 (20%) of the insurers, with a mean (median) ownership of 58.88% (62.84%) for these 10 insurers. Once again, this higher level of ownership stake in insurance companies is due to the ownership by promoters in Indian insurers. There is a mean (median) ownership of 70.78% (74.98%) by promoters for the Indian insurers, which heavily skews insider ownership. These 10 insurers include seven Indian insurers, and the following non-Indian ones: LPI Capital, DB Insurance and Hyundai Marine & Fire Insurance. LPI Capital and Hyundai Marine & Fire Insurance have significant director ownership of 45.11% and 21.90% respectively. DB Insurance has significant family ownership of 25.84%.

FIGURE 2: TYPES OF SUBSTANTIAL SHAREHOLDERS IN INSURANCE COMPANIES

Government: 28%
Institutional Investors: 36%
Financial Corporates: 32%
Insiders: 20%
Others: 16%


CORPORATE GOVERNANCE, REMUNERATION AND RISK MANAGEMENT PRACTICES

BOARD PRACTICES

Poor corporate governance of financial institutions can result in their failure and pose significant risk to the economy and impose considerable costs on stakeholders. Having sufficient truly independent directors on boards is critical for good governance.vi However, equally important is having directors with different skills and experience. Increasingly, new areas of skills and experience are sought, such as technology-related experience relating to digital transformation or cybersecurity.

Also important is diversity in perspectives, which calls for diversity in gender, age and nationalities, among others. In addition, other board issues such as size of the board and its leadership also affect board effectiveness. Boards also need to plan for renewal and assess their effectiveness.

HAVING DIRECTORS WITH DIFFERENT SKILLS AND EXPERIENCE, AS WELL AS DIVERSITY, IS IMPORTANT FOR GOOD CORPORATE GOVERNANCE.

BOARDS OF ASIA-PACIFIC BANKS ARE ON AVERAGE LARGER THAN THEIR INSURANCE COUNTERPARTS, BUT SMALLER THAN MAJOR GLOBAL BANKS

The boards of the 50 banks have a mean (median) size of 12.32 (12.00) directors, ranging from seven to 17 members. Figure 3 shows the distribution of board size across the APAC banks. Banks in China, Japan and Thailand tend to have larger boards. Supervisory boards in banks with two-tier structure have a mean (median) size of 8.11 and 8.00 respectively.

FIGURE 3: DISTRIBUTION OF BOARD SIZE FOR BANKS

[Bar chart. Horizontal axis: Number of Directors (6 or less, 7 to 8, 9 to 10, 11 to 12, 13 to 15, 16 to 18). Vertical axis: Number of Banks. Series: Board of Directors, Supervisory Board.]

vi For South Korea, most companies use the term “outside directors” rather than “independent directors” and we treat “outside directors” as
independent directors in our analysis. For Japan, only those directors specifically designated as “independent directors” are treated as such.

The board sizes of Globally Systemically Important Banks (G-SIBs) from America and Europe are generally
slightly larger in comparison. Table 1 shows the board sizes of 13 G-SIBs.2 These have a mean (median) board
size of 13.91 (13.50) and range from nine to 19 members.

TABLE 1: BOARD SIZE OF G-SIBS ACROSS US AND EUROPE

Bucket | G-SIBs | Board Structure (Unitary or Two-Tier) | Board Size
4 | JP Morgan Chase | Unitary | 11
3 | HSBC | Unitary | 13
3 | Citigroup | Unitary | 17
2 | Bank of America | Unitary | 17
2 | Barclays | Unitary | 13
2 | Deutsche Bank | Unitary | 19
2 | Goldman Sachs | Unitary | 11
2 | Wells Fargo | Unitary | 14
1 | Bank of New York Mellon | Unitary | 9
1 | Credit Suisse | Unitary | 13
1 | UBS | Unitary | 12
1 | Morgan Stanley | Unitary | 14
1 | Santander | Unitary | 15

Boards of insurance companies tend to be smaller than for banks, with a mean (median) board size of 9.84
(10.00) directors, ranging from five to 16 members.vii For insurance companies with a dual board structure, the
mean (median) size of the board of supervisors is 4.29 (4.50). Figure 4 shows the distribution of board size for
the insurance companies. Boards are generally larger in China, Japan, Taiwan and Thailand.

By way of comparison, boards of the 15 largest insurance companies in the world based on net premiums
underwritten have a mean (median) of 12.73 (12.00), and range from nine to 20 members.3

FIGURE 4: DISTRIBUTION OF BOARD SIZE FOR INSURANCE COMPANIES

[Bar chart. Horizontal axis: Number of Directors (6 or less, 7 to 8, 9 to 10, 11 to 12, 13 to 15, 16 to 18). Vertical axis: Number of Insurance Companies. Series: Board of Directors, Supervisory Board.]

Note: All of the supervisory boards have board sizes of 6 and less.

vii Korean Reinsurance did not disclose its board of directors in its annual report. While the current directors are disclosed on its website, most
of them are newly appointed and are thus excluded from parts of our analysis on insurance companies.

BOARD LEADERSHIP PATTERNS ARE SIMILAR FOR BANKS AND INSURANCE COMPANIES

Eighty-four percent of the banks have appointed separate individuals for the roles of Chairman and CEO.
Figure 5 shows that 70% of the banks have a non-independent Chairman and 46% have a Chairman who is an
executive (either an Executive Chairman or also holding the CEO position or equivalent).

Only BDO Unibank, Maybank, CIMB Group Holdings, DBS Group Holdings, Mitsubishi UFJ Financial Group
and Kasikornbank disclosed that they have appointed a lead independent director. Apart from CIMB Group
Holdings, these banks all have a non-independent Chairman.

FIGURE 5: SEPARATION OF CHAIRMAN AND CEO ROLES IN BANKS

ED: 46%
NINED: 24%
ID: 30%

Note: ED: Executive Director; NINED: Non-Independent Non-Executive Director; ID: Independent Director

The bank chairmen have a mean (median) tenure of 5.98 (3.00) years, with the maximum of 34 years for the two
Thailand banks, Bangkok Bank and Siam Commercial Bank. Five banks from Indonesia and the Philippines did
not disclose the date of appointment for their chairmen. There should be planned succession of the Chairman
position.

Eighty percent of the insurance companies have separated the roles of the Chairman and CEO. Nineteen
and 17 insurers respectively have appointed an executive and non-executive Chairman, while the remaining
companies have appointed an independent Chairman. Four insurers – General Insurance Corporation of India,
LPI Capital, DB Insurance and Orange Life Insurance - have appointed a lead independent director and in all
these cases, the Chairman is non-independent.

For the 46 insurance companies which have disclosed the initial date of appointment of their chairmen, the
mean (median) tenure is 5.70 (3.00) years, with a maximum of 30 years for Ping An Insurance.

PROPORTION OF INDEPENDENT DIRECTORS IS COMPARABLE FOR BANKS AND INSURANCE COMPANIES

Figure 6 shows the proportion of independent directors on the boards of the banks. The mean (and median)
percentage of independent directors on the board of directors and board of supervisors is 53.57% (48.33%)
and 53.89 (52.78%) respectively.viii

Overall, all bank boards comprise at least a third of independent directors except those for Mega Financial
Holding and State Bank of India.ix

FIGURE 6: PROPORTION OF INDEPENDENT DIRECTORS IN BANKS

Proportion of independent directors | Two-tier BOD | Unitary BOD | All BOD
2/3 or more | 10.53% | 35.48% | 24.00%
≥ 1/2 but < 2/3 | 15.79% | 35.48% | 24.00%
≥ 1/3 but < 1/2 | 73.68% | 22.58% | 48.00%
Less than 1/3 | 10.53% | 6.45% | 4.00%

The mean (median) percentage of independent directors in unitary boards for the insurance companies is
51.71% (50.00%). Unlike the analysis done for banks, there is no analysis for independence on dual boards
given that the supervisory boards in China and Vietnam do not disclose the independence of its supervisors.
Overall, 90% of the insurance companies have at least a third of independent directors, as shown in Figure 7.
The exceptions are Bao Viet Holdings, BIDV Insurance, Cathay Financial Holding, T&D Holdings and Bangkok
Life Assurance.

viii The definition of independence may vary across different economies and this analysis is based on independence as determined by the banks.
ix For State Bank of India, it has complied with the requirement of at least one-third independent directors. However, as we classified
government nominees as non-independent, these directors have been reclassified into non-independent for our analysis.

FIGURE 7: PROPORTION OF INDEPENDENT DIRECTORS IN INSURANCE COMPANIES

Proportion of independent directors | Two-tier Board | Unitary Board | All BOD
2/3 or more | 0 | 25.71% | 18.37%
≥ 1/2 but < 2/3 | 0 | 51.43% | 36.73%
≥ 1/3 but < 1/2 | 78.57% | 17.14% | 34.69%
Less than 1/3 | 21.43% | 5.71% | 10.20%

Note: This is based on only 49 insurance companies; Korean Reinsurance did not disclose information on the
independent directors.

SLIGHTLY LESS THAN HALF OF INDEPENDENT DIRECTORS/COMMISSIONERS OF BANKS HAVE PRIOR WORKING EXPERIENCE IN THE BANKING OR RELATED SECTORS

Having at least one independent director with prior working experience in the banking or other related
sectors would arguably enhance the board’s oversight capabilities. Figure 8 shows the number of independent
directors in the banks with financial services experience such as banking and related sectors, and the nature of
that experience.x

The mean (median) percentage of independent directors/commissioners with prior working experience in
the banking or other related sectors is 47.12% (43.65%). As for independent directors/commissioners with
banking-specific working experience, the mean (median) stands at 24.98% (25.00%). Slightly less than half of
the independent directors (36.91%) have prior senior management experience in the banking and related
sectors. Independent directors with consultancy and regulatory experience in the banking or related sectors
were found in seven and 13 banks respectively.

Economies such as Japan and Taiwan have a higher proportion of directors without relevant working
experience in the banking or related sectors.

x A director is defined as having related financial industry experience if he/she has worked in firms such as insurance companies, mutual
funds, hedge funds, private equity, pension funds and investment-related businesses. Experience solely as a non-executive/independent
director is not considered.

FIGURE 8: FINANCIAL SERVICES EXPERIENCE OF INDEPENDENT DIRECTORS IN BANKS

[Bar chart. Horizontal axis: Number of Independent Directors (0, 1, 2, 3, 4 or more). Vertical axis: Number of Banks. Series: No Experience, Senior Management, Consultant / Advisory, Regulator.]

Note: Financial services refers to both banking-specific experience as well as other financial services related
experience (e.g. fund management, private equity).

A mix of expertise and skills is recommended to facilitate constructive debate and discourage groupthink.
Most directors have working experience in senior management of financial and non-financial companies with a
small number possessing expertise in areas such as journalism.

2 IN 5 BANKS HAVE INDEPENDENT DIRECTORS WITH TECHNOLOGY EXPERIENCE BUT CYBERSECURITY EXPERIENCE IS ALMOST NON-EXISTENT

With the growing importance of technology and the opportunities and threats that come with it, it is
important for financial services companies to include directors who are knowledgeable about technology.
Figure 9 shows that only 19 banks have appointed at least one independent director with experience in
technology, with another bank (DBS Group Holdings) having an independent director with experience in
technology and also cybersecurity.

FIGURE 9: TECHNOLOGY VS BANKING INDUSTRY EXPERIENCE OF INDEPENDENT DIRECTORS IN BANKS

[Bar chart. Horizontal axis: Number of Independent Directors (0, 1, 2, 3, 4 or more). Vertical axis: Number of Banks. Series: Banking, Technology (General), Cybersecurity.]

Note: Technology (general) refers to areas of technology such as IT, computer science, and disruptive
technology (e.g. artificial intelligence, blockchain), excluding cybersecurity.

Directors should constantly keep themselves abreast of new developments relevant to the operations of
the business so as to provide effective oversight and guidance. Thus, policies to encourage directors/
commissioners to attend on-going or continuous professional education programmes are crucial. Thirty-six
of the banks disclosed the existence of such policies; however only 17 disclosed the directors’ attendance in
such programmes.

A MAJORITY OF INSURANCE COMPANIES HAVE INDEPENDENT DIRECTORS WITH FINANCIAL SERVICES EXPERIENCE

Most boards of insurance companies have independent directors with financial services experience as shown
in Figure 10. Senior management experience in the financial services industry is the most common type of
experience.

FIGURE 10: FINANCIAL SERVICES EXPERIENCE OF INDEPENDENT DIRECTORS IN INSURANCE COMPANIES

[Bar chart. Horizontal axis: Number of Independent Directors (0, 1, 2, 3, 4 or more). Vertical axis: Number of Insurance Companies. Series: No Experience, Senior Management, Consultant / Advisory, Regulator.]

Note: Financial services refers to both insurance-specific experience as well as other financial services related
experience (e.g. fund management, private equity).

LESS THAN HALF OF THE INSURANCE COMPANIES HAVE AT LEAST ONE INDEPENDENT DIRECTOR WITH INSURANCE SECTOR EXPERIENCE

SLIGHTLY MORE THAN 1 IN 5 INSURANCE COMPANIES HAVE INDEPENDENT DIRECTORS WITH TECHNOLOGY OR CYBERSECURITY EXPERIENCE

In relation to working experience in the insurance sector, 44% of the insurers have appointed independent
directors with prior experience as seen in Figure 11.

FIGURE 11: TECHNOLOGY VS INSURANCE INDUSTRY EXPERIENCE OF INDEPENDENT DIRECTORS OF INSURANCE COMPANIES

[Bar chart. Horizontal axis: Number of Independent Directors (0, 1, 2, 3, 4 or more). Vertical axis: Number of Insurers. Series: Insurance, Technology (General), Cybersecurity.]

Note: Technology (general) refers to areas of technology such as IT, computer science, and disruptive
technology (e.g. artificial intelligence, blockchain), excluding cybersecurity.

Of the 50 insurance companies, only nine have appointed at least one independent director with technology
experience. Insurance Australia Group and Great Eastern Holdings have performed well in this respect with
at least 20% of their independent directors having technology backgrounds. In the case of cybersecurity
expertise, Great Eastern Holdings, Challenger and QBE Insurance are the only insurance companies with a
director possessing cybersecurity experience.

Although 76% of the companies have disclosed a policy to encourage directors/commissioners to attend on-going
or continuous professional education programmes, only about 28% disclosed the attendance in these
programmes.

CHINESE BANKS HAVE RELATIVELY YOUNGER DIRECTORS, WHILE JAPANESE AND KOREAN BANKS HAVE OLDER ONES

Board diversity is important to prevent groupthink and encourage constructive debate. Age and gender
diversity are two important aspects of board diversity.

Seventy-six percent of banks disclosed a board of directors/commissioners’ diversity policy.

Figure 12 shows the age diversity for different economies in terms of the average age of bank directors,
difference in age between the oldest and youngest directors, as well as the difference between the median
age of the board and age of the youngest director. The mean and median age of the bank boards are
approximately 60 years. Chinese banks have the youngest directors on average, with a mean age of 56.30
years. In contrast, Japanese and Korean banks have older directors with a mean age of 65 years.

AUSTRALIAN BANKS HAVE THE LEAST AGE DIVERSITY BASED ON DIFFERENCE BETWEEN MEDIAN BOARD AGE AND AGE OF YOUNGEST DIRECTOR, FOLLOWED BY SINGAPOREAN AND INDONESIAN BANKS

Chinese banks have the smallest mean age difference (10.47 years) between the oldest and youngest director
while Thai banks have the widest age disparity (31.67 years). However, the latter is due to banks such as
Siam Commercial Bank and Bangkok Bank which have directors of 86 and 88 years at the oldest end of the
spectrum and the youngest at 50 years of age.

Using the difference between the median age of the board and age of the youngest director, Australian banks
have the smallest difference on average, followed by South Korean and Singaporean banks.

FIGURE 12: AVERAGE AGE AND AGE DIVERSITY OF BANK DIRECTORS ACROSS ECONOMIES

[Bar chart by economy. Series: Average Age; Average Age Difference Between the Median Age of Board and Youngest Director; Average Age Difference Between the Oldest and Youngest Director.]

Note: The age difference for Taiwanese banks cannot be computed as individual directors’ ages are not
disclosed. The statistics for Indonesian banks are based on the companies’ independent commissioners
instead of independent directors.

LESS THAN 7% OF INDEPENDENT DIRECTORS OF BANKS ARE YOUNGER THAN 50 YEARS OLD

Figure 13 shows the average age distribution for the 45 banks which disclosed the age of their directors. It
shows that over four in 10 banks have directors whose average age is more than 60 years. Public Bank, BDO
Unibank and Bangkok Bank have directors whose average age is more than 70 years.

FIGURE 13: AVERAGE AGE OF DIRECTORS ACROSS BANKS

Average age of directors (percentage of banks):
55 or below: 13.33%
56 - 60: 42.22%
61 - 65: 26.67%
66 - 70: 11.11%
> 70: 6.67%

Note: This is based on 45 banks. Five banks did not disclose the age of their directors. Taiwanese banks
disclosed the average age of their directors without disclosing individual ages.

For the 45 banks that disclosed individual ages of directors, only 57 directors are aged below 50 across
26 banks, making up only 9.25% of the total number of directors. Of these, 20 are independent directors,
constituting 6.31% of all independent directors.

Ping An Bank has the youngest director aged 41 with technology experience.

AVERAGE AGE OF DIRECTORS OF INSURANCE COMPANIES IS SIMILAR TO BANKS


Sixty-eight percent of insurers disclosed a board of directors/commissioners diversity policy. Figure 14 shows
the age diversity for different economies in terms of the average age of insurance directors, difference in age
between the oldest and youngest directors, and the difference in age between the median age of board and
youngest director.

SINGAPOREAN INSURERS HAVE OLDER DIRECTORS ON AVERAGE BUT ALSO HAVE BETTER AGE DIVERSITY

For directors of insurance companies, the overall mean (median) age is 59.93 (60.64). Again, the directors
on Chinese boards are relatively younger with a mean age of 55.44. In contrast, Singaporean insurers have
the highest mean board age of 65.88 although it should be noted that there is no age disclosure by any
Australian, New Zealand, Sri Lanka or Taiwanese insurer.

KOREAN INSURERS HAVE THE LEAST AGE DIVERSITY


Korean insurers have the smallest mean age difference (nine years) between the oldest and youngest
directors. They also have the smallest difference between median board age and age of the youngest director,
followed by Hong Kong and then Japan. In contrast, insurers in Singapore, India and Thailand fare better in
this regard.

FIGURE 14: AVERAGE AGE AND AGE DIVERSITY OF INSURANCE DIRECTORS ACROSS ECONOMIES

[Bar chart by economy. Series: Average Age; Average Age Difference Between the Median Age of Board and
Youngest Director; Average Age Difference Between the Oldest and Youngest Director]

Note: No disclosures of age were made by insurers from Australia, New Zealand, Sri Lanka and Taiwan. The
number of insurers in each economy are as follows: China (7), Hong Kong (2), India (1), Japan (6), Malaysia (4),
Singapore (2), South Korea (3), Thailand (2) and Vietnam (1).

For the 28 insurance companies which disclosed the age of their directors, 19 have directors with
mean ages ranging from 56 to 65, and only four have average age of 55 or below. The remaining
five insurance companies have directors with mean ages over 65 years old.

For directors whose age is disclosed, only 9.22% are aged below 50. Less than five percent of
independent directors are below 50 years of age. There are five directors aged below 40 years,
with the youngest being a 26-year-old executive director at ZhongAn Online P&C Insurance. This
executive director has some working experience in technology-focused firms and is also the son
of the Chairman. ZhongAn also has an independent director aged 38 years. Allianz Malaysia has an
independent director aged 36 years. In addition, Bangkok Life Assurance and Bao Viet Holdings
have non-executive directors aged 38 and 35 years respectively.

BOARD DIVERSITY IS IMPORTANT TO PREVENT GROUPTHINK AND ENCOURAGE CONSTRUCTIVE DEBATE. AGE AND
GENDER DIVERSITY ARE TWO IMPORTANT ASPECTS OF BOARD DIVERSITY.

FIGURE 15: AVERAGE AGE OF DIRECTORS ACROSS INSURANCE COMPANIES

Percentage of Insurance Companies, by average age of directors:
55 or below: 14.29%
56 - 60: 32.14%
61 - 65: 35.71%
66 - 70: 17.86%
> 70: 0.00%

Note: This is based on 28 insurers. 22 insurers did not disclose the age of their directors.

ALL 4 AUSTRALIAN BANKS HAVE AT LEAST 30% OF FEMALE DIRECTORS


Turning to gender diversity, Figure 16 shows the percentage of female directors across the banks in various
economies. Although 76% of banks disclosed having a board diversity policy, the mean (median) percentage
of female directors was only 17.83% (15.38%) across the 50 banks.

All four Australian banks have at least 30% of female independent directors. In addition, four other banks,
China CITIC Bank (33.33%), Hang Seng Bank (38.46%), Kasikornbank (35.29%), and Maybank (36.36%) also
have at least 30% of female directors. Following the board restructuring in response to a series of scandals,
the board of Commonwealth Bank of Australia now comprises 50% independent directors, including a female
Chairman.

AUSTRALIAN BANKS, FOLLOWED BY MALAYSIAN BANKS, FARE BEST IN HAVING FEMALE INDEPENDENT DIRECTORS

FIGURE 16: PROPORTION OF FEMALE DIRECTORS AND INDEPENDENT DIRECTORS FOR BANKS ACROSS ECONOMIES

[Bar chart by economy. Series: Average % of Female Directors; Average % of Female IDs]

Figure 17 shows the percentage of banks with different number of female directors and female independent
directors.

FIGURE 17: PERCENTAGE OF BANKS WITH DIFFERENT NUMBER OF FEMALE DIRECTORS AND IDS

[Bar chart. X-axis: n, from 0 to 6. Series: % of Banks with n Female Directors; % of Banks with n Female IDs]



SIMILAR TO BANKS, AUSTRALIAN, FOLLOWED BY MALAYSIAN, INSURANCE COMPANIES FARE BEST IN HAVING
FEMALE INDEPENDENT DIRECTORS

FOUR KOREAN INSURANCE COMPANIES HAVE NO FEMALE DIRECTORS, AND SINGAPOREAN INSURANCE COMPANIES
ALSO FARE POORLY IN GENDER DIVERSITY
Boards of the insurance companies have a mean (median) of 17.17% (14.29%) of female directors. Australian
insurance companies generally performed better. For instance, 55.56% of Medibank’s independent directors
are female. Overall, as shown in Figure 18, Australian and Malaysian insurance companies are leading in
the appointment of female directors. In contrast, all five Korean insurers except for Samsung Fire & Marine
Insurance have not appointed any female directors.

FIGURE 18: PROPORTION OF FEMALE DIRECTORS AND INDEPENDENT DIRECTORS FOR INSURANCE
COMPANIES ACROSS ECONOMIES

[Bar chart by economy. Series: Average % of Female Directors; Average % of Female IDs]

Figure 19 shows the percentage of insurance companies with different number of female directors and female
independent directors.

FIGURE 19: PERCENTAGE OF INSURANCE COMPANIES WITH DIFFERENT NUMBER OF FEMALE
DIRECTORS AND INDEPENDENT DIRECTORS

[Bar chart. X-axis: n, from 0 to 5. Series: % of Insurance Companies with n Female Directors;
% of Insurance Companies with n Female Independent Directors]

ON AVERAGE, INDEPENDENT DIRECTORS OF BANKS HAVE TENURE OF ABOUT 4 YEARS
Long tenures may result in a lack of objectivity in assessing past decisions and determining whether changes
are needed. There may also be a lack of relevant skills and experience needed to navigate emerging
challenges. For independent directors, long tenures may also result in familiarity risks and impair their
independence.

Figure 20 shows the distribution of tenure for the different categories of directors of banks.

The independent directors in the banks have a mean (median) tenure of 4.21 (3.33) years. The mean tenure of
independent directors in three banks exceeds nine years - Bangkok Bank (11.70 years), BDO Unibank (10.40
years) and Hang Seng Bank (12.50 years). Three directors have served on the Hang Seng Bank’s board since
before 2000, which increases the mean tenure of the independent directors. However, for BDO Unibank, the
mean tenure is skewed by an independent director with a tenure of 34 years. For Bangkok Bank, most of the
independent directors have tenures of 12 to 20 years, with only two having tenure of less than five years.

The non-independent non-executive directors and executive directors have mean (median) tenures
of 5.88 (3.33) and 5.35 (3.00) years respectively.

FIGURE 20: DISTRIBUTION OF AVERAGE TENURE OF BANK DIRECTORS

[Bar chart. Categories: 3 years or less; 4 - 6 years; 7 - 9 years; 10 - 12 years; More than 12 years.
Series: NINED; ID; ED]

Note: NINED: Non-Independent Non-Executive Director; ID: Independent Director; ED: Executive Director

INDEPENDENT DIRECTORS OF HONG KONG AND PHILIPPINES BANKS HAVE AVERAGE TENURE OF MORE THAN 10 YEARS
Figure 21 shows the distribution of average tenure of independent directors across the banks.

FIGURE 21: DISTRIBUTION OF AVERAGE TENURE OF IDS ACROSS BANKS

[Bar chart by economy. Y-axis: Average Tenure of IDs]

Note: The number of banks in each economy are as follows: Australia (4), China (14), Hong Kong (2), India (5),
Indonesia (3), Japan (5), Malaysia (3), Philippines (1), Singapore (3), South Korea (2), Taiwan (2) and Thailand (3).

AVERAGE TENURE OF INDEPENDENT DIRECTORS OF INSURANCE COMPANIES IS SIMILAR TO BANKS
Executive directors of insurance companies have the shortest tenure with a mean and median of 4.30 and
2.50 years respectively across all the insurance companies. Independent directors have mean (median) tenure
of 4.54 (3.88) years, while non-executive non-independent directors have the longest mean (median) tenure of
6.87 (4.00) years.

Figure 22 shows the distribution of average tenure of independent directors across the insurance companies.

FIGURE 22: DISTRIBUTION OF AVERAGE TENURE OF INDEPENDENT DIRECTORS ACROSS INSURANCE COMPANIES

[Bar chart by economy. Y-axis: Average Tenure of IDs]

Note: This is based on 44 insurers as follows: Australia (5), China (6), Hong Kong (2), India (5), Japan (7),
Malaysia (4), New Zealand (1), Singapore (3), South Korea (4), Sri Lanka (1), Taiwan (4), Thailand (1), Vietnam (1).

MOST NON-EXECUTIVE AND INDEPENDENT DIRECTORS OF BANKS AND INSURANCE COMPANIES HAVE OTHER
FULL-TIME JOBS
It is not uncommon for directors to hold concurrent directorships in other companies. This may lead to issues
such as a lack of time and commitment, as well as possible conflicts of interest if the companies transact with
each other.

Some economies have introduced regulations, rules or guidelines on the number of directorships.

All 50 banks disclosed the current and recent directorships of their directors. Apart from concurrent
directorships, many non-executive and independent directors have concurrent full-time positions. Overall,
the mean (median) number of non-executive directors and independent directors with full time positions for
the banks is 1.93 (1.00) and 2.31 (2.00) respectively. Mega Financial Holding has 10 non-executive directors
with full time positions while Huaxia Bank and Hang Seng Bank have six independent directors with full time
positions. The non-executive Chairman of Malaysia’s Public Bank also chairs LPI Capital, a Malaysian insurance
company.

All 50 insurance companies except Korean Reinsurance and BIDV Insurance disclosed the recent and
current directorships of directors. Twenty-six and 34 insurers respectively disclosed that their
non-executive directors and independent directors have full-time positions. Three insurers did
not make any disclosures regarding the number of non-executive directors or independent directors
with full-time positions.

Overall, the mean (median) number of non-executive directors and independent directors with full
time positions is 1.89 (1.00) and 1.81 (2.00) respectively. All the non-executive directors (both
independent and non-independent) of Fubon Financial Holding have full time positions in other
companies.

NEARLY HALF OF THE BANKS HAVE A BOARD-LEVEL EXECUTIVE COMMITTEE

All the banks have established Audit and Remuneration Committees, and most also have Nominating
and Risk Committees. However, Mega Financial Holding and Japan Post Bank did not establish a
Nominating Committee and Risk Committee respectively.

Taiwan’s Code of Corporate Governance does not require a Nominating Committee as companies have
to use a different type of Board Nominating System.4 According to the Company Act, elections of
independent directors are conducted using the new candidate nomination system to allow
shareholders with at least one percent of shares to nominate directors instead of the Nominating
Committee.

Japan Post Bank has established a management-level committee as one of its Special Committees to
assist its Executive Committee in risk management matters as it is allowed to do so under the
“company with three committees” model.

In addition, 23 banks have established a board-level Executive Committee. Banks which establish
an executive committee should carefully consider the need for it, as it may be a symptom of either
the board being too large or being too involved in “executive” matters. There is also a risk of it
becoming a “board within a board”, making key decisions without the involvement of the full board.

Apart from the typical committees that companies are expected to establish, Chinese companies are
recommended to establish a board level Corporate Strategy Committee which should comprise only
directors.5 Chinese and Philippines banks are also required to have a separate board committee
dealing with related party transactions. For Indian banks, all have a Stakeholders’ Relationship
Committee, Corporate Social Responsibility Committee and Customer Service Committee as required
by their local listing rules.6

The chairmen of board committees are generally independent directors/commissioners as shown in
Figure 23. However, State Bank of India has a non-executive Chairman for its Audit, Remuneration
and Nominating Committees, who is a nominee director of the Government of India (whom we consider
to be non-independent in this report). China Everbright Bank and Japan Post Bank have a
non-executive Chairman for their Remuneration Committee and Nominating Committee respectively.
Ping An Bank and Huaxia Bank from China did not disclose details about their board committees.

The Risk Committees of Bangkok Bank, China CITIC Bank, Siam Commercial Bank and Sumitomo Mitsui
Financial Group have executive chairmen.

FIGURE 23: BOARD COMMITTEE CHAIRMEN OF BANKS

[Bar chart. Categories: Audit Committee; Remuneration Committee; Nominating Committee; Risk Committee;
Executive Committee. Series: Independent Directors/Commissioners; Non-Executive Directors; Executive Directors]

Note: The details of the Chairman were not disclosed for: Audit Committee (4), Remuneration Committee (4),
Executive Committee (4), Nominating Committee (7), Risk Committee (9).

NEARLY HALF OF THE BANKS HAVE A COMBINED NOMINATING AND REMUNERATION COMMITTEE
None of the banks have a combined Audit and Risk Committee. However, 44% have a combined Nominating
and Remuneration Committee. Almost all the banks in India, Indonesia, Malaysia and Thailand have combined
these two committees, with some banks from China and Hong Kong having done so as well. Combining the
committees may improve effectiveness and efficiency given the somewhat overlapping responsibilities of the
two committees. However, it is important that sufficient time is available to undertake the broader remit of a
combined committee.

INSURANCE COMPANIES ARE LESS LIKELY TO HAVE ESTABLISHED A BOARD-LEVEL EXECUTIVE COMMITTEE
COMPARED TO BANKS
Almost all the insurance companies have established Audit, Remuneration, Nominating, and Risk
Committees. Eleven of them also have an Executive Committee. Indian insurance companies generally have
more than eight board committees.7 However, BIDV Insurance has only established one board committee - an
Investment Committee. For Chinese insurance companies, there is a separate board committee specialising in
related party transactions.

The chairmen of the board committees are generally independent directors/commissioners as shown in Figure
24. However, while Bao Viet Holdings stated that the Chairman of its Audit Committee is independent, the
annual report listed this Chairman as an executive who also holds the position of chief audit executive of
internal audit.

United Overseas Insurance and Bao Viet Holdings have a non-independent non-executive Chairman for their
Remuneration Committee. Japan Post Insurance, Cathay Financial Holding and Bao Viet Holdings have a
non-independent non-executive Chairman for their Nominating Committee. China Taiping Insurance has an
executive Chairman for its Nominating Committee. The Risk Committees of People’s Insurance Co Group of
China and General Insurance Corporation of India have executive chairmen.

FIGURE 24: BOARD COMMITTEE CHAIRMEN OF INSURANCE COMPANIES

[Bar chart. Categories: Audit Committee; Remuneration Committee; Nominating Committee; Risk Committee;
Executive Committee. Series: Independent Directors/Commissioners; Non-Executive Directors; Executive Directors]

Note: Five insurers did not disclose the Chairman of their Audit Committees, four for their Remuneration
Committees, six for their Nominating Committees, 16 for their Risk Committees and one for its Executive
Committee.

It is common for insurance companies to have combined Nominating and Remuneration committees, with
42% of the insurers doing so. Only Tower Insurance and Ping An Insurance have a combined Audit and Risk
committee.

THE ONLY 2 BANKS THAT HELD 5 OR FEWER MEETINGS DURING THE YEAR ARE
SINGAPOREAN BANKS
All banks disclosed the number of board meetings held during the year. Of the 50 banks, 74% disclosed
individual director attendance at both board and committee meetings. There is considerable variation in the
number of board and board committee meetings across the banks (Figure 25).

The mean (median) of board meetings is 13.52 (12.00). While banks such as DBS Group Holdings and Oversea-
Chinese Banking Corporation held only five meetings, the board of commissioners of Bank Negara Indonesia
held 41 meetings during FY2018. These internal board of commissioners meetings are usually held to table
agenda items that range from reviewing the composition of board-level committees and following up on the
proposal of remuneration thresholds (and subsequent review) to the evaluation of key performance indicators
(KPIs) to be implemented for the next financial year.xi

Most board committees met 10 or fewer times during the financial year.

xi These meetings organised by the Board of Commissioners may also include the Sectoral Director and the
respective board-level committees, as well as joint meetings with the Board of Directors.

It is not necessarily the case that more frequent meetings equate to better governance or oversight, as too
many meetings could also mean that the board is too involved with management matters. Factors such as the
duration of meetings, the extent of delegation to board committees and management, and other forms of
interactions and reporting between the board and management, could also affect the number of meetings.
The wide variation in number of meetings may also reflect differences in complexity, risk and performance.

Although it is difficult to establish what is an appropriate number of meetings per year, boards which meet
relatively infrequently should ensure that their agendas are not overloaded and that they are sufficiently
involved in important strategic issues.

BANKS WITH A BOARD EXECUTIVE COMMITTEE MET LESS REGULARLY THAN THOSE WITHOUT SUCH A COMMITTEE
For 23 banks with an executive committee, the mean (median) number of board meetings held was 11.04
(11.00). In contrast, those which do not have an executive committee had a mean (median) of 15.63 (13.00)
meetings. Banks with executive committees may be relying more on this committee to help discharge the
board’s responsibilities with less involvement of the full board, which may lead to governance risks.

FIGURE 25: DISTRIBUTION OF BOARD AND BOARD COMMITTEE MEETINGS FOR BANKS

[Bar chart. Categories: 5 or less; 6 to 10; 11 to 15; 16 or more. Series: Board Meetings; Audit Committee
Meetings; Remuneration Committee Meetings; Nominating Committee Meetings; Risk Committee Meetings;
Executive Committee Meetings]

Note: Disclosures were only made for: Audit Committee (45), Remuneration Committee (45), Nominating
Committee (42), Risk Committee (40), Executive Committee (22). The board and board-level committee
meetings for the Board of Commissioners (BOC) were used for Indonesian banks.

BOARDS OF INSURANCE COMPANIES MEET LESS REGULARLY THAN THOSE FOR BANKS, WITH 2 SINGAPOREAN
INSURANCE COMPANIES AMONG THE 3 COMPANIES THAT MET LEAST OFTEN
Two Korean insurance companies – Hyundai Marine & Fire Insurance and Korean Reinsurance - did not
disclose the number of board meetings held during the year.

Figure 26 shows the distribution of board and board committee meetings for insurance companies. The
mean (median) of board meetings is 9.42 (9.00). United Overseas Insurance, Singapore Reinsurance and BIDV
Insurance held only four board meetings. In comparison, 20 board meetings were held by the T&D Holdings
during the financial year.

Most board-level committees held fewer than 10 meetings. For 11 insurance companies with an executive
committee, the mean (median) of board meetings held is 8.64 (9.00), compared to 9.65 (9.00) for those without
an executive committee.

Individual director attendance at board and committee meetings was disclosed by 76% of the insurance
companies.

FIGURE 26: DISTRIBUTION OF BOARD AND BOARD COMMITTEE MEETINGS FOR INSURANCE
COMPANIES

[Bar chart. Categories: 5 or less; 6 to 10; 11 to 15; 16 or more. Series: Board Meetings; Audit Committee
Meetings; Remuneration Committee Meetings; Nominating Committee Meetings; Risk Committee Meetings;
Executive Committee Meetings]

Note: Disclosures were only made for: Audit Committee (42), Remuneration Committee (43), Nominating
Committee (40), Risk Committee (35), Executive Committee (11).

JUST OVER A THIRD OF BANKS USE AN EXTERNAL PARTY TO FACILITATE BOARD-RELATED ASSESSMENTS,
USUALLY ONCE EVERY 3 YEARS
Overall board assessments were undertaken by 76% of the banks based on their disclosures (Figure 27).
Approximately 36% disclosed that an external party was engaged for this, usually once every three years.
About 68% disclosed an annual performance assessment for board committees, with 34% disclosing that an
external party was used. Slightly more banks (74%) disclosed performance assessment for individual directors,
with 34% using an external party. However, only 20% of the banks disclosed that an annual performance
assessment was conducted for the Chairman, and half of these disclosed that an external party was engaged.

FIGURE 27: ANNUAL BOARD PERFORMANCE ASSESSMENT FOR BANKS

Assessment of | % Facilitated by External Parties | Total % of Banks with Assessments
Chairman | 10% | 20%
Directors | 34% | 74%
Board Committees | 34% | 68%
Board of Directors / Commissioners | 36% | 76%

Approximately 60% of the banks disclosed the process followed in conducting the board assessment
but only 42% disclosed the criteria used which generally include financial and non-financial objectives
such as availability, preparedness for meetings, skills, experiences, and other directorships and principal
commitments. Board assessment methodologies include questionnaire and one-on-one interviews.

INSURANCE COMPANIES ARE LESS LIKELY TO USE EXTERNAL PARTIES TO FACILITATE BOARD-RELATED ASSESSMENTS
Of the 50 insurers, 88% disclosed undertaking overall board assessment (Figure 28), with 32% disclosing
that an external party was engaged, usually once every three years. In addition, 72% disclosed performance
assessment of committees and individual directors, with less than half of the companies using an external
party. Assessment of Chairman effectiveness was carried out by 20% of insurers, with only three insurers
disclosing that they used an external party for this. A majority (60%) disclosed the process followed in
conducting board assessments, but only around 42% disclosed the criteria used.

FIGURE 28: ANNUAL BOARD PERFORMANCE ASSESSMENT FOR INSURANCE COMPANIES

Assessment of | % Facilitated by External Parties | Total % of Insurance Companies with Assessments
Chairman | 6% | 20%
Directors | 24% | 72%
Board Committees | 22% | 72%
Board of Directors/Commissioners | 32% | 88%

BOARDS OF BANKS AND INSURANCE COMPANIES ARE FACING HEIGHTENED SCRUTINY AND CALLS FOR
ACCOUNTABILITY AND NEED TO IMPROVE THEIR APPOINTMENT PROCESS AND CRITERIA FOR DIRECTORS
In terms of board appointments and re-election, 60% of the banks disclosed the process in appointing new
directors but less than half disclosed the selection criteria used. Generally, directors are subject to re-election
every three years. The Australian Council of Superannuation Investors is pushing for annual re-elections for
Australian companies to improve accountability.8

One Taiwanese bank, Mega Financial Holding, underwent a big change (more than 50% turnover) in its board
of directors. No clear reason was given in the annual report and annual general meeting (AGM) minutes.
However, this may be related to the violation of U.S. anti-money laundering laws in 2016 by its New York-
based subsidiary.

There were other banks which experienced significant board changes after major incidents. In 2017,
Commonwealth Bank of Australia had a money laundering scandal, following other earlier scandals, which
led to the resignation of the CEO. Two other independent directors also retired from the board during the
financial year. In late 2019, Westpac Banking Corporation was also hit by a money laundering scandal, which
resulted in the resignation of its CEO and Chairman. Another long-standing director of Westpac Banking
Corporation will not be seeking re-election in the upcoming AGM.9 Clearly, bank boards are facing increasing
demands for accountability.

Sixty-two percent of insurance companies disclosed the process in appointing new directors but only
around 56% of them disclosed the criteria used in nominating new directors. Directors are generally subject
to re-election every three years, although for some insurance companies (Bao Viet Holdings and HDFC Life
Insurance), directors are subject to re-election every five years. For some Japanese insurance companies
(Tokio Marine Holdings, MS&AD Holdings, Dai-ichi Life Holdings and Sompo Holdings), directors’ term of
office is one year.

During the year covered by our study, the board of directors of three companies (Allianz Malaysia, Orange
Life Insurance and Bao Viet Holdings) underwent board turnover of more than 50%. As part of its commitment
to improve gender diversity, Allianz Malaysia appointed three new directors and a new Chairman, with three
being female directors. Orange Life Insurance replaced two non-executive directors and four independent
directors who were due to retire given the limit of six consecutive years. For Bao Viet Holdings, a few
members were transferred from the board of management to the board of directors.

REMUNERATION PRACTICES

Executive remuneration has been under scrutiny in recent years. Many governance experts have
attributed the global financial crisis to inappropriate remuneration and incentive systems. CEOs
were often seen to have an undue influence over the design and approval of their own remuneration
packages.10

Concerns over remuneration practices have resulted in extensive regulations such as the Basel
Committee’s principles and remuneration reforms in economies such as Australia, United Kingdom
and United States. The global financial crisis highlighted the need for remuneration structures
to be aligned with business and risk strategies of financial institutions in ways that ensure that
the long-term interests of stakeholders are safeguarded.11

Yet, a decade on, executive remuneration has been singled out by the Australian Royal Commission
into Misconduct in the Banking, Superannuation and Financial Services Industry as one of the key
causes of misconduct in the Australian financial services industry. The Royal Commission found that
significant inadequacies in existing remuneration structures have allowed a culture of greed and
misconduct to manifest within financial institutions.

In many economies, “Say on Pay” reforms now allow shareholders to vote on remuneration policies
and/or packages of key executives on a binding or advisory basis, with comprehensive remuneration
disclosures for shareholders to make informed decisions on remuneration matters.12

In this section, we look at executive and director remuneration practices of the banks and insurance
companies.

REMUNERATION STRUCTURES SHOULD BE ALIGNED WITH BUSINESS AND RISK STRATEGIES IN WAYS THAT
SAFEGUARD THE LONG-TERM INTERESTS OF STAKEHOLDERS.

REMUNERATION DISCLOSURES FOR BANKS AND INSURANCE COMPANIES ARE THE MOST DETAILED IN AUSTRALIA,
UNDERPINNED BY EXTENSIVE REGULATIONS

Remuneration disclosures across the banks vary widely. Those from Indonesia, Japan, South Korea
and Taiwan generally do not disclose much information about the remuneration of directors and key
executives. Some of these economies, particularly Japan and South Korea, only require disclosure
if the remuneration exceeds a certain threshold. For instance, Japanese banks are only required to
disclose the remuneration of those directors and corporate executives whose total remuneration
exceeds 100 million yen for the year (approximately USD910,000). In contrast, the remuneration
disclosures required in Australia are very detailed due to the “Say on Pay” regulations and the
recently imposed regulations on senior banking executives.13

In the case of the Singaporean banks, all three banks did not disclose remuneration for the top
five key management personnel, citing the competitiveness of the industry in addition to
confidentiality concerns.

CHINESE BANKS LISTED ONLY ON CHINESE STOCK EXCHANGES HAVE POORER REMUNERATION DISCLOSURES
THAN THEIR COUNTERPARTS ALSO LISTED IN HONG KONG

In the case of Chinese banks, the disclosures depended on whether they are listed on both the
Chinese and Hong Kong stock exchanges, or only on a Chinese stock exchange.xii As the listing
rules of the Hong Kong Stock Exchange require companies to disclose remuneration for individual
directors,14 Chinese banks listed on the Hong Kong Stock Exchange disclosed such figures. However,
there was little disclosure for Chinese banks which are listed only on the Chinese stock exchanges.

Similar to banks, remuneration disclosures for the insurance companies vary greatly across the
different economies, with those from Japan, South Korea and Taiwan generally not disclosing much
information about remuneration. Besides “competitive reasons”, most companies do not provide
other reasons for non-disclosure.

REMUNERATION AMOUNTS FOR CEOS MAY NOT BE COMPARABLE ACROSS FINANCIAL INSTITUTIONS

In this section, we examine the remuneration amounts and breakdown (mix) of remuneration for
CEOs of the banks and insurance companies. Some cautionary notes are in order. First, companies
may not be consistent in how they are reporting remuneration – for example, some may be
reporting realised (actual) remuneration when it comes to variable remuneration, while others may
be reporting realisable remuneration. Second, the variable remuneration is affected by the
performance (individual and/or corporate) for the year under review, which may not be
representative of typical variable remuneration of the CEO.

2 OF THE 3 HIGHEST-PAID BANK CEOS FOR THE YEAR ARE FROM SINGAPORE

Sixty-two percent of banks disclosed details on the total amount as well as the amount or
percentage breakdown of different remuneration components for the CEO. Some banks disclosed the
amount in bands.xiii Out of the 38 banks which disclosed the amount of CEO remuneration, the mean
(median) remuneration is USD1,798,603 (USD652,064). The top three highest-paid CEOs are from DBS
Group Holdings (USD8,675,520), Public Bank (USD8,340,250) and Oversea-Chinese Banking Corporation
(USD7,825,320).

Most corporate governance codes recommend that CEOs and executive directors should have a
significant element of pay which is linked to individual and corporate performance, including a
mix of short- and long-term incentives.

THE PERCENTAGE OF CEO REMUNERATION THAT IS “AT RISK” DECREASES WITH THE SIZE OF THE BANK
ALTHOUGH GREATER STATE OWNERSHIP OF LARGER BANKS MAY BE INFLUENCING THIS RELATIONSHIP

For the 31 banks which disclosed the breakdown of CEO total remuneration, annual (base) salary
made up an average of 58.19% of the total remuneration. Tables 2(a) and 2(b) show the mean and
median remuneration for banks in different market capitalisation percentiles, with the higher
percentile comprising larger banks.

There are two key observations. First, the total remuneration does not increase linearly with
market capitalisation as the mean and median total remuneration for banks in the 0th - 25th
percentile, which comprises banks in the bottom 25% of market capitalisation, is higher than that
for banks in the 25th – 50th percentile. Second, the percentage of variable remuneration or “pay
at risk” declines as market capitalisation increases.

This is likely due to the fact that the five largest banks, and seven of the top 11 banks, are
Chinese banks, which are state-owned. Remuneration of CEOs of these banks is likely to be
benchmarked to remuneration in other Chinese state-owned enterprises and government agencies.

xii The Chinese banks which are only listed on the Chinese Stock Exchange are Bank of Ningbo, Huaxia Bank, Industrial Bank, Ping An Bank.
xiii For banks which disclosed remuneration in bands, we took the midpoint of the band in calculating remuneration.

TABLE 2(A): MEAN DISTRIBUTION OF BASE SALARY AND INCENTIVES FOR CEOS OF BANKS (IN USD)

Market Capitalisation Base salary Incentives Total remuneration % Pay at Risk
0th - 25th percentile 375,906.53 495,134.33 871,040.86 56.84%
25th - 50th percentile 294,738.36 377,931.67 672,670.03 56.18%
50th - 75th percentile 828,656.06 824,719.10 1,653,375.16 49.88%
75th - 100th percentile 968,508.13 877,535.52 1,846,043.65 47.54%

TABLE 2(B): MEDIAN DISTRIBUTION OF BASE SALARY AND INCENTIVES FOR CEOS OF BANKS (IN USD)

Market Capitalisation Base salary Incentives Total remuneration % Pay at Risk
0th - 25th percentile 405,592.02 368,629.00 774,221.02 47.61%
25th - 50th percentile 129,362.45 53,007.55 182,370.00 29.07%
50th - 75th percentile 694,253.90 302,556.60 996,810.50 30.35%
75th - 100th percentile 1,141,169.36 609,506.77 1,750,676.13 34.82%

Note: Table 2(a) and 2(b) are based respectively on mean and median base salaries, incentives and total
remuneration of CEOs of the banks. The banks are segmented into the various percentiles based on
their market capitalisation (e.g., banks included in the 75th – 100th percentile have the top 25% of market
capitalisation). Four banks have been excluded from the analysis due to their relatively higher remuneration
figures, which could potentially skew the results. They are the Singaporean banks, DBS Group Holdings,
Oversea-Chinese Banking Corporation and United Overseas Bank, as well as Malaysian bank, Public Bank.

SHARE-BASED REMUNERATION IS USED BY JUST UNDER HALF THE BANKS WHICH
DISCLOSED REMUNERATION MIX
Figure 29 shows that CEOs of the larger banks have lower incentive-based remuneration, such as bonuses and
share awards. Table 3 shows the distribution of different remuneration components in percentage terms for
the CEO.

Short-term incentives commonly given to CEOs include annual bonus, perks or allowance and cash bonus
paid immediately. Banks may also use various forms of long-term incentives to remunerate their CEO. Such
long-term incentives include share options, restricted share awards and/or performance shares. As seen from
Table 3, six banks utilised restricted share awards and nine banks utilised performance shares. In contrast,
only Sumitomo Mitsui Trust Holdings disclosed the use of share options.15 In addition, other forms of
remuneration for banks include, for example, long service leave accrued during the year and deferred variable
remuneration.

FIGURE 29: PAY MIX OF BANK CEOS
[Stacked bar chart. Vertical axis: Proportion of Remuneration Paid (Incentives and Base Salary).
Horizontal axis: Percentile of the Bank's Market Capitalisation (0-25th, 25th-50th, 50-75th and
75th-100th percentile).]

TABLE 3: DISTRIBUTION OF DIFFERENT REMUNERATION COMPONENTS FOR BANK CEOS IN
PERCENTAGE TERMS

Remuneration Component Mean (%) Median (%) Max (%) Min (%) Total

Salary 58.19% 51.32% 100.00% 10.12% 32

Annual Bonus 52.16% 42.72% 88.33% 28.73% 11

Perks / Allowance 10.77% 9.90% 27.49% 0.31% 18

Cash bonus paid immediately 20.40% 17.15% 35.33% 10.13% 9

Other short-term incentives - - - - 0

Share options 13.59% 13.59% 13.59% 13.59% 1

Restricted share awards (only employment related) 30.55% 25.38% 51.55% 17.61% 6

Performance shares 27.06% 28.18% 38.64% 10.13% 9

Others 5.76% 1.43% 15.54% 0.12% 6

THE HIGHEST-PAID CEO OF AN INSURANCE COMPANY WAS PAID MORE THAN THE
HIGHEST-PAID CEO OF A BANK AND MEDIAN CEO REMUNERATION WAS HIGHER
FOR INSURANCE COMPANIES THAN BANKS, BUT THIS MAY REFLECT MORE STATE
OWNERSHIP FOR BANKS
For insurance companies, 58% disclosed the total amount as well as the amount or percentage breakdown of
different remuneration components for the CEO.xiv Out of the 39 insurers which disclosed CEO remuneration,
the mean (median) remuneration is USD1,427,066 (USD789,818). The top three highest-paid CEOs for
insurance companies are from AIA Group (USD9,667,069), New China Life Insurance (USD4,791,970) and Great
Eastern Holdings (USD4,154,000).

xiv Likewise for insurance companies which disclosed remuneration in bands, we took the midpoint of the band in calculating remuneration.

The range of remuneration varied greatly as well. Larger insurance companies (based on market capitalisation)
received higher total base salary remuneration on average, with annual (base) salary averaging 54.65%. In
certain cases, the full amount of the remuneration was in the form of salary.

As seen from Tables 4(a) and 4(b), the inverse relationship between percentage of remuneration at risk and
market capitalisation that we see for banks is not as evident for insurance companies.

TABLE 4(A): MEAN DISTRIBUTION OF BASE SALARY AND INCENTIVES FOR CEOS OF INSURERS IN USD

Market Capitalisation Base salary Incentives Total remuneration % Pay at Risk

0th - 25th percentile 396,368.16 412,115.84 808,484.00 50.97%
25th - 50th percentile 484,191.47 610,483.29 1,094,674.76 55.77%
50th - 75th percentile 703,174.32 1,064,109.82 1,767,284.14 60.21%
75th - 100th percentile 983,026.83 527,073.10 1,510,099.93 34.90%

TABLE 4(B): MEDIAN DISTRIBUTION OF BASE SALARY AND INCENTIVES FOR CEOS OF INSURERS IN USD

Market Capitalisation Base salary Incentives Total remuneration % Pay at Risk

0th - 25th percentile 335,168.79 438,984.21 774,153.00 56.71%
25th - 50th percentile 413,820.30 463,541.49 877,361.80 52.83%
50th - 75th percentile 825,580.28 584,265.77 1,409,846.05 41.44%
75th - 100th percentile 501,066.42 593,385.00 1,094,451.42 54.22%

Note: Table 4(a) and 4(b) are based on taking the mean base salaries, incentives and total remuneration of
the CEOs in insurance companies. The distribution has been segmented into the various percentiles based
on market capitalisation (i.e. insurance companies included in the 75th percentile have the top 25% of
market capitalisation). Of the 50 insurers, three have been excluded from the analysis due to the extremity
in remuneration figures, which could potentially skew the mean results. They are AIA Group, New India
Assurance as well as Bao Viet Holdings.

This is further borne out by Figure 30, which shows that while CEOs of the larger insurers have lower
incentive-based remuneration, this is not as pronounced as for banks. Table 5 shows the distribution of
different remuneration components in percentage terms for the CEO.

Common forms of short-term incentives given to CEOs include annual bonus, perks or allowance and cash
bonus paid immediately. In some insurance companies, other forms of short-term incentives, such as deferred
short-term incentives, are also given to CEOs. Insurance companies may use a combination of long-term
incentives for the CEO’s remuneration. Such long-term incentives include share options, restricted share
awards and/or performance shares.

As seen from Table 5, five insurers utilised performance shares, three utilised share options and two used
restricted share awards. In addition to share related remuneration, long term incentive grants and awards are
also used by insurance companies as forms of other long term incentives.

FIGURE 30: PAY MIX OF INSURANCE COMPANY CEOS
[Stacked bar chart. Vertical axis: Proportion of Remuneration Paid (Incentives and Base Salary).
Horizontal axis: Percentile of the Insurance Company's Market Capitalisation (0-25th, 25th-50th,
50-75th and 75th-100th percentile).]

SHARE-BASED REMUNERATION FOR CEOS IS NOT COMMONLY USED BY
INSURANCE COMPANIES AS WELL
Table 5 shows the distribution of different remuneration components in percentage terms for the CEO. About
18% of the insurance companies include share-based remuneration in the form of share options, restricted
share awards and performance share awards. Some insurance companies utilised more than one type of
share-based remuneration. The most common form of share-based incentive used by insurance companies
is performance shares with five insurance companies disclosing its use. Four insurance companies have other
forms of remuneration, which include long service leave accruals.

TABLE 5: DISTRIBUTION OF DIFFERENT REMUNERATION COMPONENTS FOR INSURANCE COMPANY
CEOS IN PERCENTAGE TERMS

Remuneration Components Mean (%) Median (%) Max (%) Min (%) Total

Salary 54.65% 49.53% 100.00% 18.51% 30

Annual Bonus 36.88% 38.98% 53.80% 14.00% 15

Perks / Allowance 10.80% 5.81% 73.67% 0.28% 18

Cash bonus paid immediately 28.34% 26.07% 44.57% 11.46% 8

Other short-term incentives 20.28% 15.96% 34.83% 8.67% 6

Share options 30.67% 29.02% 36.46% 26.51% 3

Restricted share awards (only employment related) 29.87% 29.87% 36.05% 23.69% 2

Performance shares 28.73% 25.57% 48.42% 20.55% 5

Others 13.30% 5.53% 41.62% 0.51% 4



FEW BANKS AND INSURANCE COMPANIES DISCLOSED KEY PERFORMANCE
INDICATORS FOR THEIR CEOS
Only seven banks disclosed the KPIs for the CEO. They are Australia & New Zealand Banking, Commonwealth
Bank of Australia, HDFC Bank, Kasikornbank, Mitsubishi UFJ Financial Group, National Australia Bank and
Siam Commercial Bank. Some disclosed weightings for different KPIs.

Leading Practice in Disclosure of KPIs by a Bank

HDFC Bank in India disclosed the following KPIs for its CEO:16

a) Business Growth: This includes growth in advances and deposits;

b) Profitability: This includes growth in profit after tax;

c) Asset Quality: Gross Non-Performing Asset (NPA), Net NPA and % of Restructured assets to net
advances;

d) Financial Soundness: Capital Adequacy Ratio Position and Tier I capital;

e) Shareholder value creation: Return on equity; and

f) Financial Inclusion: Growth in number of households covered, growth in the value of loans disbursed
under this category and achievement against priority sector lending targets.

Most of the above parameters are evaluated in two steps:

A. Achievement against the plans of the Bank; and

B. Achievement against the performance of peers.

Apart from the factors related to business growth, there is also a key qualitative factor of regulatory
compliance. Compliance acts as the moderator in the entire organisation evaluation process. A low
score on compliance can significantly moderate the other performance measures and depending on
severity may even nullify their impact.

Nine insurance companies - mostly from Australia and Japan - disclosed KPIs for the CEO. They are
Challenger, Dai-ichi Life Holdings, HDFC Life Insurance, Insurance Australia Group, Medibank, MS&AD
Holdings, QBE Insurance, Sompo Holdings and Suncorp. KPIs are usually based on a balanced scorecard
covering financial, customer, and operational indicators of performance at an individual and organisation
level, with some disclosing weightings for individual KPIs.

Leading Practice in Disclosure of KPIs by an Insurance Company

Insurance Australia Group (IAG) disclosed that performance is measured against the Group Balanced
Scorecard using both financial and non-financial goals as follows:17

Financial Measures (60% of scorecard)


1. Earnings: Net profit after tax shows IAG’s overall earnings after all expenses and taxation
attributable to shareholders of the Company.

2. Controlled Operating Expense: IAG’s continued focus on optimisation of its operating model and
related cost-out initiatives improve the efficiency with which IAG deploys its resources.

3. Profitability: IAG has adopted underlying profit as the measure as it provides a more holistic view
of the absolute earnings power of IAG’s core insurance-related businesses. It provides a view of
underlying profitability (in dollars) of the underwriting, fee-based and associate businesses and is an
important measure of how IAG generates value for shareholders.

4. Growth: IAG continues to expand its product and service offerings to its markets, measured
through Gross Written Premium growth, creating value for its shareholders, customers and partners.

Non-Financial Measures (40% of scorecard)


1. Customer Advocacy: IAG uses the Customer Net Promoter Scores to measure the impact of these
initiatives for its customers.

2. Employee Advocacy: IAG uses the Employee Net Promoter Score to measure its effectiveness in
fostering a strong organisational culture.

Risk Appetite: IAG has a clear articulation of its risk appetite, which the Board approves to uphold the
expectations of IAG’s stakeholders for how IAG employees conduct themselves. Due to the importance
of risk management to IAG, it is included as an explicit measure on the scorecard.

ABOUT 1 IN 3 BANKS AND 1 IN 7 INSURANCE COMPANIES DISCLOSED CLAWBACK
PROVISIONS
Regulators now often require or recommend that clawback provisions be put in place to deter CEOs and
senior executives from focusing on short-term results at the expense of long-term results. Such provisions may
be triggered by misconduct or poor financial performance.

Sixteen banks disclosed that they have clawback provisions for CEO and executives, with 15 banks disclosing
the clawback conditions.

Examples of Clawback Provisions

At the National Australia Bank, the Board has absolute discretion to adjust rewards downwards, or to
zero, where appropriate (including as a result of malus).18 This includes varying the vesting of rewards.
The Board’s considerations may include the Group’s financial performance, the quality of financial results,
management of risks and shareholder expectations. Board discretion may apply to any employee across
the Group, by division, by role or individual, depending on circumstances.

Clawback (recovery of paid and vested rewards) may apply to executives, other accountable persons and
some UK employees. This ability to reduce the vesting outcome for variable rewards (VR) deferred shares
along with the assessment undertaken when determining an executive’s VR outcome effectively replace
the performance conditions applying to rewards allocated under the previous executive remuneration
framework. At the end of the deferral period, the executive can deal with their VR deferred shares
provided those VR deferred shares have vested and not been forfeited.

At Singapore bank DBS Group Holdings, malus of unvested awards and clawback of vested awards will
be triggered by:19
– Material violation of risk limits
– Material losses due to negligent risk-taking or inappropriate individual behaviour
– Material restatement of DBS’ financials due to inaccurate performance measures
– Misconduct or fraud
Awards may be clawed back within seven years from the date of grant.

Seven insurance companies disclosed that they have clawback provisions in place. 

Example of Clawback Provisions

For example, Medibank in Australia disclosed that clawback applies under the following
circumstances:20

– serious misconduct or fraud by employee;

– unsatisfactory performance by employee to detriment of strategic objectives;

– error in calculation of performance measure related to performance-based remuneration; 

– misstatement in financial statements;

– board becomes aware of any action that has employee receiving inappropriate benefit.

ALTHOUGH FINANCIAL INSTITUTIONS ARE EXPECTED TO TAKE INTO ACCOUNT RISK IN THEIR
REMUNERATION POLICIES, FEW DISCLOSED HOW THEY DO SO
Financial institutions are expected to take into account risk in their remuneration policies for
senior executives.

Fewer than 10 banks disclosed how they took into account risk in their remuneration policies for CEOs
and/or senior executives. Some examples of risk-adjustment in remuneration are the use of returns on
risk-adjusted capital; setting the bonus pool according to risk-adjusted results or partly as a function
of risk-weighted metrics; including risk measures among the KPIs; and adjusting performance measures for
market, credit and operational risks.

Thirteen insurers disclosed that they took into account risk in determining remuneration for their
senior executives and/or CEOs. For example, QBE Insurance said that short-term and long-term incentives
may be adjusted by the board based on a formal review of risk and behaviours, and incentive plans
recognise adherence to its risk management processes.

Great Eastern Holdings said that in determining remuneration of key senior management executives, risk
and control indicators as well as audit findings and compliance issues are taken into account when
assessing their overall performance, in addition to their achievement in business and operation
performance.

APART FROM THE OUTGOING CHAIRMAN OF A MALAYSIAN BANK, THE 3 HIGHEST-PAID CHAIRMEN OF
BANKS ARE ALL FROM SINGAPORE
For the remuneration of board chairmen, we focus on non-executive chairmen. We excluded executive
chairmen because they are likely to be performing both Chairman and CEO roles in many cases and, in
any case, have at least a partial management role.

Of the 27 banks that have non-executive chairmen, 15 are independent. Of the 27 banks, only 19
separately disclosed the remuneration of their chairmen. If we exclude the remuneration of the
non-executive non-independent Chairman of Public Bank in Malaysia which is USD9.95 million comprising
largely of “other emoluments”,xv the mean (median) remuneration of the non-executive chairmen of the
remaining 18 banks is USD403,366 (USD246,053) and the highest remuneration is USD1,460,940 for DBS
Group Holdings. At the other end of the spectrum, six banks paid their non-executive Chairman less
than USD100,000.

Table 6 shows the ranking of remuneration for non-executive chairmen for the 18 banks (excluding
Public Bank). The wide distribution of remuneration may be due to factors such as ownership (such as
whether it is state-owned), size and complexity of the business, and the level of involvement or time
spent by the Chairman.

xv With effect from 1 January, 2019, Public Bank has appointed an independent Chairman.

TABLE 6: REMUNERATION FOR NON-EXECUTIVE CHAIRMEN OF BANKS

Rank Bank ID Chairman (USD) NED Chairman (USD)
1 DBS Group Holdings - 1,460,940
2 Oversea-Chinese Banking Corporation 1,213,290
3 United Overseas Bank 702,085
4 Commonwealth Bank of Australia 620,384 -
5 Westpac Banking Corporation 599,108 -
6 Australia & New Zealand Banking 595,369 -
7 National Australia Bank 570,111 -
8 Malayan Banking - 304,520
9 CIMB Group Holding 286,848 -
10 Siam Commercial Bank  205,259 -
11 Bangkok Bank  - 195,562
12 Hang Seng Bank 102,150 -
13 Huaxia Bank  - 99,679
14 HDFC Bank  - 93,216
15 IndusInd Bank - 71,021
16 Kotak Mahindra Bank 67,369 -
17 ICICI Bank 51,378 -
18 Axis Bank  22,290 -

Note: This ranking (from highest to lowest) is based on 18 banks with non-executive chairmen that disclosed
their directors’ remuneration, excluding Public Bank.

THE AVERAGE REMUNERATION OF NON-EXECUTIVE CHAIRMEN OF INSURANCE
COMPANIES IS LOWER THAN FOR BANKS, BUT HIGHEST-PAID NON-EXECUTIVE
CHAIRMAN OF AN INSURANCE COMPANY IS PAID AS MUCH AS 20 TIMES THE
MEDIAN REMUNERATION FOR THE SECTOR
Thirty-one insurers have a non-executive Chairman of whom 14 are independent. Of these 31 companies, 22
separately disclosed the remuneration of their chairmen. Two Taiwanese insurers - Fubon Financial Holding
and Mercuries Life Insurance - disclosed in bands, and for these two insurers, we took the midpoint as the
Chairman’s remuneration.

Table 7 shows the ranking of remuneration for the 22 non-executive chairmen. The mean (median)
remuneration is USD376,684 (USD157,332) and the highest remuneration was paid to the Chairman of Fubon
Financial Holding, with remuneration in the range of USD1.63 million to USD3.27 million.

TABLE 7: REMUNERATION FOR NON-EXECUTIVE CHAIRMEN OF INSURANCE COMPANIES

Rank Insurance Company ID Chairman (USD) NED Chairman (USD)
1 Fubon Financial Holding - 1,632,850 - 3,265,710 (Midpoint: 2,449,280)
2 Dai-ichi Life Holdings - 946,901
3 AIA Group 752,005 -
4 Mercuries Life Insurance - 489,856 - 979,712 (Midpoint: 734,784)
5 QBE Insurance 595,000 -
6 Insurance Australia Group 554,137 -
7 Suncorp 405,055 -
8 Great Eastern Holdings - 392,729
9 Challenger 369,542 -
10 Medibank 298,874 -
11 Allianz Malaysia 192,515 -
12 Dhipaya Insurance 122,149 -
13 Bangkok Life Assurance 113,795 -
14 Tower Insurance 91,880 -
15 LPI Capital - 72,193
16 MNRB Holdings - 40,152
17 United Overseas Insurance - 38,395
18 ICICI Prudential Life Insurance 37,803 -
19 ICICI Lombard General Insurance 35,511 -
20 Manulife Holdings 25,268 -
21 HDFC Life Insurance - 14,374
22 Max Financial Services - 4,712

Note: This ranking (from highest to lowest) is based on 22 insurance companies which have a non-executive
or independent Chairman and which disclosed remuneration.

THE MEAN REMUNERATION FOR NEDS OF BANKS IS ABOUT 50 PERCENT HIGHER
THAN FOR NEDS OF INSURANCE COMPANIES
The most common method to remunerate NEDs is through directors’ fees. In order to derive the average
remuneration of NEDs, the total director remuneration/fees were averaged by number of NEDs. Using this
method, the average remuneration would also include the remuneration paid to a non-executive/independent
Chairman.

Figure 31 shows the distribution of average NED remuneration for the 38 banks for which information is
available. This excludes the average NED remuneration of Public Bank which is USD1,772,550, due to the
very large amount paid to the outgoing non-executive Chairman. Twelve banks (31.60%) paid average NED
remuneration of less than USD50,000. The mean (median) remuneration for NEDs (including non-executive or
independent chairmen) is USD148,266 (USD77,312). The highest average NED remuneration is USD606,200 at
Bank Mandiri in Indonesia.

FIGURE 31: AVERAGE NED REMUNERATION FOR BANKS
[Pie chart. Categories: < USD 50,000; USD 50,000 - USD 100,000; > USD 100,000 - USD 200,000;
> USD 200,000 - USD 300,000; > USD 300,000 - USD 400,000; > USD 400,000 - USD 500,000; > USD 500,000.]

Note: This is based on 38 banks for which information is available and excluding Public Bank.

JUST OVER HALF OF BANKS AND INSURANCE COMPANIES DISCLOSED THE FEE
STRUCTURE OF NEDS
Twenty-seven banks disclosed the fee structure for NEDs. Other than director fees, there is a superannuation
component for Australian banks; commission for Indian banks; bonus and allowance for Indonesian banks;
benefits-in-kind and other emoluments for Malaysian banks; benefits-in-kind and share based remuneration
for Singapore banks; and bonuses for Thai banks.

FOR BOTH BANKS AND INSURANCE COMPANIES, 1 IN 10 HAVE A POLICY FOR
NEDS TO BUY SHARES AND HOLD THEM UNTIL THEY LEAVE THE BOARD
Five banks disclosed a policy for NEDs to buy some shares and hold them till they leave the board. They
are Commonwealth Bank of Australia, National Australia Bank and Australia & New Zealand Banking from
Australia, and DBS Group Holdings and Oversea-Chinese Banking Corporation from Singapore. NEDs are
generally also given a certain period to attain the requisite shareholding level.

Figure 32 shows the distribution of average NED remuneration for the 34 insurance companies for which
information is available. Half of the insurers paid an average NED remuneration of less than USD50,000. The
mean (median) remuneration for NEDs (including non-executive or independent Chairman) is USD91,093
(USD53,596). NEDs of QBE Insurance are the most well-paid, with an average fee of USD330,125.

FIGURE 32: AVERAGE NED REMUNERATION FOR INSURANCE COMPANIES
[Pie chart. Categories: < USD 50,000; USD 50,000 - USD 100,000; > USD 100,000 - USD 200,000;
> USD 200,000.]

Note: This is based on 34 insurance companies for which information is available.

Twenty-eight insurers disclosed fee structure for NEDs. Besides director fees, there is a superannuation
component for the Australian insurers, profit-related commission for Indian insurers as well as benefits-in-kind
and other emoluments for Malaysian insurers.

Five Australian insurance companies disclosed a policy in place for NEDs to buy some shares and hold them
till they leave. For the insurance sector, Australia is the only economy in which insurers impose a minimum
shareholding requirement for their NEDs.

RISK GOVERNANCE AND MANAGEMENT

Following the global financial crisis, risk governance and management have received considerable
attention from regulators of not only financial institutions, but companies generally. Today,
financial institutions are generally expected to adopt comprehensive risk management frameworks, have
dedicated board-level risk committees, appoint chief risk officers, and put in place strong lines of
defence to deal with an increasing array of risks.

Even as they continue to grapple with reputational and regulatory risks, they have to deal with
emerging risks such as cyber risks and conduct risks, and more recently risks associated with trade wars
and pandemics.

In light of the recent Covid-19 situation, we note that most economies have not imposed regulations
or guidelines on pandemic preparedness for financial institutions. The exceptions to this include
Malaysia, which requires insurers to carry out a multi-year solvency stress test exercise against
prescribed severe but plausible risk events such as pandemics.21 Similarly in Singapore, financial
institutions are required to participate in an industry-wide business continuity planning test to
assess their crisis management procedures against scenarios including pandemics.22 In Hong Kong, a
first, smaller scale exercise was conducted in 2013, when a group of financial institutions individually but
simultaneously responded to a simulated, unfolding pandemic crisis.23

1 IN 5 BANKS DISCLOSED THE USE OF AN ERM FRAMEWORK (SUCH AS COSO)
BUT BANKS USE AN ARRAY OF RISK MANAGEMENT FRAMEWORKS
Risk management functions in banks will need to reinvent themselves especially in light of digital
transformation.24 According to EY, there are a few broad challenges which banks must consider, one
of which is the management of emerging risks and increased competition. For instance, the rise in
financial technology (fintech) companies offering new products presents competition to banks.
Consumer banking, once viewed as a bastion of stability in financial services, would likely be heavily
impacted by these fintech companies.25

In our study, 10 banks disclosed that they have adopted an Enterprise Risk Management (ERM)
framework, with most other banks adopting a range of other frameworks (the most commonly referred
to includes an individually, internally developed “Risk Management Framework”) (Figure 33). Siam
Commercial Bank explicitly disclosed the adoption of the COSO framework.

FIGURE 33: RISK MANAGEMENT FRAMEWORKS OF BANKS
[Pie chart. Categories: ERM e.g. COSO; Risk Management Framework / System; Others e.g. Compliance
Management System, Risk Appetite Framework, Risk Management Policy.]

All 50 banks except China Minsheng Bank disclosed the key risks to which they are materially exposed.
China Minsheng Bank discussed potential risks and stated that it has no foreseeable material risks.

Seventy-six percent of the banks described the governance processes around information technology and
60% included a risk management policy describing their tolerance for various risks.

ABOUT HALF THE BANKS DISCLOSED A FORMAL RISK APPETITE STATEMENT,
WITH ABOUT A QUARTER DISCLOSING QUALITATIVE ONES
Twenty-six of the banks disclosed a formal risk appetite statement (RAS), with 12 being qualitative in nature.
Examples of how risk appetite is communicated to business management include through capital allocations
to the different business lines, establishment of individual risk appetite limits for specific business units such
as credit and market risks.

Half of the banks disclosed having a process to ensure that the material risk activities being undertaken by
management are approved by the board. Sixty-six percent of the banks evaluate and communicate potential
exposure to geopolitical events.

Unlike most other banks which have a separate Board Risk Committee (BRC), the risk management committee
in Japan Post Bank is formed as a special advisory committee that reports to its management level Executive
Committee.

2 BANKS DISCLOSED THAT INTERNAL CONTROLS WERE INADEQUATE AND/OR
INEFFECTIVE AND HAVE PUT IN IMPROVEMENT MEASURES
All banks except Mitsubishi UFJ Financial Group, Japan Post Bank and KB Financial Group disclosed that a
review of the company’s material controls and risk management systems has been conducted by the board.
The board of directors in 18 banks further commented on the adequacy and effectiveness of internal controls
established over key risks.

Two banks disclosed that their internal controls were inadequate and/or ineffective and that measures have
been established to enhance internal controls - Mega Financial Holding and CTBC Financial Holding. Both
Mega Financial Holding and CTBC Financial Holding are from Taiwan.

MORE THAN ONE-THIRD OF BANKS DISCLOSED THAT THEY ARE USING ANALYTICS
TO HELP MANAGE RISKS
Fifteen banks disclosed that they employ analytics in managing risks across the bank whereas only DBS Group
Holdings mentioned that they are using predictive analytics to identify emerging risk areas.

ONLY 1 BANK IDENTIFIED A PANDEMIC AS A KEY RISK


In March 2020, the World Health Organisation declared the coronavirus outbreak a pandemic.26 Among
the banks, only Sumitomo Mitsui Trust Holdings had specifically identified a pandemic outbreak as a key
risk, disclosing mitigation strategies such as developing business continuity plans (BCPs) to ensure the
continuation of business in the event of a crisis arising from such an outbreak. It periodically conducts
exercises and updates its BCP to ensure its preparedness. Besides having an emergency response centre
headed by the President in the event of a crisis, it also works towards strengthening human resources and
enhancing the management system through collaboration with external specialised agencies.

MORE THAN HALF OF INSURANCE COMPANIES DISCLOSED THAT THEY HAVE
ADOPTED AN ERM FRAMEWORK
Compared to banks, more insurance companies refer specifically to having adopted an ERM framework, with
28 insurance companies (56%) doing so. The remaining insurers refer to a range of other frameworks, of
which the most commonly referred to is “Risk Management Framework” (Figure 34).

FIGURE 34: RISK MANAGEMENT FRAMEWORKS OF INSURANCE COMPANIES
[Pie chart. Categories: ERM; Risk Management Framework / System; Others e.g. Risk Management
Strategy, Comprehensive Risk Management Policy, Group Risk Management Mechanism, Compliance risk
management and supervisory framework.]

Eighty-two percent of insurance companies disclosed the key risks to which the company is exposed,
whereas 58% focused on the governance process around information technology.

Twenty-eight of the insurers included a risk management policy describing their tolerance for various risks as well as disclosing a formal RAS, of which 18 are qualitative. Examples of how risk appetite is communicated to business management include allocation of capital, asset allocation, a breakdown of risk appetite and tolerance into risk limits under different categories of risks, new business budgeting and liquidity management. Thirty-eight percent of the insurers have a process to ensure that material risk activities being undertaken by management are approved by the board. Half of the insurers evaluate and communicate potential exposure to geopolitical events.

ONLY 19 INSURANCE COMPANIES DISCLOSED THE BOARD OF DIRECTORS’ COMMENTS ON THE ADEQUACY AND EFFECTIVENESS OF INTERNAL CONTROLS, WITH 3 DISCLOSING THAT THEY WERE NOT ADEQUATE AND/OR EFFECTIVE
Thirty-seven insurance companies have a separate board risk committee (BRC). In addition, 39 companies disclosed that a review of the company’s material controls and risk management systems has been conducted by the board of directors. However, the boards of directors of only 19 of the insurance companies commented on the adequacy and effectiveness of internal controls. Three insurers disclosed that their internal controls are not adequate and/or not effective – Mercuries Life Insurance, Cathay Financial Holding and Fubon Financial Holding – and disclosed the reason(s) for the control inadequacy/ineffectiveness. All three are from Taiwan.

INSURANCE COMPANIES ARE LESS LIKELY THAN BANKS TO DISCLOSE THAT THEY ARE EMPLOYING ANALYTICS TO HELP THEM MANAGE RISKS
Eight insurance companies disclosed that they employ analytics in managing risks across the insurer whereas three companies (Insurance Australia Group, China Reinsurance and SBI Life Insurance) use predictive analytics to identify emerging risk areas.

ONLY 3 INSURANCE COMPANIES IDENTIFIED PANDEMIC RISK AS A KEY RISK
Only three insurers (AIA Group, Tokio Marine Holdings and MS&AD Holdings) had identified pandemic risk as a key risk. AIA Group relies on reinsurance to reduce concentration and volatility risk, especially with new risks, and as protection against catastrophic events such as pandemics.

In terms of qualitative risk management, Tokio Marine Holdings has a process to comprehensively assess and report emerging risks that result from changes in its business environment. It not only assesses quantitative elements of the risks identified, such as economic loss and frequency, but also qualitative elements such as business continuity and reputation. Pandemic risk is identified as a material risk as it can seriously impact the financial soundness, business continuity, and other aspects of Tokio Marine Holdings.

MS&AD Holdings has formulated a BCP and prepared a crisis management framework to respond to events including outbreak of disease, such as a novel influenza virus.

In addition, two other insurers disclosed mitigation measures against pandemics. For example, Sompo Holdings has pandemic derivatives. Based on the blueprint cascaded from Allianz Group, Allianz Malaysia has localised six cyber-related crisis scenarios and plans relevant to its operating environment in Malaysia, including a Crisis Scenario Plan for pandemics.

THE RESPONSIBILITIES OF THE CHIEF RISK OFFICER (CRO) OF FINANCIAL INSTITUTIONS CONTINUE TO EVOLVE
As the risk landscape continues to become more challenging, the responsibilities of the CRO are evolving rapidly. CROs are expected to oversee an expanding range of risks—from conduct, compliance, strategic, and reputation risk to a new set of operational risks due to the increasing reliance on emerging technologies and potential disruption by fintech players.27 Financial institutions also have to face more stringent regulations around corporate governance, risk appetite, capital adequacy, stress tests, technology, and risk culture.

TECHNOLOGY CAN PROVIDE CROS WITH GREATER EFFICIENCY AND EFFECTIVENESS IN RISK ASSESSMENT AND CONTROLS.

The risk function, and especially the CRO, has to be comfortable with the use of technology to not only automate and streamline processes from risk identification to the eventual resolution, but also potentially utilise such digital tools for risk triage analyses. For example, the CRO in DBS Group Holdings highlighted that the bank is leveraging on technology to manage its financial crime risk and strengthen cyber security.28

One of the many challenges facing CROs is how to enable organisations to produce and use high-quality risk information in a fast, reliable and insightful way.29 Advanced analytics can give faster and more frequent analysis of the key risk indicators and metrics, allowing management to update capital model projections quickly so as to make better capital allocation and more informed business decisions.30 By improving efficiency and effectiveness in risk management activities such as risk identification, assessment and control of emerging risks, this allows companies to be more confident in assuming and managing risks.

TWO-THIRDS OF BANKS HAVE APPOINTED A DEDICATED CRO, WITH A VARIETY OF REPORTING RELATIONSHIPS
In our study, 33 banks disclosed that they have appointed a CRO and none of the banks’ CROs hold concurrent managerial level positions within the Group. Eighteen banks also disclosed the CRO’s reporting line. Eight banks have CROs reporting to the CEO, followed by six banks reporting jointly to Board Risk Committee (BRC) and CEO, and four banks directly to the BRC.

Six banks (Axis Bank, ICICI Bank, Kotak Mahindra Bank, Mizuho Financial Group, Oversea-Chinese Banking Corporation and Siam Commercial Bank) disclosed that their CROs review risk models before these are implemented by user departments. The CRO is not primarily responsible for overseeing the Internal Capital Adequacy Assessment Process (ICAAP), with six banks disclosing that it is the BRC’s responsibility instead.

ONLY 1 BANK DISCLOSED THE KPIS OF THE CRO
However, with regard to the assessment of performance for CROs, only Commonwealth Bank of Australia disclosed KPIs for its CRO. The KPIs comprise 10% financial measures and 90% non-financial measures. These are further split between customer, people and strategy, with 40% weighted towards delivering future fit risk management.

SLIGHTLY MORE THAN 70 PERCENT OF INSURANCE COMPANIES HAVE APPOINTED A CRO BUT UNLIKE BANKS WITH DEDICATED CROS, ABOUT ONE-FIFTH OF THE CROS OF INSURANCE COMPANIES HOLD OTHER MANAGEMENT POSITIONS
Thirty-six of the insurance companies have appointed a CRO, with six of them holding other management positions within the company such as Group Risk Management Executive Committee (RMEC) Chairman in Ping An Insurance, Responsible Compliance Officer in People’s Insurance Co Group of China, Chief Compliance Officer and Chief Legal Councillor in China Pacific Insurance, Compliance Controller in China Reinsurance, Assistant General Manager in ZhongAn Online P&C Insurance and Chief Compliance Officer in ICICI Prudential Life Insurance. As the role of a CRO is crucial as a second line of defence, it is important that insurance companies ensure the CRO’s responsibilities do not conflict with other roles.

ONLY 1 INSURANCE COMPANY DISCLOSED KPIS OF ITS CRO
However, the KPIs for these officers are generally not disclosed, except for QBE Insurance, whose KPIs are based on 19.2% group cash return-on-equity, 30.8% group combined operating ratio and 50% strategic performance objectives.

JUST OVER A THIRD OF INSURANCE COMPANIES WITH A CRO DISCLOSED THE REPORTING RELATIONSHIP, WITH MOST REPORTING PRIMARILY OR JOINTLY TO THE BOARD RISK COMMITTEE
In addition, only 13 insurance companies disclosed the CRO’s reporting line. Eight companies have CROs reporting to the BRC, followed by three companies reporting to the CEO, and two insurers reporting jointly to the BRC and CEO.

The CRO at China Pacific Insurance updates the board quarterly on risk areas, such as major risk positions and emerging risk issues. Four insurers (Suncorp, Ping An Insurance, China Pacific Insurance and Hyundai Marine & Fire Insurance) disclosed that the CRO is involved in reviewing risk models before these are implemented by user departments.

48 BANKS DISCLOSED HAVING A SEPARATE INTERNAL AUDIT FUNCTION AND JUST OVER A THIRD OF THESE DISCLOSED THE IDENTITY OF THE HEAD OF INTERNAL AUDIT
An independent, competent and adequately resourced internal audit function, reporting primarily to the audit committee, is a critical component of the third line of defence in risk management.

All 50 banks, except Shanghai Pudong Development Bank and Huaxia Bank, disclosed that they have a separate internal audit function. Though Shanghai Pudong Development Bank briefly stated that internal audit is the third line of defence, it does not disclose having a separate internal audit function. Likewise, Huaxia Bank does not make such disclosure.

Forty-two banks disclosed the reporting relationship but only 17 banks identified the head of internal audit. Fifty-six percent of the banks disclosed that the appointment and removal of the internal auditor requires the approval of the Audit Committee.

Twenty-two percent indicated that their internal audit function has unfettered access to the Audit Committee, board and management. The Audit Committee approves the annual internal audit plan in 54% of the banks, and the internal audit function adopts a risk-based approach to its auditing activities in 50% of the banks.

1 IN 5 BANKS DISCLOSED THAT A QUALITY ASSURANCE REVIEW IS DONE FOR INTERNAL AUDIT AT LEAST ONCE EVERY 5 YEARS
In addition, 20% of banks disclosed that a Quality Assurance Review is conducted on internal audit at least once every five years. Twenty percent of banks stated that their Audit Committee meets with the internal auditors and external auditors at least annually without the presence of management. Though the Audit Committees of 42% of the banks assess the competency and independence of the internal auditors, only 32% disclosed that the internal auditor meets or exceeds IIA / National IA standards.

ONLY ABOUT 1 IN 5 BANKS DISCLOSED THAT THEIR INTERNAL AUDIT IS LEVERAGING ON DATA ANALYTICS AND TECHNOLOGY FOR THEIR AUDIT
Nine banks stated that their internal audit leveraged on the use of data and technology in their auditing activities to provide greater audit assurance. By leveraging on data analytics for transactional and low-value activities, auditors can focus on high-risk items that require critical judgement, thereby enhancing audit quality, and providing stronger assurance to Board and senior management.31 For instance, the internal audit of DBS Group Holdings leverages on the use of data, technology and automation to provide greater insights and to enhance DBS’ audit assurance. Since 2017, it has operationalised its Future of Auditing roadmap with the use of digital tools, rule-based and predictive analytics, coupled with the continuous monitoring approach to perform risk assessments and controls testing and provide better risk management insights.32

ALL 50 INSURANCE COMPANIES DISCLOSED HAVING A SEPARATE INTERNAL AUDIT FUNCTION AND ABOUT HALF DISCLOSED THE HEAD OF INTERNAL AUDIT OR THE OUTSOURCED FIRM
All 50 insurance companies disclosed having a separate internal audit function. However, for Bao Viet Holdings, though its corporate governance report indicates having a separate internal audit function, we note that the Chairman of its Audit Committee is also the chief audit executive of internal audit.

Though 41 insurance companies disclosed their reporting line for internal audit, only 24 insurers identified the head of internal audit or the external firm providing the internal audit service. The appointment and removal of the internal auditor requires the approval of the Audit Committee in about 64% of the companies.

Twenty percent disclosed that their internal audit function has unfettered access to the Audit Committee, board and management. Although half of the insurance companies disclosed that the Audit Committee approves the annual internal audit plan, only 32% disclosed that their internal audit adopts a risk-based approach to their auditing activities.

Twenty-eight percent indicated that their Audit Committee meets with the internal auditors and external auditors at least annually without the presence of management. However, none of the insurers disclosed that a Quality Assurance Review has been conducted on the internal audit function at least once every five years.

Though the Audit Committees of half of the companies assess the competency and independence of the internal auditors, only 24% disclosed that the internal auditor meets or exceeds IIA standard / National IA standard.

ONLY 2 INSURANCE COMPANIES DISCLOSED THAT THEIR INTERNAL AUDIT IS LEVERAGING ON DATA ANALYTICS AND TECHNOLOGY IN THEIR WORK
Two insurance companies, Ping An Insurance and Bao Viet Holdings, mentioned that their internal audit leveraged on the use of data analytics and technology in their auditing activities to provide greater audit assurance.
EMERGING AREAS

CORPORATE CULTURE

Financial institutions exist to serve the needs of society. However, financial crises and scandals have crippled markets and harmed stakeholders, mostly because of mismanagement and weak oversight in financial institutions. This has led to the collapse of some large financial institutions.

At the heart of most scandals involving financial institutions is poor corporate culture. This is clearly evident in the findings of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry in Australia. It is important that banks and insurance companies have an appropriate corporate culture in place which encourages the right behaviour and reduces the risk of misconduct.

Boards are now expected by regulators to set and monitor corporate culture. Financial institutions are expected to “audit” their corporate culture and ensure that their actions, policies and systems are aligned to an appropriate corporate culture.

Major institutional investors, such as BlackRock, are also urging boards to consider their purpose. Organisations, including financial institutions, which establish clarity through their purpose and purpose statement would not only ensure that their strategies are well-informed, but also allow for a trickle-down effect to their culture, which is the bedrock for sustainable financial performance.33

98% OF BANKS EXPLICITLY STATED THEIR PURPOSE
Eighty-four percent of banks disclosed their vision and mission statements, with 76% having an emphasis on strengthening financial and/or non-financial performance; 68% stressing the importance of meeting the expectations of stakeholders such as customers, employees and community; and 20% citing the need for technological innovation in their business operations. Sixty percent disclosed that they performed a periodic board-level review of their vision and mission statements in the last financial year. In addition, 98% of banks explicitly stated their purpose.

60% OF BANKS DISCLOSED THAT THEY REVIEWED THEIR VISION AND MISSION STATEMENTS, WHILE ONLY 54% OF INSURANCE COMPANIES DID SO
Fifty-four percent of the insurers disclosed that their boards reviewed the vision and mission during the past financial year. Sixty-eight percent alluded to a strong focus on “stakeholder” interest whereas 76% focused on “performance” in their vision and mission statements. Given the rise of Insurtech, insurers need to pay more attention to technological innovation, as a means of improving their operations and services for their customers.34

EXCEPT FOR 8 CHINESE BANKS, ALL THE OTHER BANKS DISCLOSED HAVING A CODE OF CONDUCT OR ETHICS FOR EMPLOYEES BUT LESS THAN HALF DISCLOSED HOW THEY IMPLEMENT AND MONITOR COMPLIANCE WITH THE CODE
A large majority of the banks, except for eight Chinese banks, disclosed a code of conduct or ethics for employees. These eight Chinese banks include China Construction Bank, Bank of Communications, Industrial Bank, Postal Savings Bank of China, China Minsheng Bank, Ping An Bank, Bank of Ningbo and Huaxia Bank. Most banks have incorporated ideals of anti-corruption, honesty and the need to maintain the professional reputation of the organisation into the code.

However, less than half of the banks disclosed how they implement and monitor compliance with the code as well as the actions taken to deal with those in breach of company rules.

ABOUT 4 IN 5 BANKS HAVE IMPLEMENTED WHISTLEBLOWING POLICIES BUT ONLY HALF OF ALL THE BANKS DISCLOSED HAVING POLICIES THAT ALLOW FOR ANONYMOUS COMPLAINTS
Whistleblowing policies have been implemented in 78% of the banks to allow for complaints made by employees and other stakeholders for alleged illegal or unethical behaviour. However, only 25 of these 39 banks disclosed that their whistleblowing policies allow for anonymous complaints while only 24 disclosed that their policies cover whistleblowing by external parties. The whistleblowing policy is usually administered by committees such as the Audit Committee or Compliance Committee.

ALL EXCEPT 2 INSURANCE COMPANIES DISCLOSED HAVING A CODE OF CONDUCT/ETHICS BUT ONLY ABOUT HALF DISCLOSED HOW THEY IMPLEMENT AND MONITOR COMPLIANCE WITH THE CODE
All 50 insurance companies, except for China Taiping Insurance and BIDV Insurance, disclosed having a code of conduct and/or ethics, with 38 disclosing the details of the code. However, only 26 disclosed how they implement and monitor compliance with the code. Twelve companies disclosed the actions taken when dealing with employees in breach of company rules and/or the code.

MORE THAN 4 IN 5 INSURERS DISCLOSED HAVING A WHISTLEBLOWING POLICY BUT CHANNELS WERE ONLY DISCLOSED BY LESS THAN 3 IN 5 INSURERS, AND ONLY HALF OF ALL INSURERS DISCLOSED HAVING POLICIES THAT ALLOW ANONYMOUS COMPLAINTS
Eighty-two percent of the insurers disclosed having a whistleblowing policy; however, only 58% of those which disclosed the policies included channels for stakeholders to voice their concerns. Several insurers also disclosed the specific function, individual or external firm engaged in handling whistleblowing complaints, so as to ensure objectivity and independence in treatment of the complaints. Twenty-five of the 41 insurers that disclosed having a whistleblowing policy said that they allow for anonymous complaints and 18 disclosed that their policy covers whistleblowing by external parties.

Like the banks, the whistleblowing policy is usually administered by committees such as Audit Committee or Compliance Committee.

8 BANKS HAVE A DEDICATED BOARD-LEVEL COMMITTEE WITH RESPONSIBILITY FOR OVERSIGHT OF CORPORATE CULTURE
Eight banks have a dedicated board-level committee with terms of reference that include responsibility for oversight over corporate culture. These include Bank Mandiri, Bank Negara Indonesia, Bank of China (Hong Kong), China Construction Bank, China Minsheng Bank, Commonwealth Bank of Australia, Oversea-Chinese Banking Corporation and Siam Commercial Bank.

Typically, the Corporate Culture Department, Human Capital Management or Risk Management Committee is charged with the ongoing assessment and monitoring of culture.

STRONG CORPORATE CULTURE ENCOURAGES THE RIGHT BEHAVIOUR AND REDUCES THE RISK OF MISCONDUCT.

21 BANKS HAVE CONDUCTED A RISK CULTURE ASSESSMENT
A majority of banks disclosed the actions taken to reinforce culture in the past year. However, only 21 of the banks disclosed conducting risk culture assessments. Meanwhile, 28 banks have set a mix of financial and non-financial KPIs to establish objectives and drive behaviour.

9 INSURANCE COMPANIES HAVE A DEDICATED BOARD COMMITTEE WITH RESPONSIBILITY FOR OVERSIGHT OVER CORPORATE CULTURE
Nine insurance companies have a dedicated board-level committee with terms of reference that include responsibility for oversight over corporate culture. The companies include Suncorp, QBE Insurance, Medibank, Challenger, Ping An Insurance, General Insurance Corporation of India, Bangkok Life Assurance, Dhipaya Insurance and Great Eastern Holdings. For insurers, it is typically the Compliance Department or Human Resource function which is charged with the ongoing assessment and monitoring of culture.

18 INSURANCE COMPANIES HAVE CONDUCTED A RISK CULTURE ASSESSMENT
Sixty percent of insurers also disclosed the actions taken to reinforce culture in the past financial year. However, only 18 insurers disclosed undertaking a risk culture assessment. There are 24 insurers which disclosed the setting of a mix of financial and non-financial KPIs to establish desirable objectives and behaviour within the firm.

REMUNERATION POLICIES MUST BE ALIGNED WITH CORPORATE CULTURE
For financial institutions, key areas such as performance culture and customer centricity are important. A mere emphasis on the tone at the top and leadership is insufficient to embed a strong corporate culture within the whole organisation. Training, compliance, and appropriate remuneration policies which take into consideration both financial and non-financial KPIs when assessing and rewarding employees are also critical.

With an increasing proportion of financial institutions devoting attention to the needs and welfare of stakeholders such as customers in their vision and mission statements, it is clear that there is a recognition of the need to move towards more customer-centric attitudes. Financial institutions should consistently demonstrate that fair treatment of customers is at the heart of their business model, as this symbiotic relationship will help ensure better returns for both parties.

JUST OVER HALF THE BANKS DISCLOSED KPIS FOR THEIR EMPLOYEES, WITH 40% DISCLOSING KPIS THAT INCLUDE CUSTOMER WELFARE
Only 56% of banks disclosed KPIs to drive desired performance and behaviour for their employees (Figure 35). Despite the importance of customer welfare, only 40% of the banks disclosed that they have implemented KPIs relating to the welfare of customers and demonstrated customer centricity in their operations and strategic objectives.

FIGURE 35: KEY PERFORMANCE INDICATORS (KPIS) FOR BANKS

KPIs accounting for customer centricity: 40%
Disclosure of KPIs as a mix of both financial and non-financial indicators: 52%
Disclosure of KPIs: 56%

All the banks disclosed that they have complied with regulations to protect the financial system against financial crimes, including “Know Your Customers” and “Anti Money Laundering” laws. Failure to comply with such regulations may result in scrutiny and penalties imposed by regulators. For instance, the Australian Transaction Reports and Analysis Centre has imposed heavy financial penalties on Commonwealth Bank of Australia, National Australia Bank and Westpac Banking Corporation for breaches in anti-money laundering laws.

Eighty-six percent of banks disclosed a comprehensive training programme for new and existing employees, which is customised for their specific role and function within the organisation.

JUST UNDER HALF OF INSURANCE COMPANIES DISCLOSED KPIS FOR EMPLOYEES, WITH ONLY ABOUT TWO IN FIVE DISCLOSING KPIS RELATING TO CUSTOMERS
Sixty-six percent of insurers disclosed the existence of a comprehensive and customised training programme
for both new and existing employees.

Only 48% of the insurance companies disclosed KPIs, with all these companies disclosing that their KPIs
include both financial and non-financial metrics, but only 42% disclosed having a component for customer
centricity.

FIGURE 36: KEY PERFORMANCE INDICATORS (KPIS) FOR INSURANCE COMPANIES

KPIs accounting for customer centricity: 42%
Disclosure of KPIs as a mix of both financial and non-financial indicators: 48%
Disclosure of KPIs: 48%

For insurance companies, customer centricity revolves around critical dimensions such as speed and
convenience for claims processing leading to the eventual settlement; the quality (and error-free rate) of the
settlement process; as well as the level of transparency throughout the entirety of the process.35

TECHNOLOGICAL DISRUPTION

1 IN 3 BANKS HAVE APPOINTED A CHIEF INFORMATION OFFICER.

The financial services industry is facing considerable disruption, with banks and insurers facing the dilemma of being a disruptor or becoming disrupted. The traditional business models of financial institutions are now being reimagined as technological innovations threaten to radically transform the industry. For instance, banks have to grapple with new payment methods using blockchain, while insurers have to come to terms with losing their monopoly over assessing, pricing and limiting risks, thereby forcing them to reinvent traditional underwriting models.36

With the increasing threat from digital disruption, banks have taken an active approach in revamping their digital strategy, ranging from improving customer experience and engagement to enhancing efficiencies and innovation.

In many APAC economies, central banks are issuing digital banking licenses, whereby players would have substantially lower customer acquisition and transaction costs due to the increase in automation for processes such as credit checks and verification of identity. In contrast, traditional banks have higher operational costs due to infrastructure and physical branches.37

The consolation for traditional banks is that these newer digital-only rivals are generally targeting the underbanked demographic, which are usually small and medium enterprises (SMEs) which might have faced difficulties in securing credit, or individuals who are unable to afford the credit.38 In addition, market research has shown that incumbent banks may have an advantage over their digital counterparts due in part to their wealth of historical customer data. This access to data affords the banks in-depth knowledge of customer behaviours and preferences based on their long banking relationship with the bank.39

JUST OVER HALF THE BANKS DISCLOSED EXTERNAL THREATS THAT COULD POTENTIALLY DISRUPT THEIR BUSINESS
Fifty-six percent of banks disclosed that they have access to a talent pool which could be tapped on to execute the digital roadmap of the company, including the need to shift the legacy systems of the organisation from a physical to a virtual one. With the readiness on the employee front, banks are better positioned to adopt an omnichannel delivery approach as part of their strategic goals moving forward.

BANKS ARE ADOPTING MYRIAD STRATEGIES TO ADDRESS TECHNOLOGICAL DISRUPTION
In terms of digital strategy, although all the banks stated their objectives, only 54% disclosed external threats that can potentially disrupt their business. However, it is clear that many banks have kept themselves abreast of industry developments, with 78% engaging in external collaboration or partnerships, mostly with fintech start-ups or by pioneering incubators to spur innovation. This is followed by 68% which develop existing employees’ digital capabilities, as well as 46% and 40% which recruit employees and leaders with digital talent respectively. Efforts to improve digital disruption engagement through the aforementioned initiatives are essential, and banks should consistently continue to direct resources and capital towards such investments, so as to ensure the fruition of their digital strategies.

INSURANCE COMPANIES ARE ALSO FACING SIGNIFICANT THREATS FROM TECHNOLOGICAL DISRUPTION
According to McKinsey, customers are embracing digital platforms, and technologies have introduced new products built on data and analytics. There are some disruptors which provide insurance services by relying on pure digital business models. Through the use of digital applications such as chatbots, buying a policy or filing a claim becomes a fast, simple, and satisfying experience.40 Therefore, incumbent firms with traditional business models must accelerate to incorporate digital technologies in their operations.

ONLY HALF THE INSURANCE COMPANIES DISCLOSED HOW THEY EVALUATE THE APPLICATION OF EMERGING TECHNOLOGIES SUCH AS BLOCKCHAIN IN THEIR BUSINESS STRATEGIES
Most of the insurance companies have disclosed plans to review their information technology operating model. However, only half disclosed a methodology to evaluate how and where emerging technologies such as blockchain may be applied to their business strategies. In terms of digital leadership and talent, only half of the insurers have identified key specific areas to retrain their workforce. Slightly less than half of the companies disclosed that outside experts are consulted regarding technological issues and these companies receive regular updates from management.

To ensure that there is a firm-wide understanding of the significance of the digital strategy and to help handle technological disruption, leadership and employees alike should be sufficiently skilled.

ABOUT 1 IN 4 BANKS HAVE A BOARD-LEVEL TECHNOLOGY COMMITTEE WHILE 3 IN 5 BANKS HAVE A MANAGEMENT-LEVEL TECHNOLOGY COMMITTEE
In our study, we found that most of the banks (76%) do not have a board-level technology committee. Sixty percent have a management-level committee instead.

JUST OVER 1 IN 3 BANKS DISCLOSED THAT THEY HAVE APPOINTED A CHIEF INFORMATION OFFICER BUT FEW DISCLOSED THE REPORTING LINE
Thirty-six percent of banks disclosed that they have appointed a Chief Information Officer (CIO), with only 8% disclosing the reporting line for the CIO, which includes an Information Technology Strategy Committee and CEO.

For the 50 banks, 40% of the boards actively stay informed of new trends and keep up their understanding of the potential of new technologies, through relevant digital committees as well as attending training programmes and seminars. Fifteen banks consulted with outside experts with regard to technological issues.

DIRECTORS WITH TECHNOLOGICAL EXPERTISE REMAIN RARE
Most banks have not appointed directors with technological expertise or working background in this area. Australian and Indian banks seem to be doing more in this respect, as compared to banks in China, the Philippines and Taiwan (Figure 37).

FIGURE 37: DIRECTORS IN BANKS WITH TECHNOLOGY BACKGROUNDS

[Bar chart: average no. of directors with technology backgrounds, by economy]

Note: The number of banks in each economy are as follows: Australia (4), China (15), Hong Kong (2), India (6),
Indonesia (4), Japan (5), Malaysia (3), Philippines (1), Singapore (3), South Korea (2), Taiwan (2) and Thailand (3).

LESS THAN HALF THE BANKS DISCLOSED RESPONSIBILITY FOR OVERSIGHT AND IDENTIFICATION OF DIGITAL OPPORTUNITIES
Most of the banks did not disclose the personnel or function which has responsibility for oversight and identification of digital opportunities. Of the 21 banks which disclosed, several included the board-level technology committee, innovation or research and development management-level committee. Only a small fraction consider the responsibility to be held by individual business owners, such as Bank Rakyat Indonesia and DBS Group Holdings. Several others also delegated the responsibility to the Group Chief Information Officers (CIOs).

ONLY 1 IN 5 INSURANCE COMPANIES HAVE DIRECTORS WITH TECHNOLOGY BACKGROUNDS
Only 20% of the insurance companies have appointed directors with technology backgrounds. Insurance Australia Group has the highest percentage of directors with technology background, at 20%.

LESS THAN 1 IN 5 INSURANCE COMPANIES HAVE A BOARD-LEVEL TECHNOLOGY COMMITTEE BUT JUST OVER HALF HAVE A MANAGEMENT-LEVEL TECHNOLOGY COMMITTEE
Board-level committees that are focused on technology are also sparse in insurance companies, with only four disclosing the existence of such a committee. Only 18% of the companies disclosed that the boards have means to stay informed and understand the evolving digital threats. For these companies, the common method is for the boards to attend training relating to digital transformation or technology.

More insurance companies, about 52%, have a technology-related committee at the management level. Thirty percent of the insurers disclosed that there is a CIO who is in charge of information technology of the company and supporting the company’s digital progress. However, only 8% of the companies disclosed the reporting lines of the CIO.

A MAJORITY OF BANKS ARE FOCUSED ON ARTIFICIAL INTELLIGENCE, MACHINE LEARNING AND
BLOCKCHAIN FOR TECHNOLOGICAL INVESTMENTS
Despite the fact that digital-only rivals may
take some time to find their footing, incumbent
banks should continue to improve on their use of
technology either by developing data-intensive
business models or rethinking their digital strategy.
This will necessitate technological investments.

In response to the emerging threat of digital disruption, a majority of the 50 banks have indeed
increased their investment appetite and adoption rate for technologies, with the highest relating to
fields of artificial intelligence, machine learning and blockchain (Figure 38). Meanwhile, based on
disclosures, more highly specialised areas such as Application Programming Interface (API)xvi have
only a 48% adoption rate, with Robotics Process Automation (RPA)xvii at 32%.

FIGURE 38: TECHNOLOGY INVESTMENTS BY BANKS

Robotics Process Automation (RPA): 32%
Application Programming Interface (API): 48%
Artificial intelligence/Machine Learning/Blockchain: 98%
Automation: 50%
Robotics: 42%

xvi Application Programming Interface (API) is an interface or communication protocol between different parts of a computer program
intended to simplify the implementation and maintenance of software.
xvii Robotics Process Automation (RPA) is a form of business process automation technology based on metaphorical software robots or artificial
intelligence workers.

LIKE BANKS, MOST TECHNOLOGY INVESTMENTS BY INSURANCE COMPANIES ARE IN THE AREAS OF
ARTIFICIAL INTELLIGENCE, MACHINE LEARNING AND BLOCKCHAIN
Digitalising claims (especially for the Property & Casualty line of insurance) can generate much value for
insurance companies as it can improve customer experience, efficiency, and effectiveness. Therefore, most
companies have implemented a digital strategy to tackle the threat of digital disruption.

From Figure 39, we note that the majority of companies have disclosed their plans as well as existing
implementation in areas such as artificial intelligence, machine learning and blockchain in their operations.
Other common areas of investments include automation, robotics, and RPA.

FIGURE 39: TECHNOLOGY INVESTMENTS BY INSURANCE COMPANIES

Robotics Process Automation (RPA): 36%
Application Programming Interface (API): 12%
Artificial intelligence/Machine Learning/Blockchain: 62%
Automation: 40%
Robotics: 32%



CYBERSECURITY

Cybersecurity risk has become a key risk for financial institutions. As a result, many regulators
across the APAC region have stepped up their guidelines on cybersecurity. Whilst financial institutions
attempt to strike the balance between being open and being secure, the threat could potentially stem
from within. With outsourcing and use of contractors and temporary workers to handle cyber risks
predominant in most financial institutions, financial institutions should be aware that they might be
handing over more than a mere security badge, and could be exposing their systems to more
vulnerabilities and prying eyes.41 Hence, directors and senior management should increase their focus
on the management of cybersecurity risks.

JUST OVER 3 IN 5 BANKS DISCLOSED CYBERSECURITY AS A KEY BUSINESS RISK
In our study, 62% of the banks communicated that cybersecurity is a key business risk. In addition to
acknowledging the significance of cybersecurity risks, the board and senior management should
also have a comprehensive understanding of the cybersecurity strategy undertaken by the bank.

According to BCG, one of the weaknesses in banks’ defences against cyber threats is the lack of talent
in cybersecurity.42

ABOUT 1 IN 3 BANKS HAVE SENT THEIR DIRECTORS FOR TRAINING ON CYBERSECURITY ISSUES
Half of the banks disclosed measures to deal with cybersecurity such as equipping the workforce
with training. Forty-four percent of the banks send employees for regular training, with a lower
percentage of 32% sending directors for training on cybersecurity. However, less than half of the
banks or 46% disclosed those responsible for cybersecurity. Amongst the banks that disclosed
responsibility, only 28% of the banks identified a person at the management level with the ultimate
responsibility for cyber-related risks.

HALF THE INSURANCE COMPANIES DISCLOSED CYBERSECURITY AS A KEY BUSINESS RISK
Half of the insurers communicated that cybersecurity is a key business risk. A report by
KPMG suggests that insurance companies are lagging behind other financial institutions such
as banks in terms of cybersecurity measures. As the other financial sectors strengthen their
cybersecurity, attackers may look for easier and more vulnerable targets and this places insurance
companies at higher risks of becoming cyber-attack victims.43 Furthermore, the insurance providers
have vast access to customer-sensitive information, which must be safeguarded to not only comply with
the relevant privacy laws, but more importantly, to uphold customer trust.44 Therefore, cybersecurity
should be a key area of focus for the insurance companies.

However, in our study, only about half of the insurers disclosed that there is someone who is
responsible for cybersecurity and only 40% disclosed a policy to deal with it. In addition, only 24%
of the companies regularly send their employees for cybersecurity-related training and 18% of
companies send their directors for regular training. Insurers should ideally increase participation
and firm-wide involvement of its employees as well as management, as cybersecurity management cannot
be merely left to the information technology function, to be handled in isolation. In order for
cybersecurity to be effective, such concerns should be elevated to the boardroom, with clear
responsibility designated to an individual for decision-making processes around cybersecurity
to be carried out more efficiently and decisively, especially in the event of a cyberattack.

TWO-THIRDS OF INSURANCE COMPANIES DID NOT IDENTIFY WHO HAS OVERALL RESPONSIBILITY
FOR CYBERSECURITY RISKS
Most insurance companies (66%) do not name a specific person at senior management or executive
committee level with the overall responsibility for cybersecurity-related risks. According to KPMG,
successful insurers will have their Chief Security Officer report directly to the COO, ensuring that
there is a clear line of sight between the cyber security risk and the business.45 Leaders of the
company should consider procedures or measures such as training and drills to make sure that the
organisation is prepared for cyber threats.

THREE-QUARTERS OF BANKS SAID THEY ARE ACTIVELY INVESTING IN CYBERSECURITY MEASURES
About 76% of the banks disclosed that they are actively investing in cybersecurity measures, which
is a sign that the banks are treating cybersecurity threats seriously. In Figure 40, 66% of the banks
disclosed that there is a team or budget that is dedicated to cybersecurity and information
security. Slightly fewer banks (58%) disclosed that the board engages with relevant industry initiatives
pertaining to cybersecurity. However, more can be done to manage cyber risk such as collaboration
with regulators or external parties, or through the establishment of security operation centre (SOC)
and appointment of directors with cybersecurity-related skills.

Out of the 50 banks, only DBS Group Holdings disclosed that they have appointed or are looking to
appoint directors with backgrounds in cybersecurity.

FIGURE 40: RESOURCES, SKILLS AND ENGAGEMENT FOR CYBERSECURITY ISSUES FOR BANKS

Initiatives undertaken by banks (proportion of banks):
Appointment of directors with skills: 2%
Establishment of security operation centre (SOC): 22%
Collaboration with regulators: 30%
Board engagement with industry initiatives: 58%
Dedicated cyber/information team: 66%

INSURANCE COMPANIES ARE LESS LIKELY THAN BANKS TO HAVE THE RESOURCES,
SKILLS AND ENGAGEMENT FOR CYBERSECURITY ISSUES
In terms of the measures adopted, 46% of insurance companies disclosed a dedicated cybersecurity or
information security team, and/or a dedicated budget (Figure 41). There is room for improvement in managing
cyber risk such as collaboration with regulators or external parties (16%), establishment of security operation
centre (SOC) (4%) and appointment of directors with cybersecurity-related skills (2%).

Insurers could consider including a SOC in their operations as it consists of a dedicated team, which operates
in shifts in a facility, primarily to identify, assess, respond and ultimately prevent cybersecurity threats and
attacks, therefore fulfilling regulatory compliance, by restricting breaches in data and security.46 Insurance
companies could consider this option given the high sensitivity of information they deal with, and therefore
an internal SOC could provide insurance companies with more control over cybersecurity monitoring and a
shorter response time in the event of cyberattacks.

FIGURE 41: RESOURCES, SKILLS AND ENGAGEMENT FOR CYBERSECURITY ISSUES FOR INSURANCE
COMPANIES

Initiatives undertaken by insurance companies (proportion of insurance companies):
Appointment of directors with skills: 2%
Establishment of security operation centres (SOC): 4%
Collaboration with regulators: 16%
Board engagement with industry initiatives: 34%
Dedicated cyber/information team: 46%

ONLY ABOUT HALF THE BANKS HAVE PUBLICLY COMMITTED TO COMPLIANCE WITH DATA PROTECTION
LAWS AND TWO-THIRDS DISCLOSED HAVING A PRIVACY/DATA PROTECTION POLICY
Fifty-two percent of the banks publicly commit to compliance with data protection laws. In terms of internal
policy, 68% disclosed having a privacy and/or data protection policy but only 48% explicitly cover its entire
operations, including third parties.

BCG pointed out that poor third-party management was also one of the weaknesses of banks.47 Some
banks outsourced their information technology services to third parties, but ultimately the responsibility and
accountability for the cybersecurity still lies with the banks. Therefore, banks need to monitor and supervise
the work of the third-party partners and ensure that these providers are performing up to expectations.

INSURANCE COMPANIES ARE COMPARABLE TO BANKS ON PUBLIC COMMITMENT TO DATA PROTECTION
LAWS AND PRIVACY/DATA PROTECTION POLICY
Slightly less than half of the insurance companies publicly commit to compliance with data protection
laws. In terms of internal policy, 72% of the insurers publicly disclose a privacy and/or data
protection policy but only 56% explicitly cover their entire operations, including third parties.

ONLY 56% OF BANKS DISCLOSED HAVING DONE A CYBERSECURITY RISK ASSESSMENT WHILE ONLY
ABOUT 40% OF INSURANCE COMPANIES HAVE DONE SO
BCG suggested that banks should perform “a comprehensive health check” on their operating
model to ensure that they are prepared for the worst.48 Regular assessment of the cybersecurity
measures undertaken by banks can help to identify weaknesses and areas of improvements. However,
only 56% of the banks in our study disclosed that cybersecurity risk assessment is conducted,
with a mere seven banks disclosing that they have conducted audits on the information or
cybersecurity policies and systems. These banks are Ping An Bank, Kotak Mahindra Bank, State Bank of
India, Bank Mandiri, Public Bank, Oversea-Chinese Banking Corporation and Siam Commercial Bank.

Thirty-four percent of the banks disclosed that they conducted drills to prepare themselves in case of
potential cyberattacks.

Public education on cybersecurity is also important to ensure that customers do not fall prey to cyber
criminals. However, only 24% of the banks disclosed measures to increase customer awareness to
safeguard their data.

Though 31 banks established an incident management plan, only 25 disclosed information or
cyber security as a key part of its risk assessment/business continuity plan.

Only 19 insurers disclosed having conducted a cyber security risk assessment. However, 64% are actively
investing in cybersecurity measures. Most insurance companies disclose a privacy or data protection
policy (72%) and half of them publicly commit to compliance with data protection laws.

About 28% of the insurance companies have also conducted audits of information relating
to information and cybersecurity policies, and 24% conducted drills to prepare employees for
cyberattacks. Though 22 companies established an incident management plan, only 19 disclosed
information or cyber security as a key part of its risk assessment/business continuity plan.

SUSTAINABILITY

In his annual letter to CEOs, Larry Fink, the Chairman and CEO of the world’s largest asset
manager BlackRock, highlighted the need to treat climate risk as a form of investment risk, as he
believes that investments with a commitment to sustainability and climate-integrated portfolios are
better positioned to provide risk-adjusted returns for its investors.49 Companies, including financial
institutions, should be prepared for the significant reallocation of capital and credit towards projects
which champion sustainability.

Meanwhile, there is an increasing need for financial institutions to communicate and report on their
sustainability initiatives. Previously, sustainability reporting was deemed as a corporate tool to
build trust and improve companies’ reputation. However, it has since evolved into a strategic
tool that could be used to support sustainable decision-making processes, enhance internal
organisation development, stimulate performance, engage stakeholders in the overall inclusive
growth of the company and ultimately, attract better investments.50 Therefore, it is essential that
financial institutions recognise the importance and demand for improved reporting and communication
practices, to support sustainable development.

Financial institutions should be prepared for an overhaul in investment attitudes and practices, and
shift towards sustainable finance, by rethinking the chase for financial returns and instead invest
with an eye for environmental and social concerns.51

SUSTAINABILITY REPORTING IS A STRATEGIC TOOL THAT COULD BE USED TO STIMULATE
PERFORMANCE, ENGAGE STAKEHOLDERS AND ATTRACT BETTER INVESTMENTS.

25 BANKS HAVE OBTAINED INDEPENDENT ASSURANCE FOR THEIR SUSTAINABILITY REPORTS
All 50 banks except for three Chinese banks (China Minsheng Bank, Huaxia Bank and Shanghai
Pudong Development Bank) have a separate section/report on sustainability. DBS Holdings,
for example, publishes a standalone report that provides an expanded account of progress in terms
of supporting the United Nations’ Sustainable Development Goals (UNSDGs) and material
sustainability matters. Some of the banks from China, Malaysia and Thailand also have very
detailed sustainability reports, such as Bank of Communications, China Everbright Bank, CIMB
Group Holdings, Siam Commercial Bank and Kasikornbank.

Twenty-five of the banks have obtained independent assurance for their Sustainability Report, with 16
of the banks engaging Big 4 accounting firms to provide sustainability reporting assurance. Of these
16 banks, 12 used the same Big 4 accounting firm as their external auditors.

COMMUNITY ENGAGEMENT, CUSTOMER WELFARE AND SUSTAINABLE DEVELOPMENT ARE THE TOP THREE
AREAS OF FOCUS IN SUSTAINABILITY REPORTS OF BANKS
When it comes to the specifics of sustainability reporting, many banks focus on areas such as
community engagement (96%), customer welfare (90%) and sustainable development (90%). However,
areas pertaining to anti-corruption (72%); borrowers and lenders selection procedures (66%) and
safeguarding of creditors’ rights (50%) tend to lag somewhat behind.

However, as part of the nationwide poverty alleviation campaign, most Chinese banks made
extensive disclosures around their internal poverty alleviation programmes. Some included the
development of an industry value chain, integrating employment opportunities with environmental
protection effort, as seen for China Everbright Bank. Other banks such as the Agricultural Bank of China
also extended credit provision for related projects, in support of the 2020 goal of eliminating residual
poverty in the rural areas of China.

90% OF BANKS DISCLOSED POLICIES AND PRACTICES ON TRAINING AND DEVELOPMENT PROGRAMMES FOR
EMPLOYEES BUT ONLY HALF OF THESE DISCLOSED STATISTICS SUCH AS EMPLOYEE PARTICIPATION RATE AND
AVERAGE TRAINING HOURS
Regarding its employees, 80% disclosed the policies and practices on health, safety and welfare for its
employees. Although 90% of banks disclosed the policies and practices on training and development
programmes for its employees, only half of them published relevant statistics of employees’ training
and development programmes such as employee participation and average training hours per
employee.

ALL 50 BANKS PROVIDED DETAILS FOR STAKEHOLDERS TO VOICE CONCERNS
All 50 banks provided contact details via the company’s website or Annual Report which
stakeholders can use to voice their concerns and/or complaints for possible violation of their rights.

9 OUT OF 10 INSURANCE COMPANIES HAVE A SEPARATE SECTION/REPORT ON SUSTAINABILITY, WITH
INDIAN INSURANCE COMPANIES OFTEN NOT HAVING IT
All 50 insurance companies, except for four Indian companies and one South Korean company, have a
separate section/report on sustainability.

Some of the insurance companies from China, Japan and Vietnam have very detailed sustainability
reports, such as Ping An Insurance, Tokio Marine Holdings, MS&AD Holdings and Bao Viet Holdings.

1 OUT OF 3 INSURANCE COMPANIES WITH A SEPARATE SUSTAINABILITY REPORT/SECTION HAVE OBTAINED
INDEPENDENT ASSURANCE FOR IT
Fifteen insurance companies have also obtained independent assurance over their sustainability
reporting practices, with eight of the companies engaging Big 4 accounting firms to provide
sustainability reporting assurance. Of the eight companies, three (AIA Group, MS&AD Holdings
and T&D Holdings) used the same Big 4 accounting firm as their external auditors.

More consideration and focus are given to areas such as community engagement (94%), customer
welfare (88%) and sustainable development (84%). However, when it comes to areas regarding
anti-corruption (58%), safeguarding of creditors’ rights (46%) and policy holder selection (42%),
insurance companies tend to lag behind.

Separately, 86% of insurance companies disclosed the policies and practices implemented for
employee health, safety and welfare. Although 74% of companies disclosed the policies and
practices on employee training and development programmes, only 34% published relevant results of
employees’ training and development programmes such as employee participation and average
training hours per employee.

ALL 50 INSURANCE COMPANIES PROVIDED DETAILS FOR STAKEHOLDERS TO VOICE CONCERNS
All 50 insurance companies provided contact details via the company’s website or Annual Report
which stakeholders can use to voice their concerns and/or complaints for possible violation of their
rights.

12 BANKS HAVE ADOPTED THE EQUATOR PRINCIPLES AS A FRAMEWORK FOR ASSESSING
ENVIRONMENTAL AND SOCIAL RISKS IN THEIR FINANCING PRACTICES
In recent years, banks have begun to rethink their sustainability commitments, aimed at reducing
environmental, social and governance (ESG) risk by way of exiting or rejecting certain investments or
restricting access to credit for projects or portfolios which present a high ESG risk. More financial institutions
are committing to responsible lending practices.

There has been a rise in the number of frameworks which aim to provide guidance for companies to adhere
to. One of these is the Equator Principles (EPs), which is essentially a risk management framework used by
financial institutions to assess their environmental and social risks, thereby promoting responsible decision-
making in their evaluation process.52 When banks adhere to the EPs, there is also a streamlined and consistent
framework for annual reporting purposes, which helps ensure that disclosures by banks are comparable across
economies and markets.

Twelve of the banks in our study declared their compliance with EPs during the period of our study – or are
Equator Principles Financial Institutions (EPFIs). Amongst these, four are from Australia, one each from China
and Hong Kong respectively, four from Japan, and two from Taiwan, as shown in Table 8.

TABLE 8: LIST OF 12 BANKS ADOPTING EQUATOR PRINCIPLES

Australia: Commonwealth Bank of Australia; Westpac Banking Corporation; National Australia Bank; Australia & New Zealand Banking
China: Industrial Bank
Hong Kong: Hang Seng Bank
Japan: Mitsubishi UFJ Financial Group; Sumitomo Mitsui Financial Group; Mizuho Financial Group; Sumitomo Mitsui Trust Holdings
Taiwan: Mega Financial Holding; CTBC Financial Holding

Note: DBS Group Holdings adopted EP after the period covered by our study.

4 IN 5 BANKS DISCLOSED A RESPONSIBLE FINANCING POLICY AND TWO-THIRDS HAVE COMMITTED
TO UNSDGS IN TERMS OF SUSTAINABILITY PRINCIPLES
In spite of the low adoption rate, a majority (78%) of banks disclosed their commitment towards responsible
lending and have integrated principles/guidelines on responsible financing in their business model. This was
made apparent as part of sustainability reporting initiatives, with 66% committed to lending based on ESG
factors.

Even though a majority of banks have not yet adopted the EP framework, 80% disclosed a responsible
financing policy in place. A higher percentage of banks (66%) are instead committed to the equivalent UN
Sustainable Development Goals (UNSDGs) in terms of sustainability principles.

NOTABLE EXAMPLE (I): SHINHAN FINANCIAL GROUP, SOUTH KOREA


The South Korean banking corporation has recently integrated sustainability into one of its leading
principles for management and strategic objectives, by declaring its commitment to combating climate
change. It has sought to expand its financing of businesses and projects with green initiatives, whilst
balancing the need for appropriate risk governance and management measures to mitigate and reduce
emerging climate risks.53 This translated into a 20 trillion won (USD17.3 billion) pledge by the group in green
investments to achieve a 20% reduction in greenhouse gas emissions (GHG) by 2030 - and this is in addition
to the existing 16.8 trillion won (USD14.6 billion) worth of funds injected in support of green industries in the
prior financial year.

NOTABLE EXAMPLE (II): KASIKORNBANK, THAILAND


Kasikornbank incorporated ESG factors into its business operations with several key features including
the processes around customer due diligence. Kasikornbank implemented validation processes to ensure
that its customers are granted a proper credit limit. However, the bank establishes the appropriateness of
the credit limit at a level which is ascertained to produce no adverse impact on the economy, society and
the environment. After approval of credit limits, the bank continues to monitor its customers as well as the
usage of the credit facilities extended, to prevent any misalignment of credit usage with the objectives of
the bank, and assess the repayment capabilities of customers in the event of disastrous circumstances. In
addition, an Exclusion List has also been established for ineligible projects which the bank has refused credit
to. These efforts reinforce the significance of sustainability and responsible lending to Kasikornbank, which
has committed itself to business growth and advancement without necessarily compromising long term
returns for stakeholders, society and the environment at large.

15 INSURANCE COMPANIES DISCLOSED THEIR COMMITMENT TO PRINCIPLES OF SUSTAINABLE INSURANCE
In 2012, the United Nations Environment Programme Finance Initiative (UNEP FI) Principles for Sustainable
Insurance (PSI) was launched. This is essentially a strategic approach for activities in the insurance value chain.
Given that the insurance industry is risk-driven and focused, the sustainable angle emphasises the need for
companies to consistently reduce risk whilst minimising their adverse impact on environmental, social and
economic aspects.54 However, in spite of the importance of aligning insurers in a global, concerted effort for
better risk management, most APAC insurance companies do not disclose their commitment to the PSI, with
only 15 companies in our study doing so (Table 9).

TABLE 9: LIST OF 15 INSURANCE COMPANIES DISCLOSING COMMITMENT TO PRINCIPLES FOR
SUSTAINABLE INSURANCE

Principles for Sustainable Insurance

Australia: Insurance Australia Group; QBE Insurance; Medibank; Challenger
China: Ping An Insurance
Japan: Tokio Marine Holdings; MS&AD Holdings; Dai-ichi Life Holdings; Sompo Holdings; T&D Holdings
Singapore: Great Eastern Holdings
South Korea: Samsung Fire & Marine Insurance; DB Insurance
Taiwan: Cathay Financial Holding; Fubon Financial Holding

23 INSURANCE COMPANIES HAVE A SUSTAINABILITY STEERING COMMITTEE AND ALMOST TWO THIRDS
DISCLOSED PLANS AND STRATEGIES TO DEAL WITH MATERIAL ESG ISSUES
On the flip side, 46% of insurance companies disclosed a separate Sustainability Steering Committee,
which is responsible for making recommendations and exercising oversight over sustainability strategies
and solutions. In addition, 64% disclosed their plans and strategies to deal with material ESG issues. Hence,
insurance companies appear to be largely committed to ensuring sustainability in their business practices,
without necessarily being a signatory. Sixty-two percent of insurance companies disclosed that they do
evaluate their responsible investment activities. However, only 36% of them disclosed the need to invest with
external asset managers who support ESG principles.

ONLY 12 INSURANCE COMPANIES DISCLOSED THAT THEY ARE UN PRI SIGNATORIES


In addition to the UNEP FI PSI framework, there is also the Principles for Responsible Investment (PRIs), which
comprise six principles as guidance for companies when incorporating ESG issues into investment decision-
making.55 Generally, the PRIs focus on encouraging asset owners to not only become responsible investors but
ultimately also address the unsustainable aspects of the financial market. However, progress is slow as only 12
insurance companies are identified as UN PRI signatories. This underlines the need for insurance companies
to take more active measures in ensuring that their responsible investment practices are concerted and
transparent for stakeholders.

The only economies with insurers adopting the UN PRIs are Australia, Hong Kong, Japan and Taiwan, with
Japanese insurers accounting for 6 out of the 12 doing so.

NOTABLE EXAMPLE: QBE INSURANCE, AUSTRALIA


As part of its sustainability reporting practices, QBE Insurance disclosed several key measures
which facilitated its progress towards responsible investment. Firstly, it has a dedicated Responsible
Investments (RI) team, with a direct reporting line to both the Group Chief Investment Officer and Group
Chief Financial Officer. The insurer also ensures that its approach towards credit selection is appropriate
with the integration of various ESG considerations into its credit analysis process. In addition, 85% of
the external asset managers engaged with QBE Insurance are PRI signatories. Internally, QBE Insurance
also strengthened its external fund manager review process as part of its manager selection and due
diligence approach.56

15 BANKS AND 13 INSURANCE COMPANIES HAVE ADOPTED INTEGRATED REPORTING
In recent years, integrated reporting (IR) is being recognised as an essential framework for companies to
improve and streamline their reporting practices. An integrated report represents a concise communication
about the overall strategy, governance, performance and prospective performance, with the objective of
sustained value creation.57 Only 15 banks practised integrated reporting for their respective annual reports
(Table 10).

TABLE 10: LIST OF 15 BANKS WITH INTEGRATED REPORTING

Integrated Reporting <IR>

Australia: Australia & New Zealand Banking; National Australia Bank
India: HDFC Bank; ICICI Bank; Axis Bank; IndusInd Bank
Japan: Mitsubishi UFJ Financial Group; Sumitomo Mitsui Financial Group; Japan Post Bank; Mizuho Financial Group; Sumitomo Mitsui Trust Holdings
Malaysia: Maybank
Singapore: DBS Group Holdings; United Overseas Bank
Taiwan: CTBC Financial Holding

For insurance companies, only 13 practised integrated reporting in their annual reports, as shown in Table 11.

TABLE 11: LIST OF 13 INSURANCE COMPANIES WITH INTEGRATED REPORTING

Integrated Reporting <IR>

India: SBI Life Insurance; ICICI Lombard General Insurance
Japan: Tokio Marine Holdings; MS&AD Holdings; Dai-ichi Life Holdings; Sompo Holdings; T&D Holdings
Malaysia: LPI Capital; Allianz Malaysia
South Korea: DB Insurance
Sri Lanka: Union Assurance
Taiwan: Fubon Financial Holding
Vietnam: Bao Viet Holdings

CONCLUDING SUMMARY

On the whole, the large APAC financial institutions have been making the right strides in improving
corporate governance and risk management practices. Compared to earlier reports on banks58
and insurance companies59, there is more diversity on boards, and better disclosures in remuneration,
among others. Nevertheless, there is room for improvement and some financial institutions
continue to lag.

This report also identified several emerging areas which boards and senior management of financial
institutions should pay more attention to - corporate culture; technological disruption; cybersecurity;
and sustainable financing, investing and reporting.

Consumers no longer look towards financial institutions for the sole purpose of accessing
credit facilities or insurance cover. Rather, they are increasingly concerned about risks relating to
their impact on the environment and society, and corporate misconduct. Stakeholders are now more
insistent in holding banks and insurance companies accountable for their lending and investment
decisions, and in doing so, have called for better disclosure and communications.

Banks and insurance companies have to acknowledge that corporate governance and risk
management are not checklist exercises or mere compliance with capital market regulations. Rather,
they are important tools in supporting value-creation on a sustainable basis. Financial institutions
must elevate their strategies to create socially beneficial impacts for communities they operate
in. This requires independent, competent, diverse and committed boards to place many of the issues
discussed in this report onto their agendas and ensure that they are considered and embedded into
strategic decisions.

APPENDICES
APPENDIX A: LIST OF BANKS BASED ON MARKET CAPITALISATION
(SOURCE: BLOOMBERG)
Columns: Rank; Bank; Economy; Market Capitalisation (USD); Total Assets (USD); Latest Accounts Date
1 Industrial and Commercial Bank of China Ltd CN 261.49B 4026.97B 12/2018
2 China Construction Bank Corp CN 184.66B 3376.13B 12/2018
3 Agricultural Bank of China Ltd CN 167.10B 3286.98B 12/2018
4 Bank of China Ltd CN 137.51B 3091.85B 12/2018
5 China Merchants Bank Co Ltd CN 122.33B 980.70B 12/2018
6 Commonwealth Bank of Australia AU 93.86B 721.04B 06/2019
7 HDFC Bank Ltd IN 84.24B 169.36B 03/2019
8 Mitsubishi UFJ Financial Group JP 66.09B 2889.64B 03/2019
9 Westpac Banking Corporation AU 65.90B 636.38B 09/2018
10 Bank of Communications Co Ltd CN 54.56B 1385.65B 12/2018
11 Industrial Bank Co Ltd CN 53.87B 975.74B 12/2018
12 National Australia Bank Ltd AU 53.78B 583.51B 09/2018
13 Bank Central Asia Tbk PT ID 52.19B 57.17B 12/2018
14 Australia & New Zealand Banking AU 51.43B 681.99B 09/2018
15 Sumitomo Mitsui Financial Group Inc JP 48.47B 1873.93B 03/2019
16 DBS Group Holdings Ltd SG 46.35B 404.07B 12/2018
17 Shanghai Pudong Development Bank Co Ltd CN 46.06B 914.39B 12/2018
18 Postal Savings Bank of China Co Ltd CN 44.85B 1383.47B 12/2018
19 Japan Post Bank Co Ltd JP 43.30B 1982.96B 03/2019
20 Hang Seng Bank Ltd HK 42.19B 200.62B 12/2018
21 Kotak Mahindra Bank Ltd IN 39.65B 51.85B 03/2019
22 BOC Hong Kong Holdings Ltd HK 37.29B 377.02B 12/2018
23 Mizuho Financial Group Inc JP 37.25B 1930.22B 03/2019
24 ICICI Bank Ltd IN 37.18B 172.59B 03/2019
25 Bank Rakyat Indonesia Persero ID 36.92B 89.89B 12/2018
26 State Bank of India IN 36.50B 555.18B 12/2018
27 China CITIC Bank Corp Ltd CN 34.95B 881.98B 12/2018
28 Oversea-Chinese Banking Corp Ltd SG 34.57B 343.02B 12/2018
29 China Minsheng Banking Corp Ltd CN 34.33B 871.53B 12/2018
30 Ping An Bank Co Ltd CN 32.96B 497.00B 12/2018
31 United Overseas Bank Ltd SG 31.28B 284.73B 12/2018
32 China Everbright Bank Co Ltd CN 26.20B 633.47B 12/2018
33 Axis Bank Ltd IN 24.32B 108.03B 03/2019
34 Bank Mandiri Persero Tbk PT ID 24.16B 83.33B 12/2018
35 Malayan Banking Bhd MY 23.08B 195.21B 12/2018
36 Public Bank Bhd MY 19.73B 101.52B 12/2018
37 Bank of Ningbo Co Ltd CN 16.83B 162.31B 12/2018
38 Shinhan Financial Group Co Ltd KR 16.44B 412.75B 12/2018
39 Huaxia Bank Co Ltd CN 15.73B 389.70B 12/2018
40 Siam Commercial Bank PCL TH 14.50B 98.59B 12/2018
41 IndusInd Bank Ltd IN 13.90B 34.02B 03/2019
42 KB Financial Group Inc KR 13.61B 430.70B 12/2018
43 Mega Financial Holding Co Ltd TW 13.40B 115.72B 12/2018
44 Sumitomo Mitsui Trust Holdings JP 13.16B 643.54B 03/2019


45 Kasikornbank PCL TH 13.02B 97.60B 12/2018
46 BDO Unibank Inc PH 12.55B 57.70B 12/2018
47 CTBC Financial Holding Co Ltd TW 12.40B 187.97B 12/2018
48 CIMB Group Holdings Bhd MY 11.75B 121.94B 12/2018
49 Bangkok Bank PCL TH 10.63B 96.41B 12/2018
50 Bank Negara Indonesia Persero ID 10.31B 56.05B 12/2018

APPENDIX B: LIST OF INSURANCE COMPANIES BASED ON MARKET CAPITALISATION
(SOURCE: BLOOMBERG)
Rank Insurance company Economy Market Capitalisation (USD) Total Assets (USD) Latest Accounts Date Category
1 Ping An Insurance Group Co of China Ltd CN 225.76B 1038.45B 12/2018 Life
2 AIA Group Ltd HK 121.89B 229.81B 12/2018 Life
3 China Life Insurance Co Ltd CN 105.28B 473.13B 12/2018 Life
4 People’s Insurance Co Group of China Ltd CN 49.51B 149.98B 12/2018 P&C
5 China Pacific Insurance Group CN 45.91B 194.22B 12/2018 Life
6 Tokio Marine Holdings Inc JP 36.81B 215.87B 12/2018 P&C
7 New China Life Insurance Co Ltd CN 19.59B 106.70B 12/2018 Life
8 MS&AD Insurance Group Holdings JP 18.92B 211.57B 12/2018 P&C
9 Dai-ichi Life Holdings Inc JP 16.69B 504.64B 12/2018 Life
10 Cathay Financial Holding Co Ltd TW 16.21B 301.37B 12/2018 Life
11 Sompo Holdings Inc JP 15.39B 112.49B 12/2018 P&C
12 HDFC Life Insurance Company Ltd IN 15.15B 16.96B 03/2019 Life
13 Fubon Financial Holding Co Ltd TW 14.32B 252.06B 12/2018 Life
14 Insurance Australia Group Ltd AU 12.78B 22.009B 12/2018 P&C
15 Suncorp Group Ltd AU 12.12B 73.447B 12/2018 P&C
16 SBI Life Insurance Co Ltd IN 11.57B 18.684B 03/2019 Life
17 QBE Insurance Group Ltd AU 11.08B 39.58B 12/2018 P&C
18 Sony Financial Holdings Inc JP 9.44B 116.75B 12/2018 Life
19 Samsung Fire & Marine Insurance Co Ltd KR 9.00B 71.32B 12/2018 P&C
20 China Taiping Insurance Holdings Co Ltd HK 8.66B 96.03B 12/2018 Life
21 ICICI Prudential Life Insurance Co Ltd IN 8.522B 21.771B 03/2019 Life
22 Japan Post Insurance Co Ltd JP 8.11B 723.32B 12/2018 Life
23 Great Eastern Holdings Ltd SG 8.00B 62.39B 12/2018 Life
24 ICICI Lombard General Insurance Co Ltd IN 7.37B 4.567B 03/2019 P&C
25 China Reinsurance Group Corp CN 7.04B 49.56B 12/2018 Reinsurance
26 T&D Holdings Inc JP 6.62B 143.69B 12/2018 Life
27 Medibank Pvt Ltd AU 6.45B 2.621B 06/2018 Life
28 General Insurance Corporation of India IN 4.20B 17.268B 03/2019 P&C
29 ZhongAn Online P&C Insurance Co Ltd CN 3.61B 3.83B 12/2018 P&C
30 DB Insurance Co Ltd KR 2.86B 45.74B 12/2018 P&C
31 Challenger Ltd AU 2.78B 18.71B 12/2018 Life


32 New India Assurance Company Ltd IN 2.46B 13.067B 03/2019 P&C
33 Bao Viet Holdings VN 2.30B 4.88B 12/2018 Life
34 Hyundai Marine & Fire Insurance Co Ltd KR 1.81B 39.60B 12/2018 P&C
35 Orange Life Insurance Ltd KR 1.76B 29.406B 12/2018 Life
36 Max Financial Services Ltd IN 1.57B 8.49B 03/2019 Life
37 LPI Capital Bhd MY 1.48B 1.03B 12/2018 P&C
38 Bangkok Life Assurance PCL TH 1.13B 10.04B 12/2018 Life
39 Korean Reinsurance Co KR 821.01M 9.65B 12/2018 P&C
40 Mercuries Life Insurance Co Ltd TW 807.88M 37.37B 12/2018 Life
41 Allianz Malaysia Bhd MY 628.30M 4.21B 12/2018 Life
42 Dhipaya Insurance Public Company Limited TH 490.60M 1.391B 12/2018 P&C
43 Central Reinsurance Co Ltd TW 338.7M 1.218B 12/2018 Reinsurance
44 United Overseas Insurance Ltd SG 306.8M 0.448B 12/2018 P&C
45 MNRB Holdings Bhd MY 197.6M 2.055B 03/2019 Reinsurance
46 TOWER Ltd NZ 166.5M 0.445B 12/2018 P&C
47 Manulife Holdings Bhd MY 131.3M 1.339B 12/2018 Life
48 Singapore Reinsurance Corp Ltd SG 124.5M 0.600B 12/2018 Reinsurance
49 BIDV Insurance Corporation VN 120.8M 0.221B 12/2018 P&C
50 Union Assurance PLC LK 110.1M 0.269B 12/2018 Life
APPENDIX C: LIST OF BANKS’ ABBREVIATIONS


Rank Bank Abbreviation
1 Industrial and Commercial Bank of China Ltd Industrial and Commercial Bank of China
2 China Construction Bank China Construction Bank
3 Agricultural Bank of China Ltd Agricultural Bank of China
4 Bank of China Ltd Bank of China
5 China Merchants Bank Co Ltd China Merchants Bank
6 Commonwealth Bank of Australia Commonwealth Bank of Australia
7 HDFC Bank Ltd HDFC Bank
8 Mitsubishi UFJ Financial Group Mitsubishi UFJ Financial Group
9 Westpac Banking Corporation Westpac Banking Corporation
10 Bank of Communications Co Ltd Bank of Communications
11 Industrial Bank Co Ltd Industrial Bank
12 National Australia Bank Ltd National Australia Bank
13 Bank Central Asia Tbk PT Bank Central Asia
14 Australia & New Zealand Banking Australia & New Zealand Banking
15 Sumitomo Mitsui Financial Group Inc Sumitomo Mitsui Financial Group
16 DBS Group Holdings Ltd DBS Group Holdings
17 Shanghai Pudong Development Bank Co Ltd Shanghai Pudong Development Bank
18 Postal Savings Bank of China Co Ltd Postal Savings Bank of China
19 Japan Post Bank Co Ltd Japan Post Bank
20 Hang Seng Bank Ltd Hang Seng Bank
21 Kotak Mahindra Bank Ltd Kotak Mahindra Bank
22 Bank of China (Hong Kong) Holdings Ltd Bank of China (Hong Kong)
23 Mizuho Financial Group Inc Mizuho Financial Group
24 ICICI Bank Ltd ICICI Bank
25 Bank Rakyat Indonesia Persero Bank Rakyat Indonesia
26 State Bank of India State Bank of India
27 China CITIC Bank Corp Ltd China CITIC Bank
28 Oversea-Chinese Banking Corp Ltd Oversea-Chinese Banking Corporation
29 China Minsheng Banking Corp Ltd China Minsheng Bank
30 Ping An Bank Co Ltd Ping An Bank
31 United Overseas Bank Ltd United Overseas Bank
32 China Everbright Bank Co Ltd China Everbright Bank
33 Axis Bank Ltd Axis Bank
34 Bank Mandiri Persero Tbk PT Bank Mandiri
35 Malayan Banking Bhd Maybank
36 Public Bank Bhd Public Bank
37 Bank of Ningbo Co Ltd Bank of Ningbo
38 Shinhan Financial Group Co Ltd Shinhan Financial Group
39 Huaxia Bank Co Ltd Huaxia Bank
40 Siam Commercial Bank PCL Siam Commercial Bank
41 IndusInd Bank Ltd IndusInd Bank
42 KB Financial Group Inc KB Financial Group
43 Mega Financial Holding Co Ltd Mega Financial Holding
44 Sumitomo Mitsui Trust Holdings Sumitomo Mitsui Trust Holdings
45 Kasikornbank PCL Kasikornbank
46 BDO Unibank Inc BDO Unibank
47 CTBC Financial Holding Co Ltd CTBC Financial Holding
48 CIMB Group Holdings Bhd CIMB Group Holdings
49 Bangkok Bank PCL Bangkok Bank
50 Bank Negara Indonesia Persero Bank Negara Indonesia
APPENDIX D: LIST OF INSURANCE COMPANIES’ ABBREVIATIONS

Rank Insurance company Abbreviation


1 Ping An Insurance Group Co of China Ltd Ping An Insurance
2 AIA Group Ltd AIA Group
3 China Life Insurance Co Ltd China Life Insurance
4 People’s Insurance Co Group of China Ltd People’s Insurance Co Group of China
5 China Pacific Insurance Group China Pacific Insurance
6 Tokio Marine Holdings Inc Tokio Marine Holdings
7 New China Life Insurance Co Ltd New China Life Insurance
8 MS&AD Insurance Group Holdings MS&AD Holdings
9 Dai-ichi Life Holdings Inc Dai-ichi Life Holdings
10 Cathay Financial Holding Co Ltd Cathay Financial Holding
11 Sompo Holdings Inc Sompo Holdings
12 HDFC Life Insurance Company Ltd HDFC Life Insurance
13 Fubon Financial Holding Co Ltd Fubon Financial Holding
14 Insurance Australia Group Ltd Insurance Australia Group
15 Suncorp Group Ltd Suncorp
16 SBI Life Insurance Co Ltd SBI Life Insurance
17 QBE Insurance Group Ltd QBE Insurance
18 Sony Financial Holdings Inc Sony Financial Holdings
19 Samsung Fire & Marine Insurance Co Ltd Samsung Fire & Marine Insurance
20 China Taiping Insurance Holdings Co Ltd China Taiping Insurance
21 ICICI Prudential Life Insurance Co Ltd ICICI Prudential Life Insurance
22 Japan Post Insurance Co Ltd Japan Post Insurance
23 Great Eastern Holdings Ltd Great Eastern Holdings
24 ICICI Lombard General Insurance Co Ltd ICICI Lombard General Insurance
25 China Reinsurance Group Corp China Reinsurance
26 T&D Holdings Inc T&D Holdings
27 Medibank Pvt Ltd Medibank
28 General Insurance Corporation of India General Insurance Corporation of India
29 ZhongAn Online P&C Insurance Co Ltd ZhongAn Online P&C Insurance
30 DB Insurance Co Ltd DB Insurance
31 Challenger Ltd Challenger
32 New India Assurance Company Ltd New India Assurance
33 Bao Viet Holdings Bao Viet Holdings
34 Hyundai Marine & Fire Insurance Co Ltd Hyundai Marine & Fire Insurance
35 Orange Life Insurance Ltd Orange Life Insurance
36 Max Financial Services Ltd Max Financial Services
37 LPI Capital Bhd LPI Capital
38 Bangkok Life Assurance PCL Bangkok Life Assurance
39 Korean Reinsurance Co Korean Reinsurance
40 Mercuries Life Insurance Co Ltd Mercuries Life Insurance
41 Allianz Malaysia Bhd Allianz Malaysia
42 Dhipaya Insurance Public Company Limited Dhipaya Insurance
43 Central Reinsurance Co Ltd Central Reinsurance
44 United Overseas Insurance Ltd United Overseas Insurance
45 MNRB Holdings Bhd MNRB Holdings
46 TOWER Ltd Tower Insurance
47 Manulife Holdings Bhd Manulife Holdings
48 Singapore Reinsurance Corp Ltd Singapore Reinsurance
49 BIDV Insurance Corporation BIDV Insurance
50 Union Assurance PLC Union Assurance
ABOUT THE AUTHORS:

MAK YUEN TEEN

Professor Mak Yuen Teen is Associate Professor of Accounting at the NUS Business School, National University of Singapore and a former Vice Dean of the School, where he founded Singapore’s first corporate governance centre in 2003. He holds first class honours and master degrees in accounting and finance and a doctorate degree in accounting, and is a fellow of CPA Australia.

Professor Mak served on committees and councils that developed and revised the Code of Corporate Governance for listed companies in Singapore in 2001, 2005 and 2018. He is a member of the Corporate Governance Advisory Committee set up by the Monetary Authority of Singapore in 2019. He has developed several corporate governance rankings and served on various corporate governance awards committees.

Professor Mak is a regular commentator and speaker on governance issues and conducts professional development programmes for new and experienced directors, including those in financial institutions, and also for regulators and other professionals.

Professor Mak received the Corporate Governance Excellence Award from The Securities Investors Association (Singapore) in 2014, in recognition of his contributions to corporate governance in Singapore. In 2015, he received the Regional Recognition Award for Corporate Governance Contribution from the Minority Shareholders Watchdog Group of Malaysia and was recognised by the Singapore Institute of Directors as a CG Pioneer.

For more information about Professor Mak’s work, please visit his website at www.governanceforstakeholders.com.

RICHARD TAN

Professor Richard Tan is an Adjunct Associate Professor with the NUS Business School, National University of Singapore. He has about 40 years of governance, risk and control experience in both the financial services and non-financial services industries, and in risk consulting. He retired from KPMG as an Advisory Partner where he led in the provision of governance, internal audit, and enterprise risk management services. He has advised boards and senior management on corporate governance, risk and control assurance, and risk management matters. Richard has worked extensively across the Asia Pacific region and has a good knowledge of risks in these markets and in key industry sectors such as banking, real estate, REITS & business trusts, construction, consumer, charitable organisations/IPCs, and education.

Prior to KPMG, Richard worked in the banking industry where he held senior management positions either in internal audit or in technology and operational risk management. He is currently an independent director with several SGX-listed/foreign-listed entities in the capacity of either the Chairman or a member of their Audit and Risk Committee. In voluntary services, he serves on the board of several charities/IPCs and on the management committee of two schools.

Richard is a fellow member of the Institute of Singapore Chartered Accountants and a Certified Internal Auditor (CIA). He holds the Certification in Risk Management Assurance (CRMA) and the Certification in Control Self Assessment (CCSA) from The Institute of Internal Auditors Inc (USA), and a Master of Business Administration (MBA) degree from Henley Management College/University of Reading.
ENDNOTES
1 The complete lists of the 50 banks and 50 insurance companies are provided in Appendix A and B, with the abbreviations used in this report spelt out in Appendix C and D.
2 Financial Stability Board (FSB). (2019, November 22). 2019 list of globally systemically important banks (G-SIBs). Retrieved from: https://www.fsb.org/wp-content/uploads/P221119-1.pdf
3 Moorcraft, B. (2019, January 29). These are the top 25 largest insurance companies in the world. Retrieved from: https://www.insurancebusinessmag.com/asia/guides/these-are-the-top-25-largest-insurance-companies-in-the-world-123334.aspx
4 Institutional Shareholder Services (ISS). (n.d.). Taiwan Policy - Director Elections. Retrieved from: https://www.issgovernance.com/file/policy/tw-director-elections.pdf
5 China Securities Regulatory Commission (CSRC). (n.d.). Code of Corporate Governance for Listed Companies. Retrieved from: http://www.csrc.gov.cn/pub/csrc_en/laws/rfdm/DepartmentRules/201804/P020180427400732459560.pdf
6 Securities and Exchange Board of India. (2015, September 2). Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015. Retrieved from: https://ecgi.global/sites/default/files/codes/documents/securities_and_exchange_board_of_india.pdf
7 Insurance Regulatory and Development Authority of India. (2016, May 18). Guidelines for Corporate Governance for insurers in India. Retrieved from: https://ecgi.global/sites/default/files/codes/documents/CG%20guidelines_2016.pdf
8 Maley, K. (2019, April 28). ACSI calls for directors to face annual elections. Retrieved from: https://www.afr.com/companies/financial-services/acsi-calls-for-directors-to-face-annual-elections-20190428-p51hxc
9 CEO of Australia’s Westpac Bank resigns over money-laundering scandal. (2019, November 26). Retrieved from: https://www.marketwatch.com/story/ceo-of-australias-westpac-bank-resigns-over-money-laundering-scandal-2019-11-25
10 Organisation for Economic Co-operation and Development (OECD). (2009, June). Corporate Governance and Financial Crisis: Key Findings and Main Messages. Retrieved from: https://www.oecd.org/corporate/ca/corporategovernanceprinciples/43056196.pdf
11 Bank for International Settlements. (2015, July). Guidelines: Corporate governance principles for banks. Retrieved from: https://www.bis.org/bcbs/publ/d328.pdf
12 Ganu, S. (n.d.). When Shareholders Have A “Say On Pay”. Retrieved from: https://www.sid.org.sg/images/PDFS/Publications/BoardroomMatters/BM3/37.%20Boardroom%20Matters%20Vol%20III-When%20Shareholders%20Have%20a%20Say%20on%20Pay.pdf
13 Deloitte. (2018). Australian financial reporting guide. Retrieved from: https://www2.deloitte.com/content/dam/Deloitte/au/Documents/audit/deloitte-au-audit-australian-financial-reporting-guide-june-2018-220618.pdf
14 The Stock Exchange of Hong Kong Limited. (n.d.). Rules Governing the Listing of Securities on The Stock Exchange of Hong Kong Limited. Retrieved from: https://en-rules.hkex.com.hk/sites/default/files/net_file_store/new_rulebooks/c/o/consol_mb.pdf
15 Bachelder, J. & McCarter & English LLP. (2019, March 26). Longer-Term Restricted Share Plans in Executive Pay. Retrieved from: https://corpgov.law.harvard.edu/2019/03/26/longer-term-restricted-share-plans-in-executive-pay/
16 HDFC Bank Limited Annual Report 2018 - 2019. (2019, June 7). Retrieved from: https://www.hdfcbank.com/content/api/contentstream-id/723fb80a-2dde-42a3-9793-7ae1be57c87f/6a4197fb-80aa-4eb0-a3b7-d634e3ae313b
17 Annual Report 2018. Insurance Australia Group Limited. (2018, August 25). Retrieved from: https://www.iag.com.au/sites/default/files/Documents/Results%20%26%20reports/The-Numbers-2018-annual-report.pdf
18 National Australia Bank Annual Financial Report 2018. (2018, November 16). Retrieved from: https://www.nab.com.au/content/dam/nabrwd/documents/reports/corporate/2018-annual-financial-report.pdf
19 DBS Group Holdings Ltd Annual Report 2018. (2019, February 17). Retrieved from: https://www.dbs.com/annualreports/2018/downloads/dbs-annual-report-2018.pdf
20 Medibank Annual Report 2018. (2018, August 24). Retrieved from: https://www.medibank.com.au/content/dam/retail/about-assets/pdfs/investor-centre/annual-reports/Medibank_Annual_Report_2018.pdf
21 Financial Stability and Payment Systems Report 2018. (2018). Retrieved from: https://www.bnm.gov.my/files/publication/fsps/en/2018/fs2018_book.pdf
22 Singapore’s Financial Sector Wraps Up Two-day Exercise to Strengthen Business and Operational Resilience against Cyber Threats. (2019, November 22). Retrieved from: https://www.mas.gov.sg/news/media-releases/2019/two-day-exercise-to-strengthen-business-and-operational-resilience-against-cyber-threats
23 WISE2017: Whole Industry Simulation Exercise Evaluation Report. (2018, January). Retrieved from: https://nebula.wsimg.com/6dce1a06c1da8fc95e9ba25fc7121387?AccessKeyId=11D4A2D8D2558F561D83&disposition=0&alloworigin=1
24 Watson, M., Bellens, J., Bedford, D. & Schlich, B. (2018, June 15). Five challenges for banks as they evolve risk management. Retrieved from: https://www.ey.com/en_gl/banking-capital-markets/five-challenges-for-banks-as-they-evolve-risk-management
25 PwC. (2016). Customers in the spotlight: How FinTech is reshaping banking. Retrieved from: https://www.pwc.com/gx/en/financial-services/fintech/assets/fin-tech-banking-2016.pdf
26 Hermes. (2020, March 12). WHO declares Covid-19 outbreak a pandemic. Retrieved from: https://www.straitstimes.com/singapore/who-declares-covid-19-outbreak-a-pandemic
27 Deloitte. (2016). Taking the reins: Managing CRO transitions in the financial services industry. Retrieved from: https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-risk-cro-taking-the-reins.pdf
28 DBS Group Holdings. (2019). CRO Statement. Retrieved from: https://www.dbs.com/annualreports/2018/cro-statement.html
29 Boukens, R., Martin, C., Challoner, A. & Eekelen, J. v. (2014). Leveraging technology and data for cost effective risk management. Retrieved from EY: https://www.ey.com/Publication/vwLUAssets/EY-leveraging-technology-and-data-for-cost-effective-risk-management/$File/EY-Leveraging-technology-and-data-for-cost-effective-risk-management.pdf
30 Willis Towers Watson. (2019, July 24). 7 factors that could drive enterprise risk management in 2030. Retrieved from: https://www.willistowerswatson.com/en-US/Insights/2019/07/seven-factors-that-could-drive-enterprise-risk-management-in-2030
31 Institute of Chartered Accountants in England and Wales. (n.d.). Internal audit in the age of data analytics. Retrieved from: https://www.icaew.com/technical/audit-and-assurance/assurance/what-can-assurance-cover/internal-audit-resource-centre/internal-audit-in-the-age-of-data-analytics
32 DBS Group Holdings Ltd Annual Report 2018. (2019, February 17). Retrieved from: https://www.dbs.com/annualreports/2018/downloads/dbs-annual-report-2018.pdf
33 BlackRock. (2019). Larry Fink’s 2019 Letter to CEOs: Purpose & Profit. Retrieved from: https://www.blackrock.com/corporate/investor-relations/2019-larry-fink-ceo-letter
34 Insurtechs are technology-led companies that enter the insurance sector, taking advantage of new technologies to provide coverage to a more digitally savvy customer base (https://www.mckinsey.com/industries/financial-services/our-insights/insurtech-the-threat-that-inspires)
35 BCG. (n.d.). Customer-Centricity in Insurance. Retrieved from: https://www.bcg.com/industries/insurance/customer-centricity-in-insurance.aspx
36 Deloitte. (n.d.). What new trends will disrupt financial services? Retrieved from: https://www2.deloitte.com/us/en/pages/financial-services/articles/disruptive-forces-are-changing-the-financial-services-industry.html
37 Williams, A. (2020, January 11). Access to good data ‘key to winning digital bank licence’. Retrieved from: www.straitstimes.com/business/banking/access-to-good-data-key-to-winning-digital-bank-licence
38 Aw, C. W. (2019, December 31). Look Back 2019: Disruption ahead in financial sector as digital-only banks loom. Retrieved from: https://www.straitstimes.com/business/banking/disruption-ahead-in-financial-sector-as-digital-only-banks-loom
39 Dahl, J., Giudici, V., Sengupta, J., Kim, S. & Ng, E. (2019, July). Asia-Pacific Banking Review 2019 - Bracing for consolidation: The quest for scale. Retrieved from McKinsey & Company: https://www.mckinsey.com/~/media/mckinsey/industries/financial%20services/our%20insights/bracing%20for%20consolidation%20in%20asia%20pacific%20banking%20the%20quest%20for%20scale/asia-pacific-banking-review-2019-vf.ashx
40 McElhaney, D., Lodolo, M. & Varney, S. (2018, December). Claims in the digital age: How insurers can get started. Retrieved from McKinsey & Company: https://www.mckinsey.com/~/media/mckinsey/industries/financial%20services/our%20insights/digital%20insurance%20in%202018%20driving%20real%20impact%20with%20digital%20and%20analytics/digital-insurance-in-2018.ashx
41 PwC. (n.d.). Cybersecurity in financial services. Retrieved from: https://www.pwc.com/us/en/industries/financial-services/research-institute/top-issues/cybersecurity.html
42 Grasshoff, G., Bohmayr, W., Papritz, M., Leiendecker, J., Dombard, F. & Bizimis, I. (2018, August 1). Banking’s Cybersecurity Blind Spot - and How to Fix It. Retrieved from BCG: https://www.bcg.com/en-sea/publications/2018/banking-cybersecurity-blind-spot-how-to-fix-it.aspx
43 KPMG. (2017, July). Closing the Gap: Cyber security for the insurance sector. Retrieved from: https://assets.kpmg/content/dam/kpmg/uk/pdf/2017/08/cyber_security_and_insurance_sector.pdf
44 Asia Pacific Security Magazine. (2018, August 5). The growing importance of cybersecurity in the insurance sector. Retrieved from: https://www.asiapacificsecuritymagazine.com/the-growing-importance-of-cybersecurity-in-the-insurance-sector/
45 KPMG. (2017, July). Closing the Gap: Cyber security for the insurance sector. Retrieved from: https://assets.kpmg/content/dam/kpmg/uk/pdf/2017/08/cyber_security_and_insurance_sector.pdf
46 Gartner. (2017, October 12). Security Operations Centers and Their Role in Cybersecurity. Retrieved from: https://www.gartner.com/en/newsroom/press-releases/2017-10-12-security-operations-centers-and-their-role-in-cybersecurity
47 Grasshoff, G., Bohmayr, W., Papritz, M., Leiendecker, J., Dombard, F. & Bizimis, I. (2018, August 1). Banking’s Cybersecurity Blind Spot - and How to Fix It. Retrieved from BCG: https://www.bcg.com/en-sea/publications/2018/banking-cybersecurity-blind-spot-how-to-fix-it.aspx
48 Grasshoff, G., Bohmayr, W., Papritz, M., Leiendecker, J., Dombard, F. & Bizimis, I. (2018, August 1). Banking’s Cybersecurity Blind Spot - and How to Fix It. Retrieved from BCG: https://www.bcg.com/en-sea/publications/2018/banking-cybersecurity-blind-spot-how-to-fix-it.aspx
49 BlackRock. (2020). Larry Fink’s 2020 Letter to CEOs: A Fundamental Reshaping of Finance. Retrieved from: https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter
50 Global Reporting Initiative (GRI), UN Global Compact & WBCSD. (2015). SDG Compass. Retrieved from: https://sdgcompass.org/wp-content/uploads/2015/12/019104_SDG_Compass_Guide_2015.pdf
51 K.K. (2018, April 17). What is sustainable finance? Retrieved from The Economist: https://www.economist.com/the-economist-explains/2018/04/17/what-is-sustainable-finance
52 The Equator Principles Association 2019 (n.d.). Retrieved from: https://equator-principles.com/
53 Kim, B. (2020, January 5). Financial firms incorporate ESG into business strategies. Retrieved from: https://www.koreatimes.co.kr/www/biz/2020/01/126_281427.html
54 United Nations Environment Programme Finance Initiative (UNEP FI). (n.d.). The UNEP FI Principles for Sustainable Insurance. Retrieved from: https://www.unepfi.org/psi/the-principles/
55 Principles for Responsible Investment (PRI) Association (n.d.). What are the Principles for Responsible Investment? Retrieved from: https://www.unpri.org/pri/an-introduction-to-responsible-invesment/what-are-the-principles-for-responsible-investment
56 QBE Insurance Group Limited (2018). QBE Insurance Group Principles for Sustainable Insurance 2018. Retrieved from: https://www.unepfi.org/psi/wp-content/uploads/2019/06/QBE-Insurance-Group-Limited_PSI-Report-June-2019.pdf
57 International Integrated Reporting Council (IIRC). (n.d.). Retrieved from: https://integratedreporting.org/what-the-tool-for-better-reporting/
58 Mak, Y. T., & Bennett, C. (2013, July). Corporate Governance of 50 Top Asian Banks. Retrieved from: https://governanceforstakeholders.com/wp-content/uploads/2013/03/Executive-Summary-CG-of-50-Top-Asian-Banks.pdf
59 Mak, Y. T., & Bennett, C. (2014, November). Insuring the Future: Improving the Corporate Governance of Major Asia-Pacific Insurance Companies. Retrieved from: https://governanceforstakeholders.com/wp-content/uploads/2013/07/insuringthefuture-.pdf
SINGAPORE
1 Raffles Place
#31-01 One Raffles Place
Singapore 048616

P: +65 6671 6500


E: sg@cpaaustralia.com.au

ISBN: 978-981-14-6592-5

cpaaustralia.com.au
CORPORATE GOVERNANCE CASE STUDIES
Financial Services Edition

Mak Yuen Teen and Richard Tan
Editors
First published July 2020

Copyright ©2020 Mak Yuen Teen and CPA Australia

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher,
except for inclusion of brief quotations in a review.

The views expressed in this publication are those of the authors and do not necessarily represent the views of, and should not
be attributed to, CPA Australia Ltd.

CORPORATE GOVERNANCE CASE STUDIES: FINANCIAL SERVICES EDITION

Authors : Mak Yuen Teen, PhD, FCPA (Aust.) Email: bizmakyt@nus.edu.sg

Richard Tan MBA, FCA (S’pore) Email: biztclr@nus.edu.sg

Published by : CPA Australia Ltd


1 Raffles Place
#31-01 One Raffles Place
Singapore 048616

Website : cpaaustralia.com.au

Email : sg@cpaaustralia.com.au

ISBN : 978-981-14-6595-6
CONTENTS

PREFACE

ABOUT THE EDITORS

BOARD RESPONSIBILITIES AND PRACTICES
GOLDMAN SACHS: HELLO LLOYD, MEET BLANKFEIN
HSBC: WHO’S THE BOSS?
THE CO-OPERATIVE BANK: THE WITHERING FLOWERS
FINDING THE WHISTLE AT BARCLAYS

MISCONDUCT
COMMONWEALTH BANK OF AUSTRALIA: ROGUE ONE
WELLS FARGO: FORGONE REPUTATION?
COMMINSURE: NO ONE’S COVERED

UNAUTHORISED TRADING
ANOTHER DAY, ANOTHER TRADING SCANDAL: THE CASE OF NATIONAL AUSTRALIA BANK
JP MORGAN AND THE LONDON WHALE
UBS: ALL BETS ARE ON

TAX EVASION AND KYC
MIZUHO FINANCIAL GROUP: DOING BUSINESS WITH THE YAKUZA
THE TAX-FILES: HSBC GROUP

MONEY LAUNDERING
HSBC: THE WORLD’S LOCAL (LAUNDRY) BANK
MEGA BANK, MEGA FAILURE?
DEUTSCHE BANK: A RUSSIAN AFFAIR
COMMONWEALTH BANK OF AUSTRALIA: THE UNWITTING MULE
DANSKE BANK: HUNG OUT TO DRY
A SWEDBANK AFFAIR

BRIBERY
JP MORGAN: PRINCE UN-CHARMING
GOLDMAN SACHS: HUNGRY LIKE A WOLF

CYBERSECURITY BREACH
CENTRAL BANK OF BANGLADESH: THE BIGGEST CYBER HEIST IN ASIA
CAPITAL ONE: A BREACH IN THE CLOUD
PREFACE

Over the past eight years, CPA Australia has published eight volumes of corporate governance case studies edited by
Associate Professor Mak Yuen Teen. A number of these cases involve financial institutions.

In conjunction with the launch of our report “Banking on Governance, Insuring Sustainability” covering how the largest
banks and insurance companies in Asia-Pacific are addressing corporate governance, remuneration, risk management
and emerging issues, we decided to release this special collection of case studies relating to companies in the financial
services industry. These case studies show what can go wrong when financial institutions fail to pay sufficient attention to
good practices in board governance, remuneration policies and risk management practices.

This special collection is co-edited by Adjunct Associate Professor Richard Tan, who, like Prof Mak, is from the NUS
Business School. Prof Tan has extensive working experience in financial institutions and as a partner in one of the Big 4
accounting firms, where he specialised in risk consulting.

This special edition includes 22 cases from Asia-Pacific, Europe and the United States. Eighteen of these cases have been
published earlier, with some updated for recent developments. There are four new cases on Capital One, CommInsure
(the only case involving an insurance company), Goldman Sachs and Swedbank.

We have organised the cases into those dealing with Board Responsibilities and Practices; Misconduct; Unauthorised
Trading; Tax Evasion/KYC; Money Laundering; Bribery; and Cybersecurity Breaches. Clearly, some cases span across a
number of issues.

Based on these cases and those relating to other organisations, we can observe ethical failures, failures in board
governance, and failures in the three lines of defence as common themes. Undoubtedly, poor corporate culture is often
the overriding reason for these failures. Complexity in organisations, cross-border challenges, and compensation are
also important contributors.

We trust you will find this special collection interesting and useful.

Associate Professor Mak Yuen Teen and Adjunct Associate Professor Richard Tan
NUS Business School
July 2020

ABOUT THE EDITORS

MAK YUEN TEEN

Professor Mak Yuen Teen is Associate Professor of Accounting at the NUS Business School, National University of Singapore and a former Vice Dean of the School, where he founded Singapore’s first corporate governance centre in 2003. He holds first class honours and master degrees in accounting and finance and a doctorate degree in accounting, and is a fellow of CPA Australia.

Professor Mak served on committees and councils that developed and revised the Code of Corporate Governance for listed companies in Singapore in 2001, 2005 and 2018. He is a member of the Corporate Governance Advisory Committee set up by the Monetary Authority of Singapore in 2019. He has developed several corporate governance rankings and served on various corporate governance awards committees.

Professor Mak is a regular commentator and speaker on governance issues and conducts professional development programmes for new and experienced directors, including those in financial institutions, and also for regulators and other professionals.

Professor Mak received the Corporate Governance Excellence Award from The Securities Investors Association (Singapore) in 2014, in recognition of his contributions to corporate governance in Singapore. In 2015, he received the Regional Recognition Award for Corporate Governance Contribution from the Minority Shareholders Watchdog Group of Malaysia and was recognised by the Singapore Institute of Directors as a CG Pioneer.

For more information about Professor Mak’s work, please visit his website at www.governanceforstakeholders.com.

RICHARD TAN

Professor Richard Tan is an Adjunct Associate Professor with the NUS Business School, National University of Singapore. He has about 40 years of governance, risk and control experience in both the financial services and non-financial services industries, and in risk consulting. He retired from KPMG as a Risk Consulting Partner where he led in the provision of governance, internal audit, and enterprise risk management services. He has advised boards and senior management on corporate governance, risk and control assurance, and enterprise risk management matters. Richard has worked extensively across the Asia Pacific region and has a good knowledge of risks in these markets and in key industry sectors such as banking, real estate, REITS & business trusts, construction, consumer, charitable organisations/IPCs, and education.

Prior to KPMG, Richard worked in the banking industry for 20 years where he held senior management positions either in internal audit or in technology and operational risk management, and was a member of several group-wide operational risk and new products review committees. His latter role also included managing the group-wide business continuity management, and the group-wide technology and operational risk control self assessment.

Richard currently sits on the board of several SGX-listed and foreign-listed entities as an independent director in the capacity of either the chairman or a member of their Audit and Risk Committee. In voluntary services, he serves on the board of several charities/IPCs and on the management committee of two government-aided schools.

Richard is a fellow member of the Institute of Singapore Chartered Accountants, and a Certified Internal Auditor (CIA). He holds the Certification in Risk Management Assurance (CRMA) and the Certification in Control Self Assessment (CCSA) from The Institute of Internal Auditors Inc (USA), and a Master of Business Administration (MBA) degree from Henley Management College/University of Reading.

BOARD RESPONSIBILITIES AND PRACTICES

GOLDMAN SACHS: HELLO LLOYD, MEET BLANKFEIN

CASE OVERVIEW1

The duality of the Chairman and CEO roles is a longstanding controversy in corporate governance. Having been at the helm as Goldman Sachs’ Chairman and CEO since 2006, Lloyd Blankfein has drawn much flak from shareholders concerned with the independence of the board. The rise of shareholder activism in recent years has put pressure on Goldman Sachs to review its leadership structure and generous executive compensation. The objective of this case is to enable a discussion of issues such as Chairman-CEO duality; shareholder activism as a corporate governance mechanism; executive remuneration; and the possible measures that can be taken to ensure good corporate governance.

THE GOLDMAN WAY

Founded in 1869 by Marcus Goldman, the bank was named Goldman Sachs & Co. after his son-in-law Samuel Sachs became part of the firm in 1882 and Goldman’s son, Henry and another son-in-law Ludwig Dreyfuss, joined in 1885. The firm carved a name for itself as originators of commercial paper within the money markets. Through the years, Goldman Sachs grew from being the firm that completed one of the biggest IPOs (of Sears, Roebuck and Company) in 1906 to becoming a company listed on the New York Stock Exchange in 1999, renaming itself Goldman Sachs Group Inc. That same year, Henry Paulson assumed the role of Chairman and CEO. In 2006, Lloyd Blankfein took over the reins as Chairman and CEO after Paulson left the post to become the U.S. Treasury Secretary.

It was one of the World’s Most Admired Companies, ranked 39th by Fortune,1 and 2nd amongst the megabanks in 2012. The firm has, through its 144-year history,2 portrayed itself as being superior to its competitors. It paints an image as being more intelligent, more internally symbiotic, and as one of the best at money-making. It has traditionally prided itself on its business model known as “The Goldman Way”, which rests fundamentally on hiring the “most talented” and then engaging these talents in Goldman’s tough corporate environment where these hires learn to embrace the firm’s “14 Principles” - for instance, that “our clients’ interests always come first”.

A series of changes in leadership, mergers and acquisitions, and changes in the financial environment have shaped its structure, with its main divisions of investment banking, securities, investing and lending and investment management, and offices in more than 40 locations across the globe. In 2012, Goldman ranked 80th on Forbes Fortune 100 list, with revenue of US$36.79 billion and profits of US$4.44 billion.3

2013: WITHDRAWAL OF SHAREHOLDER PROPOSAL TO SEPARATE THE CHAIRMAN AND CEO ROLES

It was 11 April 2013. CtW Investment Group had just confirmed the withdrawal of its shareholder proposal after Goldman had agreed to widen the authority and responsibilities of James Schiro, its board’s lead independent director. Schiro will determine the board’s agenda at future meetings and pen his own statements to shareholders within the annual proxy statement to be issued.

Four months earlier, CtW Investment Group had sent a letter to Goldman Sachs asking for the company to separate the roles of Chairman and CEO by appointing an independent Chairman – one who has been neither an executive officer nor has had other relations with the investment bank.4

Lloyd Blankfein won the battle to retain both the Chairman and CEO roles - for the third time in a row since he was appointed to both positions in June 2006.5 The year before, the American Federation of State, County and Municipal Employees (AFSCME), a labor union pension fund, had put up a similar proposal to separate the roles, only to drop its proposal after Goldman compromised, agreeing to reorganise its board structure by introducing a lead director.6 This year marked yet another victory for Blankfein, but with the rise of shareholder activism over the years, an uphill battle lay ahead.

BOARD OF DIRECTORS

At the end of 2012, Goldman Sachs had 13 directors, of whom 10 were independent.7 While the average tenure of each director was approximately five years, three had

This is the abridged version of a case prepared by Chan Rui Qi, Baldwin Choy Ching Fai, Nicole Lim Sing Rong, Zhao Pengcheng under the supervision of Professor Mak Yuen Teen and
Dr Vincent Chen Yu-Shen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or
governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version
was edited by Ng Jun Yan under the supervision of Professor Mak Yuen Teen.

Copyright © 2014 Mak Yuen Teen and CPA Australia.


held their directorships for more than 10 years. Two of the directors at that time, David Viniar and Stephen Friedman, were also previous employees of Goldman Sachs.

REMUNERATION

The issue of remuneration has undoubtedly been one of the most hotly debated corporate governance issues in financial institutions.8 Blankfein was compensated with US$13.3 million in restricted shares in 2012, alongside a US$5.7 million cash bonus and a US$2 million salary. This was US$9 million more than the previous year. At its peak in 2007, his total compensation was US$68 million. Blankfein was on a long-term incentive plan, which would pay him shares depending on his performance. The shares were worth approximately US$5 million as of January 2013. Blankfein was known to be the best-paid banker across the globe. His lavish paycheck had earned him the title of “Most Outrageous CEO” in a 2009 Forbes ranking.9

RISE OF SHAREHOLDER ACTIVISM

Shareholder activism has been apparent in many U.S. companies in recent years. A point of contention between shareholders and financial institutions is the lack of separation between the Chairman and CEO roles. As at November 2012, only 43% of firms listed on the Standard & Poor’s 500 index had split Chairman-CEO roles, and only 18 firms had policies in place necessitating such a split.10

Goldman Sachs was a prominent example of companies that had not separated those roles. Shareholders have been proposing to split the Chairman and CEO roles of Lloyd Blankfein since 2010, citing the potential conflict of interests.

2010: BEGINNING OF THE CALL FOR SEPARATION OF THE CHAIRMAN AND CEO ROLES

In 2010, Goldman Sachs was faced with two proposals from shareholders, Christian Brothers Investment Inc. and Needmor Fund, calling on the firm to split the roles of Chairman and CEO.11,12 This came at a time when the Securities and Exchange Commission (SEC) had filed a civil fraud suit against the firm for bilking investors in the mortgage deal, Abacus 2007-AC1, merely weeks before the shareholder meeting.13 The deal was one of 25 mortgage-backed securities in Goldman’s “Abacus” program. Goldman had structured and marketed synthetic collateralised debt obligations (CDOs) that relied on the performance of subprime mortgage-backed securities. It had allegedly defrauded investors by not disclosing how the bank had worked with Paulson & Co., a hedge fund, in selecting the portfolio and that the same fund had intended to short the CDO. Goldman received fees of US$15 million from Paulson & Co. for its work.14

The proposals were based on the view that it was the duty of the board of directors to act independently when overseeing management, and a conflict of interest existed since Blankfein was essentially chaperoning his own duties as CEO in his capacity as Chairman. It was also argued that separating the two roles would improve Goldman’s image following the subprime mortgage crisis.15

At the shareholders meeting, few shareholders queried the Goldman board over the SEC suit, and the Board recommended voting against the separation of the roles. Eventually, one of the proposals was removed from the proxy for being a duplication and the other was voted down. Blankfein retained both his roles.

2011: THE SECOND CALL FOR SEPARATION OF ROLES

On 14 September 2011, AFSCME,16 a labor union with assets of more than US$850 million, which held 7,101 Goldman shares at that time,17 launched a proxy proposal for Goldman to split the Chairman and CEO roles through the appointment of an independent Chairman.

To back its proposal, the union cited the 2010 SEC suit over the “Abacus deal” which eventually cost Goldman US$550 million in penalties; contingent liabilities of up to US$3.4 billion in law suits according to a March 2011 10-K filing; and the 2011 Levin-Coburn Report on the Subprime Mortgage Crisis, which pointed out that conflicts of interest were the driving force behind Goldman putting its own monetary interests in front of its customers’. The 2011 Levin-Coburn Report noted how during the tenure of Paulson and Blankfein, Goldman’s business focus had turned to that of a trading house from its fundamental investment banking role. Under Paulson’s tenure, Goldman had canvassed regulators to exempt investment houses from having to keep reserve funds, which would have played the role of limiting the firm’s leverage and risks undertaken. AFSCME thought the exposure to risks was potentially detrimental to the bank’s stock price, and that the adoption of its proposal could mitigate such risky behavior, serving the long-term interest of investors.18

On 28 March 2012, the AFSCME announced that it had withdrawn its proposal the month before, after talks with Goldman’s Board Secretary, John Rogers. It was agreed that Goldman would put in place a lead director, allaying concerns over the dual role of Blankfein.19

On 3 April 2012, James Schiro was appointed lead director of the Goldman board. Schiro had been on the board since 2009. A Goldman spokesperson told The Huffington Post that the independent directors decided to elect Schiro, that there was no involvement on the part of management, and that Goldman was confident Schiro would “serve shareholders well”.20

AFSCME was not satisfied with Goldman’s decision to appoint Schiro, and claimed Goldman went against its recommendations regarding the candidates that would be “less desirable” on its board. Schiro was the former CEO of Goldman’s auditor, PricewaterhouseCoopers. He also sat on the board of PepsiCo Inc., a firm that has received much flak over the years for its CEO compensation practices. A lead independent director was undoubtedly not as compelling as having an independent chairman. “This is a step in the right direction. But it remains to be seen if it is enough,” commented Lisa Lindsley, AFSCME’s director of capital strategies, on Goldman’s appointment of a lead independent director.21

2012: THE THIRD CALL FOR SEPARATION OF ROLES

On 13 December 2012, CtW Investment Group sent a letter to Goldman Sachs with regard to its proposal to separate the roles for inclusion in the year’s proxy statement. It recommended putting in place an independent chairman, one with no current or prior executive role or having any other affiliation with Goldman. CtW, an investment firm that advises union pension funds, had US$200 billion in assets and 5.5 million members,22 and owned 25 Goldman shares.23 According to CtW:24

“The chairman should be an independent director to promote the robust oversight and accountability of management, and to provide effective deliberation of corporate strategy, something we believe is difficult to accomplish when the most senior executive also serves as the board’s leader. Even with robust responsibilities, we believe the position of a lead independent director is inadequate to this task because competing or conflicting responsibilities for board leadership remain with the chairman/CEO”25.

CtW went a step further, defining “independence” as follows:

“A chairman cannot have had a financial relationship with Goldman Sachs valued at more than US$100,000 annually in the last three years, been employed by a public company at which a Goldman Sachs executive serves as a director, or be a direct relative of a Goldman Sachs director”.26

Following CtW’s proposal, Goldman Sachs’ Associate General Counsel, Beverly O’Toole, sent a letter to the SEC on 16 January 2013 seeking approval for the proposal to be excluded from its proxy statement because the bank thought it was “inherently vague and indefinite” on six counts, including how the term “affiliate” was not clearly defined and could take on more than a single meaning.27 The firm also questioned the clarity of the fourth independence criterion proposed by CtW, that is, whether a director had a “business relationship with Goldman Sachs worth at least US$100,000 annually”. Goldman Sachs rebutted that it was overarching, blanketing all business relationships worth a minimum of US$100,000, and that the type of business relationship and the measurement of the US$100,000 were not defined.

On 12 March 2013, the SEC replied, refusing Goldman’s request on grounds that it did not concur with Goldman’s view that CtW’s proposal was “inherently vague or indefinite”.28

“We are unable to conclude that the proposal is so inherently vague or indefinite that neither the shareholders voting on the proposal, nor the company in implementing the proposal, would be able to determine with any reasonable certainty exactly what actions or measures the proposal requires. Accordingly, we do not believe Goldman Sachs may omit the proposal from its proxy materials.”

On 11 April 2013, Goldman Sachs reached an agreement with CtW. The company would widen the authority and responsibilities of James Schiro, its board’s lead independent director. Schiro will determine the board’s agenda at future meetings and pen his own statements to shareholders within the next issue of the annual proxy statement.29 The board would also increase the frequency of its independent director annual meetings, from 2 to 4. In return, CtW withdrew its proposal. Blankfein kept his dual roles once again.

Governance experts like independent governance analyst Paul Hodgson and Amy Borrus, deputy director at the Council of Institutional Investors in Washington, believed that the shareholders had achieved significant progress considering the high percentage of Goldman shares owned by its employees.30 As of 1 February 2013, partners of Goldman Sachs, who were its most senior staff, owned approximately 11.6% of the company’s shares.

EPILOGUE

After the SEC had turned down Goldman’s request to keep CtW’s proposal off as an item to be voted upon, Goldman’s lead independent director met with CtW. There, CtW executive director Dieter Waizenegger laid out concerns as to whether Schiro would act as an effective balance of power to Blankfein. The latter appeared attentive toward shareholder interests. German-born Waizenegger shared common ground with Schiro who served as the CEO of Zurich Financial Services from 2002 to 2009. Waizenegger told Reuters that CtW has a commitment to continue the dialogue and engage with Goldman in the future, including discourse over other environmental and social issues.31

With regards to CEO compensation issues, Blankfein’s 2013 remuneration saw an overall 11% increase from 2012. The restricted shares held by Blankfein were worth US$14.7 million as of January 2014, and his cash bonus was US$6.3 million.32 His raise came in a year when many at Goldman Sachs took a pay cut, with an estimated four percent drop in the average worker’s salary.33 In view of the flak Blankfein has received over his pay, this latest increment is set to rile critics and attract objections from corporate governance pundits.

Fast forward to July 2018, the company announced Blankfein’s retirement as Chairman and CEO by September that year. Goldman’s president and co-chief operating officer, David Solomon, took over from Blankfein. Like Blankfein, he will also hold both Chairman and CEO roles.34

In the meantime, Goldman has been caught right in the middle of the 1MDB scandal. Critics may wonder – did the fact that it did not separate those roles contribute to this latest and its biggest scandal yet?

DISCUSSION QUESTIONS

1. Shareholder activism has often been argued to be an important corporate governance mechanism. Do you agree?
2. Do you think CEO duality is necessarily bad corporate governance? What are its pros and cons, if any? How different are codes or regulations over the Chairman-CEO role for U.S., UK and Singapore firms?
3. What is your view about CEO duality in the case of Goldman Sachs? What has its impact been for Goldman shareholders? Can CEO duality be justified with Goldman’s good financial standing?
4. Amy Borrus, deputy director at the Council of Institutional Investors in Washington had said “It’s a significant improvement…Persuading a board to take away the chairmanship from a CEO-Chair is one of the hardest ‘asks’ in corporate governance”. Should AFSCME and CtW have withdrawn their proposals after a compromise with Goldman Sachs rather than allow shareholders to vote on them?
5. What do you think are possible measures that can be taken by stakeholders (e.g., regulators, board of directors and shareholders) or management in curbing the perceived problems of CEO duality, if any?

ENDNOTES

1 CNN. (2012, March 19). World’s Most Admired Companies 2012. Retrieved from http://money.cnn.com/magazines/fortune/most-admired/2012/snapshots/10777.html.
2 Cohan, William D. (2011). Money and Power: How Goldman Sachs Came to Rule the World. Retrieved from http://getebook.org/?p=159339.
3 Fortune 500. (2012). Goldman Sachs. Retrieved from http://money.cnn.com/magazines/fortune/fortune500/2012/snapshots/10777.html.
4 Moyer, L. (2013, January 23). Goldman Fights Independent Chairman. The Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424127887324539304578259672462866776.html.
5 Goldman Sachs. (2014). Lloyd C. Blankfein. Retrieved from http://www.goldmansachs.com/who-we-are/leadership/executive-officers/lloyd-c-blankfein.html.
6 The Indian Express. (2012). Goldman Sachs rejig may split CEO, chairman roles. Retrieved from http://www.indianexpress.com/news/goldman-sachs-rejig-may-split-ceo-chairman-roles/929801/1.
7 Goldman Sachs Corporate Governance. (2014). Board of Directors. Retrieved from http://www.goldmansachs.com/who-we-are/leadership/board-of-directors/index.html.
8 Neate, R. (2013, April 12). Lloyd Blankfein’s $21m haul makes him the world’s best paid banker. The Guardian. Retrieved from http://www.guardian.co.uk/business/2013/apr/12/goldman-sachs-lloyd-blankfein-pay.
9 Forbes (2009, November 25). The Biggest CEO Outrages Of 2009. Retrieved from http://www.forbes.com/2009/11/25/ceo-outrages-shame-leadership-ceonetwork-governance.html.
10 Spencer Stuart (2012). Spencer Stuart Board Index. Retrieved from http://content.spencerstuart.com/sswebsite/pdf/lib/Spencer-Stuart-US-Board-Index-2012_06Nov2012.pdf.
11 Dealbook (2010, May 7). Blankfein, in Victory, Remains Goldman’s Chairman. The New York Times. Retrieved from http://dealbook.nytimes.com/2010/05/07/blankfein-remains-goldmans-chairman/.
12 U.S. Securities and Exchange Commission (2010). Retrieved from http://www.sec.gov/divisions/corpfin/cf-noaction/14a-8/2010/unitedassociation030910-14a8.pdf.
13 Story, L. & J. de la Mercred, M. (2010, April 9). U.S. Said to Open Criminal Inquiry Into Goldman. The New York Times. Retrieved from http://www.nytimes.com/2010/04/30/business/30case.html?dbk&_r=1&.
14 U.S. Securities and Exchange Commission (2010). SEC Charges Goldman Sachs With Fraud in Structuring and Marketing of CDO Tied to Subprime Mortgages. Retrieved from http://www.sec.gov/news/press/2010/2010-59.htm.
15 Villegas, C. (2010, May 18). Goldman Sachs Shareholders Flex Their Muscle. Eyes on Wall Street. Retrieved from http://www.eyesonwallstreet.com/Goldman-Sachs-Shareholders-Flex.cfm.
16 Fleming, C. (2011, September 14). AFSCME Plan to Goldman Sachs: Adopt Independent Board Chair. AFSCME. Retrieved from http://www.afscme.org/news/press-room/press-releases/2011/afscme-plan-to-goldman-sachs-adopt-independent-board-chair.
17 Harper, C. (2012, March 29). Goldman Sachs Preserves Blankfein’s Dual Role. Bloomberg. Retrieved from http://www.bloomberg.com/news/2012-03-27/goldman-sachs-preserves-blankfein-s-dual-role-with-lead-director.html.
18 Fleming, C. (2011, September 14). AFSCME Plan to Goldman Sachs: Adopt Independent Board Chair. AFSCME. Retrieved from http://www.afscme.org/news/press-room/press-releases/2011/afscme-plan-to-goldman-sachs-adopt-independent-board-chair.
19 The Wall Street Journal (2012, March 28). Union backs off call to split chairman and CEO role at Goldman. Retrieved from http://www.efinancialnews.com/story/2012-03-28/afscme-backs-off-goldman.
20 Rexrode, C. & Skidmore S. (2012). AFSCME To Goldman Sachs: Appointing Shareholder Advocate Not Enough To Curb CEO Pay. Huffington Post. Retrieved from http://www.huffingtonpost.com/2012/04/04/afscme-goldman-sachs-shareholder-advocate_n_1402361.html.
21 Rappaport, L. (2012). Goldman Bows to Pressure on Board. The Wall Street Journal. Retrieved from http://online.wsj.com/news/articles/SB10001424052702303816504577307871991956472.
22 U.S. Securities and Exchange Commission (2013). Retrieved from http://www.sec.gov/comments/s7-07-13/s70713-385.pdf.
23 Lacapra, L. T. (2013, March 9). SEC Says Goldman Cannot Ignore Shareholder Proposal That Lloyd Blankfein Not Be All Things To The Bank. Business Insider. Retrieved from http://www.businessinsider.com/goldman-cant-ignore-ctw-on-blankfein-2013-3?IR=T&.
24 U.S. Securities and Exchange Commission (2013). Retrieved from http://www.sec.gov/divisions/corpfin/cf-noaction/14a-8/2013/ctwinvestment030513-14a8.pdf.
25 Ibid.
26 Ibid.
27 Reuters (2013, March 8). SEC: Goldman cannot ignore proposal to split chairman, CEO roles. Retrieved from http://www.reuters.com/article/2013/03/08/goldman-proxy-idUSL1N0C0II920130308.
28 Brown, A. (2013, March 12). SEC rejects Goldman Sachs’ attempt to head off proxy vote. IR Magazine. Retrieved from http://www.irmagazine.com/articles/proxy-voting-annual-meetings/19370/sec-rejects-goldman-sachs-attempt-head-proxy-vote/.
29 Alden, W. (2013). Goldman Reaches Deal to Let C.E.O. Be Chairman. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/04/10/goldman-reaches-deal-to-let-c-e-o-be-chairman/?_php=true&_type=blogs&_r=0.
30 Buhaya, N. & Harper, C. (2013, March 27). Berkshire to Pay Nothing to Be Among Top Goldman Sachs Holders. Bloomberg. Retrieved from http://www.bloomberg.com/news/2013-03-26/berkshire-to-get-goldman-stock-tied-to-warrants-from-2008-deal.html.
31 Kerber, R. (2013, April 10). Exclusive: Goldman deal with union group lets Blankfein keep dual roles. Reuters. Retrieved from http://www.reuters.com/article/2013/04/10/us-bank-goldmansachs-board-idUSBRE9390U920130410.
32 Moore, M. J. (2014, January 31). Goldman Said to Boost CEO’s Bonus 11% to $21 Million. Bloomberg. Retrieved from http://www.bloomberg.com/news/2014-01-30/goldman-increases-blankfein-s-stock-bonus-11-to-14-7-million.html.
33 Jerreat, J. (2014, April 4). Wall Street’s highest paid CEO is Lloyd Blankfein who was paid $23 million by Goldman Sachs last year … but pay is only half what he earned just seven years ago. Daily Mail. Retrieved from http://www.dailymail.co.uk/news/article-2597361/Wall-Streets-highest-paid-CEO-Lloyd-Blankfein-paid-23-million-Goldman-Sachs-year-pay-half-earned-just-seven-years-ago.html#ixzz36K2BU74R.
34 McElhaney, A. (2018, July 17). Lloyd Blankfein Steps Down as Goldman Sachs CEO. Institutional Investor. Retrieved from https://www.institutionalinvestor.com/article/b193jlhny0g68c/Lloyd-Blankfein-Steps-Down-as-Goldman-Sachs-CEO.

HSBC: WHO’S THE BOSS?

CASE OVERVIEW1

In September 2010, the business world was shocked by a public boardroom debacle at HSBC. Incumbent Chairman, Stephen Green, had announced his premature departure from HSBC ahead of schedule, putting HSBC’s succession plan into the spotlight. An unforeseen and public power struggle ensued, with speculation as to whether incumbent CEO Michael Geoghegan or one of several other possible candidates would get the top job. The chaotic succession process undermined HSBC’s stellar reputation for smooth management succession, and damaged the credibility of the board. The objective of this case is to allow a discussion of issues such as the importance of board and senior management succession planning and what it entails; the difference between a Chairman’s and CEO’s roles; attributes of a good Chairman; and whether former senior executives should become board chairmen.

A MODEL OF SMOOTH SUCCESSION

HSBC has a long history of smooth board and senior management succession underpinned by clear succession plans. Regular review of these plans by independent non-executive directors also serves to strengthen its robustness.

The succession process for the Board Chairman position involves extensive benchmarking against external candidates to ensure its internal candidates are up to standard and not simply chosen by virtue of their insider status. This seeks to ensure that the best candidate is chosen - one who has the capacity for strategic thinking, authority to run the board, and personal standing to represent HSBC externally. Institutional shareholders are consulted with respect to the succession plan, in addition to an independent search process for potential candidates.

HSBC’s past successions for the Board Chairman position have been low key, without major disruptions to the business or public outcry. Successions have also been traditionally consensus-driven, with the succession receiving unanimous support from the board of directors.

OVERHAULING HSBC’S MODEL OF SUCCESSION

In May 2006, Michael Geoghegan replaced Stephen Green as CEO of HSBC, while Green was promoted to Chairman. Despite executing another smooth CEO-to-Chairman hand-over,1 HSBC was criticised for its tradition of promoting its CEO to Chairman, as this was perceived to impair the Chairman from independently and objectively monitoring the company. The handover was thrown into focus in part due to a growing focus on corporate governance.

The roles at HSBC had traditionally been such that the Chairman functioned more as a CEO, while the CEO served as the deputy. Following the handover, Green concurred with governance critics that the operational management and oversight roles should be separate and distinct. He spent the next few years of his term as Chairman taking significant steps to re-define these two roles,2 transferring the responsibility for strategy development from Chairman to CEO in 2009 and taking on more of a monitoring and ambassadorial role as Chairman. Besides paving the way to a more palatable corporate structure within the bank, these actions emphasised HSBC’s renewed commitment to corporate governance.

END OF AN ERA OF SMOOTH SUCCESSION

In late May 2010, news that Green was to step down as Chairman of HSBC within a year leaked out in various media reports. According to these reports, HSBC’s board was prepared for the transition and had spent the past three years putting together a succession plan.3 This involved ceasing the tradition of promoting the CEO to Chairman and naming possibly the bank’s first non-executive Chairman successor – John Thornton – a HSBC non-executive director who was also a former Goldman Sachs partner. However, these rumours were refuted by HSBC.

Four months later, on 7 September 2010, an official HSBC announcement confirmed that Green had agreed to become the U.K. Minister of State for Trade and Investment.4 Following the announcement, the bank revealed that it had always intended “to approve a successor to Mr. Green before the end of the year, and

This is the abridged version of a case prepared by Apple Goh, Chidambara Thanu, Mabel Koh, Lew Karxieu, Oh Kai Li and Song Huizhen under the supervision of Professor Mak Yuen Teen
and Dr Vincent Chen Yu-Shen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management
or management. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged
version was edited by Rachel Goh Yi Ling under the supervision of Professor Mak Yuen Teen.

Copyright © 2013 Mak Yuen Teen and CPA Australia.


HSBC: WHO’S THE BOSS? 7

that timetable remains on schedule”.5 However, Green and management, although he had perceivably less
had initially announced in May that he would stay on showmanship and experience at HSBC than Green
as Chairman until at least the spring of 20116 but he and Geoghegan13 and faced the same question on
had suddenly decided to leave before the year-end,7 independence. Media reports also mooted the idea of
leaving the bank with just three months to appoint a a temporary Chairman,14 with Simon Robertson (a senior
replacement. His premature departure forced HSBC’s independent director at HSBC) taking the role. However,
board to come to a swift decision regarding the this was widely viewed as unlikely given Robertson’s role
succession. as Chair of the Nomination Committee, designated to
appoint Green’s successor, and his existing duties at
As Green was highly regarded as a modern influence Rolls-Royce.
on the 145-year-old bank and had led it admirably
through the 2003 U.S. subprime division crisis as well as With seemingly no clear successor at the time of
the 2008 global financial turmoil, it came as no surprise Green’s announced departure, and a myriad of potential
that HSBC’s share price plunged when news of Green’s candidates that appeared to leave the public and internal
leaving first leaked in May 2010 - investors viewed his stakeholders divided, the succession looked poised to be
departure as the loss of a major asset for the bank. the most chaotic that HSBC had seen for a long time.

With no official word from HSBC on the candidates to


succeed Green, there was widespread speculation in the POWER STRUGGLE IN THE BOARDROOM
media.
To add to HSBC’s troubles, news leaked on 21 September
2010 in The Financial Times that Geoghegan had
It was reported that, within HSBC, many wished for the
threatened to resign after being informed at a meeting
bank to maintain its tradition of promoting the CEO
that the board did not intend to give him the position
to Chairman. CEO Geoghegan was a hardworking
of Chairman.15 HSBC’s executives commented that
“banker’s banker”8 who had held posts within HSBC
Geoghegan could be unhappy at the possibility of being
all around the world in his 37 years with the bank, a
passed over in favour of Thornton. HSBC eventually
decisive and quick-thinking CEO who had earned the
followed up with a strongly-worded denial of the
respect of many of his staff. However, certain factors
incident.16 However, the damage had been done – the
hampered Geoghegan’s appointment. First, it seemed
information leakage had given the public an insight into
that his aggressive management style did not sit well
the boardroom power struggle. The picture of a fractured
with investors, who did not see his adversarial ways
board and rifts over HSBC’s succession were thrust into
as suited to leading the board9 and performing the
public spotlight.
ambassadorial role of a Chairman. Second, and perhaps
more significantly, corporate governance guidelines
Even though the official stance of HSBC and its top
since 2003 had recommended that British companies
management suggests that Geoghegan’s threat to resign
should not elevate CEOs to Chairmen.10 HSBC appeared
might have been exaggerated and sensationalized,17
inclined to abandon its tradition of promoting the CEO
what the public saw at that point in time was an
to Chairman and appoint a non-executive Chairman as a
extremely disorganised and poorly conveyed succession
more independent check on the CEO-led business. This
plan within HSBC, which is ill-befitting of a large global
would leave Geoghegan out of the race.
bank. Naturally, many questions arose. If this leadership
transition had indeed been planned for, why did
Given this turn of events, the board’s final decision on
stakeholders and in particular, Geoghegan, not seem
chairmanship was very much unpredictable to observers.
aligned to the plan prior to the announcement, leading
This was apparent from the extensive list of potential
to internal confusion and the subsequent uproar? It
candidates generated through public speculation.
was clear from an external viewpoint that HSBC had
Other frontrunners for the role included John Thornton, not conveyed the plan and managed expectations
a non-executive director who was more well-received well, both internally and externally. The pressure was
by investors11 because of his independence from bank intensified for HSBC to achieve a resolution as swiftly
management, but an unpopular choice internally due as possible, in order to assuage investors’ discontent,
to his harsh management style developed from his stint prevent divisiveness within the organisation on candidate
at Goldman Sachs. Another candidate was Douglas selection, and restore its public image.
Flint, HSBC’s Finance Director, who was viewed as a
“compromise candidate”12 to placate both investors
8 HSBC: WHO’S THE BOSS?

THE DILEMMA General investor sentiment was that despite the


infighting, “the right men have ended up in the right
In selecting a new Chairman, the Nomination
jobs”.21 However, many institutional investors remained
Committee’s dilemma was obvious. Geoghegan was
upset at the poorly executed succession, and their
a long-serving HSBC banker with a wealth of intimate
disapproval manifested in numerous calls for HSBC’s non-
knowledge on HSBC’s operations. With Green already
executive directors to be replaced, to take responsibility
leaving, the loss of Geoghegan would be a double-
for the “bloody mess”22.
whammy. Yet, condoning Geoghegan’s appointment and
promoting him would undermine shareholders’ wishes
and impede HSBC’s effort to keep up with changes in the
governance landscape. DISCUSSION QUESTIONS
1. What is the purpose of a succession plan and what are
It seemed like no resolution would be able to completely the components of a comprehensive succession plan?
reconcile the interests of shareholders and management.
2. How is succession planning for the board and senior
The need and urgency for the board to arrive at a
management different for companies with controlling
resolution in keeping with the best interests of the
shareholders?
company and to quell public speculation on the internal
rift was pressing, while external perceptions of an ill- 3. Identify the problems that arose as a result of HSBC’s
conceived and ill-conveyed succession plan continued to Chairman succession. What was lacking in HSBC’s
plague HSBC.18 succession plan?
4. What is the impact of poor succession planning on
HSBC and its stakeholders?
THE RESOLUTION
5. What are the roles of the Chairman and the CEO?
On 24 September 2010, just three days after the reported
How are they different? What are the attributes of a
spat between Geoghegan and the board, HSBC unveiled
good Chairman?
a new leadership team.19 After consideration of numerous
factors, the board made a unanimous decision to appoint 6. What are the pros and cons of having the CEO
Douglas Flint to succeed Green as Chairman. Stuart becoming the Chairman? In your view, has HSBC
Gulliver was appointed Group Chief Executive, while Sir addressed the concerns of the CEO becoming
Simon Robertson remained the senior independent non- Chairman by appointing the Finance Director as
executive director and assumed the concurrent role of Chairman?
Deputy Chairman. Geoghegan would continue to serve
7. How should a company balance its needs against the
in an advisory capacity until 31 March 2011, after which
expectations of external stakeholders with respect to
he would formally retire.
compliance with good practice?

John Thornton stayed on as HSBC’s non-executive 8. Imagine you are Sir Robertson right after the news
director. The appointment of Robertson as Deputy broke about the CEO threatening to leave. How
Chairman was aimed at countering investors’ discontent20 would you resolve the situation within and outside
about the newly-installed, predominantly executive HSBC to protect the firm from adverse market
leadership team. reaction?

INVESTORS’ REACTION
Investors’ reaction to the new leadership team was
generally positive. On the day the leadership changes
were announced, HSBC shares increased by 0.4 percent
to 666.4 pence.
ENDNOTES:
1 Moore, James, Trouble at Top of HSBC as Bank Furiously Denies CEO Quit Threat, 23 Sep 2010. The Independent. <http://www.independent.co.uk/news/business/news/trouble-at-top-of-hsbc-as-bank-furiously-denies-ceo-quit-threat-2086990.html> accessed 25 Dec 2012
2 Reece, Damian, HSBC Ex-Chief Michael Geoghegan Relaxes as Another Marathon Looms, 20 Dec 2010. The Telegraph. <http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/8212815/HSBC-ex-chief-Michael-Geoghegan-relaxes-as-another-marathon-looms.html> accessed 25 Dec 2012
3 Aldrick, Philip and Armistead, Louise, Green to Step Down as Chairman of HSBC, 22 May 2010, The Telegraph, <http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/7753386/Green-to-step-down-as-chairman-of-HSBC.html> accessed 25 Dec 2012
4 HSBC Group Chairman to Step Down to become UK Minister of State for Trade and Investment, 7 Sep 2010, HSBC Holdings Plc, <http://www.hsbc.com/1/PA_esf-ca-app-content/content/assets/investor_relations/sea/2010/sea_100907_hsbc_green_announcement_hk_en.pdf> accessed 25 Dec 2012
5 Ibid.
6 Ibid.
7 Goff, Sharlene, Jenkins, Patrick and Parker, George, Green Swaps Board Power for Political Clout, 7 Sep 2010, Financial Times, <http://www.ft.com/intl/cms/s/0/b5ffc1ac-ba59-11df-8e5c-00144feab49a.html#axzz1sVDZcbQr> accessed 25 Dec 2012
8 Olson, Parmy, HSBC Replaces an Irreplaceable CEO, 27 Sep 2010, Forbes, 25 Dec 2012, <http://www.forbes.com/2010/09/27/hsbc-geoghegan-ceo-markets-equities-chairman-executives-replace.html> accessed 25 Dec 2012
9 Ibid.
10 Ibid.
11 Costello, Miles and Griffiths, Katherine and Hosking, Patrick, HSBC Risks Clash with Key Investors over New Chairman, 8 Sep 2010, The Times
12 “HSBC’s Flint Emerges as Consensus Candidate for Chairman”, 23 Sep 2010, Hurriyet Daily News, <http://www.hurriyetdailynews.com/default.aspx?pageid=438&n=hsbc8217s-flint-emerges-as-consensus-candidate-for-chairman-2010-09-23> accessed 25 Dec 2012
13 Goff, Sharlene and Jenkins, Patrick, HSBC puts ‘Safe Pair of Hands’ at Top, 24 Sep 2010, Financial Times, <http://www.ft.com/intl/cms/s/0/ba8bb0e2-c809-11df-ae3a-00144feab49a.html#axzz1sVDZcbQr> accessed 25 Dec 2012
14 HSBC Chairman Contenders: Sir Simon Robertson, 23 Sep 2010, The Telegraph, <http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/8019178/HSBC-chairman-contenders-Sir-Simon-Robertson.html> accessed 25 Dec 2012
15 Jenkins, Patrick, HSBC Chief Geoghegan Threatens to Resign, 21 Sep 2011, Financial Times. <http://www.ft.com/intl/cms/s/0/06a88d22-c5af-11df-ab48-00144feab49a.html#axzz2G61ehppU> accessed 25 Dec 2012
16 Milmo, Dan, HSBC Denies that Chief Executive Threatened to Quit, 22 Sep 2010, The Guardian, <http://m.guardian.co.uk/business/2010/sep/22/hsbc-chief-executive-threatens-to-quit?cat=business&type=article> accessed 25 Dec 2012
17 Reece, Damian, HSBC Ex-Chief Michael Geoghegan Relaxes as Another Marathon Looms, 20 Dec 2010, The Telegraph, <http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/8212815/HSBC-ex-chief-Michael-Geoghegan-relaxes-as-another-marathon-looms.html> accessed 25 Dec 2012
18 Osborne, Alistair, HSBC Bust-Up Shows the Egos will Always Land at Britain’s Biggest Banks, 24 Sep 2010, The Telegraph, <http://www.telegraph.co.uk/finance/comment/alistair-osborne/8024341/HSBC-bust-up-shows-the-egos-will-always-land-at-Britains-biggest-banks.html> accessed 25 Dec 2012
19 HSBC Announces New Leadership Team, 24 Sep 2010, HSBC Holdings Plc, <http://www.hsbc.com/1/2/newsroom/news/2010/hsbc-announces-new-leadership> accessed 25 Dec 2012
20 Treanor, Jill, HSBC’s Geoghegan to get £17m After Losing Out on Chairman Role, 24 Sep 2010, The Guardian, <http://m.guardian.co.uk/business/2010/sep/24/hsbc-boardroom-struggle-liberal-democrats?cat=business&type=article> accessed 25 Dec 2012
21 Corrigan, Tracy, Ed Miliband, HSBC and Kim Jong-Un: How to Put the Success into Succession, 29 Sep 2010, The Telegraph, <http://www.telegraph.co.uk/finance/comment/tracycorrigan/8032012/Ed-Miliband-HSBC-and-Kim-Jong-un-how-to-put-the-success-into-succession.html> accessed 25 Dec 2012
22 Ho, Geoff. “HSBC Investors Call for a Purge: Bloody Infighting over New Chief Executive Causes Fury, 26 Sep 2010, Sunday Express,

THE CO-OPERATIVE BANK: THE WITHERING FLOWERS

CASE OVERVIEW¹
On 21 November 2013, Paul Flowers (Flowers) was arrested as part of a drug supply investigation. The drug scandal led to Flowers’ immediate suspension from his role as a Methodist Church minister and as a member of the Labour Party. Additionally, it sparked a “root and branch” investigation into how the failing Co-operative Bank, where Flowers formerly held the role of Chairman, was run, and how the Co-operative Group ended up with a £1.5 billion shortfall in capital. It was discovered that the directors in the Co-operative Bank were selected based on the candidates’ performance in psychometric tests and on interviews by the Committee which focused more on candidates’ knowledge of the Co-op Group than their expertise and experience. Additionally, although Flowers was considered as an independent Chairman, he was actively involved with the Co-operative movement and the Labour Party, both of which have strong ties with the Co-operative Bank. The objective of this case is to allow a discussion of issues such as board structure and composition; the role of different parties (i.e., board of directors, nominating committee, regulators and shareholders) in selecting and approving appointments of directors; director selection criteria; director competencies and independence; responsibilities and critical skills and competencies of the Chairman; politically-connected directors; and ethics.

THE CRYSTAL METH-ODIST
Paul Flowers, a Bristol University theology graduate, had been a minister of the Methodist church in Bradford since 1976. He was a long-serving member of the Methodist Conference and was, for a number of years, the Secretary and then the President of the Consultative Conference of European Methodist churches.

Flowers had also been an active member of the Labour Party since he was 16 years old. He served as a Labour councillor in Rochdale from 1988 to 1992, and was elected as Labour councillor in Bradford in 2002. Flowers had also been active in the community, serving on the boards of various community-based organisations, such as the Lifeline Project, which works with substance abuse users. However, in September 2011, Flowers resigned as a Labour councillor after adult content was found on his council laptop.

PLANTING SEEDS IN THE CO-OPERATIVE BANK
Flowers was appointed to the Board of The Co-operative Bank plc (Co-op Bank) in 2009 following its merger with the Britannia Building Society. In April 2010, he was appointed as Chairman of the Co-op Bank and Vice-Chairman of The Co-operative Group Limited (Co-op Group).

The rise of Flowers through the ranks of the Co-op Bank was not due to any banking expertise as he had a mere four years of employment at National Westminster Bank Plc. Rather, it was due to his political connections and the tradition of the Co-op Group of “appointing a democrat from within its own numbers as the chair of that board”.¹

TIES THAT BIND: CO-OPERATIVE AND LABOUR
The Manchester-based Co-op Group is a mutual society which traces its roots to the Rochdale Society of Equitable Pioneers. In 1927, the political wing of the Co-op Group, the Co-operative Party, accepted a junior role within the Labour Party. Since then, the Co-op Group has been closely aligned with the Labour Party, with £1 million spent annually to fund pro-Labour activities, along with a total of £18 million in “soft loans” over the years at interest rates well below that of the market.² This support was reciprocated in the form of advice from Labour politicians, which often shaped the Co-op Group’s business decisions.

POLITICAL CHEERLEADING
In October 2008, the Co-op Bank planned to merge with the Britannia Building Society. However, this was dependent upon parliamentary support for a bill that would remove legislation prohibiting mergers between mutuals and co-operatives. In support of the merger, Ed Balls, the then-Secretary of State, Children, Schools and Families, and a Labour-Co-operative member of parliament, supported the bill. He also maintained constant contact with Len Wardle (Wardle), the Chairman of Co-op Group at that time and the “darling of the Left-wing establishment”,³ who continually encouraged the merger. The merger between Co-op Bank and Britannia Building Society, lauded by Balls as Britain’s “first-ever ‘super-mutual’”,⁴ was completed in August 2009.

Following this, the board of directors had to approve the merger. Flowers, then a director of the Co-op Bank, approved the merger and allowed it to proceed.⁵ Flowers’ cooperation eventually led to his promotion to Chairman of the Board of the Co-op Bank.

BOARD STRUCTURE
The Co-op Bank had only one executive director on its 13-member board of directors. Barry Tootell, the Chief Executive Officer and sole executive director of the Co-op Bank, held an executive directorship not only in the Co-op Bank, but also in the Co-operative Banking Group Limited (Co-op Banking Group), CIS Limited and CIS General Insurance Limited, effectively holding four executive directorships within the Co-op Group.

Additionally, the majority of the Co-op Bank’s board was not independent as there were only five independent directors present. This was not in line with the U.K. Corporate Governance Code’s recommendation that “at least half the board, excluding the Chairman, should comprise non-executive directors determined by the board to be independent”.⁶ The Co-op Bank explained in its 2012 annual report that it was taking steps to recruit new independent non-executive directors to “improve the Board’s independence and ensure compliance with the Code”.⁷

Furthermore, only two out of five members on the Co-op Bank’s nominating committee were considered independent non-executive directors. In this regard, the Co-op Bank yet again failed to comply with the Code that states “a majority of the nomination committee should be independent non-executive directors”.⁸ This could potentially have an adverse impact on the Code’s recommendation of “a formal, rigorous and transparent procedure for the appointment of new directors to the board”.⁹

CLIMBING THE CO-OPERATIVE LADDER
The Co-op Bank’s board of directors was drawn from the regional boards of the Co-op Group, each having different backgrounds, ranging from plasterers to horticulturalists. Many directors were also veterans of the Co-operative movement and had former ties with the Labour Party. As David Stanbury, a member of the Co-operative movement, once commented, “How did Flowers and people like him get into their positions? The answer is that a lot of it stems from their positions within the Labour Party.”¹⁰

In 2010, Bob Burlton stepped down as Chairman of the Co-op Bank. The task of appointing a new Chairman fell to the Remuneration and Appointments Committee, which consisted largely of ex-Labour politicians and Co-operative members. In line with the Co-op Group’s tradition,¹¹ Wardle, Chairman of the Co-op Group, looked at the Group’s board for a potential successor for the Co-op Bank.

Flowers had ticked all the right boxes. He was a long-serving member of the Co-operative movement, had been an active member of the Labour Party for years, and was known for his robust style of dealing with people who disagreed with his views.¹² After being shortlisted, Flowers was subjected to various psychometric tests and interviews by the Committee.¹³ Interviewees were quizzed extensively on their knowledge of the Co-op Group, which Flowers easily aced, resulting in a unanimous decision to select him as the next Chairman of the Co-op Bank.

LABOUR PARTY TIES
Out of the 13 directors on the Co-op Bank’s board, three directors had direct relationships with the Labour Party. Besides Paul Flowers, Duncan Bowdler was a Labour Party and Co-operative member¹⁴ and was involved in several community organisations in Crumpsall, Manchester. It was speculated that his appointment as non-executive director in the Co-op Group, Co-op Banking Group¹⁵ and Co-op Bank was due to his 37 years of active involvement in the Labour and Co-operative movements.¹⁶

Another director, Wardle, was a former Labour councillor and prominent member of Labour’s sister party, the Co-operative Party. Despite the lack of a discernible background in business, he was the Chairman of Co-op Group and a non-executive director of both the Co-op Banking Group and Co-op Bank. He was also the main champion of the merger of Co-op Bank with the Britannia Building Society in 2009, which went through with the help of his allies in the Labour government.

CO-OP GROUP TIES
All the directors of the Co-op Bank were also directors of the Co-op Banking Group. On top of their positions in the Co-op Banking Group, nine directors held additional directorships within other branches of the Co-op Group umbrella.¹⁷ Peter Marks, the Group Chief Executive of Co-op Group, was the “driving force” in pushing for the acquisition of the Lloyds Banking Group branches despite concerns about overstretching in the financial division.¹⁸

On the push for the acquisition, Andrew Tyrie, the current Chairman of the Treasury Select Committee, criticised the former management of the Co-op Bank, saying that there was “a lack of personal accountability at senior levels, ineffective corporate governance and insufficient experience and expertise among those taking the decisions; this has become a familiar story.”¹⁹

THE FINAL HURDLE
Before Flowers could be officially appointed, he required the approval of the U.K.’s Financial Services Authority (FSA), whose role has since been succeeded by the Financial Conduct Authority from 1 April 2013.

In Flowers’ interview with the FSA, the regulators dismissed Flowers’ past conviction for gross indecency as irrelevant.²⁰ The main issue was, instead, his lack of financial experience. Flowers acknowledged this, and proposed appointing two experienced deputy chairmen to assist him. The regulators accepted this proposal and subsequently approved his appointment as Chairman of the Co-op Bank.²¹

Flowers was officially appointed as the bank’s non-executive Chairman on 15 April 2010. However, problems soon surfaced. In July 2011, Flowers approved the planned takeover of 632 Lloyds Banking Group branches despite strong opposition from his deputy chairmen, Rodney Baker-Bates and David Davis.²² The progression of the deal, codenamed Project Verde, by the Flowers-led board led to Baker-Bates’ resignation.²³ Despite losing Baker-Bates, Flowers did not appoint a replacement deputy, and the issue was not pursued by the FSA. This resulted in a lack of checks and balances, which came into serious question when Project Verde eventually fell through and the Co-op Bank was found to have a £1.5 billion “black hole” in its finances.²⁴

THE END OF FLOWERS
Flowers subsequently stood down from all his roles within the Co-op Group and the Co-op Bank. Following this, The Mail on Sunday published video footage of Flowers allegedly boasting about his use of cocaine and other illegal drugs.²⁵ The Methodist Church and the Labour Party then suspended Flowers, who was investigated by the police and the Commons Treasury Select Committee.

The “nightmare” at the Co-op Bank led to British Prime Minister David Cameron announcing in the House of Commons that he would initiate an inquiry to determine how Flowers had come to be appointed as Co-op Bank’s Chairman.²⁶ Not only were questions being asked about Flowers’ credentials and the motivation behind his appointment, but also the process behind FSA’s approval. There was also the issue of how the Co-op Bank spent two years attempting to acquire the 632 Lloyds Banking Group branches, particularly as the FSA would have needed to approve the transaction. One thing is clear – the £1.5 billion black hole was truly a huge price to pay for such a lesson on corporate governance.

DISCUSSION QUESTIONS
1. Evaluate the board composition and structure of the Co-op Bank.
2. What are the typical responsibilities of the Chairman of a Board? What are the most critical skills and competencies of a Chairman? Evaluate the skills, competencies and the independence of Paul Flowers as Chairman of the Co-op Bank.
3. Evaluate the composition of the Nominating Committee of the Co-op Bank. What is the role of the Nominating Committee in screening Board candidates? How far should the Nominating Committee go in performing due diligence on an individual’s personal character and ethics?
4. Discuss the importance of political connections in the appointment of board members in the Co-op Bank and the corporate governance issues that arise from such political connections. To what extent do political connections matter for appointments to the boards of listed companies in your country?
5. What role should regulators play in approving the appointments to boards of financial institutions? What are the rules in your country regarding such regulatory approvals?
6. Given the prevalence of banking groups in the financial sector (i.e., with a financial holding company and subsidiary bank), do you think this particular structure raises any corporate governance issues? Compare this with banking groups in Singapore and Asia.

This is the abridged version of a case prepared by Eugene See Wen Jie, Lan Yingli, Ng Ray Min and Ong Bee Hui under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Isabella Ow under the supervision of Professor Mak Yuen Teen.

Copyright © 2015 Mak Yuen Teen and CPA Australia.

ENDNOTES
1 Treanor, J. (2013, November 18). Questions Were Already Being Asked About Paul Flowers’s Credentials. The Guardian. Retrieved from: http://www.theguardian.com/business/blog/2013/nov/18/questions-cooperative-bank-paul-flowers
2 Tweedie, N. (2013, November 22). The Labour Party’s Unholy Alliance with the Co-operative Bank. The Telegraph. Retrieved from: http://www.telegraph.co.uk/news/politics/labour/10467988/The-Labour-Partys-unholy-alliance-with-the-Co-operative-Bank.html
3 Salmon, J. (2013, August 15). IT’S TEFLON LEN! How Co-op Chairman Wardle Has Survived the Storm. This Is Money. Retrieved from: http://www.thisismoney.co.uk/money/markets/article-2394952/ITS-TEFLON-LEN-How-Co-op-chairman-Wardle-survived-storm.html
4 The Co-operative Group. (2009). Annual Report and Accounts 2009. The Co-operative Group. Retrieved from: https://www.co-operative.coop/Corporate/PDFs/Annual_Report_2009.pdf
5 Quinn, J. (2013, November 19). The Co-op Board and a Backroom Deal that Backfired. The Telegraph. Retrieved from: http://www.telegraph.co.uk/finance/10461253/The-Co-op-board-and-a-backroom-deal-that-backfired.html
6 The UK Corporate Governance Code (September 2012) (B.1 The Composition of the Board) (B.1.2.). Retrieved from: http://www.slc.co.uk/media/5268/uk-corporate-governance-code-september-2012.pdf
7 The Co-operative Bank. (2012). 2012 Financial Statements. Retrieved from: http://www.co-operativebank.co.uk/assets/pdf/bank/investorrelations/financialresults/bank-financial-statement-2012.pdf
8 The UK Corporate Governance Code (September 2012) (B.2 Appointments to the Board) (B.2.1). Retrieved from: http://www.slc.co.uk/media/5268/uk-corporate-governance-code-september-2012.pdf
9 The UK Corporate Governance Code (September 2012) (B.2 Appointments to the Board). Retrieved from: http://www.slc.co.uk/media/5268/uk-corporate-governance-code-september-2012.pdf
10 Tweedie, N. (2013, November 22). The Labour Party’s Unholy Alliance with the Co-operative Bank. The Telegraph. Retrieved from: http://www.telegraph.co.uk/news/politics/labour/10467988/The-Labour-Partys-unholy-alliance-with-the-Co-operative-Bank.html
11 Treanor, J. (2013, November 18). Questions Were Already Being Asked About Paul Flowers’s Credentials. The Guardian. Retrieved from: http://www.theguardian.com/business/blog/2013/nov/18/questions-cooperative-bank-paul-flowers
12 Quinn, J. (2013, November 19). The Co-op Board and a Backroom Deal that Backfired. The Telegraph. Retrieved from: http://www.telegraph.co.uk/finance/10461253/The-Co-op-board-and-a-backroom-deal-that-backfired.html
13 Goodley, S. (2014, January 31). Paul Flowers Became a Bank Chairman after a Psychometric Test. Can I Try? The Guardian. Retrieved from: http://www.theguardian.com/business/blog/2014/jan/31/paul-flowers-psychometric-testing-bank-chairman
14 Duncan Bowdler BSc (Hons) Biochemistry. Bloomberg Businessweek. Retrieved from: http://investing.businessweek.com/research/stocks/private/person.asp?personId=9531233&privcapId=3433747&previousCapId=874523&previousTitle=SCHRODERS%20PLC
15 Not to be confused with The Co-operative Bank plc (Co-op Bank).
16 Duncan Bowdler. The Co-operative Membership. Retrieved from: http://www.co-operative.coop/membership/its-your-business/your-representatives/Your-local-representative/North-Eastern--Cumbran-region/Manchester/Duncan-Bowdler/
17 The Co-operative Bank. (2012). 2012 Financial Statements. Retrieved from: http://www.co-operativebank.co.uk/assets/pdf/bank/investorrelations/financialresults/bank-financial-statement-2012.pdf
18 Salmon, J. (2013, October 23). Former Co-op Boss Lambasted by MPs for ‘Selective Amnesia’ after Claims Bank was Victim of Financial Crash. This Is Money. Retrieved from: http://www.thisismoney.co.uk/money/markets/article-2471814/MPs-launch-relentless-attack-Co-op-chief-Peter-Marks.html
19 N.A. (2013, October 22). Co-op Chairman Len Wardle to Step Down in May. BBC News. Retrieved from: http://www.bbc.com/news/business-24627442
20 Scuffham, M. & Jones, H. (2014, January 7). FCA Admits Approval of Ex-Co-op Bank Chairman Was Mistake. Reuters. Retrieved from: http://.reuters.com/article/topNews/idUKBREA060CB20140107
21 Quinn, J. (2014, January 28). Paul Flowers ‘Coached’ Ahead of FSA Interview. The Telegraph. Retrieved from: http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10602412/Paul-Flowers-coached-ahead-of-FSA-interview.html
22 Voinea, A. (2014, February 12). Project Verde was a ‘Step Too Far’, Say Former Co-chairs. Co-operative News. Retrieved from: http://www.thenews.coop/48994/news/banking-and-insurance/project-verde-step-far-say-former-co-chairs/
23 Ibid.
24 Ahmed, K. (2014, April 11). Co-op Bank Apologises and Confirms £1.3bn Losses. BBC News. Retrieved from: http://www.bbc.com/news/business-26967020
25 Craven, N & Slater, R (2013, November 16). Crystal Meth Shame of Bank Chief. Mail on Sunday. Retrieved from: http://www.dailymail.co.uk/news/article-2508464/Crystal-meth-shame-Co-op-bank-chief-Paul-Flowers.html#ixzz2l0qVkXrI
26 N.A. (2013, November 20). PMQs: Cameron on Paul Flowers and Co-Op Bank Inquiry. BBC News. Retrieved from: http://www.bbc.com/news/uk-politics-25020670

FINDING THE WHISTLE AT BARCLAYS
CASE OVERVIEW1
In January 2017, a whistleblower contacted Barclays’ board of directors, finding fault with the British bank’s entire whistleblowing process. According to the whistleblower, Barclays Group Chief Executive (CEO), Jes Staley, had attempted to uncover another whistleblower who had sent in whistleblowing letters concerning Staley himself. Following the whistleblowing incident, more questions surrounding Staley emerged, questioning his suitability to remain as CEO. Barclays’ history of scandals and fines was also brought to stakeholders’ attention, raising concerns about Barclays’ corporate governance. The objective of this case is to facilitate a discussion of issues such as whistleblowing and the effectiveness of whistleblowers; conflict of interests; the role and effectiveness of the board; and the board’s influence on corporate culture.

THE WHISTLE IS BLOWN
In June 2016, two anonymous letters were sent from the U.S. to a number of Barclays board members and a senior executive. The letters concerned the recruitment of Tim Main, the Chairman of the bank’s global financial institutions group in New York, who was also Staley’s friend and former colleague from JP Morgan. The letters contained complaints about Main’s behaviour during his time at JP Morgan and touched on Main’s personal history while he was working at JP Morgan.1 They further questioned the appropriateness of his recruitment to Barclays.2

Although the letters were reported not to have contained any new information that people did not already know, the bank’s compliance team proceeded with investigations on the whistleblowing issue. Sources described the letters as being “very simple, very crude”, and “very malicious”.3

When Staley obtained access to a copy of the letters, he accused the whistleblower of harassment and alleged that his intent was to “maliciously smear” Main.4 He then made multiple attempts to identify the whistleblower. Staley’s first attempt to identify the whistleblower was put to a stop after he and the information security team were informed that their actions were inappropriate due to the protection of whistleblower anonymity and against reprisal in the firm. A month later, Staley took another stab at the matter by instructing the information security team, led by Troels Oerting,5 a former Europol official, to track down the identity of the writer, after being informed that the whistleblowing probe had been closed. The security specialists at Barclays then requested assistance from the U.S. Postal Inspection Service through video footage. However, the hunt proved to be fruitless and was eventually called off.6

REFORMS IN THE U.K.
In March 2016, a new regime was introduced by the Bank of England and the Financial Conduct Authority of Britain (FCA) for strengthening accountability in banks and the financial sector.7 The regime sought to reinforce the accountability of managers on an ongoing basis – entities are required to issue an annual certificate to staff, under prescribed functions, to deem them fit and proper to fulfil their professional duties.8

The purpose of the Senior Management Arrangements, Systems and Controls was to encourage directors and senior management of companies to take appropriate responsibility for the company’s arrangements on matters likely to be of interest to the Financial Services Authority, making them accountable for the control of the company’s affairs.9,10

Additionally, under Section 60A(1) of the Financial Services and Markets Act, entities are required to be satisfied that the person is a fit and proper person to perform the required function.11 A wide range of checks are required to prove that a person is fit and proper, and the onus is on the entity to show regulators that the applicant is a fit and proper person to perform his or her required functions.12

WHISTLEBLOWER CHAMPION
The attempts made by Staley to uncover the whistleblower came as a slap to Barclays as the bank had just appointed a ‘whistleblower champion’, Mike Ashley, as the Chairman of its Audit Committee in 2016. As the ‘whistleblower champion’, he is responsible for “the integrity, independence and effectiveness of the Barclays’ policies and procedures on whistleblowing, including the

This is the abridged version of a case prepared by Ang Jia Xuan, Fang Zhou, Sharon Goh Xin Yi, Sitoh Zi En Pamela and Zhang Danran under the supervision of Professor Mak Yuen
Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The
interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by
Isabella Ow under the supervision of Professor Mak Yuen Teen.

Copyright © 2018 Mak Yuen Teen and CPA Australia.



procedures for protecting employees who raise concerns from detrimental treatment”.13 Upon his appointment, Ashley sent all employees a video to highlight and raise awareness of Barclays’ policies and procedures regarding whistleblowers.14

THE SECOND COMING
In January 2017, Barclays’ board was contacted by yet another anonymous whistleblower. The whistleblower touched on issues with Barclays’ whistleblowing process, highlighting Staley’s treatment of the previous whistleblowing letters the year prior. In light of the new complaint on Staley’s potential misconduct, Barclays’ directors employed the assistance of a London legal firm to investigate. The legal firm issued a findings statement on 10 April, 2017, which stated that Staley had “honestly but mistakenly” sought to uncover the letter writer’s identity without fully understanding the implications of his doing so. The explanation was accepted by Barclays’ board. In the following month at the annual shareholder meeting, Barclays’ Chairman, John McFarlane, defended Staley, despite condemnation from some investors.15

In the midst of the intense scrutiny from various stakeholders, Staley fell victim to emails sent by a prankster who pretended to be the bank Chairman. The prankster was later revealed to be a disgruntled customer of Barclays, who emailed Staley using an email address containing the Chairman’s name. Staley responded to the joke emails without realising he had been duped. The emails made their way onto social media and eventually got published in the media.16,17

BARKING AT BARCLAYS
Upon the eruption of Staley’s whistleblowing scandal, the FCA and the Bank of England’s Prudential Regulation Authority (PRA) stepped in to investigate the matter. The Department of Financial Services in New York was also looking into this incident. If Staley is found to be guilty of the claims, the authorities could decide to ban him from working in the financial services in the future and this verdict would cost him his job.18

Amidst ongoing investigations, Jonathan Cox, Barclays’ global head of whistleblowing when the scandal took place, filed a lawsuit against the bank but subsequently agreed on an out-of-court settlement and was set to leave Barclays. Richard Atterbury, formerly an FCA official, subsequently took over from Cox as global head of whistleblowing at Barclays.19

SHAREHOLDERS REACT
While awaiting the decision from regulators on whether Staley should be allowed to remain as CEO, the bank’s shareholders expressed dissatisfaction with Staley’s investment banking strategy and poor share price performance.20

Apart from the whistleblowing incident, Barclays’ share price was negatively affected by other problems – the bank faced a potential multibillion-dollar U.S. civil lawsuit over the alleged mis-selling of mortgage securities and a criminal lawsuit in the U.K. over the controversial terms of its emergency fundraising from Qatari investors during the 2008 financial crisis.21

POACHING FRIENDS
After Staley became Barclays’ CEO, there were several senior defections from JP Morgan, Staley’s previous firm, to Barclays. Following the defections, an email was sent by a managing director at Barclays’ New York office to colleagues worldwide, including some of Barclays’ top managers, in September 2016. The email stated that both parties “have agreed to a 1-year ban on hiring any JPMC employee by Barclays” in key areas like corporate and investment banking. Less than a week after the initial email was sent, a follow-up email was blasted to recipients, informing them to disregard the original email.22

Under the U.S. antitrust laws, such ‘no poach’ agreements are illegal. The claims of non-poaching agreements between Barclays and JP Morgan had prompted the U.S. Department of Justice (DoJ) to scrutinise Barclays’ actions to determine whether it had breached antitrust laws. On the other hand, the U.K. authorities did not pursue the affair as ‘no poach’ agreements are included widely in U.K. contracts for mid-to-senior ranking employees, especially within the finance industry.23

CAUGHT IN THE MIDDLE
Shortly after the whistleblowing scandal came to light, Staley was embroiled in a dispute with one of Barclays’ important clients in May 2017. The dispute centred around Kohlberg Kravis Roberts & Company (KKR), a private equity giant, and Aceco TI (Aceco), a Brazilian company founded by Staley’s father-in-law.

The conflict between KKR and the Nitzan family arose due to a US$700 million investment gone wrong. In 2014, KKR had purchased a majority stake in Aceco from three sellers. Two of the three sellers were Staley’s wife – Debora Staley – and Staley’s brother-in-law – Jorge Nitzan, who was the CEO of Aceco. However, within two years, KKR had written off the investment and accused Nitzan, who had been dismissed as CEO, of foul play. KKR further alleged accounting fraud and bribery at Aceco after receiving information from an anonymous whistleblower.24 Nitzan had denied the accusations and blamed Aceco’s travails on the crashing Brazilian economy.25

Staley then became involved in the row in a personal capacity. A legal dispute between KKR and Nitzan had ensued, and KKR had approached Staley to listen to the discoveries arising from its investigation, believing that he would convince Nitzan to settle. Alexander Navab, KKR’s private equity chief for the Americas, also asked Staley why he was aiding Nitzan despite serious allegations of fraud. Staley countered that he was acting not in his capacity as a Barclays representative but was instead acting privately to defend a family member.26 However, KKR, viewing the situation as a conflict of interests as a client of Barclays,27 dismissed the notion and accused him of acting against client interests.28

Not only did Staley refuse to assist in the settlement of KKR and Nitzan, he even introduced a potential investor, Timothy Collins of New York firm Ripplewood Advisors, to Nitzan. Additionally, KKR later found out that Staley had also discussed the Aceco matter with some of KKR’s co-investors in the Brazilian company. Staley had vouched for Nitzan, conveying his belief that his brother-in-law would not be involved in fraud.29

As a result of Staley’s actions, KKR was reported to have barred Barclays from joining potentially lucrative deals until the dispute was resolved, dealing a huge blow to Barclays’ already shaky business.30

A HISTORY OF SCANDALS AND FINES
Prior to the whistleblowing scandal, the British bank was already said to have “suffered from a perception of a flawed culture”,31 due to its role in the London Interbank Offered Rate (LIBOR) scandal and other regulatory troubles.

On 27 June 2012, Barclays was fined £59.5 million by the FSA32 and US$200 million by the U.S. Commodity Futures Trading Commission for attempted manipulation of the LIBOR.33 The then-Chairman Marcus Agius and former Chief Executive Bob Diamond resigned the following week.34 Barclays had started to collude with other banks to manipulate the LIBOR for the benefit of its traders during the global economic upturn in 2005. After the 2008 global financial crisis, Barclays artificially lowered the LIBOR to generate an illusion of a lower borrowing rate and hence the perception of a less risky bank.35

During the 2008 financial crisis, Barclays’ former Chief Executive John Varley and three ex-senior executives allegedly conspired to provide a US$3 billion unlawful loan facility to the Qatari investors in exchange for a £12 billion capital injection to the bank.36 The raised funds partially offset Barclays’ losses and saved it from accepting a government bailout while its strongest competitors in the U.K. – Royal Bank of Scotland and Lloyds Banking Group – had to do so. However, the raised funds were not fully disclosed to the market. Upon the uncovering of its actions, Barclays faced three counts of criminal charges by the U.K. Serious Fraud Office, including illegal financial assistance and conspiracy to carry out fraud by false representation.37

In 2014, Barclays was fined £26 million by the FCA for failure to manage conflicts of interest with its customers, and systems and control faults with respect to the London Gold Fixing.38 Between 2004 and 2013, Barclays trader Daniel Plunkett exploited inherent weaknesses in the firm’s systems to influence Gold Fixing. As a result, Barclays did not have to pay US$3.9 million to its customer and Plunkett’s own trading book was significantly improved. Plunkett was fined £95,600 and banned from carrying out any function related to regulated activities.39

STALEY PAYS A PRICE
In May 2018, it was reported that Staley was fined a total of £642,430 by the FCA and the PRA, and Barclays had clawed back £500,000 of his bonus over the matter. The bank would also have to report annually to the regulators, detailing how it handles whistleblowing matters after the watchdogs expressed concerns about its existing systems. The regulators said Staley failed to act with due skill, care and diligence. Staley became the first CEO of a major financial institution to be fined by the financial regulators and keep his job.40

Staley survived a bruising annual meeting on 10 May 2017, which threatened the loss of his CEO position in the bank. However, fortunately for Staley, with Chairman McFarlane’s strong support, 95% of shareholders backed Staley staying in his position.41

New York’s Department of Financial Services – known for its heavy penalties on banks – is still investigating and has yet to publish its findings.

HAVE THINGS CHANGED?
Against the backdrop of an increasingly competitive banking landscape, will Barclays and its management personnel be able to resist the temptations of gains – be it financial or otherwise – derived from unlawful misconduct and instead establish good corporate governance to be accountable to all its stakeholders?

Perhaps there is a glimmer of hope with Staley seeking repentance and setting the tone at Barclays in his statement: “I have consistently acknowledged that my personal involvement in this matter was inappropriate and I have apologised for mistakes which I made. I accept the conclusions of the board, the FCA and PRA … and the sanctions which they have each applied.”42

DISCUSSION QUESTIONS
1. What measures can an organisation put in place to ensure that a whistleblowing system is effective? How can whistleblowers be protected and should employees be incentivised to blow the whistle?
2. Identify the different stakeholders involved in the whistleblowing scandal and evaluate their conduct and responses to the incident.
3. Evaluate Staley’s conduct relating to the whistleblowing scandal and his involvement in the dispute involving KKR & Co and Aceco TI.
4. Given the number of scandals Barclays had faced, comment on the board’s response. Were the directors and Chairman performing their duties? Should the board have fired the CEO? Explain.
5. What is the role of the board in setting the right corporate culture in a company? How should the board go about doing this and ensuring that it is embedded in the company?

ENDNOTES
1 Kelly, K. (2017, August 26). James Staley’s Series of Unfortunate Events. New York Times. Retrieved from https://www.nytimes.com/2017/08/26/business/dealbook/jes-staley-barclays-ceo.html?_r=0
2 Martin, B. (2017, April 10). How the whistleblowing scandal at Barclays unfolded. Telegraph. Retrieved from http://www.telegraph.co.uk/business/2017/04/10/whistleblowing-scandal-barclays-unfolded/
3 Ibid.
4 Kelly, K. (2017, August 26). James Staley’s Series of Unfortunate Events. New York Times. Retrieved from https://www.nytimes.com/2017/08/26/business/dealbook/jes-staley-barclays-ceo.html?_r=0
5 Morris, S. (2017, November 2). Barclays Security Head Oerting Is Said to Depart After Absence. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-11-02/barclays-security-head-oerting-is-said-to-depart-after-absence
6 Kelly, K. (2017, August 26). James Staley’s Series of Unfortunate Events. New York Times. Retrieved from https://www.nytimes.com/2017/08/26/business/dealbook/jes-staley-barclays-ceo.html?_r=0
7 Mayer Brown. (2015, September). The UK’s new regulatory regime for individuals Part 1: How does it apply to UK branches of EEA and non-EEA banks and PRA-designated investment firms?. Retrieved from https://www.mayerbrown.com/files/Publication/29e2621a-b32a-4ff0-a9a8-e3c412ff9d90/Presentation/PublicationAttachment/88b509fb-7655-47a4-b032-b17e68b1b6c3/FSRE-update_sept15_senior-manager-regime.pdf
8 Jones, R. (2016, March 7). ‘Reckless’ senior bankers face jail under new law. Financial Reporter. Retrieved from http://www.financialreporter.co.uk/finance-news/reckless-senior-bankers-face-jail-under-new-law.html
9 Ibid.
10 Financial Conduct Authority. (2017, November). Senior management arrangements, Systems and Controls. Retrieved from https://www.handbook.fca.org.uk/handbook/SYSC.pdf
11 Financial Conduct Authority. (2016, April 19). The Fit and Proper test for Approved Persons. Retrieved from https://www.handbook.fca.org.uk/handbook/FIT.pdf
12 Jones, R. (2016, March 7). ‘Reckless’ senior bankers face jail under new law. Financial Reporter. Retrieved from http://www.financialreporter.co.uk/finance-news/reckless-senior-bankers-face-jail-under-new-law.html
13 Fletcher, N. (2017, May 25). Barclays boss admits errors over whistleblower and says ‘I got too personally involved’ - as it happened. Guardian. Retrieved from https://www.theguardian.com/business/live/2017/apr/10/barclays-boss-investigated-over-attempts-to-unmask-whistleblower-live
14 White, L. and Cohn, C. (2017, April 10). Barclays reprimands chief executive for trying to identify whistleblower. Reuters. Retrieved from https://www.reuters.com/article/us-barclays-investigation/barclays-reprimands-chief-executive-for-trying-to-identify-whistleblower-idUSKBN17C0IU
15 Ibid.
16 Quinn, J. (2017, May 17). Barclays chief falls victim to email prankster pretending to be bank chairman. Telegraph. Retrieved from http://www.telegraph.co.uk/business/2017/05/11/barclays-chief-falls-victim-email-prankster-pretending-bank/
17 Shubber, K. and Arnold, M. (2017, May 12). ‘Thanks for sharing the foxhole’. Financial Times. Retrieved from https://ftalphaville.ft.com/2017/05/11/2188714/thanks-for-sharing-the-foxhole/
18 Ibid.

19 Arnold, M. (2017, September 15). Barclays’ whistleblowing chief set to quit after settlement. Financial Times. Retrieved from https://www.ft.com/content/e07c8cd4-9a0e-11e7-a652-cde3f882dd7b
20 Arnold, M. (2017, October 8). Barclays chief Jes Staley faces threats on two fronts. Financial Times. Retrieved from https://www.ft.com/content/3f07f292-aac3-11e7-ab55-27219df83c97
21 White, L. (2017, June 21). Crisis-era fraud charges haunt Barclays as rivals move on. Reuters. Retrieved from https://www.reuters.com/article/us-barclays-qatar-ceo/crisis-era-fraud-charges-haunt-barclays-as-rivals-move-on-idUSKBN19B2PW
22 Binham, C. and Arnold, M. (2017, September 10). Barclays’ email raises questions on banks’ ‘no-poach agreement’. Financial Times. Retrieved from https://www.ft.com/content/ede2ef76-94af-11e7-bdfa-eda243196c2c
23 Patterson, J. (2017, June 16). Barclays CEO Staley Faces DoJ Examination Following Hires from JPMorgan. Finance Magnates. Retrieved from https://www.financemagnates.com/institutional-forex/regulation/barclays-ceo-staley-faces-doj-examination-following-hires-jpmorgan/
24 Strasburg, J., Kowsmann, P., and Colchester, M. (2017, May 2). When Barclays’s Jes Staley Went to Bat for an In-Law, a Powerful Client Cried Foul. Wall Street Journal. Retrieved from https://www.wsj.com/articles/when-barclayss-jes-staley-went-to-bat-for-an-in-law-a-powerful-client-cried-foul-1493717418
25 Davies, R. (2017, May 3). Barclays chief clashes with private equity firm over family dispute. Guardian. Retrieved from https://www.theguardian.com/business/2017/may/02/barclays-chief-equity-firm-jes-staley-kkr-whistleblower
26 Strasburg, J., Kowsmann, P., and Colchester, M. (2017, May 2). When Barclays’s Jes Staley Went to Bat for an In-Law, a Powerful Client Cried Foul. Wall Street Journal. Retrieved from https://www.wsj.com/articles/when-barclayss-jes-staley-went-to-bat-for-an-in-law-a-powerful-client-cried-foul-1493717418
27 Reuters. (2017, May 3). Barclays CEO Staley in dispute with KKR over soured deal: WSJ. Retrieved from https://www.reuters.com/article/us-barclays-ceo-idUSKBN17Y23J
28 Davies, R. (2017, May 3). Barclays chief clashes with private equity firm over family dispute. Guardian. Retrieved from https://www.theguardian.com/business/2017/may/02/barclays-chief-equity-firm-jes-staley-kkr-whistleblower
29 Ibid.
30 Ibid.
31 Kelly, K. (2017, August 26). James Staley’s Series of Unfortunate Events. New York Times. Retrieved from https://www.nytimes.com/2017/08/26/business/dealbook/jes-staley-barclays-ceo.html?_r=0
32 U.K. Financial Services Authority. (2012, June 27). Barclays fined £59.5 million for significant failings in relation to LIBOR and EURIBOR. Retrieved from http://www.fsa.gov.uk/library/communication/pr/2012/070.shtml
33 U.S. Commodity Futures Trading Commission. (2012, June 27). CFTC Orders Barclays to pay $200 Million Penalty for Attempted Manipulation of and False Reporting concerning LIBOR and Euribor Benchmark Interest Rates. Retrieved from http://www.cftc.gov/PressRoom/PressReleases/pr6289-12
34 BBC. (2012, July 3). Barclays boss Bob Diamond resigns amid Libor scandal. Retrieved from http://www.bbc.com/news/business-18685040
35 McBride, J. (2016, October 12). Understanding the Libor Scandal. Council on Foreign Relations. Retrieved from https://www.cfr.org/backgrounder/understanding-libor-scandal
36 Ring, S. (2017, June 20). Barclays, Ex-CEO Charged Over Qatar Rescue Amid 2008 Crisis. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-06-20/barclays-four-former-executives-charged-over-qatar-fundraising
37 Binham, C. (2017, June 21). Barclays and former executives charged with crisis-era fraud. Financial Times. Retrieved from https://www.ft.com/content/94cc0b50-5582-11e7-9fed-c19e2700005f
38 U.K. Financial Conduct Authority (2014, May 23). Barclays fined £26m for failings surrounding the London Gold Fixing and former Barclays trader banned. Retrieved from https://www.fca.org.uk/news/press-releases/barclays-fined-%C2%A326m-failings-surrounding-london-gold-fixing-and-former-barclays
39 Bentley, G. (2014, May 23). Barclays fined £26m over failure to manage conflict of interest. City A.M. Retrieved from http://www.cityam.com/blog/1400832514/fca-fines-barclays-26m-over-failure-manage-conflict-interest
40 Binham, C. and Arnold, M. (2018, May 11). Barclays chief Staley fined £640,000 over whistleblowing scandal. Financial Times. Retrieved from https://www.ft.com/content/8a172758-550e-11e8-b3ee-41e0209208ec
41 Fletcher, N. (2018, May 11). Barclays boss Jes Staley fined £642,000 over whistleblower scandal. Guardian. Retrieved from https://www.theguardian.com/business/2018/may/11/barclays-jes-staley-fined-whistleblower-fca
42 Ibid.
MISCONDUCT

COMMONWEALTH BANK OF AUSTRALIA: ROGUE ONE
CASE OVERVIEW1
Commonwealth Financial Planning Limited (CFPL), the financial planning arm of Commonwealth Bank of Australia (CBA), was involved in a huge fraud scheme from 2003 to 2012. Rogue financial planners at CFPL manipulated their clients’ files and forged documents to invest their clients’ monies in extremely high-risk investments, with the aim of earning higher commissions and bonuses. Such fraudulent financial advice caused hundreds of Australians to lose their life savings, some running into millions. Despite tip-offs by whistleblowers within CFPL, the Australian Securities and Investments Commission (ASIC) was criticised for being inexplicably slow and inadequate in its response. Meanwhile, CFPL’s efforts to compensate the victims were also lambasted as covering up for their rogue planners while trying to bully their victims into settling for minimal compensation. The objective of this case is to allow for a discussion of issues such as the impact of “pay for performance” on behaviour; governance in company groups; management’s and directors’ roles in ensuring compliance; role of regulators and the media in corporate governance; whistleblower protection; and ethics.

DARK UNDERCURRENTS
Commonwealth Bank of Australia (CBA) is the largest of the big four Australian banks, holding 29% of all household deposits in Australia.1 Commonwealth Financial Planning Limited (CFPL) is a subsidiary that falls under the wealth management division of CBA, and was helmed by the Head of Wealth Management, Grahame Petersen, from 2006 to 2011.2 In February 2008, as part of a surveillance program by the regulatory body, the Australian Securities and Investments Commission (ASIC), a warning notice was sent to CFPL, indicating that 38 of its planners had been classified as a “critical risk” for non-compliance with appropriate financial planning advice protocols.3 That was when Jeff Morris, a newly hired financial planner at the Chatswood, New South Wales branch, sensed something amiss in the bank.

THE LEGEND OF DODGY DON
One of the 38 names highlighted in the warning notice, Donald (Don) Nguyen, was hauntingly familiar to Morris. Don was a fellow financial planner who sat just a couple of feet away from Morris at the Chatswood Branch. He was one of the top writers of CFPL, amassing 1,300 clients4 who had invested their money with him. In 2007, Don was top of CFPL’s Financial Planners league table, managing portfolios worth A$39,064,657 for the bank that year alone, grossly exceeding his annual target by more than three-fold.5

But Don’s ascent to the peak was a tad dubious. Better known by his colleagues as “Dodgy Don”,6 he had a sinister reputation of notching sales through unscrupulous means. After personally witnessing some of Don’s dishonest acts, an outraged Morris alerted his team’s Financial Planning Manager.7 To his disbelief, the manager brushed the issue aside. Morris’ colleagues later explained that Don held the aegis of management protection due to his status as a top writer in CBA.8

YOU GET WHAT YOU PAY FOR
More than half of a CBA financial planner’s total annual remuneration depended on short-term incentives such as bonuses. Commissions were pegged to the risk levels of investment assets sold, hence financial planners had an incentive to encourage their clients to opt for as risky an investment portfolio as possible.9 Furthermore, the tone at the top was unforgiving - meet your sales targets, or surrender your rice bowl.10 Such was the “boiler-room” culture CBA had nurtured through an aggressive sales-driven and excessively short-term remuneration incentive scheme - one driven by a myopic chase of bonuses with little place for honesty.

FIRST-CLASS COVER UP
Clients soon started to see the value of their investment portfolios plunge to almost nothing within a short span of months and started inundating the bank with complaints. Against the backdrop of a global financial meltdown, it made no financial sense for the clients, especially the retirees, to opt for such aggressive and risky investment portfolios. Sensing something amiss, Morris took the matter to middle management, but once again, the response he got was one of nonchalance and evasiveness.11

This is the abridged version of a case prepared by Tan Joel, Wee Wei Liang, Aaron Koh and Chua Han Lin under the supervision of Professor Mak Yuen Teen. The case was developed
from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives
in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This case was edited by Toh Jia Yun under the supervision of Professor
Mak Yuen Teen.

However, growing public pressure forced CBA into a formal investigation, and it was discovered that Don had secretly manipulated the risk profiles of his clients into adopting hyper-aggressive investment portfolios for his own benefit of drawing higher commissions.12 In particular, an extraordinary number of clients’ files “requested” a 50% portfolio allocation to Listed Property Trusts,13 an extremely risky investment asset. Don had deceived and manipulated his clients into thinking their monies were lost because of misfortune. In September 2008, Don was suspended for fraud and compliance failures.

Meanwhile, complaints from clients of other crooked planners in CFPL, most notably Christopher Baker14 and Rick Gillespie,15 continued to flood in. To make matters worse, many of Don’s frustrated clients who were left without a planner constantly barraged the bank for explanations. CFPL needed someone to douse the flames - someone who could dupe and discourage the clients from pursuing their complaints. Incredibly, on 15 October 2008, not only was Don reinstated, he was also promoted to the position of a Senior Financial Planner.16

Morris soon came to the realisation that an internal resolution to the matter would never succeed as the management themselves were covering up for the planners’ fraudulent acts. Yet, Morris wanted to keep his cover as he lacked faith in the regulator’s whistleblower protection policies and required more time to continue gathering evidence against Don’s wrongdoing. On 30 October 2008, together with two other long-serving colleagues, Morris finally spilled the beans on Don. Under the alias of “The Three Ferrets”,17 they faxed a report to ASIC, voicing the need for urgent action.

However, months passed and there was no sign of ASIC taking decisive action to obtain evidence from CFPL, despite the whistleblowers’ tip-off that the clients’ files were already being sanitised. Instead, ASIC opted for discussions with CFPL in December 2008, which resulted in the joint solution to “closely supervise” Don and subject his advice to “vetting before approval”.18 Exasperated, “The Three Ferrets” then decided to take the issue to Darin Tyson-Chan, a journalist at the trade journal Investor Daily, in May 2009.19

BREAKING DON
A series of articles spelling out details of Don’s fraudulent

14 cases of forgery as early as October 2008”,20 yet did nothing to remedy the problem. CBA attributed the fraud to “a few bad apples”, rather than the lack of compliance within the bank, or any conflicts of interest in their financial planning arm. In fact, to prevent certain documents from being accessed in the likely event of a client lawsuit, senior management arranged for these documents to be processed by the legal department so that these would be given protection of legal privilege.21 CBA also allowed some of the fraudulent financial planners to resign and move on to other companies instead of giving them the boot,22 so as to avoid “bad press”.

The whistleblowers also sent an anonymous email to CBA Group Security and CBA’s Senior Management,23 alleging CFPL management’s attempts to cover up for its rogue planners. This time, it succeeded in triggering a massive knee-jerk response within the bank. CBA Group Security launched a thorough investigation within CFPL, where it was found that an alarming number of Don’s client files were missing.

On 3 July 2009, Don resigned citing ill health, which allowed him to draw a lifetime A$70,000 payout per annum under CBA’s group insurance policy.24 To make matters worse, the annual bonuses of Chief Risk Officer, Alden Toevs, and Head of Wealth Management Division, Grahame Petersen, increased by approximately A$4.5 million and A$2.1 million respectively from 2008 to 2010.25 All this came amidst dismal media stories of terminally ill victims who had lost their life savings due to the rogue planners and were struggling to seek any reasonable form of compensation from CBA.

At the same time, Morris felt immense pressure from the top management, which resolved to identify the source of leaks to the media. With their covers blown and yet no action by ASIC in sight, “The Three Ferrets” were left defenceless.

On 24 February 2010, 16 months after the first anonymous fax Morris had sent to ASIC, the whistleblowers finally stormed through the doors of the ASIC office, demanding that client files be seized and decisive action be taken. “They told me I had Whistleblower Protection from that day. He then went on to say, basically, that it wouldn’t be worth much,” recalled Morris of his conversation with one of the frontline officers in ASIC.26 Ironically, Australia had just revised her Corporations Act in 2004 to provide stronger protection
for whistleblowers. However, Morris was not surprised by
acts was published by Investor Daily from May to June
this - it was a common view in the finance industry that
2009. It was brought to light that CBA knew of “at least
ASIC was not the most trustworthy of regulators.27

DIVIDE AND CONQUER

On 24 March 2010, ASIC issued an order to CFPL, giving them two weeks to hand over client files undergoing investigation, marking the first sign of confrontation between ASIC and CFPL. CBA was also pressured to devise a compensation scheme to pacify the affected clients. In November 2010, CBA finally proposed a voluntary compensation scheme for the victims. The strategy, however, was to divide and conquer - each victim was isolated so they would have limited knowledge of the greater scheme of things,28 allowing CBA to incur minimal expenses in the compensation.29

Janice Lee Braund and her husband Alan were two of Don’s most famous victims. In 2002, the couple entrusted A$1 million of their retirement savings to Don, on hearing of his reputation as the “star planner” of CBA. Yet Don only had his eyes fixed on maximising his commissions. Ignoring the couple’s clear instructions of preserving capital, Don forged Braund’s signature to transfer their capital to high-risk products that were eventually wiped out when the financial crisis struck in 2009.

Under the compensation scheme, Braund was initially offered A$200,000. With good fortune, she had a note that indicated that “the Braunds had a conservative profile and they were extremely concerned and did not wish to use any of their capital in retirement”.30 Using this note as a bargaining chip for negotiation, her compensation quantum was raised to A$215,000 and subsequently A$880,000.31 Unfortunately, not all victims had such great bargaining power; most received a less than satisfactory amount of compensation.

FAIR FACTS THROUGH FAIRFAX

ASIC’s investigation confirmed the frauds of Don and other financial planners in CFPL. On 26 October 2011, CBA entered into an Enforceable Undertaking (EU) with ASIC for two years. The EU was targeted at reviewing CBA’s risk management systems, its internal risk profiling, and the monitoring of its financial planners. During this time, three other financial planners were required to “remove themselves from the industry”.32

At the same time, Braund’s patience was running out with the inadequate responses to her complaints at CBA and ASIC. Despite Braund being granted interviews with ASIC to tell her story, she was adamant that not enough was being done to appease the anger and anguish of the victims. Her repeated complaints to CBA and ASIC had generally fallen on deaf ears, and she was disgusted at CBA’s ostensible attempts to cover up. She finally decided to take her story to Fairfax Media.33 The Fairfax reports triggered a Senate Inquiry the following month, on 20 June 2013, centering on two key issues - the misconduct of financial advisers in CFPL and ASIC’s general poor performance.

The final report of the Senate Inquiry was released on 26 June 2014. It contained scathing criticisms of both ASIC and CFPL. “There was forgery and dishonest concealment of material facts,” as reported in the inquiry.34 Committee chairman Senator Mark Bishop said CFPL’s actions were “facilitated by a reckless, sales-based culture and a negligent management, who ignored or disregarded non-compliance and unlawful activity as long as profits were being made”.35 He also commented that “ASIC appears to miss or ignore clear and persistent early warning signs of corporate wrongdoing, or troubling trends that place the interest of consumers or investors at great risk”.36 Among a whole host of findings with regard to the wrongdoings of ASIC and CFPL, one was to demand a royal commission into the saga, though it was eventually rejected.

EMERGING FROM HIS SHELL

The negative publicity from the Senate Report that slammed CBA’s financial planning arm created ripples around Australia. Seven days later, on 3 July 2014, Ian Narev, CEO of CBA, who had made an effort to stay inconspicuous, was forced to issue a public apology for the first time and propose a new compensation scheme for the victims.37 The compensation scheme, titled the Open Advice Review Program, which became operational in mid-August 2014, offered an assessment of any received financial advice.38 After the assessment, a compensation offer would be made by an “independent customer advocate” funded by CBA. If victims still felt that compensation offers were inadequate, they would be able to appeal to an independent panel, chaired by former High Court judge Ian Callinan, whose decision would then be binding.39

Yet, questions had been asked about whether the review process was truly independent,40 as the first stage of this process was still conducted by CBA. Morris even went so far as to dismiss CBA’s new scheme as “first-class window-dressing” and disagreed with the “pull” nature of the review process. “The problem with the process is [that] customers have to complain,” Morris said, adding, “I suspect very few will”.41

BUSINESS AS USUAL

Paradoxically, the share price of CBA did not experience any sustained adverse impact during the saga. The only period during which the share price saw a substantial drop was from 20 May 2013 to 10 June 2013, when the price dipped 11.5% from A$73.49 to A$65.02.42 Since then, the stock has grown from strength to strength to close at A$80.48 as of 31 October 2014. An analyst report by Richard Wiles of Morgan Stanley even showed calculations of both the financial impact of compensation and the potential impact on revenues due to reputational damages with an eventual price target of A$87.20.43

ONE STEP BACK, TWO STEPS FORWARD

The reputational damage borne by CBA was coupled with uncertain financial repercussions. Customer satisfaction ratings of CBA have suffered a drastic drop. Under Roy Morgan’s “most-favoured institution” satisfaction assessment, CBA slipped from first place at the start of 2014 to third place in September 2014. This would cause management to lose one quarter of their long-term bonuses.44 The introduction of CBA’s new compensation scheme also led to new claims surfacing daily. At present, A$52 million in compensation has already been paid out, with up to A$250 million possibly required eventually.45

In light of the CBA Financial Planning scandal, questions have been asked about the integrity of the financial planning sector, with a lack of customer protection being a major concern. The Australian government has quickly responded by putting new measures into place, including a proposal to establish an enhanced, industry-wide public register of financial advisers to increase transparency in the industry. Additionally, in September 2014, a Corporations Amendment Regulation with regard to the Statements of Advice was made to increase clients’ accessibility to information and to minimise possible conflicts of interest.

ASIC has also responded quickly to the criticisms of its role in the Senate Report, establishing an Office of Whistleblower to allow quicker response to whistleblowers and commencing an organisation-wide improvement process of its communications and transparency.46

DISCUSSION QUESTIONS

1. Describe the actions taken and behaviour displayed by senior management throughout this saga. Discuss if these actions and behaviour were inappropriate and whether they aggravated the situation. If you were in the position of Ian Narev, the CEO, what would you have done differently during the crisis?

2. “Show me a company’s various compensation plans, and I’ll show you how its employees behave” - Jack Welch, Former CEO of General Electric
   Examine the key areas of concern in CBA’s remuneration plan. To what extent do you think these influenced the corporate culture and employee behaviour in CBA? What changes, if any, would you make to the remuneration plan?

3. In the Senate Inquiry Final Report, ASIC was described as “waiting for complaints, investigating a minute proportion of them, and prosecuting even fewer.” Critically evaluate the actions taken by ASIC throughout the course of the Financial Planning Scandal, while highlighting difficulties ASIC might have faced during its investigations.

4. The media played an important role in exposing the fraud in CFPL. Discuss the role of the media in promoting good governance in your country. Are there factors which limit its effectiveness?

5. Briefly discuss the importance of a good whistleblower protection policy. Do you think the policy sufficiently protected Morris and his fellow whistleblowers? What further improvements can be made to encourage those who are aware of wrongdoings in an organisation to come forward, instead of remaining silent?

6. CBA had an excellent reputation amongst its customers but CFPL severely damaged it. What are the challenges faced by an organisation like CBA in promoting ethical behaviour, compliance and good governance throughout the group?

ENDNOTES
1 Glory Global Solutions. (n.d.). Case Study on Commonwealth Bank Australia. Retrieved from http://www.gloryglobalsolutions.com/en-gb/resources/Case%20Studies/Commonwealth%20Bank%20Case%20Study_EN.pdf
2 Ferguson. A. & Butler. B. (2014, August 8). Commonwealth Bank Executive Grahame Petersen Retires. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/commonwealth-bank-executive-grahame-petersen-retires-20140808-101sk7.html
3 The Senate. (2014, June) Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
4 Ferguson. A. (2013, October 22). CBA Paying Banned Planner for Last Four Years. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/cba-paying-banned-planner-for-last-four-years-20131022-2vym5.html
5 Ferguson. A. (2014, May 13). Banking Bad. Podcast retrieved from http://www.youtube.com/watch?v=-xoZLzgH8pQ
6 Millan. L. (2014, March 24). Whistleblower Claims the Existence of 100 CBA Rogue Advisors. Retrieved from http://www.financialstandard.com.au/news/view/38845015/
7 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
8 Ferguson. A. (2014, May 13). Banking Bad. Podcast retrieved from http://www.youtube.com/watch?v=-xoZLzgH8pQ
9 The Senate. (2014, June) Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
10 Ferguson. A. (2014, June 22). Targets, Bonuses, Trips - Inside the CBA Boiler Room. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/targets-bonuses-trips--inside-the-cba-boiler-room-20130621-2oo9w.html#ixzz3HtrqSuRj
11 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
12 The Senate. (2014, June 26). Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
13 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
14 Morris J. (n.d.). The Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=c3ba38d5-f1d7-46a4-a485-6b10da61349e&subId=31124
15 Ferguson. A. (2013, July 15). ASIC has Much to Answer at Senate Inquiry. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/asic-has-much-to-answer-at-senate-inquiry-20130714-2py4o.html
16 The Senate. (2014, June 26) Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
17 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
18 Chapter 9. Commonwealth Financial Planning Limited: ASIC’s Investigations of Misconduct at CFPL. (n.d.). Parliament of Australia. Retrieved from http://www.aph.gov.au/parliamentary_business/committees/senate/economics/asic/final_report/c09
19 Ibid.
20 Ferguson. A. & Vedelago. C. (2013, June 22). Targets, Bonuses, Trips – Inside the CBA Boiler Room. Retrieved from http://newsstore.fairfax.com.au/apps/viewDocument.ac;jsessionid=1130AEDFCD538A3B7EDF07AC49B09DCB?sy=afr&pb=all_ffx&dt=selectRange&dr=1month&so=relevance&sf=text&sf=headline&rc=10&rm=200&sp=brs&cls=472&clsPage=1&docID=AGE130622374EO3MKR5F
21 Ibid.
22 Ferguson. A. & Butler. B. (2014, August 9). ASIC Probes Commonwealth Bank over Financial Planner Forgery. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/asic-probes-commonwealth-bank-over-financial-planner-forgery-20140808-1020zn.html
23 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
24 Ferguson. A. (2013, October 22). CBA Paying Banned Planner for Last Four Years. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/cba-paying-banned-planner-for-last-four-years-20131022-2vym5.html
25 Commonwealth Bank of Australia. (n.d.). Annual Reports. Retrieved from https://www.commbank.com.au/about-us/shareholders/financial-information/annual-reports.html
26 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
27 Ibid.
28 Morris J. (n.d.). Submission to Senate Inquiry. Retrieved from http://www.aph.gov.au/DocumentStore.ashx?id=750d427e-37ca-4f47-82e6-2c4a898c5919&subId=205346
29 Freeman, G. (2014, July 4). CBA Breaks Cover to Announce Expanded Advice Victim Compensation Scheme. Retrieved from: http://www.professionalplanner.com.au/featured-posts/2014/07/04/cba-breaks-cover-to-announce-expanded-advice-victim-compensation-scheme-29161/
30 Ferguson. A. (2014, May 6). Banking Bad, Transcript. ABC News. Retrieved from http://www.abc.net.au/news/2014-05-05/banking-bad/5433156
31 Ibid.
32 The Senate. (2014, June 26) Performance of the Australian Securities and Investment Commission. Retrieved from http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
33 Ferguson. A. (2014, July 5). CBA may Fall Victim to Hubris as Pressure Rises over Financial Planning Scandal. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/cba-may-fall-victim-to-hubris-as-pressure-rises-over-financial-planning-scandal-20140704-3bdt8.html

34 Ferguson. A. & Butler. B. (2014, June 26). Commonwealth Bank Facing Royal Commission Call after Senate Financial Planning Inquiry. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/commonwealth-bank-facing-royal-commission-call-after-senate-financial-planning-inquiry-20140625-3asy6.html
35 McGrath. P. & Janda. M. (2014, June 27) Senate Inquiry Demands Royal Commission into Commonwealth Bank, ASIC. ABC News. Retrieved from http://www.abc.net.au/news/2014-06-26/senate-inquiry-demands-royal-commission-into-asic-cba/5553102
36 Ibid.
37 Ferguson, A., & Butler, B. (2014, July 4). CBA Sorry ‘Too Little, Too Late’ Retrieved from http://www.smh.com.au/business/banking-and-finance/cba-sorry-too-little-too-late-20140703-3bbhy.html
38 Ibid.
39 Janda. M. (2014, July 11). Commonwealth Bank Financial Planning Compensation Scheme to be Led by Ex-High Court Judge Callinan. ABC News. Retrieved from http://www.abc.net.au/news/2014-07-11/commonwealth-bank-financial-planning-compensation-scheme-callin/5589922
40 Eyers. J. & Coorey. P. (2014, July 3) CBA to Review a Decade of Advice. Retrieved from http://www.afr.com/p/business/companies/cba_to_review_decade_of_advice_c1ZF1Jln3SoG61PU6VbLbJ
41 Drummond. S. (2014, August 10). Commonwealth Bank Names Former Regulator Jeff Carmichael to Oversee Financial Advice Review. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/commonwealth-bank-names-former-regulator-jeff-carmichael-to-oversee-financial-advice-review-20140810-102ine.html#ixzz3HVVSEzST
42 Yahoo Finance. (n.d.). Commonwealth Bank of Australia. Retrieved from https://au.finance.yahoo.com/echarts?s=CBA.AX#symbol=CBA.AX;range=
43 Morgan Stanley. (2014, July 8). Commonwealth Bank Australia, Financial Planning Problems: The Implications. Retrieved from http://media.crikey.com.au/wp-content/uploads/2014/07/MS-on-CBA.pdf
44 Eyers. J. (2014, October 21). Financial Planning Scandal Threatens CBA Customer Service Title. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/financial-planning-scandal-threatens-cba-customer-service-title-20141021-119clp.html
45 Ferguson. A. & Williams. R. (2014, June 14). Commonwealth Bank Compensation Bill may Run to Multi Millions. The Sydney Morning Herald. Retrieved from http://www.smh.com.au/business/banking-and-finance/commonwealth-bank-compensation-bill-may-run-to-multi-millions-20140613-3a30h.html
46 Cormann, M. (2014, October 24). Government Response to the Senate Inquiry into the Performance of ASIC. Retrieved from http://mhc.ministers.treasury.gov.au/media-release/043-2014/

WELLS FARGO: FORGONE REPUTATION?

CASE OVERVIEW1

On 8 September 2016, Wells Fargo announced that it had agreed to pay fines amounting to US$185 million to the Consumer Financial Protection Bureau, regarding allegations of Wells Fargo’s sales practices. Worse was to come as in February 2020, it had to admit wrongdoing and pay US$3 billion to settle criminal and civil investigations by the U.S. Justice Department and the Securities and Exchange Commission. Given its outstanding past performance, how did Wells Fargo end up breaking its customers’ trust, and how did it respond to the crisis? The objective of the case is to allow a discussion of issues such as corporate culture; the dual roles of Chairman and Chief Executive Officer (CEO); executive remuneration plans; risk management policies; and the role of the board, external regulators and authorities.

THE WELLS REPUTATION

“Our values should guide every conversation, decision, and interaction.”
– The Vision and Values of Wells Fargo1

NYSE-listed Wells Fargo is one of the world’s largest financial institutions, serving 70 million customers2 and boasting total assets amounting to US$1.9 trillion.3 Its market capitalisation of around US$240 billion in early September 2016 made it one of the most valuable banks in the US.4 It also received accolades such as ‘Best Bank in North America (2016)’ by the Global Finance Magazine.5

Being a largely conservative and conventional lender allowed Wells Fargo to weather the financial crisis of 20086 and outperform its competitors in customer satisfaction surveys.7 In his 2015 letter to shareholders, then-CEO John Stumpf attributed Wells Fargo’s success to the relationships fostered with customers, and stated that the trust placed in the bank would never be taken for granted.8

JOHN STUMPF: THE STAGECOACH DRIVER

Stumpf worked his way up the corporate ladder in the loan department of Norwest Corp and joined Wells Fargo when the two firms merged in 1998. He was appointed CEO in 2007 and Chairman in 2010,9 and was subsequently awarded ‘Banker of the Year’ by American Banker in 2013 and ‘CEO of the Year’ by Morningstar in 2015.10 In 2015, his remuneration amounted to US$19.3 million.11

BROKEN TRUST

On 8 September 2016, it was revealed that Wells Fargo’s employees had opened about two million unauthorised deposit and credit card accounts since 2011 to satisfy sales goals and earn financial rewards under the bank’s incentive-compensation programme.12 Sales figures were inflated by moving funds from existing accounts into unconsented new ones, and by creating unconsented applications for credit card accounts. This also increased earnings from unwarranted charges such as overdraft fees on original accounts.13 The fraudulent misconduct was attributed to the obsessive sales-driven culture at Wells Fargo,14 which previously surfaced in a 2013 report by the Los Angeles Times (LA Times), and may have gone back more than 10 years.15 Wells Fargo had caught onto the problem internally, with then-CEO and Chairman, John Stumpf, himself unsurprised by the 2013 article.16

Fines totalling US$185 million levied by regulators represented a minor setback for a bank bringing in annual profits of over US$20 billion.17 However, Wells Fargo’s stock price plunged to a two-and-a-half year low and its reputation was damaged, as reflected in a survey done by consultancy firm cg42, which showed negative perceptions of the bank rising to 52% from 15% during the period prior to the scandal.18

THE “GR-EIGHT INITIATIVE”

After the scandal broke, fingers were pointed at Stumpf for allowing a sales-driven culture to perpetuate in the company.19 Contrary to the prudent approach to managing risk described in Wells Fargo’s annual report,20 one of Stumpf’s mantras was “eight is great”;21 employees were pushed to sell at least eight financial products per household in what was known internally as the “Gr-eight initiative”.22 This cross-selling – pushing different products to the same customer – was a key strategy at Wells Fargo. In 2016, the average retail banking household reportedly used 6.27 Wells Fargo products.23

This is the abridged version of a case prepared by Dominic Wong Ngiap Chuang, Yeo Jing Wen and Lee Chang Cheng under the supervision of Professor Mak Yuen Teen. The case was
developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and
perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Yeo Hui Yin Venetia
under the supervision of Professor Mak Yuen Teen.

Copyright © 2017 Mak Yuen Teen and CPA Australia.



In a hearing with the Senate Banking Committee, Senator Elizabeth Warren of Massachusetts said that Stumpf touted cross-selling as one of the main reasons for investors to buy Wells Fargo’s stock and berated him for squeezing employees to the point that they cheated customers.24

CORPORATE CULTURE

Former employees alleged that they were trained to “push customers to open multiple accounts”25 and were even coached on how to “inflate sales numbers”.26 Branch managers were assigned quotas that were carried forward if targets were not met during the period. The number of new accounts, down to individual employees, were collected by district managers four times a day,27 with warnings issued for unsatisfactory performance. Furthermore, financial incentives were pegged to cross-selling targets, with personal bankers receiving as much as a 20% bonus.28 This resulted in a ‘pressure-cooker’ environment where employees sold products that arguably did not serve the best interests of customers.29

However, when rumours of the aggressive sales culture first circulated in 2013, executives like then-Chief Financial Officer (CFO) Tim Sloan denied any form of overbearing sales culture in Wells Fargo, adding that there were “multiple controls in place to prevent abuse” such as an ethics program for employees and a whistleblower hotline to notify senior management of potential violations.30

Wells Fargo eventually announced a revamped employee compensation and incentive plan effected in January 2017, which would not include any sales goals, and where performance evaluations would be based on customer service, usage and growth, instead of simply the number of new accounts opened. The new head of community banking, Mary Mack, described this as a milestone for Wells Fargo to restore trust both within and outside the organisation.31

DUAL ROLES

The dual roles held by Stumpf since 2010 were another point of contention. CtW Investments suggested that splitting the roles with an independent board Chairman “could help repair the bank’s broken compliance systems”.32 Rafferty Capital, a brokerage firm, lambasted Stumpf’s lack of leadership as Chairman. Although there was a board meeting and the board could have clawed back the pay of the executives involved, no statement was issued on potential clawbacks. Rafferty Capital’s analyst stated that this represented “the strongest argument” for removing Stumpf as Chairman.33

After repeated calls, Stumpf resigned as CEO and Chairman of Wells Fargo on 12 October 2016. Tim Sloan, who served as Chief Operating Officer (COO) from November 2015 to October 2016, was promoted to CEO, while lead independent director Stephen Sanger became the non-executive Chairman of the board. In December 2016, Wells Fargo amended its bylaws to require a separate Chairman and CEO,34 as well as an independent Chairman and Vice-Chairman of the board. These moves were unconventional for banks in the US but were viewed favourably by analysts, such as Gerard Cassidy of RBC Capital Markets, who felt it “should help relieve some of the political pressures the company has felt.”35

However, there were concerns regarding the promotion of Sloan who, as COO, was in charge of the community bank and consumer lending divisions, the centre of the scandal. Among his critics was House Democrat Maxine Waters, who felt that the COO had the potential ability to stop the misbehaviour.36 FBR Capital Markets also believed that new blood was required to solve the ‘toxic’ cultural problem.37

EXECUTIVE REMUNERATION AND ACCOUNTABILITY

After the 2008 financial crisis, large banks promised to recover large payouts from top bankers that were obtained through unlawful conduct, underpinned by the Sarbanes-Oxley Act and Dodd-Frank Act. However, Stumpf was walking away with US$133.1 million38 upon his resignation, including 2.4 million shares he accumulated,39 despite forfeiting US$41 million worth of unvested options.40

Stumpf’s bonus scheme was designed to be directly tied to Wells Fargo’s account growth. He received US$4 million in awards in 2015 linked to factors such as growing “primary consumer, small business and banking checking customers”.41 Yale’s Jeffrey Sonnenfeld believed that Stumpf should be subject to more clawbacks of amounts linked to meeting cross-selling targets, a view strongly shared by Senator Warren, who had accused Stumpf of pressuring employees with sales targets to increase the stock value.42

Another executive under fire was the head of the community banking division since 2008, Carrie Tolstedt, who led retail operations and cross-selling efforts to customers. Tolstedt had resigned prior to the September revelation, and walked away with a US$125 million payout.43 In 2014, Wells Fargo specifically disclosed cross-selling as a factor behind her multi-million dollar pay.44 Having confirmed that Tolstedt’s departure was partially linked to the unauthorised accounts, Stumpf and the board were criticized for allowing the huge payout instead of firing her for the misdeed. Eventually, Wells Fargo recovered US$19 million but Tolstedt still left with US$43 million in stock.45

BOARD OF DIRECTORS

Wells Fargo’s board faced scrutiny, with proxy advisory firms Institutional Shareholder Services and Glass Lewis calling for shareholders to vote against some or almost all of the incumbent directors.46 Glass Lewis also advised against the re-election of two directors who they felt were on too many other boards to effectively govern Wells Fargo.47

The company’s board appeared to be well-equipped; it had a Corporate Responsibility Committee, Risk Committee and Audit Committee.48 The board composition was also perceived as “admirable”, with more than half the board members from minority groups, and its 15 directors boasting diverse backgrounds across industries such as banking, academia and government, including two former banking regulators.49

However, the board was seen to be largely inactive. For instance, the Corporate Responsibility Committee met only thrice in 2015, the minimum number set by the board rules.50 The board also remained mainly passive even when early warnings about the company’s business practices surfaced in 2013. It took no action in early September to fire Stumpf or claw back his remuneration. Several reasons were cited for the board’s inactivity. For example, directors often nominate themselves for re-election, allowing them to remain on the board without difficulty.51

Another issue was the closeness of the board with the CEO, which was accentuated by the fact that the CEO himself was the Chairman of the board.52 This was partially attributed to the directors’ long tenures, with Wells Fargo’s directors’ average tenure of 9.7 years exceeding those of other S&P 500 companies and banks like J.P. Morgan and Citigroup, leading to an insular board and familiarity concerns.53

Various suggestions to improve board effectiveness were made. CtW Investment Group suggested the inclusion of new directors with experience linking employees’ remuneration to corporate goals,54 while shareholders such as New York City’s pension funds, who found trouble understanding the responsibilities of board committees, called for fewer directors and greater clarity about their duties.55

FAILURE OF THE LINES OF DEFENCE

All three lines of defence adopted as part of the bank’s risk management policies had “let Wells Fargo down”, according to the University of Maryland’s Professor Rossi.56 Professor Rossi also remarked that it is worrying for a bank “well known for its risk management prowess” to allow “poorly designed business objectives and incentive compensation” to overpower its strong risk culture.57

WHISTLEBLOWING BACKFIRED

Stumpf highlighted that the whistleblowing culture at Wells Fargo allowed every employee, regardless of their position in the hierarchy, to “raise their hands” and speak out on issues,58 and the bank mentioned confidential ethics lines as a platform for employees to submit constructive feedback.59 However, reports showed otherwise. Ex-employee Bill Bado claimed to have used the hotline and sent an email to human resources (HR) to flag unethical sales activities but had his contract terminated eight days later due to “tardiness”.60 At least five Wells Fargo employees had also sued the bank or filed complaints with regulators regarding similar treatment.61 An Occupational Safety and Health Administration investigation also revealed that a former bank manager’s whistleblowing activity contributed to his termination in 2010. The bank was ordered to rehire and pay US$5.4 million in compensation to the whistleblower.62

One former Wells Fargo HR official was also quoted saying that the bank “had a method in place to retaliate against tipsters” and found ways to fire these employees “in retaliation for shining light” on unethical sales practices.63 In a letter to Sloan, senators reprimanded the bank for filing “defamatory statements to retaliate against employees who questioned the bank’s aggressive cross-selling practices”.64

REGULATORS AND AUDITORS: THE FOURTH LINE OF DEFENCE

Much blame had been laid on the shoulders of Wells Fargo’s officers. However, according to the Financial Stability Institute of the Bank of International Settlement, regulatory supervisors and external auditors serve as a fourth line of defence for banks.65

The auditor’s role

Senator Warren questioned the quality of KPMG’s audit for its failure to detect the fraudulent practices at Wells Fargo.66 She took particular issue with the internal controls over financial reporting audit, referencing KPMG’s conclusion that Wells Fargo had “maintained ... effective internal control over financial reporting” while the illegal behaviour was ongoing.67

Several points were offered in KPMG’s defence. As Forbes noted, auditors are not expected to actively seek out fraud if there is no material effect on the financial statements, which the bank contended were immaterial in this case. In addition, stricter tests on internal controls would unlikely have revealed a fraud either, unless there was a resulting material impact on figures.68 Former Acting Chairman of the Public Company Accounting Oversight Board Dan Goelzer described such immaterial effects on the financial statements as outside the scope of the auditors’ work.69

Regulators asleep at the switch

On 8 September 2016, the Consumer Financial Protection Bureau (CFPB) announced that it had imposed a US$100 million fine on Wells Fargo for its illegal actions, along with a US$35 million fine by the Office of the Comptroller of the Currency (OCC) and another US$50 million fine by the City and County of Los Angeles. The CFPB also required Wells Fargo to make full refunds to affected customers, and to hire an independent consultant to review and ensure proper sales procedures were in place. CFPB director Richard Cordray asserted that “because of the severity of these violations, Wells Fargo is paying the largest penalty the CFPB has ever imposed”.70 The OCC also imposed new restrictions on the bank, such as the banning of ‘golden parachutes’ and allowing the government to disapprove the hiring of certain executives.71

However, questions were raised as to why the agencies had not stepped in earlier. Referring to the 2013 LA Times report, Republican Jeb Hensarling, Chairman of the House Financial Services Committee, criticised the agencies for failing to uncover the improper sales tactics at Wells Fargo in a timely manner, suggesting that the OCC and the CFPB were “asleep at the switch”.72 On the other hand, Representative Democrat Carolyn Maloney defended the CFPB, indicating that they had maintained data, as well as acted and investigated customer complaints accordingly.73

The Securities and Exchange Commission (SEC)

In late September, three senators of the banking committee called for the SEC to launch an investigation into whether Wells Fargo had violated internal control provisions of the Sarbanes-Oxley Act, securities law, as well as whistleblower protection laws during the scandal.74 On 3 November 2016, Wells Fargo disclosed that it was facing a probe by the SEC, but left out details on what the SEC was investigating aside from its “sales practices”.75

Other agencies involved in the investigation of Wells Fargo included the US Department of Justice76 and the California Attorney General Office,77 which could result in potential criminal charges for the bank.78

Shareholders

Activist shareholders like Gerald Armstrong were also critical about the matter, calling for clawbacks of large payments to top executives, or for an independent Chairman, at the time of the scandal.79 Institutional investors, such as the California State Teachers’ Retirement System, also mentioned that they encountered difficulties understanding the responsibilities of board committees, and felt Wells Fargo’s board was slow to tackle the problem and disclose information.80

Warren Buffett of Berkshire Hathaway, Wells Fargo’s largest shareholder, initially kept mum about the scandal, but broke his silence in November 2016. He revealed that he had not lowered his stake in the bank, calling it “a great bank that made a terrible mistake”. Buffett was also supportive of Sloan’s promotion, in direct contrast to critics’ preference for an outsider.81

MOVING FORWARD: WILL ALL BE WELL?

Half a year on from the revelation on 8 September 2016, Wells Fargo had instituted various changes, ranging from new executives to improved company policies. These have placated some observers, but others remain sceptical of the bank’s inherent profit-seeking nature. Looking ahead, the bank can be comforted by the fact that other equally sizeable companies have recovered from similar incidents. Yet, trust is something easily broken but not easily earned.

In February 2020, Wells Fargo agreed to pay US$3 billion and admit wrongdoing to settle criminal and civil investigations with the Justice Department and the Securities and Exchange Commission.82

How Wells Fargo will do in the years to come remains to be seen.

DISCUSSION QUESTIONS

1. How might John Stumpf’s dual role as Chairman and CEO have affected Wells Fargo leading up to the scandal? Why do you think he held both roles despite the potential corporate governance issues? What measures are necessary to mitigate the potential risks of combining the two roles and to what extent were those measures in place at Wells Fargo?

2. What is the role of the board of directors in ensuring the right corporate culture? To what extent do you think Wells Fargo’s corporate culture contributed to the cross-selling scandal? What could the bank have done differently to avoid this problem?

3. What are the duties of a board of directors in light of this incident? Given the apparently admirable and competent board of directors at Wells Fargo, why did they not address the issue internally before it escalated to the public?

4. Examine the remuneration policies in Wells Fargo for both senior executives and employees. Did they contribute to the cross-selling scandal? What could have been done better?

5. It was said that the three lines of defence had failed at Wells Fargo. Explain the three lines of defence and what factors contributed to their failure. Did the federal regulators and external auditors act appropriately and quickly enough in response to the scandal?

ENDNOTES

1 Wells Fargo. (n.d.). The Vision and Values of Wells Fargo. Retrieved from https://www.wellsfargo.com/about/corporate/vision-and-values/
2 Wells Fargo. (n.d.). Wells Fargo Today, Corporate Culture. Retrieved from https://www08.wellsfargomedia.com/assets/pdf/about/corporate/wells-fargo-today.pdf
3 Wells Fargo. (2017, January 13). Wells Fargo reports $5.3 billion in quarterly net income. Retrieved from http://www.businesswire.com/news/home/20170113005120/en/Wells-Fargo-Reports-5.3-Billion-Quarterly-Net
4 Cheng, E. (2016, September 13). JPMorgan tops Wells Fargo as biggest US bank by market cap. CNBC. Retrieved from http://www.cnbc.com/2016/09/13/jpmorgan-tops-wells-fargo-as-biggest-us-bank-by-market-cap.html
5 Wells Fargo. (2016, November). Global finance magazine names Wells Fargo ‘Best Bank in North America’. Retrieved from https://wholesale.wf.com/global-focus/global-finance-magazine-names-wells-fargo-best-bank-in-north-america/
6 The Economist. (2013, September 14). Riding high. Retrieved from http://www.economist.com/news/finance-and-economics/21586295-big-winner-financial-crisis-riding-high
7 Popper, N. (2012, March 18). Wells Fargo is now the nation’s biggest bank by market value. Retrieved from http://articles.latimes.com/2012/mar/18/business/la-fi-wells-fargo-20120318
8 Wells Fargo. (n.d.). Wells Fargo Annual Report 2015. Retrieved from https://www08.wellsfargomedia.com/assets/pdf/about/investor-relations/annual-reports/2015-annual-report.pdf
9 Young, V. (2016, September 27). How Wells Fargo’s CEO pushed his board into the political spotlight. The Street. Retrieved from https://www.thestreet.com/story/13742167/3/how-wells-fargo-s-ceo-pushed-his-board-into-the-political-spotlight.html
10 Faux, Z., Keller, L. J., and Surane, J. (2016, October 13). Wells Fargo CEO Stumpf quits in fallout from fake accounts. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-10-12/wells-fargo-ceo-stumpf-steps-down-in-fallout-from-fake-accounts
11 Glazer, E. (2016, March 16). Wells Fargo CEO’s 2015 pay package valued at $19.3 million. The Wall Street Journal. Retrieved from https://www.wsj.com/articles/wells-fargo-ceo-2015-pay-package-valued-at-19-3-million-1458162163
12 Blake, P. (2016, September 8). Wells Fargo fires about 5,300 workers in unauthorized account scandal, officials say. Retrieved from http://abcnews.go.com/US/wells-fargo-fires-5300-workers-unauthorized-account-scandal/story?id=41956019
13 Egan, M. (2016, September 9). 5,300 Wells Fargo employees fired over 2 million phony accounts. CNN Money. Retrieved from http://money.cnn.com/2016/09/08/investing/wells-fargo-created-phony-accounts-bank-fees/
14 Arnold, C. (2016, October 4). Former Wells Fargo employees describe toxic sales culture, even at HQ. NPR. Retrieved from http://www.npr.org/2016/10/04/496508361/former-wells-fargo-employees-describe-toxic-sales-culture-even-at-hq
15 Mount, I. (2016, October 12). Wells Fargo fake accounts may go back more than 10 years. Fortune. Retrieved from http://fortune.com/2016/10/12/wells-fargo-fake-accounts-scandal/
16 Koren, J. R. (2016, September 29). Wells Fargo CEO knew for years about problems with unauthorized accounts. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-wells-fargo-live-updates-stumpf-ceo-stumpf-long-aware-of-issues-with-1475166245-htmlstory.html
17 Merle, R. (2016, September 13). Wells Fargo fired 5,300 workers for improper sales push. The executive in charge is retiring with $125 million. The Washington Post. Retrieved from https://www.washingtonpost.com/news/wonk/wp/2016/09/13/wells-fargo-fired-5300-workers-for-illegal-sales-push-executive-in-charge-retiring-with-125-million/?utm_term=.658aaf8aca92
18 Egan, M. (2016, October 24). Wells Fargo’s reputation is tanking, survey finds. CNN Money. Retrieved from http://money.cnn.com/2016/10/24/investing/wells-fargo-fake-accounts-angry-customers/
19 Los Angeles Times. (2016, September 29). Wells Fargo updates: a parade of lawmakers rip into CEO John Stumpf. Retrieved from http://www.latimes.com/business/la-wells-fargo-live-updates-stumpf-ceo-stumpf-long-aware-of-issues-with-1475166245-htmlstory.html
20 Wells Fargo. (n.d.). 2016 Wells Fargo annual report. Retrieved from https://www08.wellsfargomedia.com/assets/pdf/about/investor-relations/annual-reports/2016-annual-report.pdf?https://www.wellsfargo.com/assets/pdf/about/investor-relations/annual-reports/2016-annual-report.pdf

21 McGee, S. (2016, September 22). Wells Fargo’s toxic culture reveals big banks’ eight deadly sins. The Guardian. Retrieved from https://www.theguardian.com/business/us-money-blog/2016/sep/22/wells-fargo-scandal-john-stumpf-elizabeth-warren-senate
22 Monica, P. (2016, September 9). Do more heads need to roll at Wells Fargo? CNN Money. Retrieved from http://money.cnn.com/2016/09/09/investing/wells-fargo-ceo-john-stumpf-scandal-berkshire-hathaway-warren-buffett/
23 Koren, J. R. (2016, September 29). Wells Fargo’s focus on ‘products’ is called out: ‘You don’t sell Veg-o-Matics’. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-wells-fargo-live-updates-stumpf-ceo-stumpf-long-aware-of-issues-with-1475166245-htmlstory.html
24 Jr., B. L., and Vielma, A. J. (2016, September 20). Sen. Elizabeth Warren’s full grilling of Wells Fargo CEO Stumpf: ‘Gutless leadership’. CNBC. Retrieved from http://www.cnbc.com/2016/09/20/senator-warren-on-wells-fargo-ceo-gutless-leadership.html
25 Cao, A. (2016, September 29). Lawsuit alleges exactly how Wells Fargo pushed employees to abuse customers. Time. Retrieved from http://time.com/money/4510482/wells-fargo-fake-accounts-class-action-lawsuit/
26 Cancialosi, C. (2016, September 15). Wells Fargo and the true cost of culture gone wrong. Forbes. Retrieved from https://www.forbes.com/sites/chriscancialosi/2016/09/15/wells-fargo-and-the-true-cost-of-culture-gone-wrong/#55d3e6165cbb
27 Cao, A. (2016, September 29). Lawsuit alleges exactly how Wells Fargo pushed employees to abuse customers. Time. Retrieved from http://time.com/money/4510482/wells-fargo-fake-accounts-class-action-lawsuit/
28 Tayan, B. (2016, December 2). The Wells Fargo cross selling scandal. Stanford Closer Look Series. Retrieved from https://www.gsb.stanford.edu/sites/gsb/files/publication-pdf/cgri-closer-look-62-wells-fargo-cross-selling-scandal.pdf
29 Cao, A. (2016, September 29). Lawsuit alleges exactly how Wells Fargo pushed employees to abuse customers. Time. Retrieved from http://time.com/money/4510482/wells-fargo-fake-accounts-class-action-lawsuit/
30 Tayan, B. (2016, December 19). The Wells Fargo cross-selling scandal. Harvard Law School Forum on Corporate Governance and Financial Regulation. Retrieved from https://corpgov.law.harvard.edu/2016/12/19/the-wells-fargo-cross-selling-scandal/
31 McCoy, K. (2017, January 11). Wells Fargo revamps pay plan after fake-accounts scandal. USA Today. Retrieved from https://www.usatoday.com/story/money/2017/01/11/wells-fargo-revamps-pay-plan-after-fake-accounts-scandal/96441730/
32 Foley, S. and Gray, A. (2016, September 15). Activist pushes for shake-up at Wells Fargo. Financial Times. Retrieved from https://www.ft.com/content/07f4bae0-7a88-11e6-ae24-f193b105145e
33 Craver, R. (2016, September 21). Wells Fargo’s stumbles raises call for separating chairman, CEO roles. Winston-Salem Journal. Retrieved from http://www.journalnow.com/business/business_news/local/wells-fargo-s-stumbles-raises-call-for-separating-chairman-ceo/article_30fc65d9-2a8f-544e-9fd1-e8a967d3416a.html
34 Kerber, R. and Freed, D. (2016, December 1). Wells Fargo amends bylaws to separate chairman and CEO roles. Reuters. Retrieved from http://www.reuters.com/article/us-wells-fargo-accounts-managementchange-idUSKBN13Q5N7
35 Keller, L. J. and Chiglinsky, K. (2016, December 2). Wells Fargo splits chairman, CEO roles after account scandal. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-12-01/wells-fargo-separates-chairman-and-chief-executive-officer-roles
36 Dreier, P. (2016, October 28). Can new CEO Tim Sloan fix scandal-plagued Wells Fargo’s corporate culture? The American Prospect. Retrieved from http://prospect.org/article/can-new-ceo-tim-sloan-fix-scandal-plagued-wells-fargo%E2%80%99s-corporate-culture
37 Reuters. (2016, October 17). Wells Fargo’s lack of new leadership casts doubt over its plan for change. Fortune. Retrieved from http://fortune.com/2016/10/17/wells-fargo-scandal-management/
38 Shen, L. (2016, October 13). Here’s how much Wells Fargo CEO John Stumpf is getting to leave the bank. Fortune. Retrieved from http://fortune.com/2016/10/13/wells-fargo-ceo-john-stumpfs-career-ends-with-133-million-payday/
39 Egan, M. (2016, October 13). Wells Fargo CEO walks with $130 million. CNN Money. Retrieved from http://money.cnn.com/2016/10/13/investing/wells-fargo-ceo-resigns-compensation/
40 McGrath, M. (2016, September 23). How the Wells Fargo phony account scandal sunk John Stumpf. Forbes. Retrieved from https://www.forbes.com/sites/maggiemcgrath/2016/09/23/the-9-most-important-things-you-need-to-know-about-the-well-fargo-fiasco/#59af2b713bdc
41 Egan, M. (2016, October 13). Wells Fargo CEO walks with $130 million. CNN Money. Retrieved from http://money.cnn.com/2016/10/13/investing/wells-fargo-ceo-resigns-compensation/
42 Ibid.
43 Gandel, S. (2016, September 12). Wells Fargo exec who headed phony accounts unit collected $125 million. Fortune. Retrieved from http://fortune.com/2016/09/12/wells-fargo-cfpb-carrie-tolstedt/
44 Egan, M. (2016, September 28). Wells Fargo fake accounts head could still walk with $77 million. CNN Money. Retrieved from http://money.cnn.com/2016/09/27/investing/wells-fargo-carrie-tolstedt/
45 Spross, J. (2016, September 29). The agonizingly familiar problem with Wells Fargo’s board of directors. The Week. Retrieved from http://theweek.com/articles/651716/agonizingly-familiar-problem-wells-fargos-board-directors
46 Koren, J. R. (2017, April 7). Most Wells Fargo board members should go, says influential advisory group. Retrieved from http://www.latimes.com/business/la-fi-wells-fargo-iss-20170407-story.html
47 Foley, S. (2017, April 5). Wells Fargo shareholders urged to reject board reappointments. Financial Times. Retrieved from https://www.ft.com/content/cba8dd2e-1973-11e7-a53d-df09f373be87
48 Wells Fargo. (n.d.). 2015 Proxy Statement. Retrieved from https://www08.wellsfargomedia.com/assets/pdf/about/investor-relations/annual-reports/2015-proxy-statement.pdf
49 Spross, J. (2016, September 29). The agonizingly familiar problem with Wells Fargo’s board of directors. The Week. Retrieved from http://theweek.com/articles/651716/agonizingly-familiar-problem-wells-fargos-board-directors
50 Gandel, S. (2016, September 20). The Wells Fargo board committee in charge of stopping phony accounts rarely met. Fortune. Retrieved from http://fortune.com/2016/09/20/wells-fargo-scandal-board-meetings/
51 Zingales, L. (2016, October 20). Where was Wells Fargo’s board? Bloomberg. Retrieved from https://www.bloomberg.com/view/articles/2016-10-20/where-was-wells-fargo-s-board
52 Spross, J. (2016, September 29). The agonizingly familiar problem with Wells Fargo’s board of directors. The Week. Retrieved from http://theweek.com/articles/651716/agonizingly-familiar-problem-wells-fargos-board-directors
53 Reuters. (2016, October 17). Wells Fargo’s lack of new leadership casts doubt over its plan for change. Fortune. Retrieved from http://fortune.com/2016/10/17/wells-fargo-scandal-management/

54 Keller, L. J. and Chiglinsky, K. (2016, December 2). Wells Fargo splits chairman, CEO roles after account scandal. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-12-01/wells-fargo-separates-chairman-and-chief-executive-officer-roles
55 Freed, D. (2016, November 15). Exclusive: four large Wells Fargo shareholders want more action from board. Reuters. Retrieved from http://www.reuters.com/article/us-wellsfargo-accounts-board-exclusive-idUSKBN13A297
56 University of Maryland. (2016, September 13). How Wells Fargo betrayed its customers. Retrieved from https://www.rhsmith.umd.edu/news/how-wells-fargo-betrayed-its-customers
57 Rossi, C. (2016, September 12). BankThink Wells’ risk management tools should have caught this sooner. American Banker. Retrieved from https://www.americanbanker.com/opinion/wells-risk-management-tools-should-have-caught-this-sooner
58 Egan, M. (2016, September 21). I called the Wells Fargo ethics line and was fired. CNN Money. Retrieved from http://money.cnn.com/2016/09/21/investing/wells-fargo-fired-workers-retaliation-fake-accounts/
59 Kasperkevic, J. (2015, April 12). Wells Fargo workers to protest company as ‘unreasonable’ sales quotas continue. The Guardian. Retrieved from https://www.theguardian.com/business/2015/apr/12/well-fargo-workers-protest-sales-quotas
60 Egan, M. (2016, September 21). I called the Wells Fargo ethics line and was fired. CNN Money. Retrieved from http://money.cnn.com/2016/09/21/investing/wells-fargo-fired-workers-retaliation-fake-accounts/
61 Lynch, S. (2016, September 29). Wells Fargo workers say they were fired for reporting “gaming” of sales quotas. Reuters. Retrieved from http://www.reuters.com/article/wells-fargo-accounts-whistleblower-idUSL2N1C41JX
62 Keller, L. J. (2017, April 4). Wells Fargo told to rehire whistle-blower, pay $5.4 million. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-04-03/wells-fargo-told-to-reinstate-whistle-blower-pay-5-4-million
63 Egan, M. (2016, September 21). I called the Wells Fargo ethics line and was fired. CNN Money. Retrieved from http://money.cnn.com/2016/09/21/investing/wells-fargo-fired-workers-retaliation-fake-accounts/
64 Dexheimer, E. (2016, November 4). Warren asks if reports show Wells Fargo punished fired workers. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-11-03/warren-asks-if-reports-show-wells-fargo-punished-fired-workers
65 Arndorfer, I. and Minto, A. (n.d.). The “four lines of defence model” for financial institutions. Bank for International Settlements. Retrieved from http://www.bis.org/fsi/fsipapers11.pdf
66 Bray, C. (2017, April 12). KPMG fires 6 over ethics breach on audit warnings. The New York Times. Retrieved from https://www.nytimes.com/2017/04/12/business/dealbook/kpmg-public-company-accounting-oversight-board.html?_r=0
67 United States Senate. (2016, October 27). Letter to KPMG. Retrieved from https://www.warren.senate.gov/files/documents/2016-10-27_Ltr_to_KPMG_re_Wells_Fargo_Audits_FINAL.pdf
68 Berger, R. (2016, October 31). Elizabeth Warren sends misguided letter to KPMG about Wells Fargo. Forbes. Retrieved from https://www.forbes.com/sites/robertberger/2016/10/31/elizabeth-warren-sends-misguided-letter-to-kpmg-about-wells-fargo/#19cffa071adc
69 Rapoport, M. (2016, November 1). Wells Fargo: where was the auditor? The Wall Street Journal. Retrieved from https://www.wsj.com/articles/wells-fargo-where-was-the-auditor-1478007838
70 Consumer Financial Protection Bureau. (2016, September 8). Consumer Financial Protection Bureau fines Wells Fargo $100 million for widespread illegal practice of secretly opening unauthorized accounts. Retrieved from https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-fines-wells-fargo-100-million-widespread-illegal-practice-secretly-opening-unauthorized-accounts/
71 Egan, M. (2016, November 21). Feds ‘tightening the straitjacket’ around Wells Fargo. CNN Money. Retrieved from http://money.cnn.com/2016/11/21/investing/wells-fargo-fake-accounts-occ/
72 Fox, M. (2016, September 22). Wells Fargo investigation only in third inning, Rep Hensarling says. CNBC. Retrieved from http://www.cnbc.com/2016/09/22/wells-fargo-investigation-only-in-third-inning-rep-hensarling-says.html
73 Wang, C. (2016, September 29). Wells Fargo scandal ‘makes a case’ for CFPB and its work, says congresswoman. CNBC. Retrieved from http://www.cnbc.com/2016/09/29/wells-fargo-scandal-makes-a-case-for-cfpb-and-its-work-says-congresswoman.html
74 Glazer, E. (2016, September 29). Three senators ask SEC to investigate Wells Fargo. The Wall Street Journal. Retrieved from https://www.wsj.com/articles/three-senators-ask-sec-to-investigate-wells-fargo-1475143204
75 Keller, L. J., Dexheimer, E., and Robinson, M. (2016, November 3). Wells Fargo facing SEC probe that could focus on disclosures. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-11-03/wells-fargo-says-sec-is-investigating-sales-practices-iv28suwy
76 Wilber, D. Q. and Puzzanghera, J. (2016, September 14). Justice Department is investigating Wells Fargo sales tactics. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-wells-fargo-investigation-20160914-snap-story.html
77 Koren, J. R. (2016, October 19). California attorney general investigating Wells Fargo on allegations of criminal identity theft. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-wells-fargo-harris-20161018-snap-story.html
78 Wilber, D. Q. and Puzzanghera, J. (2016, September 14). Justice Department is investigating Wells Fargo sales tactics. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-wells-fargo-investigation-20160914-snap-story.html
79 Foley, S. and Gray, A. (2016, September 15). Activist pushes for shake-up at Wells Fargo. Financial Times. Retrieved from https://www.ft.com/content/769b5460-790a-11e6-97ae-647294649b28
80 Freed, D. (2016, November 15). Exclusive: four large Wells Fargo shareholders want more action from board. Reuters. Retrieved from http://www.reuters.com/article/us-wellsfargo-accounts-board-exclusive-idUSKBN13A297
81 Egan, M. (2016, November 11). Warren Buffett hasn’t sold a single share of Wells Fargo following scandal. CNN Money. Retrieved from http://money.cnn.com/2016/11/11/investing/warren-buffett-wells-fargo-scandal/index.html
82 Frank, T. and Lewis, A. (2020, February 21). Wells Fargo to pay $3 billion in settling criminal and civil investigations into its fraudulent sales practices. CNBC. Retrieved from https://www.cnbc.com/2020/02/21/wells-fargo-to-pay-3-billion-in-setting-criminal-and-civil-investigations-into-its-fraudulent-sales-practices.html

COMMINSURE: NO ONE’S COVERED

CASE OVERVIEW1

In March 2016, Commonwealth Bank of Australia (CBA), Australia’s biggest bank, was caught in a second major scandal involving its insurance arm, CommInsure, just as it was recovering from the fallout from the previous financial planning scandal. CommInsure is one of Australia’s largest life insurance companies, with about 4 million policyholders.1 The CommInsure exposé created a huge uproar after it was accused of denying legitimate claims of sick Australians in their greatest time of need.2 The scandal went beyond CBA and highlighted issues in Australia’s life insurance industry. The objective of this case is to facilitate discussion of issues such as corporate culture; the role of the media; whistleblowing policy; shareholder-stakeholder conflict; and regulation of the insurance industry.

(FOUR) CORNERED

“How can someone go to bed at night with a clear conscience, knowing that somewhere in Australia there’s someone that’s dying in their darkest hour, and your organization throws up difficulties, hide behind technicalities, bully their way with their medical and legal experts... against a helpless and defenceless claimant. How can that be right?”
- Dr Benjamin Koh, Former Chief Medical Officer of CommInsure3

On 7 March 2016, Four Corners, Australia’s leading investigative journalism program, aired a 50-minute documentary following six months’ worth of investigations accusing CommInsure of unscrupulous practices in denying the legitimate claims of sick and dying policyholders. CommInsure was alleged to have manipulated client data, used outdated medical definitions, pressured doctors to modify opinions, and used delaying tactics in order to deny customers their claims.4

The documentary rocked the life insurance industry as the government scrambled to order an urgent Senate inquiry5 into the scandal, even as the Australian Securities and Investments Commission (ASIC) was investigating CBA’s financial advice scandal.

At the centre of the scandal was James Kessel, who had suffered a severe heart attack in September 2014. Kessel had been paying his life insurance premiums since his 20s, and never thought he would ever need it. When his claim was received by CommInsure’s HQ in November, it set off a series of events eventually leading to CommInsure’s exposé.

CommInsure’s outdated heart attack definition relied on the measurement of a protein called troponin, which is present in one’s body when heart tissue is damaged. Kessel’s troponin concentration in his blood fell below CommInsure’s stipulated troponin level that entitles a heart attack victim to a payout. On this basis, CommInsure rejected Kessel’s claim.6

Unbeknown to Kessel, there was an internal dispute on his case as an email had circulated in CommInsure, warning that rejecting Kessel’s claims based on troponin levels alone was not in line with current medical practices. The email recommended claims to be paid to Kessel as acting in “utmost good faith” is a legal requirement for insurers in assessing claims.7 However, this advice was allegedly swept under the mat.

Kessel’s claims then happened to be reviewed by Dr Benjamin Koh, the then chief medical officer (CMO) of CommInsure. Koh had realised that part of Kessel’s file was missing, and alerted the IT department to investigate, suspecting that a technical glitch may be deleting files.8 After his request was declined, Koh uncovered several more files which have been modified or deleted. It was allegedly common for claims assessors in CommInsure to pressure the medical team to omit or modify opinions which “ran counter to a claim strategy”, and Koh found the disappearance of the crucial files to seem too convenient.9 He raised his concerns to his manager, Helen Troup, and subsequently to the board under CommInsure’s whistleblower protection guidelines. Less than a year later, Koh was dismissed.

Koh later spoke to journalists of Four Corners, alleging that CBA had avoided paying the claims of policyholders by using outdated medical definitions, changing or deleting customer records, and pressuring doctors to provide opinions that were not in favour of customers.10

The First Seizure

Despite executives’ knowledge of the bank’s usage of outdated definitions of heart attacks since 2012,11 CommInsure chose not to update its policies. The CMO before Koh had advised the executives to update

This case written by Eng Lik Hng Jethro, Gay Ling Ling, Gong Jie Hui, Lee Li Xin and Rowena Teo Yu Qi under the supervision of Professor Mak Yuen Teen. The case was developed from
published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this
case are not necessarily those of the organisations named in the case, or any of their directors or employees. This case was edited by Professor Mak Yuen Teen and Professor Richard Tan.

CommInsure’s existing heart attack definition, which required troponin levels in the blood to be 20 times higher than those required by the current universal definition.12 However, this advice fell on deaf ears. Two years later, the executives were warned again that CBA’s definitions would discriminate against policyholders, this time by Koh. His advice too was ignored.

On 12 September 2018, Troup, the Managing Director of CommInsure, admitted that the company’s failure in keeping medical definitions updated was due to its profit-making objectives.13

“STAR” TREATMENT FOR STAR EMPLOYEES

CommInsure had a talented medical team of professionals responsible for independent medical underwriting, claims and product advice. This was unlike the industry norm where companies entrusted those roles to non-medically trained persons.14 Koh instilled a motto of “Evidenced, Reasoned and Utmost Good Faith” in his medical team when he first joined the company,15 but he would soon find out that the company did not seem to place any regard at all to their moral obligations.

Misleading Advertisements

Misleading and deceptive advertisements were also allegedly made on CommInsure’s websites19 from mid-2013 to March 2016, where policyholders were led to believe that if they were to suffer a heart attack, they would be entitled to a lump sum payment, when in fact only heart attacks meeting outdated and restrictive medical criteria defined in the policy were covered.

Aftermath

ASIC concluded its investigations into CommInsure after almost two years. It was unable to find evidence supporting allegations that CommInsure claims managers had applied undue pressure on doctors to alter their medical opinions, or that medical records of customers had been deleted or modified in any inappropriate way.20

ASIC also announced that CommInsure’s use of severely outdated medical definitions in its trauma policies did not breach any laws, even though it was unethical as consumers cannot be expected to know if a medical definition is outdated.21 However, it prompted ASIC deputy chairman Peter Kell to call for law reforms, including no longer exempting insurance claims handling
from several laws, harsher penalties for breaches of
Incriminating documents of complaints that doctors
good faith, and subjecting insurance to bans on unfair
were pressured to modify opinions to avoid payouts, and
contract terms.22 On top of this, ASIC said it is pressuring
heated emails telling doctors to “stick to the brief” were
companies to treat clients better, through better and
leaked.16 Testimonies from Koh also added to the serious
faster interaction and increased preparation and support
allegations that CommInsure bullied doctors to rectify
from claims executives.
their medical opinions in order for claims to be denied.
In response to ASIC’s request that CommInsure conduct
CommInsure was also said to have not spared even its
an independent investigation to provide reassurance,
best employees in its treatment of policyholders. One
CommInsure appointed Deloitte as an independent
of the harrowing stories featured in the documentary
expert to assess the bank’s alleged misconduct and law
was that of Matthew Attwater. He had been one of
firm DLA Piper to review ethical concerns.23 However,
CBA’s star employees before suffering major depression
Deloitte expressed that it “did not identify any systemic
and post-traumatic stress disorder in March 2013. After
issues relating to historically declined claims and did
informing his superiors about his condition, Attwater
not identify any evidence that the current and planned
was permanently medically retired from CBA and the
improvements to the claims handling processes are
workforce in general.17 Attwater had purchased his
designed in a way that could systematically deliver poor
insurance with CommInsure, but his claim for total and
customer outcomes”.24 Criticisms were raised as Deloitte
permanent disability18 was rejected on the basis that
relied only on the files provided by CommInsure, and did
he was capable of returning to work, even though he
not interview the customers or their families. Reports by
was declared unfit for work due to his “severe mental
DLA Piper remain confidential.25
symptoms”.
CommInsure also formally acknowledged that it
It was reported that in the two-and-a-half years it took for
published misleading advertisements for its Total Care
CommInsure to assess his claim, Attwater was forced to
Plan and Simple Life Insurance and was ordered to make
sleep in his car. It was only after his interview with Four
an A$300,00026 community benefit payment instead of an
Corners that his case was finally settled.
A$8 million fine.

CommInsure also updated key definitions in trauma insurance relating to heart attacks and arthritis. The updated definition of heart attack was applied retrospectively to May 2014, resulting in an additional A$2.5 million paid to 17 people.27

A heart attack victim, having seen the media reports, attempted to file again for a claim previously rejected by CommInsure in January 2014, but was rejected again. However, he had the backing of the Financial Ombudsman Service (FOS) this time, which demanded that CommInsure provide medical reports supporting its decision. After repeatedly challenging the FOS’ authority, the bank finally provided the evidence behind its rejection – but the document was redacted to omit medical opinions in favour of the claim.28 FOS brought up the matter to ASIC, accusing CommInsure of “serious misconduct” after CommInsure refused to explain the redaction. CommInsure was given a warning from ASIC to not mislead FOS again, and CommInsure later took the definition further back to 2012.29

In addition, CBA announced the creation of a Claims Review Panel, to “provide an additional layer of assurance for complex claim assessment and decision-making processes” in CommInsure. Where CommInsure’s claims committee recommends a complex life insurance claim be declined, it will be referred to the Panel. The Panel will consist of at least two independent panel members, along with Troup, and aims to provide an independent review and assessment of each claim to provide confidence that the outcomes are fair and consistent. A sub-committee of the CommInsure Board, comprising independent non-executive directors, will monitor the outcomes of the panel.30

At a parliamentary hearing, Ian Narev, CBA’s then-CEO and Managing Director, confirmed that no one at CBA had been sacked for poor dealings with respect to individual customer insurance cases.31

CORPORATE CULTURE

“Profit before anything else”. This quote from Koh has been cited in many headlines surrounding the incident as the underlying theme of the entire scandal. Critics such as Koh perceive CommInsure’s corporate culture as one where the company was not just bent on earning maximum profits, but had forgone whatever ethics they had in order to achieve them32 while trampling over the rights of both employees and policyholders.33

There were several practices in CommInsure which fueled the firm’s culture of valuing profits above the interests of its stakeholders, starting from the claims department.

Remuneration of claims managers was tied to key performance indicators (KPIs) such as the ratio of paid claims to premiums earned. Claims staff were able to affect the amount paid for claims. Despite possessing very limited medical knowledge, claim assessors in CommInsure could determine how long it takes to assess a claim, the way a customer is treated while the claim is being assessed, and more importantly, have the final say on whether a claim will be paid.34 The assessors also allegedly paid scant regard to the professional opinions and ethical obligations of CommInsure’s doctors, bullying them to change opinions not fitting the “claims strategy”.

“They were quite blatant about it… ‘can you please change it or delete it so that we can go to someone else to provide another opinion that’s more favourable’.”35
– Dr Benjamin Koh

This culture was exacerbated when Troup joined CommInsure as its top executive in April 2014. Within the medical team, there were already fears that the restructuring led by Troup would give more power to claims managers and underwriters, at the expense of the medical team, who were meant to independently judge the condition of customers.36

A feedback presentation on Koh and his medical team showed the lack of check-and-balance medical officers were able to provide on claim managers. Koh and his team were told to “stop providing opinions where not required/requested” and “start allowing case managers to pick the doctor they want to refer to” amongst many other criticisms.37 Despite having the title of CMO, Koh’s and his predecessor’s advice to change the then-existing definition for heart attack in May 2014 and 2012 were disregarded on both occasions, causing heart attack claims to continuously be denied. This was not an isolated incident but rather, one that reflected the culture of CommInsure - where claim assessors and managers wield considerable power.

THE APPLE DOESN’T FALL FAR FROM THE TREE

In this case, the apple, in the form of CommInsure, does keep the doctor away by denying policyholders their claims. However, it seems that CommInsure’s aggressive profit-driven culture matches that of its parent’s, CBA.38

A short year before the CommInsure scandal, CBA’s misconduct in its wealth management arm was exposed. The aggressive sales-driven culture had pressured financial advisors to place their clients’ money into high-risk investments without permission. The public brushed the incident away, thinking that it was a one-off incident. However, that was just the start of the damage to CBA’s reputation.

Board of Directors

Details of CommInsure’s board are not available in CBA’s Annual Report. CBA’s 2015 and 2016 Annual Reports showed that CBA’s board had 11 and 12 directors respectively (excluding directors who retired during the year). According to a report by The Korn/Ferry Institute in 2013,39 Australia’s average board size was 8.4.

Directors’ Remuneration

In CBA’s 2015 Annual Report, the CEO and Group Executives’ pay comprised three elements: fixed remuneration, short-term incentive (STI) at risk and long-term incentive (LTI) at risk. They are rewarded up to 150% of their STI target, depending on performance. The LTI is measured against relative Total Shareholder Return (TSR) and customer satisfaction, with weighting of 75% and 25% respectively. The vesting period was four years. Non-financial performance criteria included the alignment to the key business priorities of customer focus and long-term shareholder value creation.

In the 2016 annual general meeting (AGM), there were objections to the executive remuneration report by nearly 49% of the shareholders, well above the 25% mark which constitutes a ‘strike’. With a second strike in the next AGM, the board would be required to disclose certain information for the board. The Australian Shareholders’ Association said that the variable remuneration goals had become subjective and discretionary rather than being measurable.40 For its STI, the CEO’s remuneration had a 40% weightage based on financial outcomes, executives managing business units had 45%, and those managing support units had 25%, according to its annual report.

Following the Royal Banking Commission’s investigations on CBA, it was revealed that while scandal after scandal was being unearthed within CBA, executives continued receiving multi-million-dollar short-term incentive payments of up to 150% of their base pay. In fact, while CBA was embroiled in its insurance arm scandal, then-CEO Narev recommended all executives receive at least 100% of their short-term incentives, in part because they had met their risk-management objectives in 2016.41 The then-chairman Turner recommended Narev receive 108% of his target bonus, on top of his fixed pay.42 Only one executive - CBA’s then-head of wealth, Annabel Spring, had her bonus reduced to 95% over CommInsure’s scandal.

Catherine Livingstone, CBA’s Chairman during the investigations, admitted that the board’s “10-minutes discussion” of the CEO’s remuneration recommendations was inadequate, and the board ought to have challenged it.43 Livingstone confirmed that from 2011, CBA had never reduced an executive’s short-term remuneration as a result of a risk-related incident that had not yet been made public. Livingstone added that the board was sending a message that “there will only be consequences if there is a public event, a media event”.44

In light of the scandals faced, the bank said that it would change the composition of long-term incentives of its top executives, from the original 75% linkage to shareholder returns and 25% linkage to customer satisfaction, to a new 25% focus on “people and community”, 50% on shareholder returns, and 25% on customer satisfaction.45

Beauty, or Rather Ethics, is Skin Deep

CBA often made great play of their corporate governance strategies, with CBA’s executives and directors constantly parroting that CBA upholds high ethical standards. Back in 2015, David Turner, CBA’s Chairman, said that “(CBA) will be the ethical bank, the bank others look up to for honesty, transparency, decency, good management, openness”46 in response to its financial planning scandal. Subsequent scandals prove that CBA’s promises and policies were all for show.

One of the corporate governance failings was in CBA’s whistleblowing policy “SpeakUp”, which promised protection to whistleblowers and assured that proper action will be taken to address concerns.47 Koh reported his concerns under this very policy on numerous occasions, to Troup, key independent directors of the CommInsure board, and also an intermediary the board had put in place. The board promised an audit but refused to disclose details about the investigation or outcome.48 Shortly after, he was fired on 11 August 2015.

CommInsure gave Koh an option to resign and take a payout, as long as he signed a gag order. Koh walked away.49 This is not the first time CBA’s whistleblowing policy had apparently failed and the whistleblower fired. The previous scandal in CBA’s financial planning department saw whistleblower Jeff Morris allegedly fired and subjected to a witch hunt by the bank.50 The bank
also allegedly failed to protect another whistleblower, Tim Cradock back in 2013.51

CBA’s head of compliance department made a scathing remark about how the compliance department’s concerns were never taken seriously, and that compliance was seen as a “rubber stamp” exercise in CBA.52

AUSTRALIA’S INSURANCE INDUSTRY

While CommInsure’s corporate culture has been attributed to CBA’s own culture, such a culture was said to be pervasive in the Australian insurance industry.

Insufficient Insurance

“They are paying commissions to financial advisers to sell product and, at the same time, they’re obviously seeking to contain costs, obviously seeking to maximize profitability,”
- David Whiteley, Industry Super Australia CEO53

The life insurance industry has an inherent conflict of interest. By promising more benefits to policyholders, an insurance company can reap more revenues,54 but fulfilling those promises through claim payouts will undermine their profit margins. There is an in-built propensity for insurance providers to make a lot of promises yet fulfil as few of them as possible.

Under CBA’s pay structure, employees received commissions that were pegged to the risk levels of investment assets sold, which incentivised financial planners to encourage their clients to opt for riskier products.55 This was made worse by CBA’s “boiler-room” culture, where high-pressure sales tactics and strategy to sell financial products thrived.56

In Australia, ASIC and Australian Prudential Regulation Authority (APRA) watch over the insurance industry. ASIC has the responsibility to take action to enforce and give effect to the law that governs the industry, to minimise misconduct and promote confident and informed participation by investors and consumers.57 This is enforced through two External Dispute Resolution schemes (EDRs) - the Financial Ombudsman Service (FOS) and Credit and Investment Ombudsman (CIO), funded by members including banks, financial advisors and other financial service providers. This results in a significant private and self-regulatory element in Australia’s regulatory framework.58

When the largest Australian banks made the decision to move into wealth management, the string of financial scandals that followed suggests that this may not have served Australian consumers well. CommInsure and CBA were not the only ones who have been accused of unscrupulous behavior - other big banks like Westpac and National Australia Bank faced similar accusations.59 The pervasive allegations of misconduct highlight real issues in Australia’s financial services sector as a whole - that regulators may have contributed to misconduct with their lack of oversight and slow actions.60

“It’s an industry that is in catch-up mode, where some of the practices and products have not kept pace with consumer expectations, and the very blunt message is that has to change.”61
- Peter Kell, ASIC deputy chairman

After the exposé by Four Corners, Parliament was pushed to consider a bill to tighten regulations of the industry since ASIC’s review found that 37% of life insurance advice failed to comply with the law.62 The Government also ordered that ASIC conduct an urgent review into whether the questionable practices raised were systemic in the whole industry, rather than just isolated to CommInsure.

The Watchdog Nobody Fears

ASIC’s findings in the investigation of CommInsure following the scandal disappointed many.63 Due to deficiencies and loopholes in the law, CommInsure managed to get away with their harmful products and behaviour, and simple advice from ASIC to “treat their customers better.” This was only one case amongst many where ASIC failed to come down hard on companies that have committed misconduct.

ASIC had often come under fire for its lenient methods of enforcement, as the regulator often imposes administrative or negotiated sanctions, likened to regulatory parking fines, rather than taking tougher action.64 ASIC has also been called a “spectator” rather than the “tough cop on the beat”65 the Minister for Financial Services had claimed it was, as it had always been other parties, such as Four Corners, who sniffed out misconduct in the sector.66

James Shipton, head of ASIC, admitted that ASIC may be too lenient and appear “too friendly” with Australia’s major banks.67 Commissioner Kenneth Hayne also frowned upon ASIC’s familial and social approach towards dealing with banks, questioning why ASIC officials often held informal meetings with the heads of Australia’s banks, and did not take notes during those meetings.68

Back in 2014, the previous ASIC Chairman, Greg Medcraft, had admitted that the regulatory environment in Australia did not have harsh enough civil penalties, remarking that “(Australia) is a bit of a paradise, ... for white collar (criminals)”.69 However, Medcraft also claimed that it did not receive enough funding and resources, which curtailed its ability to crack down on errant companies.70

Salvaging the Industry

Following the financial planning scandal, Labor Senator Mark Bishop chaired a Senate committee inquiry, which recommended a Royal Commission into CBA and ASIC.71

Under political pressure and following the spate of scandals, Prime Minister Malcolm Turnbull announced the formation of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, otherwise known as the Banking Royal Commission, on 14 December 2017, in order to restore public faith in the sector.72 The Royal Commission uncovered the glaring issues behind the CommInsure scandal that many have known for a long time.73

The Commission’s report contained 76 recommendations, with a key focus on closing legal loopholes, increasing protection for consumers and the banning of particularly egregious sales practices in the pension and insurance markets.74 A new oversight authority, Australian Financial Complaints Authority (AFCA), started operations on 1 December 2018 for dispute resolution in the banks and financial services sector.75

Following the CommInsure scandal, regulatory pressure has been put on the whole industry. APRA wrote to the boards of all active life insurers seeking information about the effectiveness of their governance and oversight mechanisms for claims handling, benefit definitions, rejected claims and customer complaints.76 The importance of consumer protection relating to updating of out-of-date medical definitions for life insurance policies created a “legacy products” issue in the life insurance industry, and the government is currently considering this industry-wide issue further in response to recommendations from the Financial System Inquiry.77

FORGOTTEN VOICES

CBA has a relatively dispersed shareholding structure, with no dominant majority shareholder.78 From 2014 to 2017, no single shareholder held more than 20% of the shares, while management owned less than 0.1% of shares collectively.79 Dispersed shareholders are likely to be more concerned with short-term profits like dividends and the company’s earnings, due to a lack of incentive in monitoring the management of the company.

While CBA’s profits and dividends declared to shareholders increased, the Prudential Inquiry Final Report on CBA released by APRA on 1 May 2018,80 found that two other critical voices became harder to hear: that of the customer, and talk of non-financial risks.81 APRA said that CBA’s continued financial success had “dulled the institution’s senses to signals that might have otherwise alerted … to a deterioration in CBA’s risk profile”, and this was particularly apparent in the non-financial risks identified.82 Some of the key issues identified included a lack of accountability and ownership of risks, framework of processes that “worked better on paper than in practice” and a remuneration framework that had “little sting” for the senior management when issues with stakeholders occurred.83

APRA identified a widespread sense of complacency and overconfidence from top down due to the bank’s strong financial performance. The reactive culture and complacency lulled CBA into a false sense of security. In addition, the collegial and collaborative working environment lessened constructive criticisms, and with a lack of reflection on past incidents, CBA became insular, limiting its ability to accurately identify risks.84

While CBA’s shareholders enjoyed their share of dividends, this was at the expense of CBA’s customers. However, they are now bearing the bulk of the costs as current CEO Matt Comyn confirms that the customer compensation amount would be borne by the bank’s shareholders.85

Besides shareholders, other key stakeholders include customers, the community, CBA staff and regulatory bodies. The Group’s engagement with other stakeholders is less than acceptable considering the scandals that have occurred from 2003 to 2018. The lack of customer protection and victimisation of whistleblowers who reported misconduct issues are major areas of concern. Only with the government’s intervention and the threat of a royal commission were the matters then set right. ASIC’s slow response on investigation and indecisive action with regards to whistleblowing did not help the situation.

Findings in the Deloitte report86 commissioned by CommInsure regarding accusations of their misconduct revealed no wrongdoing on their part. Notwithstanding
that, the alleged misconduct had already undermined the trust and confidence of the policyholders and community. The review also found CommInsure’s heart attack definitions were consistent with some but not the majority of players in the industry in May 2014. Executives were aware of the outdated medical definitions since 2012 but chose not to update its policies since it “ran counter to a claim strategy”. This reflects the shareholder’s wealth maximization corporate objective which is widely accepted barring a few exceptions.

CBA Group has since been placing more focus on stakeholders under its Corporate Governance Framework. In its 2019 Corporate Governance Statement, stakeholder engagement is set out as: “… providing better outcomes for customers, earning the trust of the communities we serve, ensuring our people are energized and accountable, and delivering sustainable, long-term returns for our shareholders.”

GOVERNANCE FROM ABOVE

ASX Corporate Governance Council’s 4th edition of Corporate Governance Principles and Recommendations published in February 2019 describes corporate governance as “the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanisms by which companies, and those in control, are held to account.”87

CBA’s corporate governance from 2014 to 2016 was described in a separate report (Corporate Governance Statement), with brief comments on these issues in the Chairman’s Statement of their Annual Reports (AR).88 With the appointment of Livingstone as Chairman on 1 January 2017, the 2017 AR was revamped and a comprehensive section on Corporate Governance was included.

Since 2017, CBA has been strengthening corporate governance practices for the group to meet the higher standards expected of them in light of the APRA Prudential Inquiry and the Final Report released by the Royal Commission. A section for “Whistleblower protection” was added in CBA’s 2017 Corporate Governance Statement89. This section was not included in their 2015 Statement. The 2019 Corporate Governance Statement90 was further expanded and describes the key governance arrangements and practices of the Group which met all the requirements of the fourth edition of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations. The Board now regularly reviews and refines its corporate governance arrangements and practices in light of new laws and regulations, evolving stakeholder expectations and the dynamic environment in which the Group operates.

To monitor the bank’s culture and effectiveness of its cultural change initiatives, CBA gathers information from employee surveys, audit and compliance reports, whistleblower reports and other sources. The Group’s Code of Conduct sets the standards of behaviour expected of employees when engaging with and balancing the interests of stakeholders.91 Material breaches must be reported to the Audit Committee.

The Group Whistleblower Policy outlines the protection extended to a whistleblower from any form of retaliation or victimisation, including termination of employment, harassment and discrimination.92 The Risk Management Framework allows the Group to manage risks within a Board-approved risk appetite and is regularly reviewed in light of emerging risks arising from changing business environments, better practice approaches and regulatory and community expectations.93 The board’s approach to its composition and renewal emphasises the need for: (i) an appropriate mix of relevant skills, expertise and experience, and (ii) independence by adopting Independence Standards for assessment.

LESSON LEARNT, OR NOT

For wholly-owned subsidiary CommInsure, the corporate culture in its parent company, CBA, played a significant part in influencing the corporate culture of CommInsure. Thus, when CBA’s other business units came under fire in scandals from money laundering to hawking less than a year after its insurance arm scandal, it was not a surprise.

The Final Straw

On 3 August 2017, Federal financial intelligence agency, AUSTRAC, accused the bank of serious and systemic failures to report suspicious deposits, transfers and accounts, which resulted in millions of dollars flowing through to drug syndicates. CBA admitted to the late filing of 53,305 reports of transactions of A$10,000 or more through its intelligent deposit machines (IDMs), preventing AUSTRAC’s effective monitoring of money flow.94 The biggest fine to date in Australian corporate history of A$700 million was paid by CBA for breaches of anti-money laundering and counter-terrorism financing laws.

A Change of Faces

After CommInsure, it took one more scandal to prompt CBA to take more drastic action. On 8 August 2017, one day after AUSTRAC’s was reported in the news, CBA’s Chairman Livingstone released a statement announcing that the board had decided to cut its short-term variable bonuses for Narev and senior executives for the financial year ended 30 June 2017, as well as cut its non-executive directors’ fees by 20% in the 2018 financial year.95 Livingstone also said that in addition to hiring more than 50 financial crime experts and spending more on technology, CBA will be revamping its board. This included the retirement of Laura Inman and Harrison Young in November, Andrew Mohl who would seek re-election for one more year, and the recruitment of former Westpac banker Rob Whitfield.96

In January 2018, CBA announced that Comyn would replace Narev as CBA CEO,97 claiming that Narev’s retirement had nothing to do with the scandals.

Once Bitten, Never Shy. The Attacks Continue

A year later, on 13 March 2018, CBA once again made headline news. It had breached its insurance license conditions by mis-selling credit card insurance to customers who were ineligible for the product. The Hayne Royal Commission heard that CBA should not have sold its Creditcard Plus insurance to 64,000 customers,98 who were unemployed when they purchased the credit card insurance, despite that being a requirement under the eligibility criteria.

Comyn personally admitted under the commission’s grilling that CBA’s culture had problems - short-term bonuses for staff often carried an inherent risk that they would encourage staff to put their own interests ahead of a customer’s. However, despite the identification of such risks, Comyn ultimately decided against ending bonuses, stating that it was necessary to motivate and incentivise staff.99

Other flawed practices revealed during the Royal Commission included the charging of “ongoing service” fees to 31,500 customers between July 2007 and June 2015 by the CBA financial planning business, despite the lack of evidence to show that it actually provided any services to those customers, as well as CBA’s lack of actions taken under the 2017 Sedgwick review to changing its volume-based commissions paid to mortgage brokers, which encouraged them to write larger-than-necessary loans, in turn putting customers at risk.100

On 4 October 2019, CBA made what was becoming an annual appearance in the news, when CommInsure was charged with breaching an anti-hawking law 87 times.101 CommInsure illegally sold “Simple Life”, a life insurance policy using unsolicited phone calls, through Aegon Insights Australia, its agent telemarketing firm. Hawking is an unethical and aggressive sales strategy that has pressured Australians into buying products they don’t need.102

Will CBA Ever Learn?

Although CBA is in the process of selling CommInsure to global group AIA as part of a plan by Comyn to strip the company of its scandal-prone financial advice and insurance arms to return to the core business of taking deposits and making loans, the sales process has been delayed and is not expected to be completed until 2020.103 Would the simplification of CBA’s portfolio of businesses through severing the insurance arm mean “excellent customer outcomes” as promised by Comyn?104

As CBA and its revamped board of directors attempt to start afresh in the changing and ever more competitive banking landscape, the public waits in anticipation for its next move. While CBA has accurately pinpointed the company’s culture to be the root problem, whether it is able to overcome it remains to be seen.

DISCUSSION QUESTIONS

1. Commonwealth Bank of Australia (CBA) group had put a whistleblower protection policy in place following the Commonwealth Financial Planning Limited (CFPL) scandal from 2003 to 2012. Provide reasons as to why CommInsure was still unable to avert the scandal in its insurance arm? Comment on CommInsure’s actions taken in response to its insurance arm scandal.

2. The exposé on CommInsure was a combined effort between Fairfax Media, and the investigative journalism programme Four Corners. Discuss the role of the media in monitoring the insurance industry’s corporate governance. Compare this with your country.

3. Should the parent, CBA, be responsible for the CommInsure’s corporate governance and risk management? Discuss this in the context of board risk governance and the Enterprise Risk Management (ERM) framework. In what ways have weaknesses in CBA’s business and remuneration policies led to the failures in CommInsure?

4. The financial impact on CBA’s share price arising from the scandals of CFPL and CommInsure appears to be short term and only during the period of the media reports. Discuss the significance of these scandals to CBA’s reputation and explain the damage, if any, to the CBA brand.

5. ASIC’s investigation report on CommInsure mentioned that “CommInsure had trauma policies with medical definitions that were out of date with prevailing medical practice, … However, this was not against the law…”. As this is a “legacy product” issue in the life insurance industry, is it fair to say that CommInsure is only partly responsible for the scandal? Discuss how a company’s business strategy may prevent it from upholding high ethical standards and integrity. Comment on whether the regulators’ “light-touch” approach has failed to correct the industry’s culture.

6. APRA’s Final Report dated 1 May 2018 of the Prudential Inquiry into CBA stated that “CBA’s continued financial success dulled the senses of the institution” resulting in a deterioration in CBA’s risk profile, in particular its operational, compliance and conduct risks. Discuss the importance of risk management and its connection to corporate governance.

ENDNOTES

1 Fogarty, R. (2016, March 8). CommInsure: Who’s who in the Commonwealth Bank’s life insurance scandal? ABC News. Retrieved from https://www.abc.net.au/news/2016-03-07/CommInsure-scandal-whos-who-four-corners/7226576
2 Ferguson, A. (2016, March 6). ASIC to Investigate CBA’s Life Insurance Arm. The Australian Financial Review. Retrieved from https://www.afr.com/companies/asic-to-investigate-cbas-life-insurance-arm-20160306-gnbmox
3 Four Corners. (2016, March 7). Money For Nothing. ABC News. Retrieved from https://www.abc.net.au/4corners/money-for-nothing-promo/7217116
4 Williams, R. (2016). Terminal Illness. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/interactive/2016/CommInsure-exposed/terminal-illness/?prev=2
5 Borrello, E. (2016, March 8). Inquiry urged into ‘disgraceful’ CBA insurance scandal. The New Daily. Retrieved from https://thenewdaily.com.au/news/national/2016/03/08/inquiry-urged-disgraceful-commbank-insurance-scandal/
6 Ibid.
7 Ibid.
8 Ferguson, A., Christodoulou, M., & Toft, K. (2016, March 8). ‘Your heart’s ripped out’. Stuff. Retrieved from https://www.stuff.co.nz/business/world/77645165/your-hearts-ripped-out
9 Four Corners. (2016, March 7). Money For Nothing. ABC News. Retrieved from https://www.abc.net.au/4corners/money-for-nothing-promo/7217116
10 Australian Government Treasury. (2018, August). Financial Services Royal Commission. Retrieved from https://apo.org.au/sites/default/files/resource-files/2018/08/apo-nid189016-1099121.pdf
11 Myer, R. (2018, September 12). CommInsure ‘misled’ financial ombudsman over claims details. The New Daily. Retrieved from https://thenewdaily.com.au/money/finance-news/2018/09/12/CommInsure-misled-financial-ombudsman/
12 Ferguson, A., Christodoulou, M., & Toft, K. (2016, March 7). CommInsure denies heart attack claims by relying on outdated medical definition. ABC News. Retrieved from https://www.abc.net.au/news/2016-03-05/CommInsure-denying-heart-attack-claims/7218818
13 Yeates, C. (2018, September 12). CBA admits it ignored heart attack warning for profit. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/cba-admits-it-ignored-warnings-over-heart-attack-rules-20180912-p503b3.html
14 Ferguson, A. (2017, August 3). ‘Why would you torment a dying person and their family?’. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/money/insurance/why-would-you-torment-a-dying-person-and-their-family-20190731-p52cpb.html
15 Ibid.
16 Ferguson, A. (2017, March 7). CommInsure: Doctors pressured to help CBA’s insurance arm avoid payouts to sick and dying, whistleblower says. ABC News. Retrieved from https://www.abc.net.au/news/2016-03-07/CommInsure-whistleblowersays-doctors-pressured-change-opinions/7226910
17 Ferguson, A., Christodoulou, M., & Toft, K. (2016, March 6). CommInsure accused of turning its back on its own mentally ill employee. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/CommInsure-accused-of-turning-its-back-on-its-own-mentally-ill-employee-20160304-gnakh2.html

18 Four Corners. (2016, March 7). Money for Nothing. Retrieved from https://www.abc.net.au/4corners/money-for-nothing-promo/7217116
19 Australian Securities & Investments Commission. (2017, December 18). 17-443MR CommInsure pays $300,000 following ASIC concerns over misleading life insurance advertising. Retrieved from https://asic.gov.au/about-asic/news-centre/find-a-media-release/2017-releases/17-443mr-CommInsure-pays-300-000-following-asic-concerns-over-misleading-life-insurance-advertising/
20 Robertson, A. (2017, March 23). ASIC’s CommInsure report finds no breaches of the law. ABC News. Retrieved from https://www.abc.net.au/news/2017-03-23/corporate-regulator27s-report-into-CommInsure-finds-no-breach/8380494
21 Ibid.
22 Ferguson, A. (2017, March 24). CommInsure report an indictment on the whole industry. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/CommInsure-report-an-indictment-on-the-whole-industry-20170323-gv4w8h.html
23 Robertson, A. (2017, March 23). ASIC’s CommInsure report finds no breaches of the law. ABC News. Retrieved from https://www.abc.net.au/news/2017-03-23/corporate-regulator27s-report-into-CommInsure-finds-no-breach/8380494
24 Ferguson, A. (2017, February 28). Deloitte’s findings on CommInsure don’t go far enough. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/deloittes-findings-on-CommInsure-dont-go-far-enough-20170228-gungnv.html
25 Montero, J. (2017, March 1). Commonwealth Bank hires Deloitte to design a cover up over CommInsure allegations. Retrieved from http://the-pen.co/allegations-have-not-bee-nanswered/
26 Yeates, C. (2017, December 18). CommInsure to pay $300,000 over misleading ads. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/CommInsure-to-pay-300-000-over-misleading-ads-20171218-p4yxtf.html
27 Ferguson, A. (2017, February 28). Deloitte’s findings on CommInsure don’t go far enough. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/deloittes-findings-on-CommInsure-dont-go-far-enough-20170228-gungnv.html
28 Thomson, J. (2018, September 12). Commonwealth Bank heart attack silliness comes back to bite in royal commission. The Australian Financial Review. Retrieved from https://www.afr.com/companies/financial-services/commonwealth-bank-heart-attack-silliness-comes-back-to-bite-in-royal-commission-20180912-h15acz
29 Ibid.
30 Commonwealth Bank Media. (2016, April 15). CommInsure Appoints Independent Members to Claim Review Panel. Retrieved from https://www.commbank.com.au/about-us/news/media-releases/2016/CommInsure-appoints-independent-members-to-claims-review-panel.html
31 Jovanovic, M. (2016, October 5). CBA boss admits no one sacked over life insurance scandal, defends huge profits. SBS News. Retrieved from https://www.sbs.com.au/news/cba-boss-admits-no-one-sacked-over-life-insurance-scandal-defends-huge-profits
32 McConnell, P. (2016, March 8). The CommInsure scandal highlights a conflict at the heart of all insurance. Business Insider. Retrieved from https://www.businessinsider.com.au/the-CommInsure-scandal-highlights-a-conflict-at-the-heart-of-all-insurance-2016-3
33 Ferguson, A. (2016, March 7). CommBank under fire for ‘staff treatment’. The New Daily. Retrieved from https://thenewdaily.com.au/news/national/2016/03/07/comm-bank-under-fire-for-staff-treatment/
34 Ferguson, A. & Williams, R. (2016, April 2). Conflicts at CommInsure: more details emerge showing it’s time for change. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/conflicts-at-CommInsure-more-details-emerge-showing-its-time-for-change-20160401-gnvqeo.html
35 Ferguson, A., Toft, K., & Christodoulou, M. (2016, March 7). CommInsure: Doctors pressured to help CBA’s insurance arm avoid payouts to sick and dying, whistleblower says. ABC News. Retrieved from https://www.abc.net.au/news/2016-03-07/CommInsure-whistleblowersays-doctors-pressured-change-opinions/7226910
36 Ferguson, A. & Williams, R. (2016, April 2). Conflicts at CommInsure: more details emerge showing it’s time for change. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/conflicts-at-CommInsure-more-details-emerge-showing-its-time-for-change-20160401-gnvqeo.html
37 Ibid.
38 Janda, M. (2017, August 28). Commonwealth Bank to face independent inquiry from banking regulator APRA. ABC News. Retrieved from https://www.abc.net.au/news/2017-08-28/commonwealth-bank-to-face-independent-inquiry-apra/8848004
39 Mak, Y. T. (2012, April 16). The Diversity Scorecard: Measuring Board Composition in Asia Pacific. Retrieved from https://issuu.com/kornferryinternational/docs/the_diversity_scorecard-measuring_board_compositi
40 SBS News. (2016, November 9). Shareholders blast CBA executives’ pay. SBS News. Retrieved from https://www.sbs.com.au/news/shareholders-blast-cba-s-executive-pay
41 Janda, M. (2018, November 21). Banking royal commission: CBA chairman Livingstone answers for the bank’s remuneration breakdown. ABC News. Retrieved from https://www.abc.net.au/news/2018-11-21/cba-remuneration-breakdown-catherine-livingstone/10518640
42 Ibid.
43 Ibid.
44 Ibid.
45 Yeates, C. (2016, August 15). CBA chief Ian Narev receives $12.3m in pay. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/cba-chief-ian-narev-receives-123m-in-pay-20160815-gqsy6z.html
46 Yeates, C. (2015, November 18). CBA wants to be ‘the ethical bank’. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/cba-wants-to-be-the-ethical-bank-20151117-gl11rc.html
47 CommBank. (2019). Speaking Up. Retrieved from https://www.commbank.com.au/about-us/opportunity-initiatives/opportunity-from-good-business-practice/sustainable-business-practices/speaking-up.html
48 Ferguson, A. & Danckert, S. (2016, March 9). CommInsure: Former chief medical officer Benjamin Koh sues for wrongful dismissal. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/former-chief-medical-officer-sues-CommInsure-for-wrongful-dismissal-20160309-gnelxz.html
49 Ferguson, A. (2019, August 3). ‘Why would you torment a dying person and their family?’. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/money/insurance/why-would-you-torment-a-dying-person-and-their-family-20190731-p52cpb.html

50 Ferguson, A. (2016, March 9). On Protecting Whistleblowers. Retrieved from https://www.meaa.org/mediaroom/adele-ferguson-on-protecting-whistleblowers/
51 Butler, B. (2019, October 15). Commonwealth Bank denies CEO misled parliament over whistleblower’s sacking. The Guardian. Retrieved from https://www.theguardian.com/australia-news/2019/oct/16/commonwealth-bank-denies-ceo-misled-parliament-over-whistleblowers-sacking
52 Knaus, C. (2018, November 19). CBA chief struggles to explain ‘significant failings’ of insurance products – as it happened. The Guardian. Retrieved from https://www.theguardian.com/australia-news/live/2018/nov/19/banking-chiefs-face-royal-commission-commonwealth-live
53 Robertson, A. (2016, March 15). Life insurance commissions mean CommInsure the tip of the financial scandal iceberg. ABC News. Retrieved from https://www.abc.net.au/news/2016-03-15/CommInsure-points-towards-broader-insurance-scandals/7247408
54 McConnell, P. (2016, March 8). The CommInsure scandal highlights a conflict at the heart of all insurance. Business Insider. Retrieved from https://www.businessinsider.com.au/the-CommInsure-scandal-highlights-a-conflict-at-the-heart-of-all-insurance-2016-3
55 Parliament of Australia. (2014, June 26). Performance of the Australian Securities and Investment Commission. Retrieved from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Economics/ASIC/Final_Report/index
56 Ferguson, A. & Vedelago, C. (2013, June 22). Targets, bonuses, trips - inside the CBA boiler room. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/targets-bonuses-trips-inside-the-cba-boiler-room-20130621-2oo9w.html
57 Australian Securities & Investments Commission. (2019, October 18). Our role. Retrieved from https://asic.gov.au/about-asic/what-we-do/our-role/
58 Schneeberger, C. (2019, January). The Impact of the Banking Royal Commission on Australian Banks. Retrieved from https://orbium.com/orbium-insights/the-impact-of-the-banking-royal-commission-on-australian-banks/
59 Vercoe, P. (2019, February 5). Australia Inquiry into Financial Sector Scandals Seen to Give Reprieve to Banks. Insurance Journal. Retrieved from https://www.insurancejournal.com/news/international/2019/02/05/516787.htm
60 Mitchell, S. (2014, October 21). Australia ‘paradise’ for white-collar criminals, says ASIC chairman Greg Medcraft. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/australia-paradise-for-whitecollar-criminals-says-asic-chairman-greg-medcraft-20141021-119d99.html
61 Lannin, S. (2017, March 23). Whistleblower’s lawyer slams ASIC’s report finding no evidence of CommInsure pressuring doctors. ABC News. Retrieved from https://www.abc.net.au/news/2017-03-23/whistleblowers-lawyer-slams-asics-report-on-CommInsure/8381776
62 Safi, M. (2016, March 8). Asic examines claims CommInsure avoiding payouts to sick and dying. The Guardian. Retrieved from https://www.theguardian.com/business/2016/mar/08/asic-examines-claims-CommInsure-avoiding-payouts-to-sick-and-dying
63 Lannin, S. (2017, March 23). Whistleblower’s lawyer slams ASIC’s report finding no evidence of CommInsure pressuring doctors. ABC News. Retrieved from https://www.abc.net.au/news/2017-03-23/whistleblowers-lawyer-slams-asics-report-on-CommInsure/8381776
64 Loughlin, H. (2019, February 22). Is ASIC the watchdog that no one fears?. Retrieved from https://sydney.edu.au/news-opinion/news/2019/02/22/is-asic-the-watchdog-that-no-one-fears-.html
65 Australian Government. (2018, August 28). The Hon Kelly O’Dwyer. Retrieved from http://ministers.treasury.gov.au/ministers/kelly-odwyer-2016
66 McConnell, P. (2016, April 21). Government backflip on ASIC could be too little too late. The Conversation. Retrieved from https://theconversation.com/government-backflip-on-asic-could-be-too-little-too-late-58210
67 Hutchens, G. & Remeikis, A. (2018, November 22). Westpac says banks’ move into wealth management ‘clearly not’ a success for customers. The Guardian. Retrieved from https://www.theguardian.com/australia-news/2018/nov/22/westpac-says-banks-move-into-wealth-management-clearly-not-a-success-for-customers
68 Ibid.
69 Mitchell, S. (2014, October 21). Australia ‘paradise’ for white-collar criminals, says ASIC chairman Greg Medcraft. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/australia-paradise-for-whitecollar-criminals-says-asic-chairman-greg-medcraft-20141021-119d99.html
70 Ibid.
71 McGrath, P. & Janda, M. (2014, June 27). Senate inquiry demands royal commission into Commonwealth Bank, ASIC. ABC News. Retrieved from https://www.abc.net.au/news/2014-06-26/senate-inquiry-demands-royal-commission-into-asic-cba/5553102
72 Letts, S. (2019, February 5). Banking royal commission: The financial sector’s descent to the fourth circle of hell. ABC News. Retrieved from https://www.abc.net.au/news/2018-09-28/banking-royal-commision-timeline/10310800
73 Rigney, K. (2018, January 22). Challenge and change in the insurance industry: Three developments in prudential policy and legal requirements. Retrieved from https://www.minterellison.com/articles/challenge-and-change-in-the-insurance-industry
74 Andrew Beatty, Glenda Kwek. (2019, February 4). Inquiry refers scandal-hit Australian banks to watchdogs. Mail & Guardian. Retrieved from https://mg.co.za/article/2019-02-04-inquiry-refers-scandal-hit-australian-banks-to-watchdogs
75 Stephanie Chalmers. (2018, December 5). There’s a new place to lodge complaints about the banks — and it’s already been flooded. ABC News. Retrieved from https://www.abc.net.au/news/2018-12-05/new-financial-complaints-authority-more-than-6500-complaints/10585690
76 Australian Prudential Regulation Authority. (2018, May 1). APRA releases CBA Prudential Inquiry Final Report and accepts Enforceable Undertaking from CBA. Retrieved from https://www.apra.gov.au/news-and-publications/apra-releases-cba-prudential-inquiry-final-report-and-accepts-enforceable
77 Australian Securities & Investments Commission. (2017, March 23). 17-076MR ASIC releases findings of CommInsure investigation. Retrieved from https://asic.gov.au/about-asic/news-centre/find-a-media-release/2017-releases/17-076mr-asic-releases-findings-of-CommInsure-investigation/
78 Mitchell, C. (2019). Majority Shareholders. Retrieved from https://www.investopedia.com/terms/m/majorityshareholder.asp
79 Commonwealth Bank of Australia. (2019). Annual Reports. Retrieved from https://www.commbank.com.au/about-us/investors/annual-reports.html
80 Australian Prudential Regulation Authority. (2018, May 1). APRA releases CBA Prudential Inquiry Final Report and accepts Enforceable Undertaking from CBA. Retrieved from https://www.apra.gov.au/news-and-publications/apra-releases-cba-prudential-inquiry-final-report-and-accepts-enforceable

81 Pash, C. (2018, May 1). How the Commonwealth Bank lost its way. Business Insider. Retrieved from https://www.businessinsider.com.au/commonwealth-bank-culture-failure-apra-2018-5
82 Ibid.
83 Ibid.
84 Ibid.
85 Janda, M. (2019, March 8). Commonwealth Bank shareholders ‘largely’ footing $1.4b customer compensation bill. ABC News. Retrieved from https://www.abc.net.au/news/2019-03-08/bank-bosses-front-parliament/10882560
86 Eyers, J. & Uribe, A. (2017, February 28). Deloitte clears CommInsure of culture problems. The Australian Financial Review. Retrieved from https://www.afr.com/companies/financial-services/deloitte-clears-CommInsure-of-culture-problems-20170228-gund1g
87 ASX Corporate Governance Council. (2019, February). Corporate Governance Principles and Recommendations. Retrieved from https://www.asx.com.au/documents/asx-compliance/cgc-principles-and-recommendations-fourth-edn.pdf
88 Commonwealth Bank of Australia. (2019). Annual reports. Retrieved from https://www.commbank.com.au/about-us/investors/annual-reports.html
89 Commonwealth Bank of Australia. (2017). 2017 Corporate Governance Statement. Retrieved from https://www.commbank.com.au/content/dam/commbank/about-us/shareholders/pdfs/2017-asx/Corporate_Governance_Statement_2017.pdf
90 Commonwealth Bank of Australia. (2019). 2019 Corporate Governance Statement. Retrieved from https://www.commbank.com.au/content/dam/commbank/about-us/shareholders/corporate-profile/corporate-governance/corporate-governance-statement.pdf
91 Commonwealth Bank of Australia. (2018, September). Commonwealth Bank Code of Conduct. Retrieved from https://www.commbank.com.au/content/dam/commbank-assets/about-us/2018-09/CBA-code-of-conduct.pdf
92 Commonwealth Bank of Australia. (2019, July 1). Group Whistleblower Policy. Retrieved from https://www.commbank.com.au/content/dam/commbank/assets/about/opportunity-initiatives/commbank-whistleblower-policy.pdf
93 Commonwealth Bank of Australia. (2019). 2019 Annual Report. Retrieved from https://www.commbank.com.au/content/dam/commbank/about-us/shareholders/pdfs/annual-reports/CBA-2019-Annual-Report.pdf
94 Doran, M. & Janda, M. (2018, June 4). Commonwealth Bank to pay $700m fine for anti-money laundering, terror financing law breaches. ABC News. Retrieved from https://www.abc.net.au/news/2018-06-04/commonwealth-bank-pay-$700-million-fine-money-laundering-breach/9831064
95 Janda, M. (2017, August 8). Commonwealth Bank to cut executive bonuses, director fees after AUSTRAC scandal. ABC News. Retrieved from https://www.abc.net.au/news/2017-08-08/commonwealth-bank-to-cut-executive-bonuses-director-fees/8784030
96 Yeates, C. (2017, September 4). Board shake-up can’t halt slide as CBA hits new low. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/commonwealth-bank-in-board-shakeup-20170904-gya3pe.html
97 Pearce, R. (2018, March 26). Commonwealth Bank CIO David Whiteing to leave. Computerworld. Retrieved from https://www.computerworld.com.au/article/635309/commonwealth-bank-cio-david-whiteing-leave/
98 Thomson, J. (2018, March 19). Commonwealth Bank’s junk insurance scandal is as bad as Matt Comyn predicted. The Australian Financial Review. Retrieved from https://www.afr.com/chanticleer/commonwealth-banks-junk-insurance-scandal-is-as-bad-matt-comyn-predicted-20180319-h0xogl
99 Knaus, C. (2018, November 19). CBA chief struggles to explain ‘significant failings’ of insurance products – as it happened. The Guardian. Retrieved from https://www.theguardian.com/australia-news/live/2018/nov/19/banking-chiefs-face-royal-commission-commonwealth-live?page=with:block-5bf20b1fe4b0bb700a72f95b#liveblog-navigation
100 Chau, D. (2019, February 4). Commonwealth Bank to stop ‘fees for no service’ for most customers. ABC News. Retrieved from https://www.abc.net.au/news/2019-02-04/asic-orders-commonwealth-bank-to-stop-charging-financial-fees/10776870
101 Khadem, N. (2019, October 4). CBA faces criminal charges over CommInsure scandal. ABC News. Retrieved from https://www.abc.net.au/news/2019-10-04/cba-faces-criminal-charges-CommInsure-scandal/11573790
102 Hall, J. (2019, October 4). CBA life insurance: CommInsure arm charged for unsolicited phone calls. News.com.au. Retrieved from https://www.news.com.au/finance/business/banking/cba-life-insurance-CommInsure-arm-charged-for-unsolicited-phone-calls/news-story/8b8fb9fdebe334270b9a5c7313bdaf4f
103 Butler, B. (2019, October 4). Commonwealth Bank insurance arm faces 87 criminal charges. The Guardian. Retrieved from https://www.theguardian.com/news/2019/oct/04/commonwealth-bank-insurance-arm-faces-87-criminal-charges
104 Condie, S. (2019, August 23). CBA sells CommInsure for reduced $2.375b. 7News. Retrieved from https://7news.com.au/business/banking/cba-sells-CommInsure-for-reduced-2375b-c-414503
UNAUTHORISED
TRADING

ANOTHER DAY, ANOTHER TRADING SCANDAL: THE CASE OF NATIONAL AUSTRALIA BANK
CASE OVERVIEW

In January 2004, an employee within the National Australia Bank (NAB) revealed that there were cases of unauthorised foreign currency derivatives trading that resulted in total losses of A$360 million. The NAB trading scandal was one of the largest rogue trading scandals that shook the Australian market. The traders had concealed losses by entering into fictitious one-sided currency transactions. The Australian Prudential Regulation Authority (APRA), the regulatory body for banks, condemned the bank for its lax management, as it had ignored the warning signs of irregular currency options trading practices. The objective of this case is to allow a discussion of issues such as the important elements for good corporate governance; board oversight; different lines of defence; risk management; remuneration policies; and regulatory oversight.

BACKGROUND

Headquartered in Victoria, Australia, NAB provides personal and business financial services, including credit cards and loans. It has expanded globally and established its presence in New Zealand, Asia, the United Kingdom and United States with over 12 million customers and 50,000 employees.1

THE CORPORATE AND INVESTMENT BANKING DIVISION

The Corporate and Investment Banking Division (CIB) was set up to handle large corporate clients, banks, financial institutions and other government bodies. CIB services and products include debt financing, financial risk management products and investor services and products.2

Within the CIB, the Market Division provides clients with various traded financial products and risk management solutions, covering foreign exchange, money market, commodities and financial derivative products. The foreign currency trading department operation was split into two main trading desks, the spot foreign exchange desk and the currency options desk, where the scandal and foreign exchange loss arose.

The currency options desk at that time operated on a 24-hour basis from two places, Melbourne and London. Trading activities occurred mainly within the interbank market; nonetheless, it also had several non-bank clients. The customer business originated from the Bank’s branches and subsidiary banks from around the world and was passed to the currency options desk.

RISK MANAGEMENT AND INTERNAL AUDIT FUNCTIONS

The organisational structure of NAB dictated that the risk management responsibility such as the trading, profit and risk responsibility, had to be delegated to the traders with varying layers of supervision, monitoring and reporting procedures to be followed. This risk management philosophy was consistent with the approach widely used by other major financial institutions at that time.

Within the CIB division, the risk management function was disaggregated into smaller units that served the business units. Operations were split into different desks, which reported to CIB management and Group Risk Management separately. The Market Risk and Prudential Control Department (MR&PC) in CIB was responsible for ensuring the compliance of risk strategy.

It was the responsibility of the internal audit function to ensure effective operation and compliance with the bank’s policies and procedures. The head of internal audit reported relevant information, problems and recommendations mainly to four parties, namely the Principal Board Audit Committee (PBAC), Central and Regional Risk Management Committees, the CEO and the Group Risk Management.

This is the abridged version of a case prepared by Kit Jia Min, Low Siao Chi, Ng Voon Siew Janice, Adalyn Yeap Hui Lin, Eric Yong Jun Kang and Zhang Jiaxin under the supervision of
Professor Mak Yuen Teen and Dr Vincent Chen Yu-Shen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective
or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or
employees. This abridged version was edited by Lau Lee Min under the supervision of Professor Mak Yuen Teen.

Copyright © 2013 Mak Yuen Teen and CPA Australia.



THE METHODS OF CONCEALMENT

Three principal methods of concealment were used. Initially, smoothing of earnings was done through entering incorrect dealing rates into the system. This allowed profits and losses to be shifted from one day or one period to another. Thereafter, two more methods were employed: processing false spot foreign exchange and false option transactions.

The traders discovered that there was a one-hour window between the bank’s close-of-day and the review time. The bank’s end-of-day close was at 8 a.m. and the Operations division (back office) would start reviewing the transactions at 9 a.m. This one-hour period allowed them to manipulate the profits recorded.

The modus operandi was to enter genuine spot foreign exchange transactions with incorrect transaction rates. During the one-hour period, this incorrect information would be amended to the actual rates. The profits or losses recorded in the general ledger would be incorrect because they were recorded according to end-of-day valuations. Since the general ledger did not get re-stated after these amendments, these concealments would go unnoticed.3

A second method of concealing losses was the use of one-sided transactions. In September 2003, the traders lost heavily on the bet that the Australian and New Zealand dollars would fall against the US dollar. The traders then entered one-sided transactions to disguise their true loss position. The one-sided transactions with other divisions within NAB worked by first entering a false transaction at only their end of the position, with no offsetting position created in other divisions. These one-sided transactions were subsequently ‘surrendered’ during the one-hour window before the back office checks took place.4

By ‘surrendering’ these transactions, the back office checks would not reveal any discrepancies. These figures would still be posted to the general ledger and used for management reports as well as the preparation of financial statements. The accounting entries for transactions that were ‘surrendered’ were reversed; however, the transactions recorded remained in place. Using this method, the traders were able to record false profits and losses on the same day. When the transactions were surrendered the following day, the false profit was reversed. By creating and surrendering these transactions on a daily basis, the false profits or losses were rolled forward and the real position could be concealed.

Other methods of concealment included the revaluation of the portfolio using incorrect rates and entering false option transactions.5

FAILURE OF RISK MANAGEMENT AND INTERNAL CONTROL

Risk management controls were overridden. NAB required proper approval from Market Risk & Prudential Control (MR&PC) before traders could engage in transactions that involved new products. However, the rogue traders did not seek approval from MR&PC. Despite this concern being raised by MR&PC to their supervisor, no action against the traders was taken. In fact, MR&PC was pressured to approve the options transaction. Although MR&PC eventually did not approve these transactions, they were overridden when the head of global markets gave his approval.

It was also found that the supervisors, such as the General Manager of the Markets Division, had failed to follow through the entire review procedure. Monitoring was simply limited to headline profit and loss statements, suggesting that there was a lack of understanding with regard to the underlying risks undertaken by the traders. In fact, the management simply attributed smooth profit to the successful implementation of the department investment strategy.

Furthermore, the reliability of Value-at-Risk (VaR) was being questioned because there was a conflict of opinion between MR&PC and the currency options desk. This resulted in the VaR currency trading limit breaches being removed from the front page of daily risk reports. At the same time, many VaR limit breaches were committed by the traders and these breaches were simply approved by the trading and global products head. This matter was exacerbated by the little urgency and attention given for the resolution of these differences in opinion. It was only in October 2003 that the issue was included on the agenda of the CIB Risk Management Executive Committee, which was then further postponed to January 2004. This enabled the traders to get away with these limit breaches as the mechanisms in place to monitor risks fell apart. In hindsight, all false one-sided transactions were actually captured by the VaR algorithm, but disregarded.

Finally, in October 2003, MR&PC identified an unusual sale with another bank for a premium of A$322 million. The traders clarified that this transaction was required to finance some other positions and the issue was not pursued further. The lack of supervision had enabled the traders to exploit the systems in place further.
In its May 1999 report, Internal Audit rated currency options as ‘unsatisfactory’, and highlighted several 3-star issues, which were defined as “Serious matters for the attention of the Managing Director and reportable to the Board Audit Committee”.6 The weaknesses identified included the inability to reconcile profit and loss between the front and back offices, the exclusion of volatility smile (observed pattern of options) in revaluations and the lack of independent monitoring of risk concentrations. The report further stated that review processes were unsatisfactory, as many of these issues surfaced due to “an inadequate control framework in currency options”.

In its June 2000 quarterly audit report to the PBAC, Internal Audit stated that the weaknesses in May 1999 had been rectified by management. Following this, in the December 2001 audit report, Internal Audit gave an overall rating of ‘adequate’ for the foreign exchange business, including currency options. Two 3-star issues in relation to currency options were identified - limit breaches occurred daily (for 61 out of 61 days), and incorrect VaR numbers produced. The daily limit breaches were not explained, and the incorrect VaR was attributed to the non-usage of volatility smile. At the same time, the Head of Internal Audit introduced a new rating system i.e. a ‘three star plus’ for all issues in the range of A$5 to A$30 million in place of the current A$1 million to A$30 million. As a result of the new rating criteria, the number of issues for PBAC consideration was reduced from 70 to 21, and the two remaining 3-star currency options issues were not reported to PBAC.

In the January 2003 audit report, no significant matters on currency options were highlighted. However, the report raised a new issue “Currency options desk operating limits need to be reviewed”, rated as 1-star (thus reported only to business unit management). It was evident from the report that the limits were still being breached. NAB held the view that the limit breaches were due to inappropriate design of the limits and not due to a disregard for the limits. NAB also felt that the breaches would be eliminated with better-designed limits.

Due to the low ratings assigned by Internal Audit to the currency options issues (1-star instead of 3-star), PBAC was not alerted to the limit breaches even though they continued to occur in 2001 and up until 2003.

PROFIT-DRIVEN MANAGEMENT
Breaches of higher limits occasionally reached a higher level of management. These transactions would then be approved by the head of global markets, as mentioned previously. Management seemed to have informally consented to these limit breaches by the traders since nothing was done to stop their actions. This cultivated a culture where the traders could flout the standards of the bank and felt free to engage in risky behaviour because there were seemingly no consequences.

Management seemed to focus heavily on the profits and ignore the potential problems. They were keen to protect their bottom line and disregarded the risks and possible slipups in their internal management.

The culture of poor adherence to rules, responsibility shirking and suppression of bad results was partly a consequence of the profit-oriented culture. As such, the risk committee chairman, Graham Kraehe, acknowledged that the board should bear full responsibility for the culture at the bank.

WHERE WAS THE BOARD?
Management simply kept the directors in the dark. Additionally, the directors trusted the management deeply and relied only on information and reports supplied by management.

Collectively, the inaction of both parties allowed the scandal to go unnoticed for a long time. The directors were so trusting that they even failed to ask for the annual management letter from the external auditor when the management did not provide it. The board would have been alerted to the concerns KPMG had with regards to the foreign trading desks, as early as 2001 when it was first noted in the management letter, if they had insisted on reviewing the annual management letter.

The two principal board committees – risk and audit – also failed to probe further and provide sufficient oversight for the audit and risk management activities in the firm. During the Principal Board Risk Committee (PBRC) meeting in November 2003, management assured the committee that the VaR was safely within the limits for the Markets Divisions as a whole. The committee was unaware of the currency option desk’s risk limit breaches. Had the audit and risk committees actively sought information and provided oversight over their areas of responsibilities, they probably would have discovered the warnings from internal audit and the risk management department.

When other Australian banks and the Australian Prudential Regulation Authority (APRA) raised their concerns about the large and unusual currency transactions of NAB in 2002 and 2003, NAB sat on these concerns and no further investigations were conducted by management in response. Moreover, the head of global risk management dismissed APRA’s request to enforce compliance with risk management policies and credit limits. In addition, a letter was sent in to APRA containing misleading information to conceal limit breaches committed in December 2003. All these decisions were made without seeking the advice of the board. NAB’s management downplayed both the market’s and APRA’s warnings, along with other internal warnings from the internal audit and risk management departments.

The feedback from APRA was directed to Chairman Allen. Some key issues that were highlighted included lax approach to limit management, non-adherence to risk management policies, absence of formal model validation, insufficient back-testing for the approved VaR model, and valuation of NAB’s portfolio using front office’s information. Without consulting the Board or the risk committee, the responsibility for preparing a response to APRA was delegated to the head of global risk management. Although most of APRA’s feedback given was within the Board’s area of responsibility, they were not notified. Furthermore, the risk manager’s reply to APRA suggested that most of the issues were either insignificant or had been addressed, when in fact, neither the Board nor the Management had done anything.

AFTERMATH
In January 2004, the bank announced that it had uncovered losses of up to A$185 million. The majority of the fictitious trades had occurred between October 2003 and mid-January 2004. A revaluation of the options portfolio raised the options losses to A$360 million.

According to NAB Chief Executive Frank Cicutto, weak internal controls enabled the traders to carry out the fraud. The losses had stemmed from a punt on the value of Australian and New Zealand dollars, and the four traders – Bullen, Duffy, Ficarra and Gray – had sought to cover the losses with unauthorised trades on NAB’s account.

EPILOGUE
The four traders who were involved in the scandal were prosecuted in court and received jail terms of between 16 to 44 months7. NAB was also required to comply with 81 special APRA remedial requirements.8 A new executive committee was put together9 as the firm looked towards rebuilding its culture.10

DISCUSSION QUESTIONS
1. Evaluate the effectiveness of the board of directors at NAB.

2. Were there other aspects of corporate governance at NAB that were problematic?

3. In 2003, the currency option control issues were not reported to the Principal Board Audit Committee (PBAC) despite it being a “3-star” problem. The Internal Audit function believed the monetary value of this issue to be less than the A$5 million threshold. Was the reliance of the PBAC on Internal Audit to screen the firm’s control issues reasonable? Should PBAC only have reviewed issues with a “3-star” and above rating? Discuss the impact of using such a screening mechanism on NAB between 1999 and 2004.

4. In your opinion, what has to be done to improve the corporate governance at NAB?

5. Prior to the NAB trading scandal, rogue trader Nick Leeson’s unauthorised trading led to the collapse of Barings Bank. More recently, Societe-Generale, UBS and JP Morgan also reported massive losses from unauthorised trading. Why do such trading scandals continue to happen in banks? Are banks too complex to govern and manage well?

ENDNOTES:
1 About us, NAB, <http://www.nab.com.au/wps/wcm/connect/nab/nab/home/About_Us/> accessed 20 Dec 2012
2 CIB employed some 2,600 people and generated around A$1,000 million in net profits before tax.
3 Investigation into foreign exchange losses at the National Australia Bank, 12 Mar 2004, PricewaterhouseCoopers
4 Comanescu, A, An Inquiry into the Nature and Causes of National Australia Bank Foreign Exchange Losses, Nov 2004, retrieved from <http://qed.econ.queensu.ca/pub/faculty/milne/872/Comanescu%20FinalMA%20paper.pdf> accessed 20 Dec 2012
5 NAB- FX Options, Apr 2009, PRMIA, <http://prmia.org/pdf/Case_Studies/National_Australia_Bank_Short_Version_April_2009.pdf> accessed 20 Dec 2012
6 Control issues were accorded ratings of 1-star to 4-star, with issues given a higher star rating more serious. Only issues given a 3-star rating or above were reported to PBAC.
7 Former NAB Traders Jailed, 4 July 2006, Sydney Morning Herald, <http://www.smh.com.au/news/business/former-nab-traders-jailed/2006/07/04/1151778911857.html> accessed 20 Dec 2012
8 Report into Irregular Currency Options Trading at the National Australia Bank, 23 Mar 2004, APRA
9 NAB names new team after rogue trading scandal, 25 Aug 2004, Sydney Morning Herald, <http://www.smh.com.au/articles/2004/08/25/1093246582914.html?from=storylhs> accessed 20 Dec 2012
10 Team player in NAB’s Cultural Revolution, 28 May 2005, The Age, <http://www.theage.com.au/news/Business/Team-player-in-NABs-cultural-revolution/2005/05/27/1117129898874.html> accessed 20 Dec 201

JP MORGAN AND THE LONDON WHALE

CASE OVERVIEW1
In 2012, media released the story of the “London Whale”. Two traders had used an atypical trading strategy which greatly increased the size and risk of the portfolio they were handling. This trading strategy was later described by the group’s CEO as flawed, complex, poorly reviewed, poorly executed, and poorly monitored. More than US$2 billion of mark-to-market losses for these trades were reported.

But who was to blame? The risk committee which was responsible for monitoring the entire company’s transactions, the regulator – the Office of the Comptroller of the Currency, or the management of JP Morgan? A Task Force was set up to investigate these losses. The objective of this case is to allow for a discussion of issues such as internal control; risk management; competencies of the board of directors and those responsible for the different lines of defence; and how the various stakeholders could have played a part in preventing the massive loss.

ABOUT JP MORGAN
JP Morgan Chase & Co. (NYSE: JPM) is a leading global financial services firm and one of the largest banking institutions in the United States. It began as JP Morgan & Co, a commercial bank founded in New York in 1871. A series of mergers and acquisitions subsequently led to the formation of JP Morgan Chase today.1

JP Morgan Chase’s businesses are organised into six major segments – Investment Banking; Retail Financial Services; Card Services & Auto; Commercial Banking; Treasury & Securities Services and Asset Management; as well as a Corporate/Private Equity segment which comprises Private Equity, Treasury, the Chief Investment Office (CIO), and corporate staff units and expense functions that are centrally managed.2

The CIO was spun off as a separate unit within the bank in 2005. The primary responsibility of the CIO is to invest the bank’s excess deposits and to hedge trading risk in other parts of the bank. Ina Drew served as the bank’s Chief Investment Officer from 2005 to May 2012. In 2007, CIO launched the Synthetic Credit Portfolio (SCP), which sought to provide protection against credit risk and adverse credit default events in the market.3

HOW THE SCANDAL UNRAVELLED
The head of credit trading of CIO, Javier Martin-Artajo, and the credit derivatives trader Bruno Iksil, generated billions in profits on a portfolio that featured bets on certain corporate credit indices from 2007 to 2011.4 They were instructed by executives to reduce Risk Weighted Assets (RWA) in late 2011. Rather than dispose of the high risk assets in the SCP, which is the typical action taken by CIO, they purchased additional long credit derivatives to offset its short derivative positions in January 2012. This trading strategy eventually increased the portfolio’s size, risk and RWA, as well as eliminated the hedging protections.5

Despite the fact that the SCP’s derivative holdings were increased, the portfolio was losing value. Hedge fund insider, Boaz Weinstein of Saba Capital Management, found that the market in credit default swaps was probably being affected by aggressive activities in February 2012.6 Ina Drew suspended trading in the portfolio on 23 March 2012.7

In early April, the media broke the story of the “London Whale” and unmasked JP Morgan Chase’s CIO as the entity behind the large positions in the market. The market for the credit derivatives in the SCP was small and had limited players; thus CIO’s large positions and trades became very visible.

According to CIO’s analyses, the SCP was generally “balanced”, the market was dislocated, and mark-to-market losses were temporary and manageable. JP Morgan Chase’s Group Chief Executive Officer (CEO), Jamie Dimon, who is also the Chairman, agreed that the publicity surrounding the SCP was a “tempest in a teapot” and the Chief Financial Officer (CFO), Douglas Braunstein, stated that the firm was “very comfortable” with its positions in a 13 April analyst call.8

This is the abridged version of a case prepared by Benjamin Chua Kok Lee, Lian Jiahui, Lim Meei Shin, Vanessa Poh Yun Han and Jason Tan Jia Shen under the supervision of Professor Mak
Yuen Teen and Dr Vincent Chen Yu-Shen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective
management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This
abridged version was edited by Trina Ling Tzi Chi under the supervision of Professor Mak Yuen Teen.

Copyright © 2014 Mak Yuen Teen and CPA Australia.



When losses continued to increase after the analyst call, non-CIO personnel were directed to review and take control of the SCP in late April. It was then revealed that the portfolio’s exposure was much greater than previously reported by the CIO and the market’s knowledge of the CIO’s positions would make it even more difficult to reduce losses and close out their positions. A review of the valuation of positions in the SCP concluded in consultation with PwC that the SCP complied with U.S. Generally Accepted Accounting Principles (GAAP).9

On 10 May 2012, Dimon disclosed that the trading strategy for the SCP was flawed, complex, poorly reviewed, poorly executed, and poorly monitored. More than US$2 billion of mark-to-market losses in relation to these trades were reported. A Task Force was formed shortly after 10 May to investigate these losses.10

JP Morgan Chase stated that it was no longer confident that the 31 March valuations reflected good-faith estimates of the fair value of all the instruments in the SCP after consulting with PwC for the second time. Cumulative losses of US$5.8 billion and a restatement of first quarter net income (a downward adjustment of US$459 million) were announced on 13 July.11

MISMARKING OF DERIVATIVE VALUATIONS (INTERNAL CONTROL)
Corporations that own derivatives, such as those held in JP Morgan’s SCP, are required to determine their fair values at the end of each day in accordance with U.S. GAAP. However, GAAP allows some subjective judgement in determining what prices are most representative of fair values.12 While most entities use the midpoint price of the daily range (bid-ask spread) as their valuations, or “marks”, CIO began to deviate from this policy in the later part of the first quarter of 2012 to hide fair value losses on the credit derivatives in its SCP.13

The traders managing the SCP were themselves in charge of providing the daily accounting valuations, based on the “marks” they had chosen to use. Julien Grout, a junior trader on the SCP team, would then send out a daily communication to key CIO personnel on the profit-and-loss performance of the portfolio as per bank practice. In order to show a more favourable picture by hiding some of the unrealised losses, the traders began using marks that differed from the midpoint.14

For five days in the middle of March, Grout began recording on an internal spreadsheet the difference between the values they were reporting to the bank and the midpoint valuations. On 16 March, this difference representing unreported losses reached US$300 million, and Grout later stated that it could grow to US$1 billion by the end of the month.15 These differences would only begin to significantly reverse toward the end of the first quarter, as the traders decided to report larger and larger losses by reporting valuations closer to the midpoint, gaining significant attention from senior management.

Under U.S. regulations, banks were required to have an internal process to verify the accuracy of asset values reported. In JP Morgan, the CIO’s Valuation Control Group (VCG), which reported directly to the CFO of CIO, fulfilled this requirement by conducting a review at the end of each month, which included a check on the derivative valuations in the SCP by using data from independent pricing services, actual transactions and market quotes. In the month-end reviews during the first quarter of 2012, VCG approved CIO’s valuations for the SCP as the bank’s policy allowed some degree of subjective judgement, and also because the marks used were still within the bid-ask spread and the range set by the oversight group.16 Thus, no requests were made for the SCP traders to cease using their own favourable estimates or to revert to the midpoint valuations from these reviews. The CIO would only do so when ordered to in May, arising from the discovery in March that the Investment Bank, a separate line of business in JP Morgan, was assigning different values for the very same credit derivatives also held by CIO.

BREACHES OF RISK LIMITS (RISK MANAGEMENT)
In relation to its trades, the CIO used five different risk metrics to monitor its risk exposure – the Value-at-Risk (VaR) limit, Credit Spread Widening 01 (CS01) limit, Credit Spread Widening 10% (CSW10%) limit, stress loss limits, and stop loss advisories.17 From January to April 2012, all of these limits were breached more than 330 times in total.18

Under the firm’s policy, breaches of these limits had to be reported to their respective signatories, as well as the CIO Risk Committee, and the Market Risk Committee or Business Control Committee. When a breach occurs, “the business unit must take immediate steps to reduce its exposure so as to be within the limit, unless a one-off approval is granted”.19 The one-off approval represents a temporary allowable increase of the relevant limit. The Value-at-Risk (VaR) of the SCP was an estimate of the maximum daily mark-to-market loss. As early as January 2012, the VaR had already begun to exceed its limits.20 In response, Jamie Dimon and John Hogan, the CEO and Chief Risk Officer (CRO) of JP Morgan respectively, approved exactly such a one-off increase from US$125 million to US$140 million until the end of January.21

At that time, CIO then implemented a new VaR model which instantly reduced the VaR by close to half the previous amount, thus allowing it to end the limit breach via new calculation methodology. Subsequently on 10 May, the bank reverted back to the old model, with CEO Jamie Dimon announcing that the new model it had adopted was inadequate in portraying risk.22

The Company later admitted during the Senate inquiry that the new model was rushed through internal approval – the Model Review Group (MRG) of the bank had found problems with the new model and requested action plans to resolve the issues. However, these were never completed.23

The continuing increase in the size of the portfolio also led to breaches in the other metrics, as the large position taken by CIO meant that small variations could translate to larger losses in the SCP.24 These breaches were apparently ignored by management or handled by having their limits raised.

CIO RISK COMMITTEE25
Prior to the first quarter of 2012, the CIO risk committee was subjected to less scrutiny than other critical lines of business and this resulted in weak risk controls and pervasive infrastructures that performed ineffectively within CIO. In addition, the committee itself was understaffed. This was made worse when the risk function of the firm did not place any emphasis on hiring more risk personnel for CIO. Even if the risk personnel were hired, they were seemingly more accountable to the CIO management, instead of the firm’s risk function. As such, some of the risk managers did not feel independent enough from the business operations of CIO to criticise the trading strategies used. In essence, no meaningful checks could be done on the activities of CIO.

Other than the fact that the Committee only met three times in 2011, the composition of the attendees was poor, as it mainly involved only key members of CIO. As such, along with its passiveness, the committee could not update the risk structure and risk limits for CIO in time. As the SCP increased in size and complexity, these inherent weaknesses in CIO’s risk management became more critical. The threats posed by these weaknesses, such as permitting the pursuance of risky trading strategies, grew in significance with the size and complexity of the SCP.

Even though a new CRO was hired for the CIO in January 2012 to build risk controls and to improve practices, it was all too late to develop structures that may curtail the losses in CIO. Furthermore, he lacked sufficient experience in risk management.

BOARD RISK COMMITTEE26
Unlike the other largest U.S. lenders, the board risk committee of JP Morgan lacked directors with the relevant banking and financial risk management experience. The only one with the requisite experience had not been employed in the industry for more than 25 years. Despite the severe lack of relevant financial risk management experience, the composition of the risk committee had not changed since 2008. The committee that was headed by James Crown, with members Ellen Futter and David Cote, was also relatively small. It met seven times in 2011.

The severe lack of Wall Street experience made it almost impossible for the committee to pose critical questions to the CIO CRO to eliminate any potential risks in the trading strategy. The committee simply gave the bank’s risk-appetite policy the green light.

OTHER CONTROLS AND OVERSIGHT27
As with the case of the CIO risk committee, the CIO VCG faced operational shortcomings in its reviews that were accentuated as the SCP grew in size and complexity. At the time, they were also under criticism from JP Morgan’s internal audit group relating to issues of inadequate price and valuation testing. Within the firm, there was no practice of circulating daily trading activity reports, which would have allowed for easier detection of issues. In particular, the CFO should have noted the significant financial risks that resulted from the firm’s lack of control over traders.

Furthermore, the process of approving and implementing the new VaR model was haphazard. The CEO, Jamie Dimon, appeared to have provided an approval in writing without much thought, as he would later testify that he could barely recall giving the approval.28 Consumed by the idea that the operational and risk infrastructures were robust, reviews carried out by the Model Review Group that uncovered operational and mathematical problems with the new model were largely ignored, with no corrective actions taken before implementing the model.

OFFICE OF THE COMPTROLLER OF THE CURRENCY
A key regulator for JP Morgan Chase is the Office of the Comptroller of the Currency (OCC), whose primary mission is to charter, regulate, and supervise all national banks and federal savings associations.29 Prior to the media reports of the “London Whale” trades in April 2012, almost no information regarding the SCP was disclosed to OCC. The lack of disclosure provided by JP Morgan precluded effective OCC oversight and hence, no reviews were conducted on the SCP prior to 2012.30 However, there were red flags which signalled the increasing risk taken up by the CIO.

In 2011, the bank had filed risk reports with OCC, which disclosed that the CIO had repeatedly breached its stress limits in the first half of 2011. This should have warranted attention and follow-up from the OCC. However, the OCC did not take further action. Furthermore in 2012, the CIO took up a US$1 billion high risk derivative bet, which resulted in a US$400 million gain to the CIO. The OCC was aware of the US$400 million gain, but had failed to enquire on the reason and the extent of the trade going on at the CIO.

The role of SCP was further downplayed in January 2012. The CIO misinformed the OCC claiming that it will decrease the notional size of the SCP. However, the notional size of the SCP was tripled over the course of the quarter instead.31 Furthermore, in the following months, JP Morgan began to omit key CIO performance data from its reports to the OCC. The OCC did not notice the missing reports and did not request for a new CIO management report from JP Morgan.

In addition, various VaR breaches were disclosed in JP Morgan’s risk reports to the OCC. However, the OCC did not review the reports or question the trading activities which resulted in the breaches. Following the media reports on the “London Whale” trades, the OCC subsequently conducted a review on its own missteps. In October 2012, the OCC released an internal report that concluded that they had failed to monitor and investigate multiple risk limit breaches by the CIO and improperly allowed JP Morgan to submit aggregated portfolio performance data that concealed the CIO’s involvement in high-risk trading activities.32

IMPLICATIONS OF THE VOLCKER RULE
The Volcker Rule, introduced as part of Dodd-Frank Wall Street Reform and Consumer Protection Act, “is intended to reduce bank risk by prohibiting high risk proprietary trading activities by federally insured banks, their affiliates, and subsidiaries”.33 However, the Volcker Rule allows hedging activities to continue.

On 13 April 2012, CEO Jamie Dimon dismissed the media reports about the SCP as “a tempest in a teapot”. In addition, JP Morgan Chase Chief Financial Officer Douglas Braunstein reassured investors, analysts, and the public that the SCP’s trading activities were made on a long-term basis, transparent to regulators, had been approved by the bank’s risk managers, and served a hedging function that lowered risk and would ultimately be permitted under the Volcker Rule whose regulations were still being developed.

However, on the day prior to the earnings call, Ina Drew wrote to Mr Braunstein, stating that “the language in Volcker is unclear,” a statement that presumably refers to the fact that the implementing regulation was then still under development.34 In addition, the bank had earlier written to regulators expressing concern that the SCP’s derivatives trading would be “prohibited” by the Volcker Rule.

Misstatements and omissions about the SCP’s transparency to regulators, the long-term nature of its decision-making, its VaR totals, its role as a risk-mitigating hedge, and its supposed consistency with the Volcker Rule, misinformed investors, regulators and the public about the nature, activities, and riskiness of the CIO’s credit derivatives during the first quarter of 2012.

IMPACT ON JP MORGAN’S STOCK PRICE
The announcement of the trading losses on 11 May 2012 sent the stock price down by more than 9% (US$40.74 to US$36.96).35 It also prompted a law firm, Finkelstein Thompson LLP,36 to investigate claims on behalf of JP Morgan’s shareholders with regards to the losses. By 4 June 2012, JP Morgan’s share price had dropped by 33% from its high of US$46.27 set on 28 March 2012 to US$31.00.37 The following day, on 5 June 2012, it was reported that the U.S. regulators would be reviewing the possibility of clawbacks from the staff involved in the trading losses.38

Investors were largely supportive of this as they took the view that it would help cover a portion of the losses, sending the stock up slightly over 3%. On 13 July 2012, at the same time second quarter earnings were reported, JP Morgan restated its 2012 first quarter earnings and announced to the public that the problems reported in the media had been fixed.39 Investors, upon receiving the information, were happy that measures had been taken to avoid further losses and this brought about a 6% increase in its share price during its day trade.40 Following the announcement of the results for the second quarter, the stock price rose back to the pre-11 May level by mid-September and back to its 28 March-high in early January of 2013.

AFTERMATH AND FURTHER DEVELOPMENTS
Since the trading scandal was exposed, changes have been seen in the management at CIO. Ina Drew, the Chief Investment Officer, stepped down and retired from her position and also voluntarily returned two years of her compensation to the company.41 Several other CIO personnel, including Martin-Artajo, Iksil and Grout, saw their employment terminated as well.42

Following the announcement of the trading losses in May 2012, several official inquiries have been set in motion to examine the factors that led to such events. JP Morgan set up a task force to examine the errors and proposed measures to prevent a repeat of the events.43 The U.S. Senate also publicly investigated the issue, subpoenaing internal evidence and key personnel from the bank, and subsequently issued a comprehensive report on the matter.44

DISCUSSION QUESTIONS
1. What were the key corporate governance issues with JP Morgan? What can be done to improve the risk management and internal control in JP Morgan? Contrast this with another financial institution in the United States.

6. The breach in the regulations could have potentially been avoided. If you were the trader, what would you have done? How do you think a whistleblowing policy may help prevent this?

ENDNOTES
1 JPMorgan Chase. (2008). The History of JPMorgan Chase & Co.: 200 Years of Leadership in Banking. Retrieved from http://www.jpmorganchase.com/corporate/About-JPMC/document/shorthistory.pdf
2 JPMorgan Chase. (2011). 2011 Annual Report. Retrieved from http://files.shareholder.com/downloads/ONE/2265496134x0x556139/75b4bd59-02e7-4495-a84c-06e0b19d6990/JPMC_2011_annual_report_complete.pdf
3 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
4 Zuckerman, G., & Fitzpatrick, D. (2012, August 3). J.P. Morgan ‘Whale’ Was Prodded. The Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10000872396390443545504577565062684880158.html
5 United States Senate. (2013, March 15). JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses. Retrieved from http://www.hsgac.senate.gov/download/report-jpmorgan-chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-march-15-2013
6 Ahmed, A. (2012, May 26). The Hunch, the Pounce and the Kill. The New York Times. Retrieved from http://www.nytimes.com/2012/05/27/business/how-boaz-weinstein-and-hedge-funds-outsmarted-jpmorgan.html?pagewanted=all
7 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
8 Ibid.
9 Ibid.
10 Ibid.
11 Ibid.
12 United States Senate. (2013, March 15). JPMorgan Chase Whale
2. Evaluate how JP Morgan communicated with Trades: A Case History of Derivatives Risks and Abuses. Retrieved
from http://www.hsgac.senate.gov/download/report-jpmorgan-
stakeholders following the trading scandal. chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-
march-15-2013
3. What should be the role of government in regulating
financial institutions? Compare this with your country. 13 Ibid.
14 Ibid.
4. Should the non-executive and independent directors
be held accountable for the trading losses at JP 15 DealBook. (2013, March 14). The Things Bankers Say, the London
Whale Edition. The New York Times. Retrieved from http://
Morgan? On hindsight, if you were one of the dealbook.nytimes.com/2013/03/14/the-things-bankers-say-the
directors on the board, what would you have done -london-whale-edition/
before the scandal was made public in May 2012? 16 Zuckerman, G., & Fitzpatrick, D. (2012, August 3). J.P. Morgan
‘Whale’ Was Prodded. The Wall Street Journal. Retrieved from
5. “The tone at the top significantly influences a http://online.wsj.com/article/SB100008723963904435455045775650
company’s corporate governance.” To what extent 62684880158.html
was this related to the trading losses suffered by JP
Morgan? Explain.
17 United States Senate. (2013, March 15). JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses. Retrieved from http://www.hsgac.senate.gov/download/report-jpmorgan-chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-march-15-2013
18 Lenzner, R. (2013, March 15). J P Morgan Breached its Risk Limits More Than 330 Times in 2012. Forbes. Retrieved from http://www.forbes.com/sites/robertlenzner/2013/03/15/the-cover-up-is-always-worse-than-the-crime/
19 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
20 Financial Conduct Authority. (2013). Final Notice. Retrieved from http://www.fca.org.uk/static/documents/final-notices/jpmorgan-chase-bank.pdf
21 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
22 Keoun, B. (2012, June 2). JPMorgan’s Iksil Said to Take Big Risks Long Before Loss. Bloomberg. Retrieved from http://www.bloomberg.com/news/2012-06-01/jpmorgan-s-iksil-said-to-take-big-risks-long-before-loss.html
23 United States Senate. (2013, March 15). JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses. Retrieved from http://www.hsgac.senate.gov/download/report-jpmorgan-chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-march-15-2013
24 Ibid.
25 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
26 Kopecki, D., & Abelson, M. (2012, May 26). JPMorgan Gave Risk Oversight to Museum Head With AIG Role. Bloomberg. Retrieved from http://www.bloomberg.com/news/2012-05-25/jpmorgan-gave-risk-oversight-to-museum-head-who-sat-on-aig-board.html
27 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
28 Pollack, L. (2013, June 4). This is the VaR that slipped through the cracks. Retrieved from http://ftalphaville.ft.com/2013/04/10/1455152/this-is-the-var-that-slipped-through-the-cracks/
29 Office of the Comptroller of the Currency. (n.d.). About the OCC. Retrieved from http://www.occ.gov/about/what-we-do/mission/index-about.html
30 United States Senate. (2013, March 15). JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses. Retrieved from http://www.hsgac.senate.gov/download/report-jpmorgan-chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-march-15-2013
31 Ibid.
32 Ibid.
33 Ibid.
34 Ibid.
35 United States District Court. (2012). Class Action Complaint. Retrieved from http://securities.stanford.edu/filings-documents/1048/JPM00_01/2012514_f02c_12CV03852.pdf
36 Finkelstein Thompson. (2012). JP Morgan & Chase Co. Retrieved from http://www.finkelsteinthompson.com/investigation/jp_morgan.php
37 Yahoo Finance. (2012). JPMorgan Chase & Co. (JPM) – NYSE. Retrieved from http://finance.yahoo.com/q/hp?s=JPM&a=02&b=28&c=2012&d=05&e=4&f=2012&g=d
38 Clarke, D. & Alper, A. (2012, June 5). U.S. regulator says looking at JPMorgan clawbacks. Reuters. Retrieved from http://www.reuters.com/article/2012/06/05/us-jpmorgan-occ-idUSBRE8541A420120605
39 Silver-Greenberg, J. (2012, July 13). JPMorgan Says Trading Loss Tops $5.8 Billion; Profit for Quarter Falls 9%. The New York Times. Retrieved from http://dealbook.nytimes.com/2012/07/13/jpmorgan-reports-second-quarter-profit-of-5-billion-down-9/
40 Yahoo Finance. (2012). JPMorgan Chase & Co. (JPM) – NYSE. Retrieved from http://finance.yahoo.com/q/hp?s=JPM&a=06&b=12&c=2012&d=06&e=14&f=2012&g=d
41 Kopecki, D. (2012, July 13). JPMorgan’s Drew Forfeits 2 Years’ Pay as Managers Ousted. Bloomberg. Retrieved from http://www.bloomberg.com/news/2012-07-13/dimon-says-ina-drew-offered-to-return-2-years-of-compensation.html
42 Melendez, E.D. (2013, March 13). Julien Grout, Former JPMorgan Junior Trader, Challenged The London Whale. The Huffington Post. Retrieved from http://www.huffingtonpost.com/2013/03/15/julien-grout-jpmorgan-london-whale_n_2884375.html
43 JPMorgan CIO. (2013, January 16). Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. Retrieved from http://files.shareholder.com/downloads/ONE/2407510808x0x628656/4cb574a0-0bf5-4728-9582-625e4519b5ab/Task_Force_Report.pdf
44 United States Senate. (2013, March 15). JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses. Retrieved from http://www.hsgac.senate.gov/download/report-jpmorgan-chase-whale-trades-a-case-history-of-derivatives-risks-and-abuses-march-15-2013
UBS: ALL BETS ARE ON


CASE OVERVIEW

Swiss banking giant UBS shocked the world when it was revealed that Kweku Adoboli, a member of its Global Synthetic Equities (GSE) Trading team in London, had engaged in unauthorised trading that resulted in an estimated loss of US$2 billion. For committing one of the largest frauds in UK’s history, Adoboli was jailed for 7 years.1 The scandal revealed persistent weaknesses in UBS’ internal controls and highlighted the excessive risk-taking culture for which UBS received heavy criticism from regulatory bodies. This incident also shook investors’ confidence in the capital market and has raised public concerns about corporate governance in UBS and other financial institutions. The objective of this case is to facilitate a discussion of issues such as board and management accountability; risk management and internal control; and corporate governance of financial institutions.

THE STORY OF THE SWISS BANKING GIANT

As the largest Swiss bank and a leading financial service provider, UBS has a global presence in more than 50 countries with approximately 60,000 employees providing investment banking, asset management and wealth management services.2

Since 1998, UBS has been the world’s largest manager of private wealth assets.3 Following its formation, the bank quickly proceeded to pursue its ambition of becoming a global power in investment banking by expanding rapidly into the U.S. market. By 2003, UBS had become the fourth largest investment bank in the world, and was among the top fee-generating investment banks globally.4

By the end of 2007, UBS was purportedly the most-leveraged major bank worldwide, with its assets far exceeding its total equity.5 In mid-March 2007, the bank’s channeling of more than US$100 billion into asset-backed securities led to massive losses during the subprime mortgage crisis. UBS then received a substantial financial bailout from the Swiss government and one of the bank’s largest shareholders, Government of Singapore Investment Corporation (GIC), further injected US$9.7 billion into the bank.6 On 6 March 2009, the share price of UBS hit a record low of US$7.72.

OSWALD GRÜBEL, THE CEO

On 26 February 2009, Oswald Grübel was named Group CEO and was tasked with leading UBS out of its crisis.7 The move was well received by traders on the Zurich exchange as UBS’ share price rose 14.85% to open at 11.60 Swiss francs (US$9.99) for the day.

Grübel’s performance, to a large extent, met expectations. In his first year at UBS, he managed to stave off huge losses and in 2010, Grübel led UBS to even greater recovery as he returned UBS into profitability.8 The organizational culture of UBS also changed under the leadership of Grübel, who said in a statement, “I’d actually like to see us put more risk on the table”.9

THE SCANDAL: FURTHER EROSION OF CONFIDENCE

UBS suffered an enormous dip in investors’ confidence in 2008 after the subprime mortgage crisis and the multi-million-dollar tax evasion controversy in the U.S. However, the worst had yet to come.

On 15 September 2011, UBS became aware of a massive loss, estimated at US$2.3 billion, arising from unauthorised trading allegedly conducted by Kweku Adoboli, an employee in UBS’ GSE Division. Adoboli was a director on UBS’ GSE Trading team in London on the Exchange-Traded Funds (ETF) Desk and had been responsible for a portfolio of companies with assets totaling US$50 billion. To maintain his ‘star’ status in the bank, he started increasing his risk exposure for greater profit, which resulted in greater losses when his bets failed. Using the knowledge and skills he had obtained from his time as an analyst in the “back office”, Adoboli began to engage in unauthorised trading, entering false information into the computer systems to conceal the risks he took. The increasingly risky trading resulted in volatile earnings and losses that he concealed using a range of prohibited mechanisms. These included one-sided internal futures positions, the delayed booking of transactions, fictitious deals with deferred settlement dates, and a concealment mechanism he termed the “umbrella”. Eventually, losses snowballed to hit US$2.3 billion10 before anyone was any wiser.

This is the abridged version of a case prepared by Ma Yan, Ng Wai Hong, Nie Yile and Su Liwen under the supervision of Professor Mak Yuen Teen and Dr Vincent Chen Yu-Shen. The case
was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and
perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Chloe Chua under
the supervision of Professor Mak Yuen Teen.

Copyright © 2014 Mak Yuen Teen and CPA Australia.


When the scandal became public, UBS’ stock price fell from US$12.68 to US$11.41, a 10% fall in value in one day.11 The scale of the losses led to renewed calls for the global separation of commercial banking from investment banking while media commentators suggested that UBS should consider downsizing its investment bank.

THE GATEKEEPER: BOARD OF DIRECTORS

Swiss law requires UBS to operate under a strict dual board structure comprising the Board of Directors (BOD) and the Group Executive Board (GEB), with clear separation of duties and responsibilities. The BOD is responsible for overseeing the Group’s direction and monitoring and supervising the business. The GEB is responsible for the executive management and is accountable to the BOD for the overall financial results of UBS.12

As at 31 December 2011, the BOD comprised 11 directors with diverse backgrounds, 10 of whom were independent. The exception, Chairman Kaspar Villiger,13 was the former Swiss Minister of Military and Finance. He had come out of retirement to guide UBS back on track14 despite public concerns of whether his capabilities could be extended to places outside of the ministries, particularly in a bank like UBS.

Under the BOD, there were five board committees covering audit, corporate responsibility, governance and nominating, human resource and compensation, and risk. The Risk Committee (“RC”) was responsible for reviewing the bank’s risk management and control framework. The Group chief risk officers and CEOs of the different banking divisions were to be present at meetings with the committee to ensure they were kept updated on the execution of risk management and controls. The RC had the duty to make reasonable enquiries into the possible deficiencies detected in the bank’s control and monitoring mechanisms, and to raise these concerns during these meetings.15

A RISKIER CULTURE

“If a bank doesn’t take any risk, it is incredibly hard to make money, and that is our job. Grübel thought there was room for more market risk, which in general was a view I agreed with.”
- Phil Allison, UBS AG’s Head of Global Cash Equities.16

Under Grübel’s charge, the bank undertook riskier business activities in order to increase profits, including proprietary trading which seeks opportunities with higher leverage using the bank’s own resources. In the Investment Banking Division, risk limits were increased, and punishment for excessive risk taking was overlooked in favour of generating profit. In particular, UBS was accused of rewarding traders who had breached compliance rules relating to personal account dealing and spread betting with increased remuneration and bonuses, as well as enrolment into higher-level management programmes.17 This sent the signal that excessive risk taking and non-compliance with rules were acceptable for profit, thus incentivising such risk-seeking behaviour.

There were also signs that senior management neglected the importance of controlling and monitoring functions in the bank organisation as evidenced by the lack of control infrastructure realignment during the transfer of ETF desk from the Cash Equities (CE) Division to the GSE Division.18 Responsibilities over Product Control continued to be held by the CE team despite the transfer. On many occasions, senior management sacrificed the effectiveness of controls for efficiency of processes.

RISK MANAGEMENT AND INTERNAL CONTROLS

Where were the Controls and Monitoring?

The ETF trading desk was controlled and monitored by three separate back office functions – Operations, Product Control (PC) and Market Risk (MR), and the line managers who supervised traders. The key responsibility of the Operations unit was to ensure that trades at the Desk were accurately recorded and properly processed. The PC unit was tasked with performing checks and ensuring correct reporting of profit and loss (P&L) of each trader. The MR department was responsible for daily market risk reporting and analysis. The line managers ensured that the risk limits were adhered to and reported any breach to the management.

However, over time, breaches of compliance instructions remained unchallenged and warnings went uninvestigated. The Operations unit did not raise any doubts even though there were unresolved reconciliation errors followed by suspicious and unsatisfactory explanations. PC personnel simply accepted the traders’ explanations for anomalies without sufficient analysis. It went completely unnoticed that the PC unit had not generated an important control report for a few months.19
Furthermore, UBS did not impose an approval threshold or require evidence for adjustments of P&L, thus providing traders with the opportunity to conceal their losses. The market risk system for the ETF Desk also did not automatically monitor trading positions in relation to pre-set risk limits. Line managers were uncertain of what their functions and responsibilities were in monitoring the ETF desk. Following a re-organisation, no specific arrangements were made for transferring responsibility for monitoring. System alerts failed to reach the new direct line manager in New York, and ended up instead with the previous manager who acknowledged them, despite it no longer being his responsibility.

Too Much Trust?

The relationships between traders and supervisors were characterised by a high degree of trust. Supervisors often did not question traders sufficiently regarding unusual increases in proprietary trading revenue as per guidelines. On numerous occasions where risk limits were breached and brought to the attention of the Desk’s line manager, no further investigation was made. Explanations were usually accepted without further verification.20

The operational risk department also placed a high degree of trust on the front office and their self-assessment of risks. Based on their internal framework of risk assessment, the operational risk department did not impose requirements for evidence or substantive testing to be done in order to validate self-assessment results. In addition, self-assessment was only done on an annual basis, hence presenting the possibility of control deficiencies going undetected for a long period of time.

Question of Competencies

Personnel in the control functions were allegedly incompetent and had a poor understanding of ETF-related trading activities. They saw their role as a support function rather than as a control mechanism. Moreover, the poor definition of certain roles and responsibilities and a lack of proper training essential to navigating the complexities of the ETF trading desks exacerbated the supervisors’ confusion, and compromised the supervisors’ ability to effectively carry out their duties.

Growth of Synthetic ETFs: The Need for Regulation

By European bank conventions, no confirmation of positions from the bank’s finance, risk-control and audit functions is required before proceeding with the trade.21 Investigators found that Adoboli had exploited this loophole in the regulations of ETFs to distort the true magnitude of risk exposure arising from the trade. This then allowed him to conceal his violation of stipulated risk limits and thus advance his fictitious trades.

This incident has prompted global banking and securities regulators to increase scrutiny on ETF regulations.22 Regulators are contemplating strict new rules dictating the amount and quality of collateral ETF providers need, and could impose requirements for fund managers to disclose a greater degree of detail in relation to their counterparties.23

CLEANING UP THE MESS

In the aftermath, CEO Oswald Grübel and the co-heads of Global Equities at UBS, Francois Gouws and Yassine Bouhara, resigned to assume responsibility for the trading scandal. Sergio Ermotti was appointed as the Group CEO on an interim basis.

Investigations took place over an eight-month period to pinpoint the causes of the incident. Significant changes were made to the infrastructure and controls, including changes to processes and monitoring capabilities. Changes to their internal control system, such as the escalation process for daily adjustments over defined thresholds and a supervisory signoff process, were implemented. Monitoring became more robust in the equities business, and there was better information flow to supervisors and risk managers.

UBS also aimed to reinforce accountability by the clarification of supervisory roles, reiteration of trading mandates and how employees’ performance reviews were done. A new supervision structure was implemented to ensure that supervisors are suitably experienced, while management information was improved with clearer prioritisation of information.

On 20 October 2012, UBS announced its intention to transform the firm by restructuring business activities. In particular, UBS wanted to sharpen its focus in investment banking, and to exit fixed income business lines, proprietary trading and other lines and products that were overly complex and which did not deliver stable and attractive risk-adjusted returns under new regulatory rules.
A POST-MORTEM: PROBLEM RESOLVED?

In late 2012, however, UBS was involved in yet another trading scandal.24 UBS traders Tom Hayes and Roger Darin were charged for taking part in a multi-year scheme to manipulate LIBOR and other benchmark interest rates. UBS was fined US$1.5 billion – the second largest fine ever imposed on a bank – by regulators in United States, UK and Switzerland. Along with UBS, many other banks, such as Barclays and RBS, were also fined for their involvement.

The persistent occurrence of banking scandals in financial institutions reflects a significant failure to address the core issues facing the whole financial sector. Despite the repeated revamp of internal control systems and changes in company leadership in individual banks, banks continue to hog headlines with shocking reports concerning new schemes involving fraud and manipulation. This points toward one overarching question: Can such issues in financial sectors ever be truly avoided?

DISCUSSION QUESTIONS

1. What were the key controls and monitoring mechanisms in UBS before the scandal took place? Comment on the effectiveness of these controls and mechanisms and how their inadequacies provided opportunity for the trading scandal to happen.

2. Discuss how the risk-taking culture in UBS could have given an incentive to the traders to circumvent the controls.

3. Should the board of directors have been held responsible along with the CEO? What should the Risk Committee have done before the scandal fully developed? What are some possible challenges faced by the committee in pre-empting such scandals?

4. Were the measures implemented by UBS to remedy the problems sufficient? How else could UBS improve corporate governance and internal controls?

5. What were the regulatory loopholes that contributed to the unauthorised trading? Could regulators play a bigger role in the governing of financial institutions with heavy trading activities?

ENDNOTES

1 Milmo, C. (2012, November 20). Biggest Fraudster in UK History: £1.4bn UBS rogue trader Kweku Adoboli Jailed for 7 Years. The Independent. Retrieved from http://www.independent.co.uk/news/uk/crime/biggest-fraudster-in-uk-history-14bn-ubs-rogue-trader-kweku-adoboli-jailed-for-7-years-8335469.html
2 UBS website. (2014, May 28). UBS in a few words. Retrieved from http://www.ubs.com/global/en/about_ubs/about_us/ourprofile.html
3 Tagliabue, J. (1997, December 9). 2 of the Big 3 Swiss Banks To Join to Seek Global Heft. The New York Times. Retrieved from http://www.nytimes.com/1997/12/09/business/international-business-2-of-the-big-3-swiss-banks-to-join-to-seek-global-heft.html
4 Ringshaw, G. (2004, February 15). Swiss peak on Wall Street. The Telegraph. Retrieved from http://www.telegraph.co.uk/finance/2877054/Swiss-peak-on-Wall-Street.html
5 Reguly, E. (2009, August 20). Too big to fail, a Swiss icon swings back to life. The Globe and Mail. Retrieved from http://www.theglobeandmail.com/report-on-business/too-big-to-fail-a-swiss-icon-swings-back-to-life/article1201531/
6 Mark, L. & Werdigier, J. (2007, December 11). UBS Records a Big Write-Down and Sells a Stake. The New York Times. Retrieved from http://www.nytimes.com/2007/12/11/business/worldbusiness/11bank.html
7 Fang, Y. (2009, February 26). UBS appoints new chief executive. China View. Retrieved from http://news.xinhuanet.com/english/2009-02/26/content_10901865.htm
8 Simonian, H. & Murphy, M. (2011, March 4). UBS’s Grübel waives 2010 bonus. Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/d6e3b3de-4667-11e0-aebf-00144feab49a.html#axzz2QDPQXWwi
9 The Economist. (2012, November 24). The education of Kweku Adoboli. The Economist. Retrieved from http://www.economist.com/news/finance-and-economics/21567134-swiss-bank-also-has-much-learn-education-kweku-adoboli
10 Fortado, L. and Hodges, J. (2012, November 20). UBS rogue trader gets 7 years for $2.3-billion fraud, biggest in UK trading history. Financial Post. Retrieved from http://business.financialpost.com/2012/11/20/ubs-rogue-trader-convicted-of-2-3-billion-fraud-jury-still-out-on-5-more-counts/
11 White, S. and Shirbon, E. (2012, October 15). UBS rogue trader loss less than crisis damage, UK court told. Reuters. Retrieved from http://www.reuters.com/article/2012/10/15/us-ubs-trial-idUSBRE89E19N20121015
12 UBS. (2014, March 14). Corporate Governance. Retrieved from https://www.ubs.com/global/en/about_ubs/corporate-governance.html
13 UBS. (2012). Annual Report 2011. Retrieved from http://www.ubs.com/global/en/about_ubs/investor_relations/annualreporting/2011.html
14 Aldrick, P. (2009, March 4). UBS to be chaired by former Swiss finance minister Kaspar Villiger. The Telegraph. Retrieved from http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/4938892/UBS-to-be-chaired-by-former-Swiss-finance-minister-Kaspar-Villiger.html
15 UBS. (2012). Annual Report 2011. Retrieved from http://www.ubs.com/global/en/about_ubs/investor_relations/annualreporting/2011.html
16 Chellel, K. & Fortado, L. (2012, September 26). UBS Co-Workers Knew of Fake Trades, Adoboli Told Lawyer. Retrieved from http://www.bloomberg.com/news/2012-09-25/gruebel-brought-more-risk-to-ubs-equity-desk-head-says.html
17 Croft, J. (2012, November 20). Rise and Fall of Adoboli the ‘Family’ Man. Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/91a2bd5c-2e9a-11e2-9b98-00144feabdc0.html#axzz2RdE3wv00
18 Laming, H. & Querée, N. (2013, January). FSA v UBS: will big fines change banks’ attitudes to risk management?. Butterworths Journal of International Banking and Financial Law. Retrieved from http://www.petersandpeters.com/sites/default/files/publications/JIBFL Jan2013.pdf
19 Goodway, N. (2012, November 26). UBS’s £29.7m penalty for failing to stop rogue trader Kweku Adoboli. London Evening Standard. Retrieved from http://www.standard.co.uk/business/business-news/ubss-297m-penalty-for-failing-to-stop-rogue-trader-kweku-adoboli-8351631.html
20 Ibid.
21 Lee, P. (2011, September 19). UBS Rogue Trader Exploited ETF Settlement Loophole. Retrieved from http://www.euromoney.com/Article/2902786/UBS-rogue-trader-exploited-ETF-settlement-loophole.html
22 Bowman, L. (2013). Systemic Risk Unease Puts Exotic ETFs in Regulators’ Sights. Retrieved from http://www.euromoney.com/Article/2877238/CurrentIssue/83088/Systemic-risk-unease-puts-exotic-ETFs-in-regulators-sights.html
23 Bowman, L. (2011, September 16). UBS loss is a body blow to the ETF lobby. Retrieved from http://www.euromoney.com/Article/2901925/Category/0/ChannelPage/0/UBS-loss-is-a-body-blow-to-the-ETF-lobby.html
24 Bart, K., Miles, T., & Viswanatha, A. (2012, December 19). UBS Traders Charged, Bank Fined $1.5 Billion in LIBOR Scandal. Reuters.com. Retrieved from http://www.reuters.com/article/2012/12/19/us-ubs-libor-idUSBRE8BI00020121219
TAX EVASION AND KYC
MIZUHO FINANCIAL GROUP: DOING BUSINESS WITH THE YAKUZA

CASE OVERVIEW

Mizuho Financial Group (Mizuho), the second largest financial services group in Japan, was embroiled in a case of illicit loan financing to the Japanese mafia through its affiliate, Orient Corporation (Orient Corp). Early warnings by Japan’s regulatory authority, the Financial Services Agency (FSA), about such business dealings were initially labelled as an isolated event, but the dealings were later exposed to be done with the knowledge of the Mizuho Bank’s President and CEO. The slow response of the board and Mizuho’s failure to fulfil its promise to tighten internal control resulted in persistent tolerance of lax screening and allowed illicit loan financing to go undetected in Orient Corp. Gaps in management oversight and the lack of streamlined control following Mizuho’s birth from a merger of three banks allegedly contributed to the failure to enforce compliance. The scandal left Mizuho with a tarnished reputation and led to an urgent call to revamp its board structure to institute greater independence and transparency of board processes. The objective of this case is to allow a discussion of issues such as board independence; board effectiveness; directors’ oversight role in ensuring compliance; corporate governance and management challenges resulting from a merger; governance of entities such as affiliates in a complex group; and the Japanese system of corporate governance.

LOOKING BACK AND FORWARD

As Yasuhiro Sato, President and CEO of Mizuho Financial Group (Mizuho), made his customary Japanese bow to apologise and acknowledge his mistakes, the recovery of the Group was only at its beginning. The decisions and penalties were announced one by one – suspension of parts of Mizuho’s operations, issuance of a business improvement order, management changes, and pay cuts. For the second time in three months,1 Mizuho was penalised for loans to organised crime groups.

Why did the issues persist for so long? How did Mizuho end up in this predicament? What more could be done to improve the situation? The curtain may have fallen for the time being, but Mizuho’s problems were far from settled.

THE FIRST SIGN OF TROUBLE

On 1 October 2011, the Boryokudan Haijojorei2 was formally written into Japanese law, signifying the country’s renewed effort to keep the Japanese mafia, more commonly known as Yakuza, out of Japanese society. Under the organised crime exclusion law, any forms of financing or payment to Yakuza are criminalised. Regrettably, not all within Mizuho heeded the message.

The fiasco began with a routine inspection between December 2012 and March 2013 by the FSA, which oversees banking, securities and exchange, and insurance in Japan.3 The inspection uncovered 230 loan transactions with Yakuza-linked entities or individuals with loan amounts exceeding ¥200 million (approximately US$2 million) over more than two years.4 Although it was established that most of the loans were auto loans taken out via its consumer-finance affiliate, Orient Corp, Mizuho was the ultimate entity financing these loans.5

THE YAKUZA: AN ENTRENCHED SOCIAL ELEMENT

The history of the Yakuza dates back to the 17th century, when they controlled construction and dockside labour in addition to other unsavoury businesses such as prostitution, gambling and liquor distribution.6 From the 1980s, the Yakuza expanded their reach beyond the underworld to infiltrate the Japanese corporate world and financial system, in areas of real estate development and stock market manipulation.7

In 2012, a new revision was made to the Boryokudan Haijojorei to allow “police to designate organised crime groups as “extremely dangerous” and arrest any member of that group, without issuing a cease and desist order, if he (or she), makes unreasonable or illegal demands towards ordinary citizens”.8

Despite these measures, the Yakuza is still pervasive in many areas and echelons of Japanese society, with 63,000 known members in Japan currently.9 They are known to cover their tracks well through the use of front companies and other disguises, making prosecution difficult due to the lack of evidence. The banking sector has suffered

This is the abridged version of a case prepared by Tan Ze Shan, Chan Yu Wei, Lee Xian En Paul and Wu Jiaying, Louisa under the supervision of Professor Mak Yuen Teen. The case was
developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and
perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Toh Jia Yun under
the supervision of Professor Mak Yuen Teen.

Copyright © 2014 Mak Yuen Teen and CPA Australia.



from the Yakuza’s penetration and influence as well. For instance, Citibank Japan lost its private banking license in 2004 due to high-ranking Yakuza members holding numerous accounts with the bank.10

A FINANCIAL POWERHOUSE

Mizuho is a bank holding company headquartered in the Ōtemachi district of Chiyoda in Tokyo, with a primary listing on the Tokyo Stock Exchange (TSE).11 It is one of the largest financial institutions in the world, offering a wide range of financial services, including banking, trust and securities, and asset management services.12 Mizuho Holdings, Inc. was established in September 2000 through the merger of three banks – Dai-Ichi Kangyo Bank (DKB), Fuji Bank (Fuji) and the Industrial Bank of Japan (IBJ). Mizuho Financial Group was then established in January 2003 as the parent company of Mizuho Holdings, Inc, and became its sole shareholder.13

In Japanese, “mizuho” means “a fresh harvest of rice”. This expresses Mizuho’s commitment to “offer highly fruitful financial products and services to all customers, both in Japan and abroad”.14 Mizuho’s brand slogan, “One Mizuho: Building the future with you”, indicates their commitment to become “The most trusted financial services group with a global presence and a broad customer base, contributing to the prosperity of the world, Asia, and Japan”.15

BIG BANK, BIG TROUBLE

On 27 September 2013, Mizuho received a Business Improvement Order from the FSA regarding its illicit transactions with “anti-social elements”, a euphemism for organised crime groups such as the Yakuza.16 It was a warning for Mizuho to tighten its processes and procedures in accordance with the law, which prohibits transactions with organised crime. In response, Mizuho vowed to “implement its improvement plan in relation to this problem and also work with utmost effort towards further improvement and reinforcement of its internal control systems”.17

Initially, Mizuho claimed that the loans were traced to a rogue compliance executive; that it was not pervasive through the ranks.18 However, this stand was reversed three days later when Mizuho admitted that top management, including Mizuho Bank President and CEO Yasuhiro Sato, had been kept in the loop long before the scandal unfolded.19

In response, the FSA called for an additional detailed report to be submitted, including the names of all executives who knew about the loan. Shortly after, on 25 October, Mizuho announced that it would punish 54 executives in connection with the illicit loans.20 In addition, Sato would forfeit six months of salary.21 Takashi Tsukamoto, the Chairman of Mizuho Group and Mizuho Bank, would step down as Chairman of Mizuho Bank. However, at that time, he was allowed to remain as the Group Chairman.22

On 5 November 2013, the FSA began to conduct additional probes, resulting in a more punitive administrative order being meted out to Mizuho on 26 December, involving suspension of its loan business with consumer-credit affiliate firms for a month and a requirement to submit a mandatory business improvement plan by 17 January 2014.23

Furthermore, on the same day, Tsukamoto announced that he would be stepping down as Group Chairman in March 2014 to take responsibility for the Yakuza loans scandal. In addition, Sato would extend his no-pay period from six months to one year.24

Following Mizuho’s loan scandal, FSA began inspections of Japan’s two other largest banks, Mitsubishi UFJ Financial Group (MTU) and Sumitomo Mitsui Financial Group (SMFG), to ensure compliance with regulations regarding transactions with organised crime.25

FAILING FROM WITHIN

“Executives from the former bank defended their own fiefdoms … even from the outside, we can see they are not well-informed, from the top to the bottom.”
– Kanji Tanimoto, Professor in Corporate and Social Responsibility at Waseda University26

The formation of Mizuho through the merger of the three banks did not result in any dominant party, and thus created a lack of coordination and synergy within the Group and created gaps in its governance structures. For instance, on Mizuho’s first day of business on 1 April 2002, it experienced “the biggest banking system failure in history” due to the many transaction errors relating to its Automated Teller Machine (ATM) system.27 This was mainly because the three banks could not come to a unanimous decision on the adoption of a single computer system. Eventually, instead of deciding whose computer system to use, the three banks decided to bridge the existing systems of each bank. However, this also did not work out as Mizuho ATMs had to be shut

down in March 2011 due to a system overload, delaying the processing of more than one million money transfer orders.28

LACK OF OVERARCHING OVERSIGHT ON CAPTIVE LOANS

More significantly, some loans made through Orient Corp, Mizuho’s consumer-finance affiliate and the entity predominantly funding Yakuza-linked entities, were carried out without stringent due diligence and background checks.29 In such a “captive” lending situation, Orient Corp extends and guarantees a loan while Mizuho finances it. However, the customer screening process responsibility was outsourced to Orient Corp, instead of applying the more stringent screening conducted by Mizuho for conventional loans. Orient Corp’s lax screening system allowed Yakuza-linked loans to be approved with minimal identification checks.30 Despite calls from the FSA to enhance internal controls in order to curb loans tied to Yakuza as early as 2003, Mizuho did not perform its own customer background checks for affiliate-linked customers until seven years later.31 Mizuho’s management did not provide oversight on the corporate governance and internal controls of its affiliated companies,32 and the scandal showed that the conduct of its affiliates would have as great an impact on Mizuho as if it were making the loan itself.

FAILURE TO TAKE ACTION AND ADDRESS ANTI-SOCIAL LOANS

Perhaps what was more damaging was that the former banking unit President, Satoru Nishibori, did not take action although he was made aware in July 2010 of the loans made to the Yakuza. After stepping down a year later, he did not inform his successor, Tsukamoto, of the illicit loans, and also did not inform Sato, CEO and President of Mizuho, of the issue. Sato claimed that he only knew of the issue in March 2013, after a regular FSA inspection raised red flags.33 Due to the lack of coordination and communication within Mizuho, the issue was only dealt with in 2013 although the former President, Nishibori, already had knowledge of this issue in 2010.34

Mizuho’s failure to address the issue for nearly two years after uncovering the transactions highlighted the ineffectiveness of the board in ensuring compliance with legislation and ethical standards. At Mizuho, the legal compliance department was in charge of overseeing financial transactions with Yakuza members and other questionable dealings.35 At that time, Masakane Koike was the executive director acting as the head of both the risk management and compliance departments. While the departments failed to take appropriate measures to address the issue, the board as a whole failed to oversee and ensure that Koike carried out his duties properly and diligently.

BOARD INDEPENDENCE

Before the scandal, Mizuho’s Board comprised 12 members, consisting of Chairman Tsukamoto, eight executive directors and three ‘outside’ directors who did not engage in day-to-day management.36 Under Tokyo Stock Exchange listing rules, companies should have at least one independent director.37 A lack of independence on the Mizuho Board still persists today, with the majority being executive directors. This issue is common and prevalent in Japan, where most board members are company insiders.38

REPUTATION MATTERS

In absolute terms, the controversial loans amounting to US$2 million would not have any material impact on Mizuho’s earnings and financial performance. Furthermore, the FSA merely ordered Mizuho to strengthen its internal control and compliance without imposing any monetary penalties. The month-long suspension of business with its affiliates should not have material financial consequences either. However, the business improvement order was seen as a public spanking and placed Mizuho in a bad light, thus adversely affecting the Group’s reputation.

Unsurprisingly, Mizuho’s investors and shareholders reacted negatively to the news. On the first trading day after the FSA released its findings on 27 September 2013, Mizuho’s shares fell 4.1%, the most in three months, while the benchmark index retreated one percent.39 Over the next few weeks, Mizuho shares declined to a low of ¥203 on 10 October from a high of ¥222 on 27 September. Correspondingly, Mizuho’s market capitalisation fell from ¥5.37 trillion to ¥4.91 trillion, a decline of over ¥400 billion that far exceeded the direct economic consequences of the scandal. However, Mizuho’s share price recovered to its previous level within two months and continued with an upward trend till early 2014.

Similarly, Orient Corp’s share price fell from ¥283 on 27 September to ¥238 on 7 October. However, Orient Corp’s share price did not recover to its previous level as of early 2014.

MIZUHO’S RESPONSE

In response to its compliance failure, Deputy President Toshitsugu Okabe replaced Koike as head of compliance on 30 September 2013.40 With the aim of strengthening the holding company’s power to oversee subsidiaries and affiliates and to achieve greater transparency, Mizuho announced that audit, nominating and compensation committees will be formed as advisory bodies of the board, and Mizuho will pick an outsider to lead its board after the departure of the Group Chairman, Tsukamoto. With this, Mizuho will be the first among Japan’s three biggest banking groups to have its management supervised by three committees consisting largely of outside directors41, allowing for a clearer separation between management oversight and business operations, improving Group-wide governance42. This plan was approved at a general shareholders’ meeting in June 2014.43

REPAIRING A TARNISHED REPUTATION

While rivals Mitsubishi UFJ Financial Group and Sumitomo Mitsui Financial Group continue to aggressively expand overseas, Mizuho’s primary concern for now will be its problems with corporate governance and company culture.44

Mizuho has undergone management shake-ups in the wake of the scandal, which seem to have been met with shareholder approval, based on its rapid share price recovery. The latest shake-up was announced on 14 March 2014, consisting of changes in executive positions across the Group. On 1 April 2014, Nobuhide Hayashi, a 56-year-old deputy president of Mizuho, replaced Sato as CEO of Mizuho Bank. Sato remains as President of Mizuho, focusing on revamping the corporate culture of the Group.45

EPILOGUE

Since the saga, Mizuho has led the way in governance overhaul in Japan with the transformation to a more U.S.-style board. In a recent report released on 25 June 2015 endorsed by President Sato, it was stated that “the Board of Directors has started off well” in its first year after the transformation. Six out of thirteen directors in total are outside directors and five out of these six directors are independent.46 The Chairman is also an outside director.47 This represents a significant improvement in the overall independence of the board. Mizuho’s share price has also been on the rise in the aftermath of the reform, marking a positive turnaround for the troubled bank.

DISCUSSION QUESTIONS

1. Why do you think that the Mizuho board, after being made aware of the illicit business dealings, chose not to take any action against the illicit loans?
2. Evaluate Mizuho’s board composition before the fallout from the loans scandal.
3. Discuss whether the penalties meted out by the FSA were sufficient.
4. Has Mizuho taken appropriate steps to improve its internal control and governance structure?
5. With reference to Mizuho and other examples, what are the corporate governance and management challenges that may arise from a merger?
6. What are the unique challenges relating to governance of group entities, such as Orient Corp in Mizuho’s case?
7. Evaluate the Japanese corporate governance system in terms of the existing legislation and codes (or lack thereof). Are there certain cultural or business norms which may have contributed to these issues?

ENDNOTES

1 Yui, M., Kawamoto, S. (2013, December 26). Mizuho Chairman Tsukamoto Resigns Over Loans to Crime Groups. Retrieved from http://www.bloomberg.com/news/2013-12-26/mizuho-draws-more-penalties-for-transactions-with-crime-groups.html
2 Translated to English as Japanese Organised Crime Group Countermeasures Law
3 Fukase, A., & Inagaki, K. (2013, October 17). Mizuho Is a Bank Bowed by Its Structure. Wall Street Journal. Retrieved from http://www.wsj.com/articles/SB10001424052702304330904579132822082403460
4 Hirata, N. (2013, October 29). Japan to Inspect Big Banks in Broadened Yakuza Loans Probe. Reuters. Retrieved from http://uk.reuters.com/article/2013/10/29/uk-japan-banks-scandal-idUKBRE99S09G20131029
5 Ibid.
6 Okinawa. (n.d.) The Yakuza. Retrieved from http://www.okinawan-shorinryu.com/okinawa/yakuza.html
7 Fukase, A. (2013, December 26). Mizuho Ordered to Suspend Some Operations. Wall Street Journal. Retrieved from http://online.wsj.com/news/articles/SB10001424052702303799404579281673604167640
8 Adelstein, J. (2012, July 30). Japan’s Newest Anti-Yakuza Laws Allow Instant Arrests. Retrieved from http://www.thewire.com/global/2012/07/japans-newest-anti-yakuza-laws-allow-instant-arrests/55198/
9 Adelstein, J., Stucky, N. (2013, November 27). Japan’s Mega Banks Have Mega Yakuza Trouble. Retrieved from http://www.thedailybeast.com/articles/2013/11/27/japan-s-mega-banks-have-mega-yakuza-trouble.html
10 Ibid.

11 Mizuho Financial Group. (2014, September 30). Company Information. Retrieved from http://www.mizuho-fg.co.jp/english/company/info/index.html
12 Mizuho Bank Americas. (n.d.). About Us. Retrieved from http://www.mizuhobank.com/americas/about/about_us/index.html
13 Mizuho Financial Group. (n.d.). Corporate History. Retrieved from http://www.mizuho-fg.co.jp/english/company/info/profile.html
14 Mizuho Financial Group. (n.d.) About Mizuho Financial Group (Question). Retrieved from http://www.mizuho-fg.co.jp/english/faq/about_mhfg.html#q01
15 Mizuho Financial Group. (n.d.) Corporate Identity. Retrieved from http://www.mizuho-fg.co.jp/english/company/policy/ci/index.html
16 Fukase, A., & Inagaki, K. (2013, October 17). Mizuho Is a Bank Bowed by Its Structure. Wall Street Journal. Retrieved from http://www.wsj.com/articles/SB10001424052702304330904579132822082403460
17 Mizuho Bank. (2013, September 27). Administrative Order from the Financial Services Agency. Retrieved from http://www.mizuhobank.com/company/release/pdf/20130927.pdf
18 Torres, I. (2013, October 14). Tokyo Police to Investigate Mizuho Bank’s Dealings with Organized Crime. The Japan Daily Press. Retrieved from http://japandailypress.com/tokyo-police-to-investigate-mizuho-banks-dealings-with-organized-crime-1437678/
19 Ibid.
20 Fukase, A. (2013, December 26). Mizuho Ordered to Suspend Some Operations. Wall Street Journal. Retrieved from http://www.wsj.com/articles/SB10001424052702303799404579281673604167640
21 Ibid.
22 Ibid.
23 Financial Services Agency. (2013, December 26). Administrative Actions against Mizuho Bank Co., Ltd. and Mizuho Financial Group, Inc. Retrieved from http://www.fsa.go.jp/en/news/2013/20131226-1.html
24 Japan Times. (2013, October 8). Ex-Mizuho President ‘Knew of Yakuza Loans’. The Japan Times. Retrieved from http://www.japantimes.co.jp/news/2013/10/08/business/ex-mizuho-president-knew-of-yakuza-loans/
25 Langeland, T., Hyuga, T. (2013, November 7). Kicking the Yakuza in the Assets. Businessweek. Retrieved from http://www.businessweek.com/articles/2013-11-07/japan-attacks-yakuza-crime-syndicates-via-banking-system
26 McLannahan, B. (2013, October 28). Mizuho’s Flawed Controls Opened the Door for Yakuza Exploitation. The Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/e492a81e-3fc5-11e3-a890-00144feabdc0.html#axzz2ykJNm6y3
27 Nakao, M. (n.d.). Mizuho Financial Group Banking System Failure. Retrieved from http://www.sozogaku.com/fkd/en/cfen/CA1000623.html
28 Mizuho’s Grave Governance Problem. (2013, October 30). The Japan Times. Retrieved from http://www.japantimes.co.jp/opinion/2013/10/30/editorials/mizuhos-grave-governance-problem/#.VZdNK1Wqqkp
29 Tabuchi, H. (2013, October 28). Japanese Bank’s Inquiry Finds Details of Shady Loans. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/10/28/mizuho-report-finds-no-cover-up-of-gangster-loans/
30 Ibid.
31 McLannahan, B. (2013, October 28). Mizuho’s Flawed Controls Opened the Door for Yakuza Exploitation. The Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/e492a81e-3fc5-11e3-a890-00144feabdc0.html#axzz2ykJNm6y3
32 Tabuchi, H. (2013, October 28). Japanese Bank’s Inquiry Finds Details of Shady Loans. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/10/28/mizuho-report-finds-no-cover-up-of-gangster-loans/
33 McLannahan, B. (2013, October 28). Mizuho’s Flawed Controls Opened the Door for Yakuza Exploitation. The Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/e492a81e-3fc5-11e3-a890-00144feabdc0.html#axzz2ykJNm6y3
34 Ibid.
35 Sasai, T. (2013, October 20). Mizuho Bank to Set up Anti-yakuza Department. Retrieved from http://ajw.asahi.com/article/business/AJ201310200019
36 Mizuho Financial Group. (n.d.) Annual Report 2012/2013. Retrieved from: http://www.mizuho-fg.co.jp/english/investors/financial/annual/data1303/pdf/data1303_all.pdf
37 Japan Exchange Group. (n.d.). Independent Directors/Auditors. Retrieved from http://www.jpx.co.jp/english/equities/listing/ind-executive/
38 Nagata, K. (2012, January 17). Corporate Japan: Woeful Lack of Outside Directors. The Japan Times. Retrieved from http://www.japantimes.co.jp/news/2012/01/17/reference/corporate-japan-woeful-lack-of-outside-directors/#.U0qpMtzEUfM
39 The Asahi Shimbun. (2013, October 5). Mizuho Bank says Deputy Presidents Knew of Gangster Loans, Yet Took No Action. Retrieved from http://ajw.asahi.com/article/business/AJ201310050042
40 Yui, M., Kawamoto, S. (2013, October 4). Mizuho Takes Steps to Improve Compliance After Crime-Group Loans. Retrieved from http://www.bloomberg.com/news/2013-10-04/mizuho-takes-steps-to-improve-compliance-after-crime-group-loans.html
41 Reuters. (2013, December 26). Mizuho to Restructure Amid Loan Scandal. The New York Times. Retrieved from http://www.nytimes.com/2013/12/27/business/international/mizuho-to-restructure-amid-loan-scandal.html?_r=0
42 Nikkei. (2013, December 26). Mob Loans Prompt Mizuho to Adopt American-style Governance. Retrieved from http://asia.nikkei.com/Business/Companies/Mob-loans-prompt-Mizuho-to-adopt-American-style-governance
43 Mizuho Financial Group. (n.d). Enhancement of Corporate Governance. Retrieved from http://www.mizuho-fg.co.jp/english/company/strategy/enhancement/index.html
44 Uranaka, T. (2014, January 23). Mizuho Replaces Core Unit CEO After Mob Loan Scandal. Reuters. Retrieved from http://www.reuters.com/article/2014/01/23/mizuho-management-idUSL3N0KX2F420140123
45 Ibid.
46 Mizuho Financial Group. (2015, June 25). Corporate Governance. Retrieved from http://www.mizuho-fg.co.jp/english/company/structure/governance/pdf/g_report.pdf
47 Ibid.

THE taX-FILES: HSBC GROUP


CASE OVERVIEW

In early 2015, HSBC was accused of knowingly helping its clients evade taxes. When faced with the allegations, HSBC admitted to control and compliance failings, but insisted that they were due to poor integration of its subsidiaries, and had not been intentional. The objective of this case is to allow a discussion of issues such as ethics; whistleblowing; corporate governance in company groups; and tax risk governance.

GOING “GLOCAL”

HSBC, “The World’s Local Bank”, began operations in 1865. Today, it has operations in over 80 countries and a total asset value of approximately US$2.67 trillion.1

HSBC’s first foray into the Swiss private banking market was in 1999 after its acquisition of Republic New York Corporation and Safra Republic Holdings.2 HSBC Private Bank (Suisse) S.A. was then incorporated to take over the clients of the acquired firms. It offers clients private banking, investment and wealth management services.3

HSBC has had its fair share of controversies. Within the past four years, it has been involved in the 2012 LIBOR4 and EURIBOR5 fixing scandal, and the 2014 money laundering scandal. As a battered HSBC crawled out from the wreckage of its scandals, it was slapped with accusations that its Swiss private banking arm had actively abetted tax evasion for its clients.

FALCIANI TAKES A LEAK

“I worked with a group called ‘change the bank’ but this was against another group called ‘run the bank’ which wanted to do things without being monitored.”
– Hervé Falciani6

Between 2006 and 2008, Hervé Falciani, a French national and a computer security specialist tasked with the migration of client data between HSBC Suisse systems, allegedly pilfered a significant amount of the data.7 After a tip-off about Falciani’s illicit activities, the Geneva police picked him up on 22 December 2008 for questioning before releasing him on bail.8 Falciani jumped bail and absconded to France with the two most important things in his life – his family and the stolen data.9

In France, Falciani proceeded to hand the data over to French authorities. Despite repeated attempts by Switzerland to extradite Falciani and recover the stolen data, France resisted on the grounds that the information was against France’s national interest,10 and that Falciani, being a French citizen, was not subject to extradition agreements.11

The stolen information was shared with other governments’ tax bodies by the then French Finance Minister, Christine Lagarde.12 This led to the tax authorities of various countries commencing tax recovery efforts amounting to hundreds of millions of unpaid taxes against offenders on the list.13

FALSE-CIANI?

“They will pay me for what I have done, which is worth a lot.”
– Hervé Falciani14

It soon emerged that Falciani may have had other intentions for swiping the data. Guillaume Brachet, a fiscal consultant Falciani engaged to help monetise the data, indicated that while Falciani claimed that the data was obtained via the “expert mining of open, public sources”, Falciani appeared nervous and evasive when probed further.15 Georgina Mikhael, an HSBC contract employee at the time, was responsible for tipping off the authorities about Falciani. The pair had set up a virtual company, Palorva, which served as a front for selling the data. In February of 2008, the pair flew to Beirut, Lebanon, to try to sell the data.16

In Lebanon, Mikhael and Falciani attempted to sell the data to various banks, but Falciani’s evasive nature when questioned on the data’s origins scuppered any possibility of a deal with the banks. One of the banks informed the Swiss Bankers’ Association about Falciani’s offer, alerting the office of the Attorney General in Switzerland which commenced an investigation.17

With the banks pulling out, Mikhael alleged that Falciani turned his attention to selling the data to the authorities.18 Falciani and Mikhael sent emails to

This is the abridged version of a case prepared by Choong Zhi Yong, Chuah Yih Hui, Tan Si Rui Bryan, Tan Zhe Ren and Tay Yi Qing under the supervision of Professor Mak Yuen Teen. The
case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations
and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Nie Yuanqiu
under the supervision of Professor Mak Yuen Teen.

Copyright © 2016 Mak Yuen Teen and CPA Australia.



European tax authorities and intelligence agencies offering “the client list of one of the world’s largest wealth management banks”. Signed by a “Ruben Al Chidiack”, the email was titled “Tax evasion: Client list available”.19

ROBIN HERVÉ?

“I am not Robin Hood. I’m not a mercenary. I acted like a citizen.”
– Hervé Falciani20

Falciani publicly denounced Mikhael’s claims and stated his only intention was to expose the tax evasion that HSBC was abetting. He claimed that he flew to Lebanon and attempted the sale only because he was instructed to do so by men claiming to be agents of Mossad.21

Falciani also maintained that he had handed the data to French authorities instead of the Swiss because the Swiss refused to protect his anonymity when he tried to whistle-blow on HSBC.22

SWISS SECRECY LAWS

“Imprisonment of up to three years and/or a fine of up to 250,000 SFr will be awarded to persons who deliberately discloses a secret that is entrusted to him in his capacity as employee… of a bank... or attempts to induce such an infraction of professional secrecy.”
– Article 47, Swiss Banking Act

In Switzerland, there is a federal act that enshrines banking secrecy. The Swiss Federal Banking Act criminalises transgressions against banking secrecy by imposing a prison term and a large fine on offenders. Under the law, it is illegal for anybody to deliberately disclose, or attempt to disclose, any bank-related confidential information made privy to him/her. This restriction on divulgation extends to certain information given by subsidiaries operating in Switzerland to parent companies. HSBC therefore faced severe restrictions on the amount and type of information it was allowed to be made privy to with regard to HSBC Suisse.23

SWISS VIEW: TAX AVOIDANCE VS TAX EVASION VS TAX FRAUD

Swiss Law distinguishes between tax avoidance, tax evasion and tax fraud. Tax avoidance is the reduction of one’s tax exposure via legal exploitation of loopholes in the system. Tax evasion constitutes the failure of the taxpayer to declare certain income or assets to tax authorities. Swiss law views tax evasion as a misdemeanour, but not a crime. Authorities are prohibited from lifting banking secrecy to obtain information regarding taxpayers’ assets.24

Tax fraud is defined as the submission of falsified or forged financial documents with the intention to avoid payment of tax. Tax fraud is subject to Swiss penal prosecution, and a judge has the right to lift banking secrecy and subpoena client information directly from the bank.25

SWISS APPEASE

Due to EU pressure over its banking secrecy, Switzerland signed an agreement in 2005 known as the Swiss-EU Savings Tax Agreement. Under this agreement, Switzerland would charge a final 15% withholding tax on capital and savings income of EU citizens. This was increased to 20% from 2008, and to 35% from 2011. 75% of the retention tax collected would go back to the EU and its member states while Switzerland would keep the remaining 25%.26

Under this scheme, Switzerland got to keep its banking secrecy while earning 25% of the withholding tax. Clients could protect their wealth information by paying a fixed rate, and the EU could collect some taxes that were previously uncollectible. This seemed like a win-win-win situation for everyone involved. What could possibly go wrong?

ASSET RICH, ETHICS POOR

“I think they were a tax avoidance and tax evasion service. I think that’s what they were offering. They knew full well that people come to them to dodge their tax liabilities.”
– Richard Brooks, former HMRC tax inspector27

Clever manipulation of Swiss banking laws can set the stage for tax evasion. However, it takes two to tango, and HSBC Suisse’s questionable practices had to share the stage. HSBC Suisse exploited the freedom accorded by the Swiss laws and took advantage of a loophole within the Swiss-EU Savings Tax Agreement to initiate and aggressively market a “device” to its clients.28

The withholding tax agreed on only applied to individual savings and not corporate funds.29 Armed with this knowledge, HSBC Suisse allegedly began offering “Tax, Trust and Real Estate Planning” services to its clients. Clients were advised to circumvent the withholding tax by depositing their funds into shell companies. HSBC would provide the necessary paperwork and incorporate the companies for an annual fee.30 A complementary service which allowed clients to withdraw huge amounts of foreign currencies in Switzerland came packaged with the deal.31

HUFF AND PUFF AND BLOW YOUR HOUSE DOWN
“Most Swiss banks do have a whistle-blower program, but they use it to punish those who avail themselves of it”
– Hervé Falciani32

HSBC’s Employee handbook outlines the company’s definition of wrongdoing at work, and the avenues that employees can avail themselves to make a “protected disclosure”.33 HSBC Chairman, Douglas Flint, asserted that firms should “encourage the calling out of bad behaviour” and reward and praise “those who escalate their concerns even if they are sometimes wrong”.34

The recent cases of Everett Stern35 and Nicholas Wilson36, however, offer a different viewpoint. Both raised concerns over suspicious transactions and illegal practices only to see them fall on deaf ears, despite reporting to HSBC via proper channels.

Being ignored is rarely the only repercussion whistle-blowers face, particularly in Switzerland which is in the midst of tightening its law on whistle-blowing.37 In Falciani’s case, Swiss authorities are in the midst of indicting him for qualified industrial espionage, unauthorised obtainment of data, and violation of banking secrecy.38

THE APPLE DOESN’T FALL FAR FROM THE TREE
“We deeply regret and apologise for the conduct and compliance failures highlighted which were in contravention of our own policies as well as expectations of us.”
– Douglas Flint, CEO HSBC Holdings PLC39

While HSBC apologised and accepted responsibility for its failures within its Swiss subsidiaries, it took due care to stress that its Swiss arm had not been fully integrated into HSBC after its purchase and was therefore run in a more “federated way” with decisions “frequently taken at a country level”.40 This allowed “significantly lower” standards of compliance and due diligence to persist.41 A quick peek into HSBC annual report, however, showed that “the integration of the former Republic and Safra businesses went smoothly during 2000”.42

It is worth noting that this was not the first time HSBC had claimed poor integration. Douglas Flint, Chairman of HSBC Group, made a similar claim when HSBC’s Mexican subsidiary was exposed for money laundering back in 2012. Flint claimed that it was “impossible for board members to know how the bank’s different businesses were operating” unless issues were raised.43 Stern and Wilson, however, harshly rebuked this claim by alleging that their reports of compliance failures fell on deaf ears.

GULLIVER’S TROUBLES: STUART’S LITTLE PROBLEM
“Being in Switzerland protects me from the Hong Kong staff. Being in Panama protects me from the Swiss staff”
– Stuart Gulliver, CEO, HSBC44

It soon emerged that HSBC’s CEO Stuart Gulliver had private Swiss and Panamanian bank accounts. Apart from that, Gulliver was found to be registered as a non-domiciled citizen of the UK.45 Additionally, Gulliver’s role as CEO of HSBC Holdings PLC was merely a secondment from the Dutch-headquartered HSBC Asia Holdings.46 All these conferred tax advantages which allowed Gulliver to limit his tax exposure in the UK.47

Gulliver issued statements maintaining that he had “never paid less than the marginal UK tax rate”.48 He further emphasised that he had declared his Swiss account to UK tax authorities over the years. These claims were supported by Flint who openly backed Gulliver by stating that “there is absolutely no story here. There is nothing Stuart has done that is not absolutely transparent, legal and appropriate”.49

FAIR WEATHER AHEAD?
“I can assure you that we had no evidence of tax evasion”
– Rona Fairhead50

Rona Fairhead, Independent Non-Executive Director of HSBC Holdings PLC, joined Gulliver at the centre of the furore when she insisted that no evidence of tax avoidance had surfaced during her tenure.51 She blamed HSBC Suisse’s relationship and domestic managers for

the failings.52 However, her status as “independent” non-executive director was called into question due to concerns over her remuneration of £847,000 in 2014.53 Her plea of reliance on internal auditors, FINMA, and on strict internal controls was refuted as she was criticised for her passive regulation of the bank and gross incompetence, which led the court to call for her resignation.54

HIDE AND SEEK NO MORE
The practices that HSBC was decried for are by no means exclusive to the bank itself. Other players in the private banking industry, such as UBS, Julius Baer, RBS55 and BSI56 have been either convicted or are under investigation for the same transgressions.57 In the wake of these incidents, private bank managements are scrambling to inspect and eradicate tax evaders from their client lists.58

Following a growing global outcry regarding corporate tax compliance, a framework for the crackdown on global tax avoidance has been released by the Organisation for Economic Co-operation and Development (OECD) and supported by more than 60 governments.59 The framework aims at creating global guidelines for tax reform and reporting, as well as exercising pressure on specific countries to address and correct commonly exploited tax loopholes.60

As part of the OECD’s efforts, Switzerland has budged slightly on the international front and committed to the automatic exchange of information about individual accounts, taxes, assets and income, subject to reviews and rules of confidentiality.61 The proposed timeline is for full implementation by 2017 or 2018, and this has been hailed as the final nail in the coffin for banking secrecy.62

A FRANC DISCLOSURE
“I would say that a number of us, myself included, think that the practices at the Swiss private bank in the past are a source of shame and reputational damage to HSBC.”
– Stuart Gulliver63

As of February 2015, HSBC has neither confessed nor denied any of the tax evasion allegations. Instead, in a statement released by HSBC on 8 February 2015, they maintained that individuals themselves exploited Swiss banking secrecy laws to circumvent tax obligations and that such problems were prevalent throughout the entire industry.64

When quizzed about a recurrence of the scandal, Gulliver asserted that HSBC had put in place controls, systems and compliance functions to reduce the risk of recurrence to an “absolute minimum”, and to uphold the “highest or most effective standards across the group to combat financial crime”.65 However, he carefully noted that he could not “absolutely guarantee that it (would) not happen again”.

In a bid to win back investor confidence, a new management team was established to lead HSBC Suisse and implement a host of new reforms, such as reviewing clientele and refusing service to those who did not manage to pass, or enforcing a new tax transparency policy.66 This is in line with a major restructuring of HSBC’s control and management, with MWM Consulting appointed to facilitate the sourcing and engagement of non-executive directors for the board. Analysts have described this as the most sensational change in the management of Britain’s largest bank. In addition, prior to the exposure of the tax scandal in its Swiss arm, HSBC announced that it would do away with its age-old tradition of nominating the next chairman from its internal pool of talent.67

The repercussions for HSBC have been financially and reputationally damaging. In light of the recent scandals, almost a third of its shareholders refused to back the proposed remuneration for top management at the 2015 Annual General Meeting and called for the resignation of key management figures who were heavily involved in the tax scandal.68

AU REVOIR
“Can I know what every one of 257,000 people is doing? Clearly I can’t”
– Stuart Gulliver69

Following allegations that the company had become “too big to manage”, HSBC has been scaling down its international operations by divesting businesses in less profitable countries.70 In doing so, HSBC, the world’s local bank, may be laying an epitaph on the slogan that it worked so hard to be synonymous with.

DISCUSSION QUESTIONS

1. Comment on the effectiveness of HSBC’s whistleblowing policy.
2. Based on your answer in Question 1, evaluate the implications of having a poor internal whistleblowing environment. When whistleblowers have to resort to exposing their organisation to external parties, what impact does it have on the organisation?
3. Falciani’s whistleblowing differed from most other cases due to his questionable motives. Discuss whether the eventual result of whistleblowing necessarily justifies the means, in this instance theft and an intention to monetise the stolen data.
4. HSBC stressed that its failure to integrate its Swiss arm was the underlying reason for its low ethical standards. How should acquiring companies integrate their subsidiaries and what are the implications for corporate governance?
5. The HSBC parent bore the brunt of the public scrutiny and criticism for the subsidiary’s misdeeds. To what extent should the parent board of a multinational company be held responsible for the actions of its subsidiary?
6. The HSBC case brought up an increasingly pertinent issue of tax governance. How should companies integrate the tax function within their corporate governance framework?
7. Directors have a fiduciary duty to act in the best interest of the company and have an obligation to maximise shareholder value. To what extent does this justify using legally permitted structures to shift profits to low tax jurisdictions in order to minimise tax? Or do directors have a broader ethical obligation to society to ensure that the company pay its fair share of taxes?

ENDNOTES

1 Wikipedia. (n.d.) HSBC Holdings PLC. Retrieved from https://en.wikipedia.org/wiki/HSBC
2 Cowell, A. (1999, May 11). HSBC to Pay $10.3 Billion For Republic. Retrieved from http://www.nytimes.com/1999/05/11/business/hsbc-to-pay-10.3-billion-for-republic.html
3 Croucher, S. (2015, February 23). HSBC: The Swiss private bank may run legally but it is still a grubby business. Retrieved from http://www.ibtimes.co.uk/hsbc-swiss-private-bank-may-run-legally-it-still-grubby-business-1489124
4 Libor: FDIC sues Barclays, RBS, HSBC, Lloyds and BBA. (2014, March 14). Retrieved from http://www.telegraph.co.uk/finance/libor-scandal/10699359/Libor-FDIC-sues-Barclays-RBS-HSBC-Lloyds-and-BBA.html
5 Barker, A. (2014, May 20). Brussels charges three banks over Euribor fixing cartel. Retrieved from http://www.ft.com/intl/cms/s/0/d08b458a-e013-11e3-b709-00144feabdc0.html
6 Martha, H. (2015, February 8). Whistleblower? Thief? Hero? Introducing the source of data that shook HSBC. Retrieved from https://www.icij.org/project/swiss-leaks/whistleblower-thief-hero-introducing-source-data-shook-hsbc
7 Whitaker, B. (2015, February 8). The Swiss Leaks. Retrieved from http://www.cbsnews.com/news/hsbc-swiss-leaks-investigation-60-minutes
8 Matlack, C. (2013, August 9). Hero or Villain? The Strange Case of HSBC Whistleblower Herve Falciani. Retrieved from http://www.bloomberg.com/bw/articles/2013-08-09/hero-or-villain-the-strange-case-of-hsbc-whistleblower-herv-falciani#p2
9 Ibid.
10 Hamilton, M. (2015, February 8). Whistleblower or opportunist? The source of the data that shook HSBC. Retrieved from http://www.irishtimes.com/business/financial-services/whistleblower-or-opportunist-the-source-of-the-data-that-shook-hsbc-1.2096064
11 Toddy, D. (2015, February 23). Is HSBC whistleblower Falciani the “French Snowden”?. France 24. Retrieved from http://www.france24.com/en/20150209-part-james-bond-part-idealist-frenchman-behind-swissleaks
12 BBC. (2015, February 9). Profile HSBC whistleblower Herve Falciani. BBC News. Retrieved from http://www.bbc.com/news/world-europe-31296007
13 Ibid.
14 Stothard, M. (2015, April 24). Breakfast with the FT: Hervé Falciani. Retrieved from http://www.ft.com/intl/cms/s/0/eb8f5e7a-e9cc-11e4-a687-00144feab7de.html
15 Gauthier-Villars, D., & Ball, D. (2010, July 8). Mass Leak of Client Data Rattles Swiss Banking. Retrieved from http://www.wsj.com/articles/SB10001424052748704629804575324510662164360
16 Ibid.
17 Ibid.
18 Ibid.
19 Ibid.
20 Christopher, M. (2013, May 9). The morning risk report: the strange case of Herve Falciani. The Wall Street Journal. Retrieved from http://blogs.wsj.com/riskandcompliance/2013/05/09/the-morning-risk-report-the-strange-case-of-herve-falciani/

21 Matlack, C. (2013, August 9). Hero or Villain? The Strange Case of HSBC Whistleblower Herve Falciani. Retrieved from http://www.bloomberg.com/bw/articles/2013-08-09/hero-or-villain-the-strange-case-of-hsbc-whistleblower-herv-falciani#p2
22 Ibid.
23 Juliette, G. (2015, February 8). HSBC files: how a 1934 Swiss law enshrines secrecy. The Guardian. Retrieved from https://www.theguardian.com/business/2015/feb/08/hsbc-files-1934-swiss-law-secrecy
24 Aubert, M, The Limits of Swiss Banking Secrecy under Domestic and International Law, 2 Int’l Tax & Bus.Law. 273 (1984). Retrieved from http://scholarship.law.berkeley.edu/bjil/vol2/iss2/2
25 Ibid.
26 Swiss Confederation. (2015, August). Taxation of savings agreement with EU. Retrieved from https://www.efd.admin.ch/dam/efd/en/.../fb-zinsbesteuerungsabkommen-eu-e.pdf
27 BBC. (2015, February 10). HSBC banks “help clients dodge millions in tax”. BBC NEWS. Retrieved from http://www.bbc.com/news/business-31248913
28 Aubert, M, The Limits of Swiss Banking Secrecy under Domestic and International Law, 2 Int’l Tax & Bus.Law. 273 (1984). Retrieved from http://scholarship.law.berkeley.edu/bjil/vol2/iss2/2
29 Ibid.
30 Chang, M. (2015, February 27). Details of Tax Avoidance Schemes for Wealthy HSBC Clients Revealed. Retrieved from http://www.globalresearch.ca/details-of-tax-avoidance-schemes-for-wealthy-hsbc-clients-revealed/5434408
31 Ibid.
32 BBC. (2015, February 10). HSBC banks “help clients dodge millions in tax”. BBC NEWS. Retrieved from http://www.bbc.com/news/business-31248913
33 Annual Reports and Accounts 2015. (2015, May). Retrieved from http://www.hsbc.com/investor-relations/financial-and-regulatory-reports
34 Catherine, N. (2014, September 23). Whistleblowers should be “rewarded and celebrated”, says HSBC boss. Retrieved from http://www.cityam.com/1411473823/whistleblowers-should-be-rewarded-and-celebrated-says-hsbc-boss
35 Mollenkamp, C., & Wolf, B. (2012, July 13). Special Report: HSBC’s money-laundering crackdown riddled with lapses. Retrieved from http://www.reuters.com/article/2012/07/14/us-hsbc-compliance-delaware-idUSBRE86C18H20120714#IF77A7gOBozALByC.97
36 ‘Extraordinary hypocrite’: UK whistleblower says HSBC chief Douglas Flint ignored fraud for years. (2014, September 25). Retrieved from https://www.rt.com/uk/190304-whistleblowing-flint-fraud-hsbc/
37 Miles, T., & Evans, D. (2014, September 19). Switzerland prepares to tighten screws on whistleblowers. Retrieved from http://www.reuters.com/article/2014/09/19/us-switzerland-whistleblower-idUSKBN0HE23K20140919
38 Ibid.
39 Martin, A. (2015, February 23). HSBC share drops after full-year profits fall. The Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/a1b1874e-bb35-11e4-b95c-00144feab7de.html#axzz49G8h8pNi
40 David, L., James, B., & Juliette, G. (2015, February 8). A massive leak has exposed shady dealings by HSBC’s swiss banking arm. Business Insider. Retrieved from http://www.businessinsider.com/hsbcs-shady-swiss-banking-arm-2015-2?IR=T&r=US&IR=T
41 Leigh, D., Ball, J., Garside, J., & Pegg, D. (2015, February 8). HSBC files show how Swiss bank helped clients dodge taxes and hide millions. Retrieved from http://www.theguardian.com/business/2015/feb/08/hsbc-files-expose-swiss-bank-clients-dodge-taxes-hide-millions
42 Pratley, N. (2015, February 13). How HSBC’s errors and lack of oversight hit reputation as ‘world’s best-run bank’. Retrieved from http://www.theguardian.com/news/2015/feb/13/hsbc-errors-lack-of-oversight-reputation-worlds-best-run-bank
43 Jenkins, R. (2015, March 10). How HSBC chairman Flint can restore accountability at his bank. Retrieved from http://www.ft.com/intl/cms/s/0/a3d37ec0-c71e-11e4-8e1f-00144feab7de.html#axzz3owbA1xIJ
44 Jim, E. (2015, February 24). Here’s the ridiculous detailed reason why HSBC boss Stuart Gulliver needed his paycheck to go through a Panama company and a Swiss bank account. Business Insider. Retrieved from http://www.businessinsider.sg/hsbc-stuart-gulliver-salary-compensation-and-swiss-bank-account-2015-2/#.Vz_kRmZIX_8
45 Greenwood, J. (2010, March 17). Non-dom status: Do you qualify? Retrieved from http://www.telegraph.co.uk/finance/personalfinance/expat-money/7465517/Non-dom-status-do-you-qualify.html
46 Ball, J., Garside, J., Pegg, D., & Davies, H. (2015, February 23). Revealed: Swiss account secret of HSBC chief Stuart Gulliver. Retrieved from http://www.theguardian.com/business/2015/feb/22/swiss-account-secret-of-hsbc-chief-stuart-gulliver-revealed
47 Ibid.
48 Titcomb, J. (2015, February 23). HSBC boss Stuart Gulliver defends himself against claims of secret Swiss account. Retrieved from http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/11430617/HSBC-boss-Stuart-Gulliver-defends-himself-against-claims-of-secret-Swiss-account.html
49 Yves, S. (2015, February 24). Hiding outrageous HSBC CEO pay in tax havens. Retrieved from https://seniorsforademocraticsociety.wordpress.com/page/13/?app-download=blackberry
50 Juliette, G., & Jane, M. (2015, March 9). Rona Fairhead should lose BBC job over HSBC role, says influential MP. The Guardian. Retrieved from http://www.theguardian.com/media/2015/mar/09/rona-fairhead-should-lose-bbc-job-over-hsbc-role-says-influential-mp
51 Bloomberg (2015, October 11) Profile: Rona Fairhead. Retrieved from http://www.bloomberg.com/profiles/people/4774892-rona-alison-fairhead
52 Garside, J., & Martinson, J. (2015, March 9). Rona Fairhead should lose BBC job over HSBC role, says influential MP. Retrieved from http://www.theguardian.com/media/2015/mar/09/rona-fairhead-should-lose-bbc-job-over-hsbc-role-says-influential-mp
53 Rushton, K., & Salmon, J. (2015, April 15). Quit the HSBC job right now, under-fire BBC chief is warned: Two major investors and leading shareholder have already voted for director to go. Retrieved from http://www.dailymail.co.uk/news/article-3040974/Quit-HSBC-job-right-fire-BBC-chief-warned-Two-major-investors-leading-shareholder-voted-director-go.html
54 Ibid.
55 Titcomb, J. (2015, February 26). RBS staff under investigation from German authorities over Swiss tax evasion. Retrieved from http://www.telegraph.co.uk/finance/newsbysector/epic/rbs/11436579/RBS-staff-under-investigation-from-German-authorities-over-Swiss-tax-evasion.html
56 Swiss bank BSI to pay $211m in US tax evasion probe. (2015, March 30). Retrieved from http://www.ft.com/intl/cms/s/0/2acaa1cc-d6fd-11e4-97c3 00144feab7de.html#axzz3owbA1xIJ

57 Beutler, C. (2015, August 6). More Swiss banks settle tax evasion probe with US. Retrieved from http://www.swissinfo.ch/eng/secret-accounts_more-swiss-banks-settle-tax-evasion-probe-with-us/41590194
58 Arnold, M., & Binham, C. (2015). HSBC tax scandal prompts rivals to check for ‘problem dossiers’. Retrieved from http://www.ft.com/intl/cms/s/0/aeb505f4-b786-11e4-8807-00144feab7de.html#axzz3qxd Hn4Ok
59 Houlder, V (2015). Plans unveiled to crack down on corporate tax avoidance. Retrieved from http://www.ft.com/intl/cms/s/0/307c921a-6b45-11e5-aca9-d87542bf8673.html#axzz3oKZBzC6j
60 Ferro, S (2015). Here’s what you need to know about the Swiss bank document leak. Retrieved from http://www.businessinsider.sg/importance-of-swiss-bank-document-leak-2015-2/#.Vj9y2bcrLIW
61 Standard for Automatic Exchange of Financial Account Information. Retrieved from http://www.oecd.org/ctp/exchange-of-tax-information/automatic-exchange-financial-account-information-common-reporting-standard.pdf
62 Samuel, J. (2014, December 12). Final nail in the coffin of banking secrecy. Retrieved from http://www.swissinfo.ch/eng/end-of-an-era_final-nail-in-the-coffin-of-banking-secrecy/41155450
63 Jill, T., & Sean, S. (2015, February 23). HSBC boss says bank shamed by Swiss tax avoidance. The Guardian. Retrieved from https://www.theguardian.com/business/2015/feb/23/hsbc-chief-paid-7m-pounds-last-year-profits-slide-tax-avoidance-apology
64 Edited extract from a statement issued by HSBC responding to revelations of misconduct at its Swiss bank. Retrieved from http://www.theguardian.com/business/2015/feb/08/hsbc-responds-revelations-misconduct-swiss-bank
65 Ibid.
66 Arnold, M. (2015, Apr 15). HSBC plans board cull after tax scandal. Retrieved from http://www.afr.com/business/banking-and-finance/hsbc-plans-board-cull-after-tax-scandal-20150414-1ml9rq
67 Gareth, M. (2016, March 23). Ex-standard life boss joins David Nish HSBC Board. The Scotsman. Retrieved from http://www.scotsman.com/business/companies/financial/ex-standard-life-boss-david-nish-joins-hsbc-board-1-4079960
68 James, S. (2015, April 25). Bosses pay row shakes up HSBC as almost a third of shareholders refuse to back lavish awards handed to top staff. The Daily Mail. Retrieved from http://www.thisismoney.co.uk/money/markets/article-3054456/Bosses-pay-row-shakes-HSBC-shareholders-refuse-lavish-awards-handed-staff.html
69 Andrew, H. (2015, February 28). When is a company too big to manage? The Financial Times. Retrieved from https://next.ft.com/content/87395500-bdd2-11e4-8cf3-00144feab7de
70 Colchester, M., & Steinberg, J. (2015, June 10). HSBC to Reduce Head Count by 50,000 as Part of Overhaul. Retrieved from http://www.wsj.com/articles/hsbc-unveils-overhaul-of-global-operations-1433824955
MONEY LAUNDERING

HSBC: THE WORLD’S LOCAL (LAUNDRY) BANK
CASE OVERVIEW1
In December 2012, banking giant HSBC was fined US$1.92 billion by the U.S. authorities over allegations of money laundering and involvement in illegal financing activities. This followed the release of a detailed investigation report in July 2012 by the U.S. Senate Permanent Subcommittee on significant lapses in HSBC’s counter-terrorism financing systems and anti-money laundering program. Despite having been issued several warnings to reinforce its anti-money laundering programs over the past seven years, HSBC failed to make the proper adjustments. The US$1.92 billion penalty was at that time the largest fine ever in a case involving a bank and also brought significant reputational damage to the company. The objective of this case is to facilitate the discussion of issues such as the effectiveness of whistle blowing policies and ethical codes in preventing fraudulent behaviour amongst employees; internal control and risk management; money laundering and terrorism financing risks; corporate governance of complex company groups; and corporate governance of banks.

THE MAKING OF A FALL
“The HSBC settlement sends a powerful wake-up call to multinational banks about the consequences of disregarding their anti-money-laundering obligations”1.
– Senator Carl Levin2

HSBC has over 7,200 offices in more than 80 countries and reported US$20.6 billion of profits before tax in 2012.3 It was ranked as the world’s third largest bank in terms of market capitalisation in 2013.4

Although HSBC had a code of conduct and a whistle blowing policy that served as a guide for doing business, there were numerous accusations of money-laundering violations over the years.

In the 340-page report produced by the U.S. Senate Permanent Subcommittee on Investigations, it revealed that at the root of HSBC’s money-laundering practices was a confluence of factors – structural inadequacies of HSBC’s Anti-Money Laundering (AML) Program, as well as the Office of Comptroller Currency’s (OCC) failure to enforce regulations to prevent HSBC’s wrongdoings.5 The investigation report also illustrated the means through which HSBC’s money-laundering practices were carried out - through its dealings in Mexico, bypassing the U.S. Treasury Office of Foreign Assets Control’s (OFAC) filters, as well as its persistence in trading with terrorist-affiliated counter-parties.6

THE RISKY MEXICO AFFILIATE
“It was a financial institution with inadequate AML resources, inadequate AML systems and controls; and AML leadership”
– U.S. Senate Committee Report

HSBC USA (HBUS) has correspondent accounts with hundreds of affiliates located in over 80 countries. These accounts can be used for cashing in US$ instruments such as travelers cheques, and account for “63% of all US$ payments processed by HBUS”.7 One such affiliate is HSBC Mexico (HBMX), which handles almost US$2 billion in assets and over 8 million clients.8

Prior to HSBC’s acquisition of the Mexican affiliate, the U.S. State Department had already alerted HBUS to the fact that Mexico was a place with “high incidents of drug trafficking” as international money launderers used it as a vehicle to introduce their drug proceeds into the “global financial system”.9 Despite this warning, HBUS still classified HBMX as a “low-risk” affiliate through its country-specific risk assessment process.10

Other than operating in a high-risk location, HBMX also had a history of severe AML deficiencies. Its problems included a pervasive lack of Know Your Customer (KYC) information in client files; database of high profile clientele connected to drug trafficking allegations; and a huge backlog of accounts earmarked for closure due to suspicious activities.11

FROM LOCAL BANK TO LAUNDRY BANK
“These traffickers didn’t have to try very hard...They would sometimes deposit hundreds of thousands of dollars in cash, in a single day, into a single account, using boxes designed to fit the precise dimensions of the teller windows in HSBC Mexico’s branches”.12
– U.S. Assistant Attorney General Lanny Breuer13

This is the abridged version of a case prepared by Amanda Aw Yong Zhi Xin, Eunice Tan, Yoke Si, Kang Zheng Yang, Kenneth Ling, Puah Yee Kai under the supervision of Professor Mak
Yuen Teen and Dr Vincent Chen Yu-Shen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective
management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This
abridged version was edited by Ng Jun Yan under the supervision of Professor Mak Yuen Teen.

Copyright © 2014 Mak Yuen Teen and CPA Australia.



Since HBUS previously categorised HBMX as a low-risk affiliate,14 the AML monitoring system failed to detect US$881 million of suspicious dealings.15

During the five-year period from 2005 to 2010, the OCC (Office of Comptroller Currency) – whose job is to supervise and regulate national banks16 – conducted over four dozen AML examinations and highlighted at least “83 AML matters requiring attention”.17 Despite this, the OCC took no formal or informal enforcement actions, thus allowing HSBC’s AML deficiencies to fester. Further findings of the investigation also revealed that HBMX was fully cognisant of these money-laundering activities.

CIRCUMVENTING OFAC FILTERS18
In 2001, HSBC European Union (HBEU) proposed to use its correspondent account with HBUS to clear U-turn transactions involving Iran’s Bank Melli,19 and was approved upon review.20 HBEU then requested all U-turn transactions to be done via bank-to-bank transfer, and structured to hide the origins of transactions, so that information about the origins would not trigger the OFAC filter.21 Even though HBUS’ Compliance Head rejected this request,22 HBEU instructed Bank Melli to make “cover payments”,23 which effectively concealed Bank Melli’s role in laundering money through HBEU into the U.S. financial system.

“HSBC knew what was going on, but allowed the deceptive conduct to continue”
– Senator Levin

Although HBUS’ compliance executives consistently reminded HBUS to require full disclosures of Iranian transactions,24 HBEU and HSBC Middle East (HBME) repeatedly sent U-turn transactions through U.S. dollar accounts at HBUS without disclosing the Iranian links.25 Some HBUS officials even pretended that they knew nothing about processing these deceptive U-turn transactions.26

DISREGARDING LINKS TO TERRORISM – AL RAJHI BANK (ARB)
ARB has US$59 billion of assets and is the largest private bank in Saudi Arabia.27 For more than 25 years, HSBC provided ARB with a large variety of banking services, including providing US dollars through a Banknote account. In 2002, U.S. agents revealed that Sulaiman Al-Rajhi, one of the Bank’s founders, provided finances to Osama bin Laden’s “Golden Chain”28 terrorist activities. Because of ARB’s alleged terrorism links, the U.S. placed the bank under inspection and included it in the OFAC filter list.29 Upon subsequent recommendations by HSBC Group’s Compliance Chief, HBUS decided to sever ties with ARB in 2005.30

Just four months after the declaration to terminate business relationships with ARB, HSBC Group Compliance made another announcement that HSBC affiliates were allowed to resume business with ARB.31 Meanwhile, ARB threatened to stop dealing with HSBC entirely if their Banknote account was not reinstated.32 Hence, HBUS Compliance approved the recommencement of business between HBUS and ARB in December 2006.

HSBC only decided to exit the business of selling U.S. banknotes33 after the OCC’s criticism34 in 2010, thus ending its contentious relationship with ARB.

AFTERMATH – CHANGES IN HBUS
“We accept responsibility for our past mistakes. We have said we are profoundly sorry for them, and we do so again.”35
– HSBC Group Chief Executive Stuart Gulliver

To further reduce money-laundering risks, HBUS embarked on a variety of measures to strengthen its internal controls. These include the implementation of stricter KYC standards,36 and the subjecting of non-U.S. group affiliates to similar due diligence as non-affiliates. In addition, to further reduce its exposure to high-risk transactions, HBUS terminated 109 correspondent relationships. New monitoring systems for wire transactions and improved customer risk rating methodology have also been developed.37

As a means of internal disciplining, HBUS clawed back bonuses from their AML and Compliance Officers. It also increased spending on AML controls by nine times to address the inadequate staffing and also to reorganise its AML department.38

TOO BIG TO JAIL
It’s a dark day for the rule of law.
– New York Times Editorial, 11 December 2012

Upon the conclusion of the investigation by the U.S. federal and state authorities, it was decided that no charges would be pressed against any of the HSBC officials.39 Despite the gravity of the matter, HSBC would only have to pay a US$1.92 billion settlement,40 which is insignificant relative to the US$20.6 billion profit before tax HSBC earned in 2012.41

The decision not to prosecute HSBC was allegedly driven by the fact that HSBC employs nearly 16,500 workers in the U.S. Should the bank face criminal charges, it would necessarily lose its license and cost thousands of Americans their livelihood.42 Therefore, it was purportedly for society’s good that the bank was not prosecuted.43

Although Colombian drug traffickers who took advantage of HSBC’s lax regulations were charged and ended up in prison, the HSBC employees who allowed for such poor regulations escaped unscathed.44 Even with the fine of an unprecedented amount of US$1.92 billion, the passing of a no-jail sentence begs the important question – are global banks really too big to jail?

Nobody, not even Senator Carl Levin, has an answer to that, at least not for now.

DISCUSSION QUESTIONS

1. What were the ethical dilemmas in the case? Evaluate based on the three scenarios provided in the case.
2. HSBC had a code of conduct, code of ethics and whistle blowing policy, but did not implement them effectively. Why do you think this was so? What can the board do to ensure that they are effective?
3. How can the board of a bank set the right corporate culture and ensure that it is applied consistently throughout the group? What can a board do to understand the culture of the company?
4. How can the board of a complex banking group like HSBC ensure good corporate governance in all its subsidiaries and operations around the world?
5. Comment on the regulatory actions and behaviour with respect to HSBC’s wrongdoings. Were there red

7. What are the consequences of such money-laundering cases for banking companies? Was the Department of Justice’s decision not to press criminal charges the right thing to do – from an ethical point of view?

ENDNOTES

1 U.S. Senator for Michigan. (2012, December 11). Levin Statement on HSBC Settlement. Retrieved from http://www.levin.senate.gov/newsroom/press/release/levin-statement-on-hsbc-settlement.
2 Carl Levin is a U.S. Senator and the Chairman of the US Permanent Subcommittee on Investigations.
3 HSBC Holdings PLC. (2013, March 4). 2012 Results Highlights. Retrieved from http://www.hsbc.com/investor-relations/~/media/HSBC-com/InvestorRelationsAssets/annual-results/pdfs/hsbc2012arn.ashx.
4 Banks around the world (2013). Top Banks in the World 2013. Retrieved from http://www.relbanks.com/worlds-top-banks/assets.
5 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 8). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
6 Ibid (pp 6).
7 Jersey State Assembly Government. (2013) Retrieved from http://www.statesassembly.gov.je/AssemblyPropositions/2013/P.010-2013.pdf.
8 HSBC Global Connections. (2013) Retrieved from https://globalconnections.hsbc.com/global/en/tools-data/country-guides/mx-march-2013/foreword.
9 United States Department of Justice. (n.d.) Retrieved from http://www.justice.gov/opa/documents/hsbc/dpa-attachment-a.pdf.
10 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 8). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
11 Ibid (pp 25).
12 Breuer, L. (2012, December 11). United States Department of Justice. Retrieved from http://www.justice.gov/criminal/pr/speeches/2012/crm-speech-121211.html.
13 Lanny Breuer is an Assistant Attorney General from the US Department of Justice who worked out the US$1.92 billion settlement for HSBC.
14 BBC News. (2012, December 11). HSBC Money Laundering Report: Key Findings. Retrieved from http://www.bbc.co.uk/news/business-18880269.
15 McCoy, K. (2012, December 11). USA Today. Retrieved from http://
flags that should have been raised with the regulator? www.usatoday.com/story/money/business/2012/12/11/hsbc-
laundering -probe/1760351/.
6. What were some of the key lapses in internal controls 16 About the OCC. (n.d.), OCC. Retrieved from http://www.occ.gov/
within HSBC’s anti-money laundering program? Do about/what-we-do/mission/index-about.html
you think the new internal control and AML policies 17 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities
implemented by HSBC will help to mitigate these to Money-laundering, Drugs, and Terrorists Financing: HSBC Case
issues? History (pp 283). Retrieved from https://www.levin.senate.gov/
down load/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.

18 The OFAC (Office of Foreign Asset Control) of U.S. Department of Treasury imposes economic and trade sanctions through the OFAC filter, which screens through all U.S. banks transactions and earmarks those associated with a predetermined list of prohibited people and countries. Although Iran is on the list, the U.S. has made some exceptions to allow those relating to crude oil to pass. These exceptions are known as “U-turn” transactions and are meant to facilitate more efficient trading.
19 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 122). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
20 Ibid.
21 Ibid.
22 Ibid.
23 Ferrari, E, (2012, December 12). The Upward Spiral: A Timeline of HSBC’s Iran Sanctions Violations, Centre for Economics Sanction and Reform. Retrieved from http://www.thecesar.com.php53-7.ord1-1.websitetestlink.com/research/the-upward-spiral-a-timeline-of-hsbcs-iran-sanctions-violations/.
24 U.S. Senate Permanent Subcommittee. (2012, July 17). Levin Opening Statement, “U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History”. Retrieved from http://www.levin.senate.gov/newsroom/speeches/speech/levin-opening-statement-us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history.
25 Dawn Newspaper. (2012, July 17). Senators accuse HSBC of giving terrorists access to US system. Retrieved from http://dawn.com/2012/07/18/senators-accuse-hsbc-of-giving-terrorists-access-to-us-system/.
26 U.S. Senate Permanent Subcommittee. (2012, July 17). Levin Opening Statement, “U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History”. Retrieved from http://www.levin.senate.gov/newsroom/speeches/speech/levin-opening-statement-us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history.
27 Business Insider. (2012, July 17). Report Shows How HSBC Maintained Its Ties With One Of Osama Bin Laden’s Key Benefactors. Retrieved from http://www.businessinsider.com/hsbc-ties-to-al-rajhi-bank-2012-7.
28 Ibid.
29 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 205). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
30 Ibid (pp 208).
31 Ibid (pp 209).
32 U.S. Senate Permanent Subcommittee. (2012, July 17). Levin Opening Statement, “U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History”. Retrieved from http://www.levin.senate.gov/newsroom/speeches/speech/levin-opening-statement-us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history
33 FCPA Compliance and Ethics Blog. (2013, January 14). The HSBC AML Settlement – Lessons Learned for the AML Compliance Practitioner. Retrieved from http://tfoxlaw.wordpress.com/2013/01/14/the-hsbc-aml-settlement-lessons-learned-for-the-aml-compliance-practitioner/.
34 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 224). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
35 McCoy, K. (2012, December 11). USA Today. Retrieved from http://www.usatoday.com/story/money/business/2012/12/11/hsbc-laundering-probe/1760351/.
36 Wall Street Journal Online. (2012, December 11). HSBC to Pay Record U.S. Penalty. Retrieved from http://online.wsj.com/article/SB10001424127887324478304578171650887467568.html.
37 United States Department of Justice. (2012, December 10). Retrieved from http://www.justice.gov/opa/documents/hsbc/dpa-executed.pdf.
38 Permanent subcommittee on investigations. (2012). U.S. Vulnerabilities to Money-laundering, Drugs, and Terrorists Financing: HSBC Case History (pp 284). Retrieved from https://www.levin.senate.gov/download/?id=90fe8998-dfc4-4a8c-90ed-704bcce990d4.
39 The New York Times. (2012, December 11). Too Big to Indict. Retrieved from http://www.nytimes.com/2012/12/12/opinion/hsbc-too-big-to-indict.html.
40 DealBook. (2012, December 11). HSBC to Pay Record Fine to Settle Money-Laundering Charges. Retrieved from http://dealbook.nytimes.com/2012/12/11/hsbc-to-pay-record-fine-to-settle-money-laundering-charges/.
41 HSBC Holdings PLC. (2013, March 4). 2012 Results Highlights. Retrieved from http://www.hsbc.com/investor-relations/~/media/HSBC-com/InvestorRelationsAssets/annual-results/pdfs/hsbc2012arn.ashx.
42 The Economist. (2012, December 15). Too Big to Jail. Retrieved from http://www.economist.com/news/finance-and-economics/21568403-two-big-british-banks-reach-controversial-settlements-too-big-jail.
43 China Securities Journal. (2012, December 13). HSBC: Too big to jail?. Retrieved from http://www.cs.com.cn/english/finance/201212/t20121213_3776640.html.
44 Congress of the United States. (2013, January 14). Letter to the Attorney General Holder. U.S. Government. Retrieved from http://georgemiller.house.gov/sites/georgemiller.house.gov/files/HSBC%20Letter.pdf.
MEGA BANK, MEGA FAILURE?


This is the abridged version of a case prepared by Cindy Amelia, Cheryl Tan, Eric Wong, Eugene Soh and Tan Yan Shan under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Mok Xiao Chou under the supervision of Professor Mak Yuen Teen.

Copyright © 2017 Mak Yuen Teen and CPA Australia.

CASE OVERVIEW
Taiwan’s third largest bank, Mega International Commercial Bank Co., Ltd. (Mega Bank), was fined US$180 million by US regulators on 19 August 2016. The New York branch of the bank was penalised for its compliance failure and for violating the US anti-money laundering regulations. This was not the first time that the bank was involved in money laundering scandals. The bank’s branches in Australia were previously involved in similar cases as well. The objective of this case is to allow a discussion of issues such as board structure; the impact of strong government influence on corporate institutions; internal control and risk management; and money laundering in the banking industry.

HISTORY OF MEGA BANK
Mega Bank was formed on 21 August 2006 from the merger of The International Commercial Bank of China Co., Ltd. (ICBC) and Chiao Tung Bank Co., Ltd. (CTB), both of which were privatised in the 1900s. In 2014, it had 107 domestic branches, and a total of 39 overseas outposts.1 It was the third largest bank in Taiwan in terms of size of assets in 2016.2

BOARD STRUCTURE
Mega Financial Holding Company (MFHC), formed in 2002, is the holding company of Mega Bank.3 The board of MFHC consisted of 15 directors, of which three were independent directors.4 The independent directors sat on both the Audit Committee and Remuneration Committee. The holding company did not have a separate Nomination Committee.5

Mega Bank did not have separate Audit, Remuneration or Nomination Committees. Instead, MFHC’s Remuneration Committee approved Mega Bank’s remuneration policies, and its Audit Committee assigned supervisors onto Mega Bank’s board. Of the five supervisors sitting on the board, three held executive positions in MFHC.6

There was a total of 15 directors on the board of Mega Bank in early 2016. The Chairman of the board, Tsai Yeou-Tsair, was also the Chairman of MFHC. Wu Hann-Ching was the president and managing director of both Mega Bank and MFHC. In addition, there were two managing directors, eight other non-independent directors, two independent directors, and an independent managing director on the board. Three of the 10 non-independent directors also held executive positions in MFHC.7

In September 2016, both Mega Bank and MFHC reshuffled their boards, re-appointing the majority of the board members.8 Tsai resigned from his post as Chairman of MFHC and Mega Bank, while Shiu Kuang-si was appointed as his replacement by Taiwan Premier Lin Chuan.9 Tsai had reportedly offered to resign over 10 times since May 2015, but was repeatedly rejected by Minister of Finance Chang Sheng-ford on the grounds that the January 2016 presidential election was approaching.10 Mega Bank also carried out an organisational restructuring, which included separating the Risk Management Committee from the Asset Liability and Risk Management Committee as a standalone independent committee, and establishing new departments such as the Anti-Money Laundering Centre.11

PRIVATISATION OR A FACADE?
“Some of the largest state-owned enterprises are becoming almost like private corporations… They are traded in stock exchanges and have boards of directors, maybe even with external managers. We haven’t always understood these changes.”
– Associate Professor Aldo Musacchio, Harvard Business School12

To improve the performance of Taiwan’s banking industry, the Taiwan government focused on privatising many state-owned banks in the 1990s.13 Although Mega Bank became a privatised bank, it still maintained some inextricable links to the Taiwan government.14 As of September 2016, the Ministry of Finance was the largest single investor of Mega Bank, with an 8.4% share ownership, and was able to appoint seven directors on the MFHC board to represent its interests.15

The track records of the two ex-Chairmen of MFHC were indicative of their connections with the government. Tsai, who served as Chairman of MFHC from 1 July 2010 to 1 April 2016, had also served in various governmental organisations.16 In fact, he was appointed to the board by former Taiwan President Ma Ying-jeou.17 Shiu, who succeeded Tsai as Chairman of MFHC on 16 August 2016, had served as the Chairman of partially state-owned Hua Nan Financial Holdings and held high-level positions at state-owned banks. Shiu also served as the president of MFHC and Mega Bank previously.18 Amid criticism over possible conflicts of interests in the Mega Bank scandal, Shiu resigned from his position as Chairman within two weeks of his appointment, on 31 August 2016.19

THE BEGINNING OF A MEGA FAILURE
In June 2009, Mega Bank admitted to breaches of the Australian Financial Transaction Reports Act and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF). Following this, Mega Bank agreed to enter into an enforceable undertaking with the Australian Transaction Reports and Analysis Centre (AUSTRAC), and its processes and procedures would be reviewed by the Australian Prudential and Regulatory Authority (APRA).20 An enforceable undertaking was an alternative to criminal or civil enforcement action in ensuring compliance with the AML/CTF Act.21

Two months later, Mega Bank entered into another enforceable undertaking with APRA for suspicious transactions identified within the bank. APRA had concerns that Mega Bank’s risk management system and internal audit were ineffective. In addition, some of the bank’s staff had structured transactions to bypass the anti-money laundering laws. Some staff also knew about the non-compliant practices but did not act upon them.22

Despite prior warnings, concerns regarding Mega Bank’s compliance with financial services laws were raised for the third time in August 2010, this time by the Australian Securities and Investments Commission. No penalties were imposed, but the bank had to undergo an independent review by PricewaterhouseCoopers.23

THE MEGA FINE
“DFS will not tolerate the flagrant disregard of anti-money laundering laws and will take decisive and tough action against any institution that fails to have compliance programs in place to prevent illicit transactions.”
– Maria T. Vullo, Financial Services Superintendent24

On 19 August 2016, The New York State Department of Financial Services (DFS) announced that Mega Bank’s New York branch (Mega-New York) was fined US$180 million for money laundering activities. During the investigation, DFS discovered “numerous deficiencies in Mega-New York’s compliance function”. These deficiencies were of great concern as Mega Bank also operated branches in Panama, a country often associated with money laundering scandals.25 A significant number of the bank’s “customer entities” were found to be shell companies formed by Mossack Fonseca, the law firm involved in the Panama Papers scandal.26

FAILED RISK MANAGEMENT AND INTERNAL CONTROLS
DFS highlighted several internal control problems present in Mega-New York. Firstly, there was a lack of proper segregation of duties between the compliance and business functions, due to conflicting responsibilities of certain compliance personnel. For instance, Mega-New York’s BSA/AML officer was also operations manager of the Business Division.27

DFS further found fault in Mega-New York’s transaction monitoring systems and policies. Compliance staff failed to regularly review “surveillance monitoring filter criteria designed to detect suspicious transactions”.28 Various documents were also not translated from Chinese to English, impeding effective checks and investigations by regulators.29

In addition to these structural deficiencies, the staff at Mega-New York lacked proper knowledge and training with regards to US regulatory requirements. These included executive staff such as the BSA/AML Officer and the Chief Compliance Officer.30

SUSPICIOUS ACTIVITY
The compliance failure identified at Mega-New York further raised concern over suspicious activity involving the Panama branches. Due to the high risk of money laundering in Panama, the bank was supposed to deal with transactions between Mega-New York and the Panama branches with high-level surveillance and diligence. However, the compliance failures in the bank’s New York branch raised doubt on whether checks had been carried out properly. This was aggravated by the large sums of financial transactions between the two locations. On top of this, Mega-New York failed to give adequate explanations regarding suspicious “payment reversals” received from its Panama branches.31

NEGOTIATING THE FINE
DFS reportedly intended to impose a larger penalty on Mega-New York, but the penalty amount was negotiated down by Perng Fai-nan, the governor of the Central Bank of the Republic of China. Perng was the brother-in-law of Shiu, the Chairman of MFHC at that time.32

Huang Kuo-chang, the New Power Party Executive Chairman, expressed his concerns about “the administrative negligence and the question of who will foot the bill for the US$180 million fine”. He also raised concerns about the inappropriateness of having Shiu participate in the administrative investigation conducted by the Financial Supervisory Commission (FSC), and the inaction of the Ministry of Finance against former MFHC Chairman Tsai. By not holding the bank’s officers responsible, Huang believed that it was unfair to the shareholders and taxpayers who might end up bearing the burden for the fine.33

MFHC DENIAL
After his meeting with US regulators, Shiu, then-Chairman of MFHC, claimed that his US trip was not meant to investigate misconduct at the bank, but to meet with US regulators and clear up any misunderstandings.34 Moreover, the vice president of MFHC also denied that the bank had any involvement in money laundering activities, claiming that the fine was due to the bank’s failure in adapting to the new and more stringent anti-money laundering regulations in the US.35

GOVERNMENT INVOLVEMENT IN MEGA BANK
As the money laundering saga continued to snowball, Taiwan lawmakers alleged former President Ma Ying-jeou’s involvement in the illegal transactions. Ma was also the Chairman of Kuomintang (KMT), the second largest political party in Taiwan and the ruling party at that time, which was alleged to have used Mega Bank to conduct money laundering activities.36 In its defence, KMT released the results of an investigation by the Legislative Yuan, showing that none of the 174 suspicious transactions flagged by DFS had passed through Taiwan.37 However, political activists still found it difficult to ignore the possibility that Mega Bank had assisted KMT in cleaning up illicitly gained assets. Democratic Progressive Party (DPP) legislator Luo Chih-cheng alleged that Mega Bank had been used to empty out KMT’s assets, while Mega-New York was used to launder them.38 Another DPP legislator, Su Chen-ching, also highlighted the fact that the bank had increased its loan to KMT-backed businesses, from NT$3.68 billion in 2010 to NT$11.19 billion in 2015.39

CLEANING UP THE MESS
“The amended law shows our country’s resolve to fight economic crimes and money laundering.”
– Premier Lin Chuan40

The entire Mega Bank scandal had cast doubt on the integrity of the anti-money laundering protocols in Taiwan.41 Given the severity of the situation, the Taiwan government undertook several corrective actions. In one notable move, the government passed a bill to amend the country’s anti-money laundering law, which included, inter alia, increasing the ceiling for the amount of fine from NT$1 million to NT$5 million.42

The Ministry of Finance also planned to make several improvements by strengthening mechanisms, requiring government-controlled banks to report serious incidents, assessing the qualifications of board members who represent government-controlled shares, reviewing the responsibilities of the board of the banks, as well as enhancing on-the-job training for staff assigned to overseas branches.43

CONFLICTS OF INTEREST: SELF-INVESTIGATION IS NO INVESTIGATION
The Executive Yuan was first informed of the fine on 1 August 2016. Before breaking the news of the Mega-New York scandal to the public on 19 August 2016, the Executive Yuan appointed Shiu as the new Chairman of MFHC on 11 August 2016.44 Premier Lin justified the appointment by asserting that Shiu bore little responsibility in the scandal, and that he had prior experience from dealing with a similar crisis.45

Thereafter, in response to the money laundering scandal, the Taiwanese government appointed the FSC to lead an administrative investigation on 21 August 2016.46 Tsai, who held office as MFHC’s Chairman when the lapses in compliance occurred, was summoned to the FSC headquarters for questioning on 28 August 2016. FSC officials claimed to have obtained greater insight into the case after the questioning, but refused to release any details.47

As investigations continued, Huang expressed his concern over the fact that the FSC was “an agency that is likely to be found guilty of administrative negligence over past violations”. Furthermore, the fact that Shiu was involved in the investigations was questionable given his alleged involvement in the scandal.48 Some political activists also pointed out the potential conflict of interests embroiling the FSC-appointed task force since they were reporting to the Ministry of Finance, which had substantial shareholdings in Mega Bank.49 Furthermore, the Deputy Minister of Finance also stated that there were no plans to level any charges against Tsai.50

THE INVESTIGATOR BECOMES THE INVESTIGATED
Amid mounting pressure and criticism on the Executive Yuan, Premier Lin appointed a new cabinet task force, which consisted of legal and finance experts, on 30 August 2016 to investigate Mega-New York and oversee the ongoing efforts under the FSC and the Ministry of Justice.51

On 18 September 2016, Premier Lin issued a directive to investigate possible negligence of FSC officials in detecting compliance issues in Mega Bank. The political responsibility of FSC and the Ministry of Finance would be reviewed as well. FSC’s claim of ignorance of Mega Bank’s non-compliance could not be overlooked, given its responsibility in overseeing financial institutions. This sent a message to the top financial watchdog that it would be held accountable if it failed to detect serious breaches of regulations made by banks.52 Indeed, as pointed out by Huang, in addition to the misconduct within the bank itself, the Mega Bank incident had also revealed the shortcomings of Taiwan’s regulatory bodies.53

DISCUSSION QUESTIONS

1. Critically evaluate the board structure and composition of Mega Bank and its holding company and identify any corporate governance concerns.
2. Despite being privatised, Mega Bank still maintained close ties with the Taiwanese government. Discuss the impact of strong government influence on the quality of corporate governance of Mega Bank and companies in general. Could strong government ties be one of the factors that led to the money laundering scandals in Mega Bank? How can banks strive to mitigate this problem?
3. Given the strong governmental influence on Taiwanese banks, evaluate the effectiveness of the regulators as the fourth line of defence in the financial industry.
4. What were some of the deficiencies in internal controls and risk management within Mega-New York’s anti-money laundering system? Suggest possible improvements.
5. Do you think that the US$180 million fine was appropriate in deterring potential future compliance failures? What are the implications of such a hefty fine on different stakeholders of Mega Bank? Are there alternative measures that regulators can adopt to ensure effective compliance in the banking industry?
6. In light of recent money laundering cases involving several global banks such as HSBC and Deutsche Bank, discuss the effectiveness of regulators in detecting and reacting to the scandals, drawing comparisons to Mega Bank. What were the underlying factors that perpetuate such a phenomenon?

ENDNOTES
1 Mega International Commercial Bank. (2014). Historical Overview. Retrieved from https://www.megabank.com.tw/en/about.asp
2 Mega ICBC. (2016, July 22). Mega ICBC is helping to lead Taiwan to great stability. World Finance. Retrieved from https://www.worldfinance.com/banking/mega-icbc-is-helping-to-lead-taiwan-to-great-stability
3 Mega Holdings. (2003). Profile of the company. Retrieved from http://www.megaholdings.com.tw/econtents_1024/about/about01.asp
4 Mega Bank. (2017). Biographies of Directors. Retrieved from http://www.megaholdings.com.tw/images_expose/160913104124_%E8%91%A3%E7%9B%A3%E4%BA%8B%E7%B0%A1%E6%AD%B7(%E8%8B%B1%E6%96%87)-1050910.pdf
5 Mega International Commercial Bank. (2014). Execution of Corporate Governance. Retrieved from https://www.megabank.com.tw/en/dload01_03.asp
6 Mega International Commercial Bank. (2016, April). Annual Report 2015. Retrieved from https://wwwfile.megabank.com.tw/upload/FI03/Mega_ICBC_Annual_Report_2015-1.pdf
7 Ibid.
8 Mega International Commercial Bank Co., Ltd. (n.d.) Filing History. Companies House. Retrieved from https://beta.companieshouse.gov.uk/company/FC025726/filing-history?page=2
9 Hioe, B. (2016, September 1). The Mega Bank scandal: Implications not just for the KMT, but the Tsai Administration? New Bloom. Retrieved from https://newbloommag.net/2016/09/01/mega-bank-scandal/
10 Chiu, P., Tien, Y. and Kao, E. (2016, March 29). Mega Financial Holding Co. chairman to resign. The Central News Agency. Retrieved from http://focustaiwan.tw/news/aeco/201603290016.aspx
11 Mega Financial Holding Co., Ltd. (2016). Dodd-Frank Act Section 165(d) 2016 Resolution Plan. Retrieved from https://www.federalreserve.gov/bankinforeg/resolution-plans/mega-intl-commercial-bk-3g-20161231.pdf
12 HBS Working Knowledge. (2013, February 22). What capitalists should know about state-owned enterprises. Forbes. Retrieved from https://www.forbes.com/sites/hbsworkingknowledge/2013/02/22/what-capitalists-should-know-about-state-owned-enterprises/#1019d8d13509
13 Chen, P. and Liu, P. (2013). Bank ownership, performance, and the politics: Evidence from Taiwan. Economic Modelling, 31, 578-585.
14 Hioe, B. (2016, September 1). The Mega Bank scandal: Implications not just for the KMT, but the Tsai Administration? New Bloom. Retrieved from https://newbloommag.net/2016/09/01/mega-bank-scandal/
15 Chou, C. (2016, September 14). FSC fines Mega Bank 10 million new Taiwan dollars, sacks 6 executives. Asia News Network. Retrieved from http://annx.asianews.network/content/fsc-fines-mega-bank-10-million-new-taiwan-dollars-sacks-6-executives-28083
16 Bloomberg L.P. (2017). Mega Financial Holding Co Lt – Executive Profile: Yeou-Tsair Tsai. Retrieved from https://www.bloomberg.com/research/stocks/people/person.asp?personId=13445583&-capId=8247179
17 Chen, W. (2016, August 24). Mega bank knew of issues in 2013: DPP. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/24/2003653754
18 Bloomberg L.P. (2017). Mega Financial Holding Co Lt – Executive Profile: Kuang-Si Shiu. Retrieved from http://www.bloomberg.com/research/stocks/people/person.asp?personId=61127085&privcapId=8247179
19 Hsu, C. (2016, September 1). Mega Financial chairman Shiu resigns. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/09/01/2003654274
20 Rogers, I. (2014, November 21). Mega strife from money laundering legacy. Banking Day. Retrieved from https://www.bankingday.com/nl06_news_selected.php?selkey=17830
21 AUSTRAC. (2009, July 1). AUSTRAC accepts enforceable undertaking from Mega International Commercial Bank. Retrieved from http://www.austrac.gov.au/media/media-releases/austrac-accepts-enforceable-undertaking-mega-international-commercial-bank
22 Mega International Commercial Bank Co., Ltd. (2009, August 20). Enforceable Undertaking. Retrieved from http://www.apra.gov.au/adi/documents/cfdocs/mega-eu-240809.pdf
23 Butler, B. (2010, August 31). Taiwanese Bank under scrutiny for third time. The Sunday Morning Herald. Retrieved from http://www.smh.com.au/business/taiwanese-bank-under-scrutiny-for-third-time-20100830-147dz.html
24 Loconte, R. (2016, August 19). DFS fines Mega Bank $180 million for violating anti-money laundering laws. Retrieved from http://www.dfs.ny.gov/about/press/pr1608191.htm
25 New York State Department of Financial Services. (2016, August 19). Consent order under New York Banking Law 39 and 44. Retrieved from http://www.dfs.ny.gov/about/ea/ea160819.pdf
26 Loconte, R. (2016, August 19). DFS fines Mega Bank $180 million for violating anti-money laundering laws. Retrieved from http://www.dfs.ny.gov/about/press/pr1608191.htm
27 New York State Department of Financial Services. (2016, August 19). Consent order under New York Banking Law 39 and 44. Retrieved from http://www.dfs.ny.gov/about/ea/ea160819.pdf
28 Loconte, R. (2016, August 19). DFS fines Mega Bank $180 million for violating anti-money laundering laws. Retrieved from http://www.dfs.ny.gov/about/press/pr1608191.htm
29 Ibid.
30 New York State Department of Financial Services. (2016, August 19). Consent order under New York Banking Law 39 and 44. Retrieved from http://www.dfs.ny.gov/about/ea/ea160819.pdf
31 Ibid.
32 Chen, W. (2016, August 31). Cabinet task force to probe Mega Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/08/31/2003654207
33 Hsiao, A. (2016, August 31). Lawmaker pans FSC probe on Mega. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/31/2003654218
34 Ibid.
35 Huang, L. and Zhang, G. (2016, August 21). US fines Mega ICBC NT$5.7b for violating money laundering rules. PTS News Network. Retrieved from http://news.pts.org.tw/article/332409
36 Chen, W. (2016, August 24). Mega bank knew of issues in 2013: DPP. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/24/2003653754

37 Chou, C. (2016, September 30). Suspect Mega transactions not via Taiwan. The China Post. Retrieved from http://www.chinapost.com.tw/taiwan/national/national-news/2016/09/30/479778/Suspect-Mega.htm
38 Formosa News. (2016, August 23). Legislators allege Mega Bank used to launder KMT party assets. Retrieved from http://english-news.ftv.com.tw/read.aspx?sno=9670558032DFADAAE3125B242B6F4912
39 Chen, W. (2016, August 24). Mega bank knew of issues in 2013: DPP. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/24/2003653754
40 AFP. (2016, August 25). Taiwan to toughen anti-money laundering law after US fine. Channel NewsAsia. Retrieved from http://www.channelnewsasia.com/news/asiapacific/taiwan-to-toughen-anti-money-laundering-law-after-us-fine-7872894
41 Tsai, P. and Chen, C. (2016, August 24). Mega Bank case could lower Taiwan’s money laundering rating. Focus Taiwan. Retrieved from http://focustaiwan.tw/news/aeco/201608240019.aspx
42 AFP. (2016, August 25). Taiwan to toughen anti-money laundering law after US fine. Channel NewsAsia. Retrieved from http://www.channelnewsasia.com/news/asiapacific/taiwan-to-toughen-anti-money-laundering-law-after-us-fine-7872894
43 Kuomintang. (2016, September 21). Mega Bank case: Fiscal/financial chiefs to deliver reports to LY. Retrieved from http://www1.kmt.org.tw/english/page.aspx?type=article&mnum=112&anum=18259
44 Chou, C. (2016, September 2). Ex-First Bank chief appointed Mega Bank chair. The China Post. Retrieved from http://www.chinapost.com.tw/taiwan-business/2016/09/02/477307/ex-first-bank.htm
46 Chen, T. (2016, August 22). FSC commission to probe Mega Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/08/22/2003653605
47 Chou, C. (2016, August 29). Former Mega Bank chief grilled in 8-hour questioning session. The China Post. Retrieved from http://www.chinapost.com.tw/taiwan-business/2016/08/29/476919/Former-Mega.htm
48 Hsiao, A. (2016, August 31). Lawmaker pans FSC probe on Mega. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/31/2003654218
49 Hioe, B. (2016, September 1). The Mega Bank scandal: Implications not just for the KMT, but the Tsai Administration? New Bloom. Retrieved from https://newbloommag.net/2016/09/01/mega-bank-scandal/
50 Hsiao, A. (2016, August 31). Lawmaker pans FSC probe on Mega. Taipei Times. Retrieved from http://www.taipeitimes.com/News/taiwan/archives/2016/08/31/2003654218
51 Chen, W. (2016, August 31). Cabinet task force to probe Mega Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/08/31/2003654207
52 Lee, H. and Chung, J. (2016, September 18). Former FSC officials to be probed over Mega Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/09/18/2003655358
53 Chen, T. (2016, August 22). FSC commission to probe Mega Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/News/front/archives/2016/08/22/2003653605
45 Chen, W. (2016, August 31). Cabinet task force to probe Mega
Bank. Taipei Times. Retrieved from http://www.taipeitimes.com/
News/front/archives/2016/08/31/2003654207
DEUTSCHE BANK: A RUSSIAN AFFAIR

This is the abridged version of a case prepared by Ong Shu Hui, Elizabeth, Lee Xin Yi, Rachel Pan Yu and Yeoh Wei Huan under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Yeo Hui Yin Venetia under the supervision of Professor Mak Yuen Teen.

Copyright © 2018 Mak Yuen Teen and CPA Australia.

CASE OVERVIEW
In 2015, Deutsche Bank (DB) started investigations after the bank received reports of suspected “mirror trades” in DB Moscow. The internal investigation, known as “Project Square”, revealed that Tim Wiswell, the head of equities for DB Moscow, helped Russians divert approximately US$10 billion out of the country, through a series of mirror trades between 2011 and 2015. This scheme was facilitated by long-standing inadequate compliance procedures in DB. The objective of this case is to allow a discussion of issues such as anti-money laundering controls; know-your-customer policies; internal controls; dual board structure; compliance culture in banks; and risk management issues.

THE AMERICAN DREAM
Tim Wiswell grew up in Old Saybrook, Connecticut. As a child, he occupied his time with sports and sailing. Wiswell and his sister often travelled to Russia to live with their father. He went on to study for a year at the Anglo-American School of Moscow, where he picked up Russian. He then continued his studies in Colby College in Maine, United States (U.S.).[1]

Upon graduation, Wiswell found a job at United Financial Group in Russia, which was bought over by DB in the mid-2000s.[2] In 2008, Wiswell was promoted to head of equities in Russia[3] at the age of 29.[4] He was “loyal and reliable”, working well with the London equities management team and acting as a “straightforward Western presence” to “bridge the cultural gap” between Moscow and London. Meanwhile, economic conditions in Russia worsened. The previous years of spectacular growth backed by a global commodities boom came to an end with the onset of the financial crisis, and Russian clients grew “desperate to get money out of the country”.[5]

THE RISE OF DEUTSCHE BANK
In 1870, DB was incorporated as a German global banking and financial services company in Berlin.[6,7] As of 31 March 2018, DB has a total of 2,407 branches, including branches in emerging markets such as the Asia Pacific, Central and Eastern Europe, and Latin America.[8]

BOARD STRUCTURE
DB has maintained a dual board structure since its inception,[9] as mandated by German law which came into force in 1870.[10] In 2014, DB’s supervisory board consisted of approximately 20 members, headed by Chairman Dr Paul Achleitner and Alfred Herling, who was the deputy Chairman then.[11] The supervisory board had established seven standing committees, with Dr Achleitner being involved in all committees.[12] Meanwhile, the management board had seven members.[13] DB had two CEOs, Jürgen Fitschen and Anshuman Jain.[14] Up till October 2015, DB also had a Group Executive Committee that comprised the members of the management board and senior representatives appointed by the management board. However, this committee was dissolved to reduce the organisational complexity of DB.[15]

On 7 June 2015, the supervisory board of DB appointed John Cryan to the position of co-CEO. The co-Chairmen of the management board and co-CEOs, Jain and Fitschen, stepped down from their positions on 30 June 2015 and 19 May 2016 respectively,[16,17] following news releases on DB’s mirror trades scandal.[18]

PROLIFERATION OF SCANDALS
Since 2008, DB has paid fines and settlements amounting to more than US$9 billion, as a result of improprieties such as its involvement in the conspiracy to manipulate the price of gold and silver, and the violation of U.S. sanctions by trading in Iran, Syria, Myanmar, Libya and Sudan. In April 2015, the U.S. and United Kingdom (U.K.) regulators fined DB US$2.5 billion over alleged benchmark interest rate rigging.[19]

A TALE OF TWO CITIES - MIRROR TRADES
The “mirror trades” in DB went by largely undetected and unchecked until the beginning of 2015, when DB organised an internal investigation. The checks revealed that DB had ignored signs of dubious transactions and more than two thousand transactions did not comply with internal AML control procedures. Although DB Moscow passed the audit in 2014, it received warnings
from its independent auditors that there were “serious shortcomings” in its system of vetting its clients.[20]

Between 2011 and 2015, a Russian broker, Igor Volkov, called a sales trader of the equities desk of DB’s Moscow headquarters, Dina Maksutova, nearly every weekday and instructed her to place two trades simultaneously. He would buy a Russian blue-chip stock with Russian rubles on behalf of a Russian company, where the order was usually approximately US$10 million worth of the stock. Meanwhile, Volkov, who was acting on behalf of a different company typically registered in an offshore territory such as the British Virgin Islands, would sell the same amount of that Russian blue-chip stock in London, receiving U.S. dollars, euros or British pounds in exchange.[21]

Initially, the trades seemed trite and pointless, as the transactions yielded little to no profit. However, these transactions had a deeper underlying purpose: to turn rubles in Russia into dollars abroad. The counterparties actually had the same owner, so DB was essentially helping Volkov to buy and sell stocks to himself.[22] At least 12 entities were involved[23] and three members of the Russian equities desk were suspended afterwards for their involvement in the mirror trades.[24] Overall, around US$10 billion was squirrelled out of Russia through these trades from 2011 to 2015.[25]

The New York Department of Financial Services (DFS) discovered that DB and its senior managers missed numerous opportunities to detect, investigate and intercept the mirror trading scheme due to serious compliance failures.[26]

According to a former manager at DB, the mirror trades’ clients were willing to repeatedly lose small amounts of money, which was the difference between the Moscow and London stock prices, in addition to paying DB a commission for each transaction. These obvious signs of a recurring pattern should have been a red flag for DB and should have warranted a rigorous “client review” process. However, all the clients were deemed satisfactory by DB’s compliance team.[27]

Both the DFS and the U.K. Financial Conduct Authority (FCA) expressed the view that DB should have suspected improprieties in mirror trading as early as 2011, when the license of one of the counterparties, Westminster Capital Management, was suspended and subsequently revoked by Russian regulators.[28]

More red flags appeared in early 2014, when a Cypriot bank sent a query to a senior AML manager at London’s DB, regarding “suspicious high-volume transactions” through a particular U.K.-registered company’s account. However, no follow-up action was taken by the manager and the inquiry was eventually handled by the equities trading desk in Moscow, which replied to the Cypriot bank that the trades were in compliance with the rules.[29]

THE REVELATION
Following the revelation of DB’s shocking five-year scheme, three DB employees – Wiswell, Maksutova, and Georgiy Buznik – were suspended.[30]

The suspension of Wiswell, the then-head of the equities desk at the Moscow branch, came as no surprise. In 2011, the year in which the mirror trades started, revenues on Wiswell’s desk had been declining drastically and it was suggested that the mirror trading started as a consequence of the pressure on Wiswell to boost the performance of his desk.[31] An internal investigation, known as “Project Square”, confirmed that Wiswell’s desk had indeed helped to expatriate billions of Russian rubles out of the country through mirror trades.[32] Despite the role Wiswell played in the scheme, he filed a lawsuit against DB over his dismissal soon after he was fired.[33]

While Wiswell stood to benefit from the mirror trades through bonuses or even bribes,[34] there was no clear financial benefit for the sales traders on the Russian equities desk conducting the mirror trades.[35] Interestingly, neither of Wiswell’s supervisors nor DB’s compliance managers had faced similar disciplinary action.[36]

As part of the consent order entered with DFS following the massive scandal, DB had to engage an independent monitor approved by DFS and submit an engagement letter that provides for the independent monitor to review and report on the following: the areas in DB’s corporate governance that might have led to or fuelled the improper conduct; revamps to corporate governance that DB had made since the improper conduct and the impact they have on DB’s AML compliance; and the coverage of the bank’s current global AML compliance programs. The submission of a written action plan to enhance DB’s existing global AML compliance programs was also required.[37]
The DFS and FCA also imposed nearly US$630 million of fines on DB for various money laundering offences in Russia.[38]

MIRROR MIRROR ON THE WALL: A TIME FOR REFLECTION
“We will do what is right – not just what is allowed.”
– Deutsche Bank[39]

Mirror trading is not always illegal.[40] If DB had remained firm with its values and beliefs, what might then explain how it got itself into one of the largest scandals for funnelling Russian rubles offshore? Was the scandal a result of a few rogue sales traders, or did DB play a role as well?

Several reasons had been cited for the motivation behind the bank’s misconduct. First, the New York authorities suggested that DB’s sales traders were driven by “greed and corruption”, having experienced sluggish business following the slump in oil and gas prices and the global financial crisis. A trader admitted to being “focused on commission” during the time of “slow markets” and hence continued these trades despite doubts. The earning of commissions was seemingly also the reason why the traders had refrained from questioning suspicious trades.[41]

Although the DB head office in Germany had not been directly involved in the mirror trades, its lack of participation did not absolve it from being accountable for the scandal – in fact, DB Moscow could conduct mirror trades undetected for such a considerable period because of extensive inadequacies in the AML control framework, as revealed in investigation findings by both the FCA and DFS.[42,43]

Deficiencies in know-your-customer policies and procedures
DB adopted the risk-based approach to know-your-customer (KYC) procedures,[44] which was in line with the application of Regulation 7 of the Money Laundering Regulations 2007.[45] However, the due diligence for onboarding customers was not appropriately performed. In particular, there was inadequate documentation by DB Moscow’s securities desk for its onboarding files and there were many lapses in DB’s KYC procedures.[46] Investigations revealed that many customers were only asked to provide cursory or informal documentation on the source of funds.[47] Additionally, there were insufficient resources and infrastructure to facilitate the KYC process.[48] DB’s onboarding staff also faced threats when they did not expedite processes to facilitate the mirror trade transactions. Although the senior management were aware of the deficiencies for years, DB did not take steps to implement any proper reforms until 2016, after the scandal had been uncovered.[49]

Flaws in AML risk rating system
DB’s AML risk rating system was not precise in providing risk ratings for the relevant countries and customers. DB also did not have a global policy with benchmarked risk appetites, which led to significant inconsistencies and the absence of a methodology for updating the ratings. DB was also not on the same page as peer banks, which classified Russia as a high-risk country, before DB did so in late 2014.[50]

Inadequate compliance and internal audit resources
DB’s anti-financial crime, anti-money laundering and compliance units were ineffective and understaffed. A single staff member had to handle multiple roles simultaneously, and employees in leadership positions of the units were inexperienced in their respective roles and lacked necessary training.[51] They also had no real authority to challenge suspicious actions or clients that they discovered.[52]

Furthermore, the bank’s third line of defence – its group audit – was unable to fulfil its key role of ensuring compliance and effectiveness of controls.[53]

Inadequate KYC and AML IT structure
DB did not have a shared repository for KYC information, and thus a reconciliation between trading and the customer onboarding system was not possible. Moreover, DB did not have an automated system to monitor securities transactions, which further increased the risk of using the remote booking model.[54]

Flaws in corporate structure and organisation
DB’s decentralised, non-global AML framework resulted in inconsistencies in the formulation and application of policies and procedures across the bank. This created the potential for a lack of compliance with international or other countries’ regulatory requirements.[55]

The dual reporting structure and lack of clear delegation of roles and responsibilities also led to excessive reliance on the supervisor for the management of trading activities at DB Moscow’s securities desk. The London supervisor of Wiswell had effectively failed in
his supervisory role. When they praised Wiswell for promoting global products among Russian clients, an adverse culture was created that gave rise to the mirror trades and enabled the proliferation and continuation of the improper trading over a five-year period. There were also indications that DB had a corporate culture which permitted “short-term profiteering through improper conduct”, at the expense of strict compliance, which could incur higher costs in the long term.[56]

AN END TO A CHAPTER?
“Where we encounter...business lines that are not controlled to the standards we demand, we will exit them, even if this means closing them down.”
– John Cryan, CEO of Deutsche Bank[57]

DB’s latest strategic plan, “Strategy 2020”, was released in October 2015, focusing on strengthening individual accountability and discipline within the bank by reducing the complexity of DB’s management structure.[58]

In 2015, DB enhanced its “Three Lines of Defence” model, with the overall goal of decreasing the risks associated with its people, systems and conduct-related failures.[59] DB has also agreed with the Federal Reserve to engage an outside monitor to review transactions with international banks in the second half of 2016 and to review DB’s compliance with anti-money laundering laws.[60]

Although the regulatory authorities have concluded that there was no evidence that any of the senior management or employees of DB in London had been aware of or involved in the suspicious trading,[61] the shareholder advisory group, Institutional Shareholder Services, called for an independent audit into the conduct of DB’s management in handling this issue and previous scandals.[62]

A GAME OF RUSSIAN ROULETTE
Can DB escape this difficult game of Russian Roulette unscathed? Unfortunately, it appears not to be the case, as the mirror trades have been linked to other major global money laundering schemes.

As further investigations into the mirror trades continue, it has been revealed that DB might not be the only international lender found to have conducted such mirror trades in Russia.[63] This might just be the start of something much bigger.

Aside from the mirror trade scandal, DB was also involved in other scandals, such as the mis-selling of toxic bonds, as well as using insolvent shell companies to hide significant tax liabilities in recent years.[64]

In light of all these problems, is DB really too big to govern?

DISCUSSION QUESTIONS
1. Discuss the implications of a dual board structure and the advantages and disadvantages. In addition, consider the effectiveness of the board structure in Deutsche Bank and discuss any board structure issues.
2. Evaluate Deutsche Bank’s risk management framework and discuss the effectiveness of the “Three Lines of Defence” model adopted by Deutsche Bank. What are the possible reasons that led to the failure of the third line of defence?
3. Deutsche Bank has a whistleblower policy. Why were there no whistleblowers in the case of mirror trades, despite suspicions over the trades that were booked at the Moscow securities desk? How can financial institutions like Deutsche Bank strengthen their compliance culture?
4. Discuss how financial institutions can strengthen their anti-money laundering policies and know-your-customer procedures. Is the risk-based approach truly effective?
5. Do you think the shareholder advisory group’s action to call for a special audit on management’s conduct is justified? Should the blame solely be on Wiswell and two of his team members? Explain.

ENDNOTES
1 Vaughan, L., Rudnitsky, J. and Choudhury, A. (2016, October 3). A Russian tragedy: how Deutsche Bank’s “Wiz” kid fell to Earth. Bloomberg. Retrieved from https://www.bloomberg.com/features/2016-tim-wiswell-deutsche-bank/
2 Burton, J. (2017, January 31). Missing: hot shot trader who funnelled £8bn out of Russia for oligarchs… and landed his City bosses with a £505m fine. This is Money. Retrieved from http://www.thisismoney.co.uk/money/news/article-4177090/Rock-star-trader-funnelled-8bn-Russia-oligarchs.html
3 Ibid.
4 Vaughan, L., Rudnitsky, J. and Choudhury, A. (2016, October 3). A Russian tragedy: how Deutsche Bank’s “Wiz” kid fell to Earth. Bloomberg. Retrieved from https://www.bloomberg.com/features/2016-tim-wiswell-deutsche-bank/
5 Ibid.
6 Deutsche Bank. (n.d.). History – chronicle – from 1870 until today. Retrieved from https://www.db.com/company/en/media/Deutsche-Bank-History--Chronicle-from-1870-until-today.pdf
7 Historical Association of Deutsche Bank. (n.d.). FAQ. Retrieved from http://www.bankgeschichte.de/en/content/788.html
8 Deutsche Bank. (2018, April 27). Global network. Retrieved from https://www.db.com/company/en/global-network.htm
9 Deutsche Bank. (2018, March 16). Annual Report 2017. Retrieved from https://www.db.com/ir/en/download/DB_Annual_Report_2017.pdf
10 Muchlinski, P. (2013). The development of German corporate law until 1990: an historical reappraisal. German Law Journal. Retrieved from https://core.ac.uk/download/pdf/42549378.pdf
11 Deutsche Bank. (n.d.). Deutsche Bank Annual Report 2015 – Supervisory Board. Retrieved from https://annualreport.deutsche-bank.com/2015/ar/supplementary-information/corporate-governance-report/management-board-and-supervisory-board/supervisory-board.html
12 Deutsche Bank. (n.d.). Deutsche Bank Annual Report 2015 - Standing Committees. Retrieved from https://annualreport.deutsche-bank.com/2015/ar/supplementary-information/corporate-governance-report/management-board-and-supervisory-board/standing-committees.html
13 Deutsche Bank. (n.d.). Deutsche Bank Annual Report 2014 – Management Board. Retrieved from https://annualreport.deutsche-bank.com/2014/ar/supplementary-information/corporate-governance-report/management-board.html
14 David, J. (2015, June 7). Deutsche Bank’s co-CEOs set to depart the bank. CNBC. Retrieved from https://www.cnbc.com/2015/06/07/deutsche-banks-co-ceos-set-to-depart-the-bank-wsj.html
15 Deutsche Bank. (n.d.). Deutsche Bank Annual Report 2015 – Group Executive Committee. Retrieved from https://annualreport.deutsche-bank.com/2015/ar/supplementary-information/corporate-governance-report/management-board-and-supervisory-board/group-executive-committee.html
16 Deutsche Bank. (2015, June 7). Deutsche Bank appoints John Cryan to succeed Jürgen Fitschen and Anshu Jain. Retrieved from https://www.db.com/newsroom_news/2015/ir/deutsche-bank-appoints-john-cryan-to-succeed-juergen-fitschen-and-en-11156.htm
17 Deutsche Bank AG. (2015, June 7). Deutsche Bank appoints John Cryan to succeed Jürgen Fitschen and Anshu Jain. Retrieved from https://www.db.com/newsroom_news/2015/ir/deutsche-bank-appoints-john-cryan-to-succeed-juergen-fitschen-and-en-11156.htm
18 Vaughan, L., Rudnitsky, J. and Choudhury, A. (2016, October 3). A Russian tragedy: how Deutsche Bank’s “Wiz” kid fell to Earth. Bloomberg. Retrieved from https://www.bloomberg.com/features/2016-tim-wiswell-deutsche-bank/
19 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
20 World News, Breaking News. (2016, April 14). Deutsche Bank has called the failure of the shady deals in Russia at $10 billion. Retrieved from https://sevendaynews.com/2016/04/14/deutsche-bank-has-called-the-failure-of-the-shady-deals-in-russia-at-10-billion/
21 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
22 Ibid.
23 New York State Department of Financial Services. (2017, January 30). Consent order under New York Banking Law §§ 39, 44 and 44-a. Retrieved from https://www.dfs.ny.gov/about/ea/ea170130.pdf
24 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
25 Ibid.
26 New York State Department of Financial Services. (2017, January 30). Consent order under New York Banking Law §§ 39, 44 and 44-a. Retrieved from https://www.dfs.ny.gov/about/ea/ea170130.pdf
27 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
28 Kentouris, C. (2017, September 18). Mirror trading: new focus on potential AML violations. Finops Report. Retrieved from https://finops.co/regulations/mirror-trading-new-focus-on-potential-aml-violations/
29 United States District Court, Southern District of New York. (2016, October 5). Case No. 1:16-cv-03495-AT Plaintiff, vs Deutsche Bank Aktiengesellschaft, Stefan Krause, Juergen Fitschen, Anshuman Jain, John Cryan, and Marcus Schenck – class action complaint for violations of Federal Securities Laws. Retrieved from http://shareholdersfoundation.com/system/files/complaints/deutsche_bank_ag_original_filing_edited_5_2016.pdf
30 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
31 Ibid.
32 Vaughan, L., Rudnitsky, J. and Choudhury, A. (2016, October 3). A Russian tragedy: how Deutsche Bank’s “Wiz” kid fell to Earth. Bloomberg. Retrieved from https://www.bloomberg.com/features/2016-tim-wiswell-deutsche-bank/
33 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
34 Johny, S. (2016, October 5). Tim Wiswell: Deutsche Bank’s toppled poster boy. NewsBytes. Retrieved from https://www.newsbytesapp.com/timeline/Business/3553/21127/the-tim-weswell-saga
35 Caesar, E. (2016, August 29). Deutsche Bank’s $10-billion scandal. The New Yorker. Retrieved from https://www.newyorker.com/magazine/2016/08/29/deutsche-banks-10-billion-scandal
36 Kentouris, C. (2017, September 18). Mirror trading: new focus on potential AML violations. Finops Report. Retrieved from https://finops.co/regulations/mirror-trading-new-focus-on-potential-aml-violations/
37 New York State Department of Financial Services. (2017, January 30). DFS fines Deutsche Bank $425 million for Russian mirror-trading scheme. Retrieved from https://www.dfs.ny.gov/about/presspr1701301.htm
38 Treanor, J. (2017, January 31). Deutsche Bank fined $630m over Russia money laundering claims. The Guardian. Retrieved from https://www.theguardian.com/business/2017/jan/31/deutsche-bank-fined-630m-over-russia-money-laundering-claims
39 Deutsche Bank. (n.d.). Corporate culture and corporate values. Retrieved from https://www.db.com/cr/en/concrete-cultural-change.htm?kid=werte.inter.redirect#tab_corporate-values
40 Kentouris, C. (2017, September 18). Mirror trading: new focus on potential AML violations. Finops Report. Retrieved from https://finops.co/regulations/mirror-trading-new-focus-on-potential-aml-violations/
41 Winning, A. and Char, P. (2017, February 1). The ‘mirror’ trades that caught Deutsche in Russian web. Reuters. Retrieved from https://uk.reuters.com/article/deutsche-mirrortrade-probe-scheme/the-mirror-trades-that-caught-deutsche-in-russian-web-idUKL5N1FL50R
42 New York State Department of Financial Services. (2017, January 30). DFS fines Deutsche Bank $425 million for Russian mirror-trading scheme. Retrieved from https://www.dfs.ny.gov/about/press/pr1701301.htm
43 Financial Conduct Authority. (2017, January 31). FCA fines Deutsche Bank £163 million for serious anti-money laundering controls failings. Retrieved from https://www.fca.org.uk/news/press-releases/fca-fines-deutsche-bank-163-million-anti-money-laundering-control-failure
44 United States District Court Southern District of New York. (2016, December 16). Case 1:16-cv-03495-LTS-BCM in re Deutsche Bank Aktiengesellschaft securities litigation – consolidated amended class action complaint for violations of Federal Securities Laws. Retrieved from http://securities.stanford.edu/filings-documents/1057/DBA00_01/20161216_r01c_16CV03495.pdf
45 UK Legislation. (2007). The Money Laundering Regulations 2007. Retrieved from http://www.legislation.gov.uk/uksi/2007/2157/pdfs/uksi_20072157_en.pdf
46 New York State Department of Financial Services. (2017, January 30). In the matter of Deutsche Bank AG and Deutsche Bank AG New York Branch – consent order under New York Banking Law §§ 39, 44 and 44-a. Retrieved from https://www.dfs.ny.gov/about/ea/ea170130.pdf
47 United States District Court Southern District of New York. (2016, December 16). Case 1:16-cv-03495-LTS-BCM in re Deutsche Bank Aktiengesellschaft securities litigation – consolidated amended class action complaint for violations of Federal Securities Laws. Retrieved from http://securities.stanford.edu/filings-documents/1057/DBA00_01/20161216_r01c_16CV03495.pdf
48 Financial Conduct Authority. (2017, January 30). Final notice to Deutsche Bank AG. Retrieved from https://www.fca.org.uk/publication/final-notices/deutsche-bank-2017.pdf
49 New York State Department of Financial Services. (2017, January 30). In the matter of Deutsche Bank AG and Deutsche Bank AG New York Branch – consent order under New York Banking Law §§ 39, 44 and 44-a. Retrieved from https://www.dfs.ny.gov/about/ea/ea170130.pdf
50 Ibid.
51 Ibid.
52 Monroe, B. (2017, February 2). U.S., U.K. regulators hit Germany’s largest bank with historic AML fine on Russian ‘mirror trades’. Association of Certified Financial Crime Specialists. Retrieved from https://www.acfcs.org/news/329221/U.S.-U.K.-regulators-hit-Germanys-largest-bank-with-historic-AML-fine-on-Russian-mirror-trades-.htm
53 New York State Department of Financial Services. (2017, January 30). In the matter of Deutsche Bank AG and Deutsche Bank AG New York Branch – consent order under New York Banking Law §§ 39, 44 and 44-a. Retrieved from https://www.dfs.ny.gov/about/ea/ea170130.pdf
54 Ibid.
55 Ibid.
56 Ibid.
57 Cryan, J. (2015, July 1). Message from John Cryan to employees. Deutsche Bank. Retrieved from https://www.db.com/unitedkingdom/content/en/Message_from_John_Cryan_to_employees.html
58 Deutsche Bank. (2015, October 29). Deutsche Bank announces details of Strategy 2020. Retrieved from https://www.db.com/newsroom_news/2015/medien/deutsche-bank-announces-details-of-strategy-2020-en-11247.htm
59 Deutsche Bank. (2016). Corporate Responsibility Report 2015. Retrieved from https://cr-report.db.com/2015/en/servicepages/downloads/files/dbcr2015_entire.pdf
60 Hamilton, J. and Arons, S. (2017, May 31). Deutsche Bank Fined $41 Million for money-laundering lapses. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-05-30/deutsche-bank-pays-41-million-fine-for-money-laundering-faults
61 Shearman & Sterling LLP. (2017, March 2). European Union: UK regulator fines Deutsche Bank For AML control failings related to mirror trading. Mondaq. Retrieved from http://www.mondaq.com/uk/x/572780/Financial+Services/UK+Regulator+Fines+Deutsche+Bank+For+AML+Control+Failings+Related+To+Mirror+Trading
62 Schuetze, A. (2017, May 3). Shareholder advisors call for special audit at Deutsche Bank. Reuters. Retrieved from https://www.reuters.com/article/us-deutsche-bank-audit-iss-idUSKBN17Z1L8
63 Pismennaya, E. (2017, June 27). Deutsche Bank wasn’t only ‘mirror’ trader: Russian Central Bank. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-06-27/deutsche-bank-wasn-t-only-mirror-trader-russian-central-bank
64 Treanor, J. (2017, January 31). Deutsche Bank fined $630m over Russia money laundering claims. The Guardian. Retrieved from https://www.theguardian.com/business/2017/jan/31/deutsche-bank-fined-630m-over-russia-money-laundering-claims
COMMONWEALTH BANK OF AUSTRALIA: THE UNWITTING MULE 91

COMMONWEALTH BANK OF
AUSTRALIA: THE UNWITTING
MULE
CASE OVERVIEW

Australian banking giant Commonwealth Bank of Australia (CBA) received international scrutiny in 2017 when it emerged that international criminal syndicates had been using the bank’s Intelligent Deposit Machines (IDMs) for years to launder money and finance terrorism. The bank was accused of having a poor regulatory compliance and governance environment, which was exploited by the money laundering syndicates. An Australian Transaction Reports and Analysis Centre’s (AUSTRAC) investigation highlighted many instances where CBA was forewarned of illicit activity but took inadequate actions – public observers voiced their opinions that the bank’s key management and directors were all asleep at the wheel. With CBA’s large influence in the international financial market, news of the money laundering scandal not only shocked and impacted the domestic market, but also stakeholders worldwide. The objective of this case is to facilitate a discussion of issues such as money laundering; board leadership and oversight; risk assessment and management; and accountability to various stakeholders.

ABOUT CBA

CBA is a multinational financial group that provides integrated financial services such as retail banking, business and private banking, institutional banking and markets, and wealth management to its customers.1 Founded in Australia in 1911,2 the bank has established its longstanding position as one of the pillars of the Australian financial industry. In 2015, CBA was ranked at the top of the Australian Securities Exchange (ASX) market capitalisation report.3 The group has grown its operations both locally and globally through a wide network of branches, subsidiaries and associates such as Bankwest, Colonial First State Investments, ASB Bank, and Commonwealth Securities.4

THE LANDMARK CASE

On 3 August 2017, AUSTRAC initiated civil proceedings against CBA in the Australian federal courts for severe breaches of the Australian Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) between November 2012 and September 2015.5 This was a landmark case that caused a ripple of shock for observers as each instance of breach in the Act carried a maximum penalty of A$18 million. The maximum fine of nearly A$1 trillion dwarfed the entire bank’s market value.6 After news of the legal proceedings emerged, CBA’s share value fell by 3.9% the following day.7

Four syndicates, of which three were linked to drug dealing and distribution, were discovered to have carried out money-laundering activities using the bank’s fleet of IDMs – smart ATMs that could process cheques and cash deposits instantly – making the funds immediately available for transfer. The drug syndicates made deposits into several separate accounts under fake names, ensuring that each deposit was under A$10,000 – the limit at which CBA was legally required to report the transaction to AUSTRAC. The syndicates transferred the money out to overseas accounts thereafter.8 CBA had allowed such transfers exceeding A$75 million to remain undetected for over two years.

ATTACKS FROM ALL SIDES

After the first civil proceedings were initiated by AUSTRAC, more parties started to hop on the bandwagon, adding to the bank’s headache. AUSTRAC’s allegations sparked off a series of subsequent proceedings against CBA from its various stakeholders. Other regulators such as the Australian Securities and Investments Commission (ASIC) also began to announce that they were starting their own investigations into CBA.9 Members of the Australian Senate also called for a royal commission in parliament to investigate the breaches.10

The Australian Prudential Regulation Authority (APRA) then announced that it would initiate an independent public inquiry against CBA, focusing on whether the bank deliberately overrode its controls and safeguards in pursuit of higher potential profits.11 Such an action was unprecedented as APRA had normally operated ‘behind the scenes’, and the overt action was interpreted as a symbolic move that government regulators were adamant in making changes to the bank’s leadership.12

This is the abridged version of a case prepared by Khoo Dingyan, Le Quang Quan, Tng Shiqi and Wecom Huang under the supervision of Professor Mak Yuen Teen. The case was developed
from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives
in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Clarisse Tan under the supervision
of Professor Mak Yuen Teen.

Copyright © 2019 Mak Yuen Teen and CPA Australia.



THE INTELLIGENT LAUNDROMATS

Problems started back in 2012 when CBA introduced its IDMs into the market. The IDMs provided its customers with another integrated financial service. The introduction of IDMs saw an increase in transactions and savings.13 Competition in both domestic and global markets remained stiff with other competitors launching new innovative products and services. Therefore, to place itself ahead of its competition and to prepare for potential stagnant economic growth, CBA offered consumers an option of using IDMs in the hope that this would bring the bank to the forefront of financial technological advancement.14

What made the IDM seem like a superior service was that individuals, regardless of whether they were personally CBA customers, could deposit either cheques or cash into CBA accounts without a limit on the number of transactions.15 This strategy helped attract more customers to CBA, especially small and medium enterprises, which were heavily reliant on cash.16 These small and medium enterprises could also now bypass certain stringent restrictions in place when making large transactions. Furthermore, the technologically advanced and fast IDMs would ameliorate the large salary expenses that CBA incurred for bank tellers and front desk personnel, significantly reducing the bank’s operating expenses.17

Without a limit on the number of transactions per day, large transactions could take place daily without any restrictions imposed by the IDMs. However, due to control oversight, the IDMs failed to capture unusually large transactions. This violated the compliance regulations imposed by the Australian authorities. The AML/CTF Act prescribed that any transactions exceeding the threshold value of A$10,000 had to be reported in Threshold Transaction Reports (TTRs) to AUSTRAC within 10 business days.18 In addition, as the machine could be used by anyone – including non-CBA customers – anonymous deposits were permitted.19

In fact, the IDM platform was not a unique technological innovation exclusive to CBA. Westpac Banking Corporation (Westpac), another Australian bank, had also conducted a trial using IDMs. However, Westpac concluded in its trials that the risk of such machines being utilised by criminal gangs for money laundering purposes was too high, and ultimately chose not to proceed with the roll-out of IDMs for public use.20 However, CBA decided to install more than 805 IDMs country-wide by May 2017.21

FOONG’S GOLD

The launch of CBA’s IDMs with weak controls came as pleasant news to two members of a methamphetamine manufacturing and trafficking ring based in Sydney, Australia – Yuen Hong Fung and Kha Weng Foong. Fung and Foong began laundering more than A$650,000 a day through CBA’s IDMs from late 2014 to August 2015. An estimated total of A$20.6 million was deposited through IDMs into CBA accounts, and all of it was transferred offshore.22

This was not the first time that Foong had used his expertise in fabricating false identification cards. In 2009, he was involved in producing fake credit cards that enabled him to misappropriate almost A$7 million from retailers in Australia. Foong’s expertise was just what Fung, who wanted to launder money made from methamphetamine sales to Hong Kong, needed. In 2014, Foong helped Fung to create false CBA accounts using fake driving licenses. Foong went by many names, such as Ronald Brown, Luke Shaw, and Richard Whippy. However, had CBA’s staff looked closer, they would have noticed that all the fabricated licenses used the same picture of Foong.23

Fung used a number of IDMs throughout Sydney and ensured that the amounts deposited were under A$10,000 for each transaction. CBA had identified consistent, suspicious patterns of cash deposits in 16 of these accounts by April 2015. Despite this, the bank did not follow up on its findings, and allowed an estimated A$9.1 million to be transferred to Hong Kong between April and July 2015.24

THE LONE HERO

On the morning of 28 May 2015, the manager at CBA’s Leichhardt branch received an error message from one of the branch’s IDMs, indicating that the machine was full. As this was an unusual occurrence, he was prompted to investigate further. He found that multiple deposits of about A$50,000 each were made to two accounts that morning. Upon further investigation, it was discovered that over the past month, both accounts had received deposits of at least A$1 million each which were then almost immediately transferred offshore. Fung had deposited A$457,980 that day as he went around using IDMs located in different locations. The problem at Leichhardt meant he had to go to Ashfield to deposit the remaining amount.25

A month later, on 30 June 2015, the Leichhardt branch manager approached Fung while he was doing his usual deposit run, which disrupted his actions. Fung simply moved to another location to carry on his business. That same night, CBA blocked 19 of Foong’s accounts at the request of the Australian Federal Police (AFP). By this time, the bank had identified that the false accounts were opened by foreign nationals on holiday visas. The money laundering was therefore put to a stop for five days. However, it resumed later with 11 new accounts. These accounts utilised the same modus operandi previously identified by CBA. They fell through the cracks as there was a lack of subsequent follow-up monitoring for money laundering and terrorism financing risks.26

Foong and Fung were eventually arrested on the morning of 24 August 2015 at CBA’s Eastgardens Branch for dealing with the proceeds of crime and structuring offences. Meanwhile, AUSTRAC alleged that CBA had failed to report 60 TTRs related to transactions by Fung and suspicious activities relating to Fung on 92 separate occasions.27

A LACK OF FOLLOW UP

Foong and Fung were not the only criminals making use of CBA’s IDMs to launder money. Between June 2014 and May 2016, three other money laundering syndicates making use of CBA accounts were identified. These three syndicates adopted similar practices of executing financial transactions in a specific pattern. Large amounts of cash were deposited into multiple CBA accounts through IDMs. Almost immediately after each deposit was made, the money would be transferred to either other domestic accounts or offshore bank accounts. These deposits were the proceeds made from drug manufacturing and trafficking carried out by the syndicates.28

In all three situations, CBA was aware of the unusual patterns of these transactions and identified the suspicious accounts, a few months after the money laundering activities started. For one of the syndicates, CBA had even identified evidence of structuring, and concluded that some of the accounts belonged to suspicious money remitters that were potentially part of a money laundering syndicate. However, CBA did not continue to monitor these customers and accounts and continued to allow these highly suspicious individuals to deposit cash and make transactions for their accounts. Despite the large and structured cash deposits made, several transactions for these accounts did not trigger transaction monitoring alerts for structuring. Although alerts were raised in the remainder of these instances, CBA failed to review them in a timely manner and did not submit timely Suspicious Matter Reports (SMRs), as required legally by the AML/CTF Act.29

In late 2015, the AFP advised CBA that several of the accounts related to one of these syndicates were involved in an investigation into serious criminal offences including drug importation and unlawful processing of money. However, even after the warnings were issued, CBA did not close several of these accounts and allowed more transactions to occur.30

REGULATORS GIVEN THE RUN-AROUND

It was clear as day that CBA had failed to manage its regulatory compliance obligations adequately. Within the three-year period from November 2012 to September 2015, CBA did not submit 53,506 TTRs on time, totalling A$624.7 million.31 Even when the amounts transacted were less than A$10,000, CBA had a legal obligation to file SMRs to AUSTRAC when it identified suspicious patterns of activity. Such patterns might include customers who deposit amounts just under the threshold transaction limit to avoid detection. However, CBA adopted an internal policy where SMRs would not be submitted if a suspicious matter of the same nature had already been reported in the previous three months. Between August 2012 and June 2017, there were 69 cases identified where CBA failed to submit SMRs related to possible money laundering crimes on a timely basis, even after receiving requests from law enforcement for account details to assist in their criminal investigations.32

In many other cases, SMRs were not submitted due to a lack of transaction monitoring alerts raised or reviewed. For the incidents where alerts were raised and reviewed, CBA’s submissions were usually incomplete.33

RISK ASSESSMENT FALLS SHORT

Before the introduction of IDMs into the mass market, CBA did not perform risk assessments for anti-money laundering and counter-terrorism financing risks. Such risk assessments were required under the AML/CTF Act in Australia. As a result, there was a lack of adequate risk-based systems and controls to manage these risks.34

After the IDM launch, CBA did not carry out the necessary risk assessments from 2012 to mid-2015 even when there was an exponential increase in the amount of cash deposited during this period. An estimated A$8.9 billion in cash was deposited through CBA’s IDMs before it performed the risk assessment required. CBA had also failed to comply with its transaction monitoring program for 778,370 accounts from the launch date to September 2016.35

Around July 2015, CBA’s intelligence analysis had obtained evidence that criminal syndicates were laundering several millions of dollars through its IDMs. Following that, CBA contacted the serious organised crime units of the AFP, New South Wales (NSW) police, and Western Australian police regarding the said money laundering activity. However, once again, CBA failed to follow its own anti-money laundering procedures and no new risk controls were introduced to tackle the problems that surfaced.36

One year later in July 2016, CBA evaluated that the IDMs had a high inherent money laundering risk but once again, it concluded that the residual risk was low. Hence, no action was taken to address the high inherent risk.37

MISMANAGEMENT OF OPERATIONAL RISKS

CBA had the legal obligation to continually monitor its customers so that the risk of money-laundering and terrorism financing could be managed and reduced. Once suspicious transactions have been identified, CBA must carry out enhanced customer due diligence (ECDD), as required by the AML/CTF Act. This may include ascertaining the source of the customer’s wealth or terminating their accounts.

However, when dealing with suspicious customers, CBA was slow to decide on whether to cease doing business with these customers. They gave the criminal syndicates 30 days’ notice before suspending their accounts and in 20 of these cases, AUSTRAC noted that the money laundering offences continued during the notice period given. CBA did not put in place any additional checks on these transactions and was unable to address the problem properly.38

LEGAL TUSSLES

By December 2017, CBA had filed its response to the legal suit by AUSTRAC. The bank only admitted to 91 allegations, challenging the remaining hundred or so claims made by AUSTRAC.39 The agency responded by increasing the scope of its claims and charged the bank with 100 additional new claims of breaches of the AML/CTF Act.40 CBA responded by denying a further 89 of these claims. A deadlock between CBA and AUSTRAC ensued, with both parties increasing their accusations and claims over the scandal. On 22 March 2018, the courts ordered mediation between the two parties.41

MISSING FROM THE EQUATION: ACCOUNTABILITY

The bank identified ‘accountability’ as one of its five core values in its 2014 Shareholder Review.42 However, accountability was clearly lacking in CBA’s corporate culture.

APRA released the CBA prudential inquiry final report on 30 April 2018.43 The report noted that CBA’s culture had a lack of clear accountability, and hence it was difficult to identify who was accountable when problems arose. A lack of collective accountability by senior leadership was one of the main factors identified by the regulator that led to CBA’s ineffective management of its regulatory compliance obligations, leading to the money laundering scandal.44

APRA had also assessed the internal practices of CBA through interviews and focus group discussions with employees from various levels. The company’s culture was characterised as lax, complacent and reactive based on the findings. The report highlighted that CBA employees tended to adopt a sense of helplessness because of the large size of the company and the complexity of issues. The employees of the bank attributed the problems faced by the bank to external factors such as the highly volatile nature of the financial markets, rather than internal failures. Employees were found to have a “check-box” mentality whereby they would just carry out the processes assigned to them and nothing more due to their lack of understanding of the rationale behind decisions made.45

WHO IS TO BLAME?

CBA’s first response to the AUSTRAC accusations was to downplay the severity of its error. It claimed that due to technicalities of the law, the 53,700 breaches alleged by AUSTRAC may only be considered as just one breach as all the breaches were caused by a software update error.46 The software update error had caused the IDMs to malfunction and stopped the generation of TTRs required for all transactions above A$10,000. CBA’s Chief Executive Officer (CEO) Ian Narev claimed CBA only discovered the error three years later in 2015 and had taken steps to notify AUSTRAC and provided a fix for the machines within a month.47
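The two monitoring controls this narrative turns on, as an added example that is not from the case or from CBA’s systems: a per-channel reconciliation that would surface a silent TTR-generation failure, and a rule that flags repeated sub-threshold cash deposits followed by a quick offshore transfer. The field names, the 24-hour window, the three-deposit minimum, the six-hour pass-through cut-off and the ledger are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD = 10_000                 # A$ reporting threshold named in the case
WINDOW = timedelta(hours=24)       # assumption: look-back window for structuring
MIN_DEPOSITS = 3                   # assumption: deposits needed before alerting
PASS_THROUGH = timedelta(hours=6)  # assumption: cut-off for "almost immediately"


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    account: str
    kind: str        # "cash_deposit" or "transfer_out"
    channel: str     # e.g. "IDM", "branch", "online"
    amount: int      # whole A$
    offshore: bool = False


def reportable(txns):
    """Cash deposits that need a threshold transaction report (TTR)."""
    # Inclusive comparison is an assumption here; it errs towards reporting.
    return [t for t in txns if t.kind == "cash_deposit" and t.amount >= THRESHOLD]


def missing_ttrs(txns, filed_ids):
    """Reconcile reportable deposits against TTRs actually filed, per channel.

    Gaps concentrated in one channel point to a report-generation failure
    in that channel rather than a one-off miss.
    """
    gaps = defaultdict(list)
    for t in reportable(txns):
        if t.txn_id not in filed_ids:
            gaps[t.channel].append(t.txn_id)
    return dict(gaps)


def structuring_alerts(txns):
    """Flag accounts with MIN_DEPOSITS or more sub-threshold cash deposits
    inside WINDOW whose total reaches THRESHOLD, and report how much left
    offshore between the first deposit and PASS_THROUGH after the last."""
    by_account = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        by_account[t.account].append(t)

    alerts = {}
    for account, items in by_account.items():
        deposits = [t for t in items
                    if t.kind == "cash_deposit" and t.amount < THRESHOLD]
        start, running = 0, 0
        for end, dep in enumerate(deposits):
            running += dep.amount
            # Slide the window forward so it never spans more than WINDOW.
            while dep.when - deposits[start].when > WINDOW:
                running -= deposits[start].amount
                start += 1
            count = end - start + 1
            if count >= MIN_DEPOSITS and running >= THRESHOLD:
                moved = sum(
                    t.amount for t in items
                    if t.kind == "transfer_out" and t.offshore
                    and deposits[start].when <= t.when <= dep.when + PASS_THROUGH
                )
                best = alerts.get(account)
                if best is None or running > best["deposited"]:
                    alerts[account] = {"deposits": count, "deposited": running,
                                       "moved_offshore": moved}
    return alerts


def make_txn(i, hhmm, account, kind, channel, amount, offshore=False):
    hour, minute = map(int, hhmm.split(":"))
    when = datetime(2020, 1, 6, hour, minute)
    return Txn(f"T{i:03d}", when, account, kind, channel, amount, offshore)


# Constructed sample ledger (not data from the case).
SAMPLE = [
    make_txn(1, "09:02", "ACC-A", "cash_deposit", "IDM", 9_500),
    make_txn(2, "09:10", "ACC-A", "cash_deposit", "IDM", 9_800),
    make_txn(3, "09:25", "ACC-A", "cash_deposit", "IDM", 9_900),
    make_txn(4, "10:05", "ACC-A", "transfer_out", "online", 29_000, offshore=True),
    make_txn(5, "11:00", "ACC-B", "cash_deposit", "IDM", 12_000),
    make_txn(6, "11:30", "ACC-C", "cash_deposit", "branch", 15_000),
    make_txn(7, "12:00", "ACC-D", "cash_deposit", "IDM", 4_000),
    make_txn(8, "15:00", "ACC-D", "cash_deposit", "IDM", 3_000),
]
FILED_TTRS = {"T006"}  # constructed: only the branch deposit produced a TTR

if __name__ == "__main__":
    print("TTR gaps by channel:", missing_ttrs(SAMPLE, FILED_TTRS))
    print("Structuring alerts:", structuring_alerts(SAMPLE))
```

Run daily, the reconciliation turns a channel that has stopped producing TTRs into a visible gap on the first day, and the structuring rule feeds the suspicious matter review rather than replacing it.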

Critics, however, pointed out the fact that suspicions related to illegal activities had already been raised within the bank since July 2014. These red flags should have prompted the company to file a report regarding their IDMs being used for illegal activities to AUSTRAC within three business days under the AML/CTF Act.48 However, CBA did not do so.

According to a report by AUSTRAC, “Had [CBA] introduced daily limits earlier it would have disrupted money laundering activity through IDMs by syndicates involved in the importation and distribution of drugs including methamphetamine.”49

SIGNS OF REPENTANCE

Under immense public pressure, the board of CBA announced in August 2017 that it would cut all short-term incentive bonuses for its top management, as well as reduce the director fees of its board members by 20% for the year.50 In addition, CBA announced that its CEO would be leaving the bank by the end of the 2018 financial year.51

Following the additional pressure from legal actions being taken against the bank, as well as the fall in its share price, Catherine Livingstone, the Chairman of the board, announced a board restructuring plan, with three directors being replaced. She also announced that the bank intended to establish a director subcommittee to oversee the investigations and responses relating to the scandal.52

Analysts estimated that the increase in operating costs arising from legal fees to defend itself against lawsuits would amount to A$200 million over the following two years.53 In addition, it was estimated that CBA would have to incur a A$2.5 billion fine as a result of its breaches.54

Subsequently, CBA announced that Narev would not be eligible to cash in his long-term bonus shares for the year. In an investor conference, Narev apologised for the scandal and took responsibility for it. Livingstone also apologised for the scandal during the shareholders’ meeting. In addition, it was announced that two more board directors would leave by the end of 2018.55

DIRECTORS ASLEEP AT THE WHEEL?

CBA’s board of directors also came under the spotlight when consumer advocates claimed that the “long-serving Commonwealth Bank board members had been asleep at the wheel”, leading to the bank’s long string of scandals since 2009 that included the bribery of CBA’s executives in relation to the award of business contracts, provision of shoddy financial planning advice, and the “fees for no service” scandal.56

The board was originally made up of 10 directors, out of which eight were independent non-executive directors.57 The Chairman of the Risk Committee, Shirish Apte, did not reside in Australia, where the CBA headquarters are located. Instead, he lived in Singapore, where he was employed.58

APRA’s final report on CBA’s prudential inquiry had found that there was a culture of complacency, dismissiveness toward government regulations, and a general lack of accountability and oversight of the risks by CBA’s key management and senior executives. The regulator found that the board had placed high trust and confidence in the bank’s management due to their continual financial success. The board also believed that CBA, being one of the four largest banks in Australia, was conservative and had a culture of prioritising their customers’ interest. This led the board to let its guard down.59

APRA noted that these factors resulted in the board being complacent and less attentive to signals that may have alerted it to the risks introduced by the IDMs and the money laundering scandal. The report also said that the board and its committees were often slow in dealing with non-financial risks, which may have communicated a tone of inaction to the rest of the organisation. The inquiry found that the board was not sufficiently rigorous in ensuring that management mitigated high-risk areas.60

THE BEGINNING OF THE END

In early April 2018, Narev stepped down as CEO of CBA with A$12 million worth of shares as a parting gift. He was replaced by Matt Comyn, the head of CBA’s retail bank since 2012.61 Two months later, CBA and AUSTRAC reached a settlement agreement. As part of the settlement, CBA would pay a record A$700 million fine to settle the claims of money laundering and terrorism financing breaches. The bank admitted to failure in the late or non-filing of more than 53,700 reports to AUSTRAC for cash deposits over A$10,000 and 149 suspicious matter reports. CBA claimed that it had improved its internal controls and systems since then.62

EPILOGUE: HAYNE’S CALL FOR CHANGE

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was tasked with investigating if Australia’s banks have engaged in misconduct, and whether adequate controls were put in place. The one thousand-page report by Commissioner Hayne, which was released in February 2019, contained 76 recommendations. Among the recommendations, financial regulators are to impose criminal charges against entities associated with the “fees for no service” scandal. The royal commission also recommended the retention of the “twin peaks model” for financial regulation, but with a clearer segregation of roles. APRA continued to retain its role in regulation, and ASIC would oversee conduct and disclosure. ASIC was also urged to commence legal proceedings when dealing with large corporations in the event of law breaches, instead of merely issuing infringement notices, which should only be used for administrative matters. In addition, APRA and ASIC should also be more stringently monitored by an independently chaired regulator-oversight body, to ensure the accountability of regulators by conducting regular reviews.63

Following the royal commission’s calls for further investigations by the regulators into CBA’s failings, CEO Comyn addressed past lapses and pledged to improve its compliance and risk functions.64

Commissioner Hayne highlighted that Australia’s financial institutions must change their culture and conduct.65 The CBA scandal involving money laundering and terror financing breaches was arguably one of the largest scandals in recent years. However, other misconduct, such as deceased customers being charged fees and unqualified customers being sold insurance, was also uncovered. It remains to be seen if the Hayne report will act as a wake-up call to the financial industry.

DISCUSSION QUESTIONS

1. Describe the deficiencies in oversight and accountability within CBA that contributed to the failure. Should the CEO, Ian Narev, be held responsible for a technical operational error? Suggest potential improvements.

2. Discuss how the culture at CBA contributed to the lapses in risk management. Suggest improvements to be made.

3. Comment on the actions taken by CBA following the discovery of the vulnerabilities. Was there more that the company could have done?

4. Evaluate if the penalty imposed by the courts was fair to CBA’s stakeholders. Should the board of directors have been held responsible for the breaches?

5. In light of the recent wave of technological integration within the banking and finance industry, discuss its impact and how the risks can be managed.

6. What are the regulatory bodies and regulations in place in your country in relation to money laundering and terrorism financing? In your opinion, would the CBA case have been prevented if it were to happen in your country?

ENDNOTES

1 Commonwealth Bank of Australia. (2018). Annual Report 2018. Retrieved from https://www.commbank.com.au/content/dam/commbank/about-us/shareholders/pdfs/results/fy18/cba-annual-report-2018.pdf
2 Commonwealth Bank of Australia. (2018). History. Retrieved from https://www.commbank.com.au/about-us/our-company.html?ei=CB-footer_who-we-are
3 Commonwealth Bank of Australia. (n.d.) About Us. Retrieved from https://www.commbank.com.au/about-us.html
4 Ibid.
5 AUSTRAC. (2017, August 03). AUSTRAC seeks civil penalty orders against CommBank. Retrieved from http://www.austrac.gov.au/media/media-releases/austrac-seeks-civil-penalty-orders-against-cba
6 Doran, M., & Janda, M. (2018, June 04). CBA to pay record $700m fine over money laundering breaches. ABC (Australian Broadcasting Corporation) News. Retrieved from https://www.abc.net.au/news/2018-06-04/commonwealth-bank-pay-$700-million-fine-money-laundering-breach/9831064
7 Yeates, C. (2017, August 04). CommBank shares slump as bank vows to fight the Austrac claims. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/cba-shares-slump-as-bank-vows-to-fight-the-austrac-claims-20170804-gxp9xp.html
8 Eyers, J. (2017, August 04). CBA money laundering scandal: how it happened. ABC (Australian Broadcasting Corporation) News. Retrieved from https://www.afr.com/business/banking-and-finance/financial-services/commonwealth-bank-safe-haven-for-criminal-activity-20170804-gxp54g
9 Ryan, P. (2018, August 11). Commonwealth Bank: ASIC to investigate CBA over money-laundering scandal. The Australian Financial Review. Retrieved from https://www.abc.net.au/news/2017-08-11/asic-to-investigate-cba/8796542
10 Hutchens, G. (2018, April 19). Banking royal commission: All you need to know – so far. The Guardian. Retrieved from https://www.theguardian.com/australia-news/2018/apr/20/banking-royal-commission-all-you-need-to-know-so-far
11 Janda, M. (2017, August 28). Scandal-hit CommBank promises to cooperate with APRA probe. ABC (Australian Broadcasting Corporation) News. Retrieved from https://www.abc.net.au/news/2017-08-28/commonwealth-bank-to-face-independent-inquiry-apra/8848004

12 Yeates, C. (2017, August 28). APRA inquiry may trigger CBA management shake-up. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/apra-inquiry-may-trigger-cba-management-shakeup-20170828-gy5r8y.html
13 Commonwealth Bank of Australia. (2015, August 12). Results Presentation for the full year ended 30 June 2015. Retrieved from https://www.commbank.com.au/content/dam/commbank/about-us/shareholders/pdfs/results/FY15/fy15-results-presentation.pdf
14 Coyne, A. (2017, Aug 08). CBA allegedly took two years to fully fix its IDM software error. itnews. Retrieved from https://www.itnews.com.au/news/cba-took-two-years-to-fully-fix-its-idm-software-error-470376
15 Ibid.
16 Davidson, J. (2017, 04 04). CBA should have known ATMs might have bugs. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking-and-finance/cba-should-have-known-atms-might-have-bugs-20170804-gxpayl
17 Parry, Y., & Ockenden, W. (2017, Aug 8). Commonwealth Bank: How smart ATMs and a coding error caused a massive mistake. ABC (Australian Broadcasting Corporation) News. Retrieved from https://www.abc.net.au/news/2017-08-07/commonwealth-bank-how-smart-atms-and-coding-error-caused-mistake/8781066
18 Doran, M., & Janda, M. (2018, June 04). CBA to pay record $700m fine over money laundering breaches. ABC (Australian Broadcasting Corporation) News. Retrieved from https://www.abc.net.au/news/2018-06-04/commonwealth-bank-pay-$700-million-fine-money-laundering-breach/9831064
19 Knaus, C. (2017, August 03). Commonwealth Bank accused of money laundering and terrorism-financing breaches. The Guardian. Retrieved from https://www.theguardian.com/australia-news/2017/aug/03/commonwealth-bank-accused-of-money-laundering-and-terrorism-financing-breaches
20 Yeates, C. (2017, October 11). Westpac dumped intelligent ATMs for ‘risk and operational’ reasons. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/westpac-dumped-intelligent-atms-for-risk-and-operational-reasons-20171011-gyyx3e.html
21 Eyers, J. (2018, June 04). Money laundering scandal: What CBA admitted to, and why it happened. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking-and-finance/money-laundering-scandal-what-cba-admitted-to-and-why-it-happened-20180604-h10xm3
22 Welch, D. (2017, August 03). How three men got away with money laundering through CommBank. Australian Broadcasting Corporation (ABC) News. Retrieved from https://www.abc.net.au/news/2017-08-03/cba-money-laundering-law-breach-claim-how-men-got-away-with-it/8771652
25 Chenoweth, N. (2017, August 11). AUSTRAC case: How drug syndicates turned Commonwealth Bank into a money pump. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking-and-finance/austrac-case-how-drug-syndicates-turned-commonwealth-bank-into-a-money-pump-20170810-gxtnht
26 Ibid.
27 Ibid.
28 Evans, M., & Bucci, N. (2017, August 03). This is how drug syndicates used Commonwealth ATMs to launder cash. Business Insider. Retrieved from https://www.businessinsider.com.au/this-is-how-drug-syndicates-used-commonwealth-atms-to-launder-cash-2017-8
29 Commonwealth Bank of Australia. (2018, August 15). CBA and AUSTRAC resolve AML/CTF proceedings. Retrieved from https://www.commbank.com.au/guidance/newsroom/CBA-and-AUSTRAC-resolve-AMLCTF-proceedings-201806.html
30 Federal Court of Australia. (2017, August 3). Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited ACN 123 123 124 [PDF].
31 Ibid.
32 Eyers, J. (2018, June 04). Money laundering scandal: What CBA admitted to, and why it happened. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking-and-finance/money-laundering-scandal-what-cba-admitted-to-and-why-it-happened-20180604-h10xm3
33 Ibid.
34 Smyth, J., & Bland, B. (2018). Financial Times Special Report: A billion-dollar money laundering scandal at an Australian bank has revealed ties to the drug gangs of Hong Kong. Retrieved from https://ig.ft.com/special-reports/banking-scandal/
35 Federal Court of Australia. (2017, August 3). Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited ACN 123 123 124 [PDF].
36 Eyers, J. (2018, June 04). Money laundering scandal: What CBA admitted to, and why it happened. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking-and-finance/money-laundering-scandal-what-cba-admitted-to-and-why-it-happened-20180604-h10xm3
37 Ibid.
38 Ibid.
39 Yeates, C. (2017, December 13). CBA files defence in Austrac case. The Sydney Morning Herald. Retrieved from https://www.smh.com.au/business/banking-and-finance/cba-files-defence-in-austrac-case-20171213-h044iw.html
23 Chenoweth, N. (2017, August 11). How drug syndicates turned Commonwealth Bank into a money pump. The Australian Financial Review. Retrieved from https://www.afr.com/business/banking
40 Letts, S. (2017, December 15). CBA warned terrorist his account was about to be closed: AUSTRAC. Australian Broadcasting Corporation (ABC) News. Retrieved from https://www.abc.net.au/news/2017-12-14/money-laundering-things-just-got-a-lot-worse-for-cba/
-and-finance/austrac-case-how-drug-syndicates-turned-common-
9259034
wealth-bank-into-a-money-pump-20170810-gxtnht
41 Dutta, R. (2018, March 22) Commonwealth Bank says AUSTRAC
24 One of the Largest Banks in the World Just https://www.afr.com/
proceeding to move to mediation as per court orders. Reuters.
business/banking-and-finance/austrac-case-how-drug-syndicates-
Retrieved from https://www.reuters.com/article/us-australia-cba
turned-commonwealth-bank-into-a-money-pump-20170810-gxtn-
-moneylaundering/commonwealth-bank-says-austrac-proceeding-
htof Laundering Millions for Drug Cartels. (2017, August 04).
to-move-to -mediation-as-per-court-orders-idUSKBN1GY0WL
Retrieved from https://busy.org/@swiftcoin/one-of-the-largest-
banks-in-the-world-just-accused-of-laundering-millions-for-drug- 42 Commonwealth Bank of Australia. (2014, November 12).
cartels Shareholder Review 2014 [PDF].
98 COMMONWEALTH BANK OF AUSTRALIA: THE UNWITTING MULE

43 Australian Prudential Regulation Authority (APRA). (2018, May 1). 59 APRA. (2018, April 30). Prudential Inquiry into the Commonwealth
APRA releases CBA Prudential Inquiry Final Report and accepts Bank of Australia (Rep.). Retrieved from https://www.apra.gov.au/
Enforceable Undertaking from CBA. Retrieved from https://www. sites/default/files/CommBank-Prudential-Inquiry_Final-Report_
apra.gov.au/media-centre/media-releases/apra-releases-cba 30042018.pdf
-prudential-inquiry-final -report-accepts-eu
60 Ibid.
44 APRA. (2018, April 30). Prudential Inquiry into the Commonwealth
Bank of Australia (Rep.). Retrieved from https://www.apra.gov.au/
61 Kruger, C. (2018, April 11). Former CBA boss Ian Narev departs with
sites/default/files/CommBank-Prudential-Inquiry_Final-Report_ $12m worth of shares, with more on horizon. The Sydney Morning
30042018.pdf Herald. Retrieved from https://www.smh.com.au/business/
companies/former-cba-boss-ian-narev-departs-with-12m-worth-of-
45 Ibid. shares-with-more-on-horizon-20180411-p4z8zo.html
46 Pash, C. (2017, August 06). CBA says the $624 million money 62 Smyth, J. (2018, June 4). CBA agrees largest civil settlement in
laundering issue was caused by a tiny software update. Business Australian history. Financial Times. Retrieved from https://www.
Insider. Retrieved from https://www.businessinsider.com.au/cba- ft.com/content/4ecfc438-6793-11e8-8cf3-0c230fa67aec
says-the-money-laundering-issue-was-caused-by-a-tiny-software
-update-2017-8
63 Chalmers, S., & Worthington, B. (2019, February 04). Banking royal
commission report at a glance. Australian Broadcasting Corporation
47 H. (2017, August 07). Commonwealth Bank says ‘coding error’ to (ABC) News. Retrieved from https://www.abc.net.au/news/2019-02-
blame for alleged money-laundering breaches. The Straits Times. 04/banking-royal-commission-report-at-a-glance/10777188
Retrieved from https://www.straitstimes.com/business/banking/
commonwealth-bank-says-coding-error-to-blame-for-alleged
64 Commonwealth Bank of Australia. (2019, February 04). CBA
-money -laundering-breaches comments on Royal Commission Final Report. Retrieved from
https://www.commbank.com.au/guidance/newsroom/cba-royal
48 AUSTRAC. (2018). Statement of Agreed Facts - Austrac. Retrieved -commission-final-report-statement-201902.html
from https://www.commbank.com.au/content/dam/caas/news
room/docs/2018-06-04-CBA-AUSTRAC-SAFA.pdf
65 The Australian Financial Review. (2019, February 07). Banking royal
commission: Has Kenneth Hayne done enough to change bank
49 Ibid. culture?. Retrieved from https://www.afr.com/chanticleer/
banking-royal-commission-has-kenneth-hayne-done-enough-to-
50 Janda, M. (2017, August 08) Commonwealth Bank to cut executive change-bank-culture-20190207-h1ayi2
bonuses, director fees after AUSTRAC scandal. Australian
Broadcasting Corporation (ABC) News. Retrieved from https://
www.abc.net.au/news/2017-08-08/commonwealth-bank-to-cut
-executive -bonuses-director -fees/8784030
51 Yeates, C. (2017, August 14) Commonwealth Bank chief Ian Narev
to leave bank by end of financial year. The Sydney Morning Herald.
Retrieved from https://www.smh.com.au/business/banking-and
-finance/commonwealth-bank-chief-ian-narev-to-leave-bank-by-
end-of -financial-year-20170814-gxvg33.html
52 Gray, J. (2017, August 7) Risk, culture and complexity: CBA board
must investigate lapse in controls. The Australian Financial Review.
Retrieved from https://www.afr.com/leadership/risk-culture-and-
complexity-cba-board-must-investigate-lapse-in-controls-2017
0807-gxqpw1
53 Knight, E. (2018, May 25). Law firms clamour to profit from
Commonwealth Bank’s behaviour. The Sydney Morning Herald.
Retrieved from https://www.smh.com.au/business/banking-and
-finance/law-firms-clamour-to-profit-from-commonwealth-bank
-s-behaviour-20180410-p4z8sv.html
54 Frost, J. (2017, August 07). CBA fine could range from zero to
billions. The Australian Financial Review. Retrieved from https://
www.afr.com/business/banking-and-finance/cba-fine-could-range-
from-zero-to-billions-20170807-gxqnsb
55 Thomson, J. (2017, August 8). CBA kills short-term bonuses for Ian
Narev, top executives. The Australian Financial Review. Retrieved
from https://www.afr.com/ business/banking-and-finance/cba
-kills-shortterm-bonuses-for-ian-narev-top-executives-20170807
-gxrd2d
56 Knaus, C. (2018, May 03). Commonwealth Bank board ‘asleep at
the wheel’ during scandals, advocates say. The Guardian. Retrieved
from https://www.theguardian.com/australia-news/2018/may/04/
commonwealth-bank-board-asleep-at-the-wheel-during-scandals-
advocates-say
57 Commonwealth Bank of Australia. (n.d.) Our company. Retrieved
from https://www.commbank.com.au/about-us/our-company.html
58 Ibid.
DANSKE BANK: HUNG OUT TO DRY 99

DANSKE BANK: HUNG OUT TO DRY

CASE OVERVIEW
In 2017, it was revealed that Danske Bank – Denmark’s largest bank – was involved in one of the world’s largest money laundering scandals. Between 2007 and 2015, 9.5 million suspicious payments from Russia and other ex-Soviet states, amounting to an aggregate of 200 billion, were made through the Estonian branch of Danske Bank. The scandal rocked the financial sector, significantly dampened the credibility of Denmark’s financial markets and negatively impacted Danske Bank’s reputation as a stable and efficient bank. The objective of this case is to facilitate a discussion of issues such as risk management in financial institutions; whistleblower policies; group structure and integration; anti-money laundering (AML) regulations and policies; and the role of financial supervisory authorities.

THE SOURCE OF IT ALL
In November 2006, Danske Bank expanded into Finland through the acquisition of Sampo Bank, the third-largest bank in Finland. This acquisition also included Sampo Bank’s Estonian subsidiary and its non-resident portfolio, which comprised customers from the Russian Federation and the larger Commonwealth of Independent States, including Azerbaijan and Ukraine.1

From 2011 to 2013, there was a significant increase in the proportion of the Estonian branch’s profits that were derived from foreign money. By the end of 2013, the non-resident portfolio held 44% of total deposits from non-resident customers in Estonian banks – an increase from 27% in 2007 – and 76% of the share of profits before tax of Danske Bank’s Estonian branch was derived from customers in the non-resident portfolio.2

THE BEGINNING OF A HUGE DISCOVERY
In 2007, months after acquiring Sampo Bank together with its Estonian branch, Danske Bank received a warning from the Russian Central Bank3 that its Estonian branch was being used for tax evasion and money laundering4 of billions of Russian roubles every month.5 Additionally, the Estonian Financial Supervisory Authority (FSA) issued a critical inspection report, which highlighted possible “tax and custom payments evasion” and “criminal activity in its pure form, including money laundering”, estimated at “billions of roubles monthly”, at the Estonian branch.6 In 2009, the Estonian FSA performed further follow-up investigations. The investigations concluded with a less critical report than the financial regulator’s initial inquiry in 2007.7

In 2010, Danske Bank’s executive board got wind of the high level of suspicious activities occurring in the Estonian branch. However, the issue was brushed off as the bank’s managers felt that they were “comfortable” with “substantial Russian deposits”.8

THE LAUNDROMATS
Laundromats are criminal financial vehicles which use shell companies to perform money laundering activities across the globe through fraud, manipulation of state contracts, and evasion of tax. It was found that the Russian and Azerbaijani Laundromats were central to the Danske Bank money laundering scandal.9

Between 2011 and 2014, 21 shell companies were created in the U.K., New Zealand, and Cyprus to launder US$20.8 billion from 19 Russian banks. These funds eventually ended up in 5,140 companies in 96 countries.10 Several accounts in Danske Bank had been used by a member of Russian President Vladimir Putin’s family and the Federal Security Service of the Russian Federation to launder significant amounts of suspicious money.11

The Azerbaijan Laundromat – which existed between 2012 and 2014 – was a secret fund utilised by the Azerbaijan government to court favours amongst international peers. Similar to the Russian Laundromat, it utilised Danske Bank’s Estonian branch to process ‘dirty’ funds, before the funds were channelled to four U.K.-registered shell companies and used to pay off politicians and purchase luxury goods.12,13 The Estonian branch of Danske Bank managed the accounts of all four Azerbaijani Laundromat companies and it enabled billions to move without scrutinising their propriety.14

This is the abridged version of a case prepared by Chua Tuan Xin, Goh Kwee Yong, Katty Teo Kai Heng, Jerome Lim Zi En, Jessica Goh Kai Ling and Nicholas Lee Jian Wei under the
supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective
management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This
abridged version was edited by Mirabel Clarissa Reynaldo and Isabella Ow under the supervision of Professor Mak Yuen Teen.

Copyright © 2019 Mak Yuen Teen and CPA Australia.



WHAT’S HAPPENING AT THE ESTONIAN BRANCH?
Danske Bank’s branch in Estonia functioned as if it was a stand-alone entity which had its own systems and procedures relating to its anti-money laundering methods.15 As such, any reporting to the Group was dependent on reporting from local management in Estonia.16

The Estonian branch had its own IT platform. As a result, the branch was not using the same customer, risk and transaction monitoring systems as the rest of the Group. The idea of integrating the Baltic banking activities onto the Group’s IT platform was abandoned in 2008 due to the high costs involved. Hence, it did not subscribe to the Group’s AML procedures.17

Further, as numerous documents were prepared in Estonian or Russian, Danske Bank faced a language barrier and thus a lack of insight into the Estonian branch’s activities. Danske Bank simply assumed that the branch was using appropriate AML procedures. However, the Group’s faith in the branch was misplaced. The Estonian branch’s AML procedures were found to be insufficient to monitor and mitigate the risk of fraudulent financial activities, leading to many breaches of legal obligations by the branch.18 This also resulted in missed opportunities to detect and investigate any fraudulent activities at the Estonian branch, allowing fraudulent transactions to carry on undetected for a significant period of time.19

Forty-two staff and eight ex-staff of the Estonian branch had also been deemed to be involved in colluding with criminals to carry out money laundering activities. Amongst other misdeeds, these staff actively evaded the bank’s compliance procedures,20 performed dubious transactions, deposited large amounts of cash, and were involved in suspicious transactions with other staff.21 They were also found to have failed to carry out basic background checks on non-resident customers.22 Moreover, the Estonian branch’s employees actively conducted the violations and covered them up from the bank’s senior management in Denmark as well as from the Estonian FSA.23

PROBLEMS WITH INTERNAL CONTROLS
“All three lines of defence collapsing in this case: it’s a matter of internal collusion; it’s an underestimation from management of the impact of this case; it’s basically looking at this case as risk minimising and not as crime. That might be the biggest mistake. We have a cultural thing we need to work on.”
– Jesper Nielsen, Danske Bank’s interim CEO24

The first line of defence, the business operations, paid insufficient attention to high risk clients in the branch’s portfolio. Meanwhile, the Group’s business banking team that the Estonian branch reported to relied on continual assurances that all regulations were followed by the branch.25

The second line of defence omitted the details of AML risk residing in the Baltic branches in reports to the top management.26 The bank deferred the decision to terminate part of the high risk non-resident portfolio that related to clients with no personal or business-related links to the Baltic nations until January 2015, which was not completed until January 2016.27

The third line of defence in the form of the branch’s internal audit function was not fully integrated into Danske’s Group Internal Audit department.28 At the beginning of 2014, Danske Bank failed to inform the Danish FSA of the problems related to the AML issues, even though it was evident to some executive board members that previous reports provided by the bank to the Danish FSA and the Estonian FSA were inaccurate.29

CORPORATE CULTURE
The culture cultivated in Danske Bank discouraged employees from speaking up. When faced with problems, employees were encouraged to work out the issues at a lower level instead of alerting top management. This “mean and lean” culture could have contributed to the sudden explosion of Danske Bank’s Estonian money laundering scandal.30

RUN-IN WITH THE FINANCIAL REGULATORS
In 2007, the Russian Central Bank alerted the Danish FSA regarding the money laundering risks. Subsequently, the Danish FSA requested a report from Danske Bank and discussed the matter with the head of its legal department and the bank’s Chief Audit Executive. The response stated that no money laundering risks were found in the Estonian branch. The Estonian FSA discovered a lack of care related to the management of money laundering risks by the Estonian branch. Thus, the Estonian FSA ordered the branch to enhance its background checks on non-resident clients and its internal controls to prevent money laundering.31
Between 2007 and 2014, the Estonian FSA conducted a total of four AML inspections.32 In 2012, the Estonian FSA became concerned about the number of non-resident clients in Danske Bank’s Estonian branch and communicated these concerns to the Danish FSA. The Danish FSA then ordered Danske Bank to resolve the issues raised by the Estonian FSA. Following the bank’s submission of a comprehensive illustration of the Estonian branch’s management of money laundering risks and a review of its business procedures, the Danish FSA decided that even though the concentration of clients from high risk countries could be “problematic”, the bank’s procedures and controls were adequate.33

The Estonian FSA contacted the Danish FSA in 2013 once again on the risks of money laundering in the Estonian branch following a warning given by the Russian Central Bank, which covered a record of dubious clients from Russia and its own analysis of the customer mix of the branch. The Danish FSA ordered Danske Bank to solve this issue. In response, the bank said that it had already established a special arrangement in the Estonian branch in light of the increased money laundering risk. The Estonian FSA subsequently requested documentation from the Estonian branch on the suspicious Russian customers but did not find any significant breaches of internal procedures or legal requirements, and therefore saw no basis for swift regulatory action.34

Thereafter, two AML inspections were carried out by the Estonian FSA in 2014. However, the Estonian FSA did not invite the Danish FSA to participate in these inspections. It was later revealed that there were serious deficiencies in Danske Bank’s AML system, which prompted an overhaul of the branch’s local management. Eventually, the Estonian FSA issued a critical report to Danske Bank,35 putting pressure on the bank to exit the non-resident business.36

The Danish FSA was of the view that as the host country supervisor, the Estonian FSA was responsible for the AML supervision of Danske Bank’s Estonian branch, which is in line with the AML directives and the division of responsibilities prescribed by European Union (EU) legislation.37

The Estonian FSA, on the other hand, was of the opposite view that supervision over branches operating in Estonia should be exercised by the supervision authority of the country of origin. It therefore relied on the Danish FSA as the lead for AML supervision of Danske Bank.38

As a result, a war of words erupted in late January 2019 between the two regulators when the Danish FSA released a report placing responsibility on the Estonian regulator.39

DID THEY KNOW?
The Russian Central Bank’s warning in 2007 was Danske Bank’s first real opportunity to investigate the suspicious transactions at its Estonian branch. However, this opportunity was missed by the bank’s management and board. Five years later, in 2013, J.P. Morgan, a correspondent bank of Danske Bank, brought the correspondent banking relationship with the Estonian branch to an end as it was concerned that it was being used as a conduit for illicit funds. Although this event prompted the Group to initiate a review of the non-resident portfolio, the review was not properly completed.40,41

Reporting from the Estonian branch to the Group’s executive board and board of directors was almost completely reliant on reporting from local country management. This resulted in censored information that did not paint the full picture of the Estonian branch’s activities and performance. For example, between 2011 and 2013, the board of directors was given incomplete reports regarding the Estonian branch, including a presentation on 5 May 2011 which provided no detailed analysis and no mention of the non-resident portfolio.42

For years, the Group believed that the high risk represented by non-residents in the Estonian branch was mitigated by appropriate AML procedures. However, in late 2013, a report from a whistleblower emerged. Together with audit letters from the Group Internal Audit in early 2014, the fog surrounding the circumstances at the Estonian branch dissipated and it became clear that the branch’s AML procedures were vastly inadequate.43

THE WHISTLEBLOWER
In 2013 and 2014, Howard Wilkinson, who led the trading unit of Danske Markets in the Baltics since 2007, alerted the executive board of Danske Bank about the occurrence of suspicious activities at the Estonian branch.44 He made four reports to the executive board regarding suspicious clients in the Estonian branch’s non-resident portfolio45 in the hope that investigations would be promptly initiated.46

Wilkinson’s suspicions were first aroused when he came across the documents of Lantana Trade LLP (Lantana). The U.K. company did not have any net assets and yet it moved US$480 million through the Estonian branch of Danske Bank in five months. This prompted Wilkinson to check if the business records filed by Lantana with the authorities were aligned with the deposits with Danske Bank. Based on its filings to the U.K. authorities, Lantana’s bank accounts had US$20,500 as at 31 May 2012. However, bank records revealed that it had deposits amounting to nearly US$1 million with Danske Bank. Wilkinson then emailed the bank’s headquarters about the matter in December 2013.47

After several more reports made by Wilkinson drawing management’s attention to several suspect transactions and an investigation by the bank’s internal audit team – which produced a damning draft report stating that the Estonian branch acted in violation of AML legislative requirements – there was still no action taken to address the matter. Wilkinson then realised that Danske Bank’s top management did not seem to want to fix the problem. He observed that “there was a curious lack of interest at senior management level”.48

In April 2014, Wilkinson resigned from his position.49 On 8 April 2014, he informed Danske Bank’s Chief Risk Officer that he would report the false accounts to the Estonian authorities if no action was taken by the bank.50 Soon after, the Group presented Wilkinson with a non-disclosure agreement (NDA) to sign before he left the bank.51

In Europe, whistleblowers generally lack special legal status to protect them from retaliation by their employer.52 As such, they may risk retaliatory action if they expose wrongdoing.53

WHAT HAPPENED NEXT?
Over the period from 2015 to 2016, Danske Bank closed its non-resident business in its Estonian branch. This withdrawal occurred following orders issued by the Estonian FSA in 2015 for Danske Bank to exit the non-resident business.54,55

On 19 September 2018, Danske Bank announced that its board of directors and executive board “[did] not wish to benefit financially” from the suspicious transactions in its Estonian branch. It decided to donate the gross income derived from the non-resident portfolio between 2007 and 2015 – estimated to be kr. 1.5 billion – to an independent foundation established to support initiatives directed at tackling international financial crime and money laundering.56

Wilkinson was invited to address both the Danish and European Parliaments in late November 2018. Prior to his testimony, on 24 October 2018, the European Union placed pressure on Danske Bank to drop its NDA with Wilkinson to ensure crucial whistleblower testimony from Wilkinson would not be blocked. On 29 October 2018, Danske Bank stated that it had “released the person in question of all contractual duties of confidentiality in relation to Danske Bank.”57,58

IMPROVEMENTS
Following the eruption of the money laundering scandal, enhancements were made to Danske Bank’s AML and compliance frameworks. Initiatives to address the specific issues relating to the Estonian branch were also implemented.

Firstly, Danske Bank made the decision to only enter into engagement arrangements with subsidiaries of Danske Bank’s Nordic clients and global clients with a solid Nordic footprint. The bank’s non-resident portfolio in Estonia was shut down in 2015. Danske Bank also strengthened its governance and oversight of its branches in the Baltics with the establishment of a new pan-Baltic management team, and boosted the independence of control functions in the region to uphold the same degree of risk management and control as the rest of the Group. There was also an IT migration exercise to integrate the Baltics operations’ IT systems with the rest of the Group, thus allowing greater transparency and oversight.59

Danske Bank also started a comprehensive AML programme, including better organisational structures, improved routines and procedures, and the implementation of new, upgraded IT systems. Additionally, Danske Bank promised to continuously improve the organisation-wide compliance knowledge and culture through extensive compulsory training and a robust management focus. Furthermore, risk management and compliance were put in place in performance agreements for all members of the executive board and senior managers.60

This was further reinforced by the appointment of Philippe Vollot as the bank’s new Chief Compliance Officer on 18 July 2018. He was formerly the Global Head of Anti-Financial Crime & Group Anti-Money Laundering Officer in Deutsche Bank, and has extensive experience in tackling financial crime and money laundering activities.61
Danske Bank’s whistleblower setup was also upgraded and a better governance setup was implemented to manage reports. The bank’s employees were also actively informed about the whistleblower system through mandatory training sessions. On this matter, Danske Bank made a commitment to ensure that whistleblower reports and correspondence with supervisory authorities form part of reporting to the board of directors.62

As part of a new governance model for interactions with financial authorities, Danske Bank planned to establish a central unit at the Group level, whose role is to “coordinate and register all significant interaction” with the financial authorities. The Group would hold this unit to the highest standards of “quality, transparency and completeness”.63

BORGEN OUT
On 19 September 2018, Borgen announced his plans to step down from his position as CEO after a long-term successor was found. However, he was officially dismissed by Danske Bank on 1 October 2018, after the board of directors selected Jesper Nielsen – who formerly headed Danske Bank’s Danish banking activities – as interim CEO.64,65 Observers were of the view that the appointment of Nielsen as interim CEO demonstrated the board’s sense of “urgency” to remove Borgen. The decision came after the bank’s shareholders, including the Danish Shareholders’ Association – Denmark’s largest investor group – demanded his immediate exit and expressed anger and frustration at the board’s initial decision not to dismiss Borgen.66

In December 2018, Estonia arrested 10 former employees of the Estonian branch of Danske Bank on suspicion of knowingly enabling money laundering. This came as a part of an investigation into the bank’s money laundering activities.67

EXITING THE BALTICS AND RUSSIA
In February 2019, the Estonian FSA demanded that Danske Bank exit the country and quit all operations in Estonia. The head of the Estonian FSA, Kilvar Kessler, said that the scandal had greatly harmed the Estonian financial market’s reputation and called for Danske Bank’s departure due to “serious and large-scale violations of the local rules”. In response, Danske Bank said that it would not only cease its operations in Estonia, but in Russia, Latvia and Lithuania as well.68

FINANCIAL REGULATORS NOT SPARED

European Banking Authority’s investigation
During the money laundering saga, fingers were also pointed at the Estonian and Danish FSAs over their supervisory failings. On 19 February 2019, the European Banking Authority (EBA) launched a formal investigation into both financial regulators.69,70

However, two months later, on 16 April 2019, EBA decided to shelve the investigation after it voted to reject an internal draft report into the supervisory failings of the Danish and Estonian supervisory authorities. The draft report identified breaches of union law, such as “significant shortcomings” in cooperation between the two supervisory authorities, insufficient and ineffective monitoring of whether due-diligence procedures were carried out by Danske Bank, as well as inadequate reviews of Danske Bank’s governance arrangements.71

This move drew severe criticism from senior EU policymakers who wanted tougher legislation for the financial services industry. One member of the European Parliament, Sven Giegold, commented that it was “scandalous” that the EBA had rejected the report. He further urged the EU commission to open “infringement procedures” against Denmark and Estonia for failure to apply EU law.72

Other inquiries
The U.S. Justice Department also started criminal investigations into Danske Bank in January 2019. The investigation concerned whether Deutsche Bank, as a correspondent bank, had sufficiently monitored billions of dollars in suspicious transactions from Danske Bank when it assisted its Estonian branch to convert foreign currency into US dollars for its customers.73

On 20 February 2019, Estonia’s state prosecutors expanded their investigations to include Swedbank AB – a Nordic-Baltic banking group based in Sweden – in view of allegations of suspicious transactions in Estonia with Danske Bank. It was alleged that from 2007 to 2015, US$4.3 billion was transferred between Swedbank and Danske Bank.74 Meanwhile, Denmark’s authorities also expanded investigations to target accounting firms, including Ernst & Young for its audit of Danske Bank’s accounts in 2014.75
EPILOGUE
Danske Bank’s money laundering scandal has stunned the world’s banking sector, the general public, as well as Denmark’s political establishment. As a result, Danske Bank’s reputation has been severely tarnished and its shares plunged about 50% during 2018, reducing its market value by over US$18 billion.76

All in all, one of history’s largest money laundering scandals highlighted the importance of implementing robust internal control policies and proper enforcement of such policies. It also highlighted that countries’ financial supervisory authorities have a part to play in ensuring that money laundering is not pervasive. As money laundering methods evolve to become more sophisticated and complex, countries and companies alike need to stay vigilant and constantly update national and organisational policies to be several steps ahead in the game.

DISCUSSION QUESTIONS
1. Evaluate Danske Bank’s internal control framework using the Three Lines of Defence Model and/or other relevant concepts.
2. If you were Howard Wilkinson, would you have blown the whistle? Compare and contrast the whistleblowing policies implemented in Europe and in the U.S.
3. Who were the key players in the money laundering scandal, and how did their roles and actions further contribute to Danske Bank’s money laundering scandal becoming one of the largest money laundering scandals in history?
4. Discuss the effectiveness of the Danish and Estonian FSAs in carrying out their duties as regulators. What more could they have done to prevent money laundering activities?
5. Comment on Danske Bank’s improvements in response to the money laundering scandal and what other financial institutions could learn from the scandal.

ENDNOTES
1 Bruun & Hjejle. (2018, September 19). Report on the Non-Resident Portfolio at Danske Bank’s Estonian branch. Retrieved from https://danskebank.com/-/media/danske-bank-com/file-cloud/2018/9/report-on-the-non-resident-portfolio-at-danske-banks-estonian-branch-.-la=en.pdf
2 Ibid.
3 Lund, T., Niemec, I., & Birch, J. (2018, November 20). TIMELINE-How Danske Bank’s Estonian money laundering scandal unfolded. Reuters. Retrieved from https://www.reuters.com/article/danske-bank-moneylaundering/timeline-how-danske-banks-estonian-money-laundering-scandal-unfolded-idUSL8N1XA55U
4 Guarascio, F. (2019, April 30). Supervisors ignored Russian warnings over money laundering at Danske: Document. Reuters. Retrieved from https://www.reuters.com/article/us-danskebank-moneylaundering-eba/supervisors-ignored-russian-warnings-over-money-laundering-at-danske-document-idUSKCN1S60O2
5 Lund, T., Niemec, I., & Birch, J. (2018, November 20). TIMELINE-How Danske Bank’s Estonian money laundering scandal unfolded. Reuters. Retrieved from https://www.reuters.com/article/danske-bank-moneylaundering/timeline-how-danske-banks-estonian-money-laundering-scandal-unfolded-idUSL8N1XA55U
6 Bruun & Hjejle. (2018, September 19). Report on the Non-Resident Portfolio at Danske Bank’s Estonian branch. Retrieved from https://danskebank.com/-/media/danske-bank-com/file-cloud/2018/9/report-on-the-non-resident-portfolio-at-danske-banks-estonian-branch-.-la=en.pdf
7 Ibid.
8 Milne, R., & Winter, D. (2018, December 19). Danske: anatomy of a money laundering scandal. Financial Times. Retrieved from https://www.ft.com/content/519ad6ae-bcd8-11e8-94b2-17176fbf93f5
9 Gricius, G. (2018, October 8). The Danske Bank Scandal Is the Tip of the Iceberg. Retrieved from https://foreignpolicy.com/2018/10/08/the-danske-bank-scandal-is-the-tip-of-the-iceberg-money-laundering-estonia-denmark-regulation-financial-crime/
10 Ibid.
11 OCCRP. (n.d.) Report: Russia Laundered Millions via Danske Bank Estonia. Retrieved from https://www.occrp.org/en/projects/28-ccwatch/cc-watch-indepth/7698-report-russia-laundered-billions-via-danske-bank-estonia
12 Harding, L., Barr, C., & Nagapetyants, D. (2017, September 4). UK at centre of secret $3bn Azerbaijani money laundering and lobbying scheme. Guardian. Retrieved from https://www.theguardian.com/world/2017/sep/04/uk-at-centre-of-secret-3bn-azerbaijani-money-laundering-and-lobbying-scheme
13 Gilchrist, K. (2017, September 5). Azerbaijan accused of running $2.8 billion ‘secret slush fund’ to pay off European politicians. CNBC. Retrieved from https://www.cnbc.com/2017/09/05/azerbaijan-ran-secret-slush-fund-to-pay-off-european-politicians.html
14 OCCRP. (2017, September 4). The Azerbaijani Laundromat. Retrieved from https://www.occrp.org/en/azerbaijanilaundromat/
15 Hope, B., Hinshaw, D., & Kowsmann, P. (2018, September 7). Russia-Linked Money-Laundering Probe Looks at $150 Billion in Transactions. Wall Street Journal. Retrieved from https://www.wsj.com/articles/danske-bank-money-laundering-probe-involves-150-billion-of-transactions-1536317086
16 Danske Bank. (2017, September 21). Danske Bank expands investigation of Estonia branch. Retrieved from https://danskebank.com/news-and-insights/news-archive/press-releases/2017/pr21092017

17 Rubenfeld, S. (2018, September 20). Abandoned IT Integration Linked to Danske Bank Failures. Wall Street Journal. Retrieved from https://www.wsj.com/articles/abandoned-it-integration-linked-to-danske-bank-failures-1537480505
18 Watt, J. C. (2018, September 20). Danske Bank CEO Resigns on Heels of Report Detailing an Astounding $234 Billion in Suspicious Transactions in Money Laundering Scandal. Retrieved from https://www.moneylaunderingnews.com/2018/09/danske-bank-ceo-resigns-on-heels-of-report-detailing-an-astounding-234-billion-in-suspicious-transaction-in-money-laundering-scandal/
19 Hodge, N. (2018, April 17). Getting to the heart of what went wrong at Danske Bank. Retrieved from https://www.complianceweek.com/getting-to-the-heart-of-what-went-wrong-at-danske-bank/2308.article
20 Rubenfeld, S. (2018, September 20). Abandoned IT Integration Linked to Danske Bank Failures. Wall Street Journal. Retrieved from https://www.wsj.com/articles/abandoned-it-integration-linked-to-danske-bank-failures-1537480505
21 Gricius, G. (2018, October 8). The Danske Bank Scandal Is the Tip of the Iceberg. Retrieved from https://foreignpolicy.com/2018/10/08/the-danske-bank-scandal-is-the-tip-of-the-iceberg-money-laundering-estonia-denmark-regulation-financial-crime/
22 Rubenfeld, S. (2018, September 20). Abandoned IT Integration Linked to Danske Bank Failures. Wall Street Journal. Retrieved from https://www.wsj.com/articles/abandoned-it-integration-linked-to-danske-bank-failures-1537480505
23 Danish Financial Supervisory Authority. (2019, January 29). Report on the Danish FSA’s supervision of Danske Bank as regards the Estonia case. Retrieved from https://www.dfsa.dk/~/media/Nyhedscenter/2019/Executive-summary.pdf?la=en
24 Milne, R. (2018, November 1). Danske Bank plans culture revamp after money laundering scandal. Financial Times. Retrieved from https://www.ft.com/content/e0016170-dda7-11e8-9f04-38d397e6661c
25 O’Connor, D. (2018, August 16). Money Laundering at Danske Bank: Lessons for financial crime professionals (Part 1). Retrieved from https://www.riskscreen.com/kyc360/article/money-laundering-at-danske-bank-lessons-for-financial-crime-professionals-part-1/
26 Ibid.
27 Danish Financial Supervisory Authority. (2018, October 4). Danske Bank’s follow-up on the Danish Financial Supervisory Authority’s decision in the Estonia case of 3 May 2018. Retrieved from https://ml-eu.globenewswire.com/Resource/Download/73b31632-fa7c-4dd5-b09b-f76a9c4a3333
28 Danish Financial Supervisory Authority. (2018, May 3). Danske Bank’s management and governance in relation to the AML case at the Estonian branch. Retrieved from https://danskebank.com/-/media/danske-bank-com/pdf/investor-relations/fsa-statements/fsa-decision-re-danske-bank-3-may-2018-.-la=en.pdf
29 Danish Financial Supervisory Authority. (2018, January 28). Report on the Danish FSA’s supervision of Danske Bank as regards the Estonia case. Retrieved from https://www.dfsa.dk/~/media/Nyhedscenter/2019/Report_on_the_Danish_FSAs_supervision_of_Danske-Bank_as_regards_the_Estonia_case-pdf.pdf?la=en
30 Schwartzkopff, F. (2019, July 22). Have a Good Idea for Danske Bank? Email the CEO. Seriously. Retrieved from https://www.bloomberg.com/amp/news/articles/2019-07-22/danske-ceo-says-email-me-as-bank-breaks-with-old-traditions
31 Danish Financial Supervisory Authority. (2018, October 4). Danske Bank’s follow-up on the Danish Financial Supervisory Authority’s decision in the Estonia case of 3 May 2018. Retrieved from https://ml-eu.globenewswire.com/Resource/Download/73b31632-fa7c-4dd5-b09b-f76a9c4a3333
32 Danish Financial Supervisory Authority. (2019, January 29). Report on the Danish FSA’s supervision of Danske Bank as regards the Estonia case. Retrieved from https://www.dfsa.dk/~/media/Nyhedscenter/2019/Executive-summary.pdf?la=en
33 Ibid.
34 Ibid.
35 Milne, R., & Winter, D. (2018, December 19). Danske: anatomy of a money laundering scandal. Financial Times. Retrieved from https://www.ft.com/content/519ad6ae-bcd8-11e8-94b2-17176fbf93f5
36 Danish Financial Supervisory Authority. (2019, January 29). Report on the Danish FSA’s supervision of Danske Bank as regards the Estonia case. Retrieved from https://www.dfsa.dk/~/media/Nyhedscenter/2019/Executive-summary.pdf?la=en
37 Cavegn, D. (2019, February 1). Estonian financial supervision authority rejects blame in Danske case. Retrieved from https://news.err.ee/906612/estonian-financial-supervision-authority-rejects-blame-in-danske-case
38 Ibid.
39 Estonian Financial Supervision and Resolution Authority. (2019, January 30). Response to the Report on the Danish FSA’s supervision of Danske Bank. Retrieved from https://www.fi.ee/en/news/response-report-danish-fsas-supervision-danske-bank
40 Bruun & Hjejle. (2018, September 19). Report on the Non-Resident Portfolio at Danske Bank’s Estonian branch. Retrieved from https://danskebank.com/-/media/danske-bank-com/file-cloud/2018/9/report-on-the-non-resident-portfolio-at-danske-banks-estonian-branch-.-la=en.pdf
41 Coppola, F. (2018, September 30). The Banks That Helped Danske Bank Estonia Launder Russian Money. Forbes. Retrieved from https://www.forbes.com/sites/francescoppola/2018/09/30/the-banks-that-helped-danske-bank-estonia-launder-russian-money/#-6878cac27319
42 Ibid.
43 Ibid.
44 Reuters. (2018, September 26). Whistleblower at Danske Bank was firm’s Baltics trading head. Guardian. Retrieved from https://www.theguardian.com/world/2018/sep/26/danske-bank-whistleblower-was-ex-baltics-trading-head-howard-wilkinson
45 Schwartzkopff, F. (2018, October 29). Danske Bank Whistle-Blower Is Freed to Talk to U.S. and EU. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-10-29/danske-says-it-freed-whistle-blower-of-confidentiality-clause
46 Hope, B., Hinshaw, D., & Kowsmann, P. (2018, September 7). Russia-Linked Money-Laundering Probe Looks at $150 Billion in Transactions. Wall Street Journal. Retrieved from https://www.wsj.com/articles/danske-bank-money-laundering-probe-involves-150-billion-of-transactions-1536317086
47 Ibid.
48 Jensen, T., & Gronholt-Pedersen, J. (2018, November 19). Danske whistleblower says big European bank handled $150 billion in payments. Reuters. Retrieved from https://www.reuters.com/article/us-danske-bank-moneylaundering/danske-whistleblower-says-big-european-bank-handled-150-billion-in-payments-idUSKCN1NO0ZR

49 Kelton, E. (2018, October 15). Danske Bank’s Culture Of Silence Implodes, Thanks To A Whistleblower. Forbes. Retrieved from https://www.forbes.com/sites/erikakelton/2018/10/15/danske-banks-culture-of-silence-implodes-thanks-to-a-whistleblower/#6309c6542040
50 Rettman, A. (2018, November 19). Whistleblower: Danske Bank gag stops me telling more. Retrieved from https://euobserver.com/justice/143430
51 Grugan, T. M. (2018, November 30). Danske Bank Money Laundering Scandal: The Tip of the Iceberg(s). Retrieved from https://www.moneylaunderingnews.com/2018/11/danske-bank-money-laundering-scandal-the-tip-of-the-icebergs/
52 Ibid.
53 Ridley, K., & Jessop, S. (2018, November 14). Danske money laundering scandal is ‘tip of iceberg’, whistleblower’s lawyer says. Reuters. Retrieved from https://www.reuters.com/article/us-danskebank-moneylaundering-whistleblo/danske-money-laundering-scandal-is-tip-of-iceberg-whistleblowers-lawyer-says-idUSKCN1NI2HC
54 Danish Financial Supervisory Authority. (2019, January 29). Report on the Danish FSA’s supervision of Danske Bank as regards the Estonia case. Retrieved from https://www.dfsa.dk/~/media/Nyhedscenter/2019/Executive-summary.pdf?la=en
55 Milne, R., & Winter, D. (2018, December 19). Danske: anatomy of a money laundering scandal. Financial Times. Retrieved from https://www.ft.com/content/519ad6ae-bcd8-11e8-94b2-17176fbf93f5
56 Danske Bank. (2018, September 19). Danske Bank A/S donates DKK 1.5 billion and revises outlook downwards. Retrieved from https://www.globenewswire.com/news-release/2018/09/19/1572849/0/en/Danske-Bank-A-S-donates-DKK-1-5-billion-and-revises-outlook-downwards.html
57 Schwartzkopff, F. (2018, October 29). Danske Bank Whistle-Blower Is Freed to Talk to U.S. and EU. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-10-29/danske-says-it-freed-whistle-blower-of-confidentiality-clause
58 Levring, P. (2018, October 24). EU Wants Bank to Drop Whistleblower’s NDA. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-10-24/danske-bank-urged-by-eu-to-drop-whistleblower-s-nda-agreement
59 Leth, K. (2018, September 19). Findings of the investigations relating to Danske Bank’s branch in Estonia. Retrieved from https://danskebank.com/news-and-insights/news-archive/press-releases/2018/pr19092018
60 Ibid.
61 Leth, K. (2018, June 18). New member of Danske Bank’s Executive Board with responsibility for Group Compliance. Retrieved from https://danskebank.com/news-and-insights/news-archive/company-announcements/2018/ca18072018a
62 Leth, K. (2018, September 19). Findings of the investigations relating to Danske Bank’s branch in Estonia. Retrieved from https://danskebank.com/news-and-insights/news-archive/press-releases/2018/pr19092018
63 Danish Financial Supervisory Authority. (2018, October 4). Danske Bank’s follow-up on the Danish Financial Supervisory Authority’s decision in the Estonia case of 3 May 2018. Retrieved from https://ml-eu.globenewswire.com/Resource/Download/73b31632-fa7c-4dd5-b09b-f76a9c4a3333
64 Schwartzkopff, F. (2018, October 1). Danske Names Interim CEO as Borgen Is ‘Relieved of His Duties’. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-10-01/danske-names-interim-ceo-as-borgen-is-relieved-of-his-duties
65 Jacobsen, S. (2019, June 24). Danske Bank ousts former interim CEO after customers overcharged. Reuters. Retrieved from https://www.reuters.com/article/us-danske-bank-management/danske-bank-ousts-former-interim-ceo-after-customers-overcharged-idUSKCN1TP0XC
66 Schwartzkopff, F. (2018, October 1). Danske Names Interim CEO as Borgen Is ‘Relieved of His Duties’. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-10-01/danske-names-interim-ceo-as-borgen-is-relieved-of-his-duties
67 Milne, R. (2019, December 19). Estonia arrests 10 former employees of embattled Danske Bank. Financial Times. Retrieved from https://www.ft.com/content/07ec88bc-037e-11e9-9d01-cd4d49afbbe3
68 Schwartzkopff, F., & Ummelas, O. (2019, February 19). Danske Thrown Out of Estonia After Country Is Drawn Into Probe. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2019-02-18/eba-extends-probe-into-danish-supervisor-s-oversight-of-danske
69 Ibid.
70 European Banking Authority. (2019, February 19). EBA opens formal investigation into possible breach of Union law by the Estonian and Danish competent authorities regarding money-laundering activities linked to Danske Bank. Retrieved from https://eba.europa.eu/-/eba-opens-formal-investigation-into-possible-breach-of-union-law-by-the-estonian-and-danish-competent-authorities-regarding-money-laundering-activitie
71 Brunsden, J. (2019, April 29). EBA faces calls to reform after dropping Danske Bank probe. Financial Times. Retrieved from https://www.ft.com/content/377f4b60-698f-11e9-80c7-60ee53e6681d
72 Ibid.
73 Biscevic, T. (2019, January 23). Deutsche Bank Investigated for Role in Danske Scandal. Retrieved from https://www.occrp.org/en/daily/9154-deutsche-bank-investigated-for-role-in-danske-scandal
74 Ahlander, J., & Johnson, S. (2019, February 20). Estonia investigates alleged Swedbank link to money laundering scandal. Reuters. Retrieved from https://www.reuters.com/article/us-danske-bank-moneylaundering-swedbank/estonia-investigates-alleged-swed-bank-link-to-money-laundering-scandal-idUSKCN1Q90RW
75 Schwartzkopff, F., & Ummelas, O. (2019, April 12). Swedbank Hit by Criminal Probe in Growing Laundering Crackdown. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/201-04-12/estonia-expands-danske-bank-criminal-probe-to-include-swedbank
76 Schwartzkopff, F., & Ummelas, O. (2019, February 19). Danske Thrown Out of Estonia After Country Is Drawn Into Probe. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2019-02-18/eba-extends-probe-into-danish-supervisor-s-oversight-of-danske

A SWEDBANK AFFAIR
This case was written by Blondell Kong, Seah Yong Xian Donovan, Shaun Phang, Rong Jun and Tang Wei Hao under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This case was edited by Professor Mak Yuen Teen.

CASE OVERVIEW
On the morning of 28 March 2019, an hour before Swedbank’s AGM was due to start, CEO Birgitte Bonnesen was dismissed following various money laundering allegations afflicting the company over its Baltic operations. In an investigative news report, Swedish broadcaster SVT claimed that at least US$4.3 billion had been funnelled through Swedbank accounts, thrusting the company into public scrutiny. To make matters worse, Swedbank was simultaneously caught in an insider trading scandal. The objectives of this case study are to facilitate the discussion of issues such as money laundering; cross-border governance and regulatory oversight of subsidiaries; risk management in financial institutions; board composition; and corporate culture.

ABOUT SWEDBANK AND BIRGITTE BONNESEN
Swedbank AB, Sweden’s oldest bank, was founded in the early 19th century. As a company rooted in tradition, it was the go-to bank for its people to deposit their savings, and the bank expanded rapidly to become one of Sweden’s largest banks. In 2005, Swedbank acquired Hansabank, one of the largest banks in Estonia with operations spanning all three Baltic states.1

Born in Denmark, Birgitte Bonnesen relocated to Sweden in 1987 and worked at Swedbank from the late 80s. She rose through the ranks and supervised the bank’s anti-money laundering policy between 2009 and 2011.2 From 2011 to 2014, she took over as head of Swedbank’s Baltic operation. Following this in 2015, she headed Swedbank’s Swedish operations for a year. In 2017, Bonnesen took over as CEO of Swedbank before she was named second in the list of the top 125 most powerful women in the Swedish business sector by VA just a year later.3

COVERING NEW GROUND: BOON OR BANE?
When the Baltic states gained independence in the 1990s, it created an opportunity for Nordic banks to cater to the underbanked populations across the Baltic Sea. Regional expansion into the Baltics opened new markets and was seen as a lucrative business for banks willing to accept money laundering risks.4

While the opportunity seemed promising, the truth was that the Baltics offered limited upside potential while significantly adding to money laundering risks for Swedbank. The combined population in the Baltics was only 6.2 million, not much higher than that of Denmark or Norway.5 Additionally, as at FY2018, the combined Baltic banking sectors’ assets stood at €75 billion (US$82.49 billion), a much smaller figure in comparison to the Nordic countries with figures amounting to €2.6 trillion (US$2.86 trillion).6

CROSSING BORDERS: SWEDBANK’S BALTIC EXPANSION
In 1998, Swedbank group acquired 50% of Hansabank, which consequently led to their expansion into the Baltics.7 In 2005, Hansabank became wholly owned by Swedbank and by the autumn of 2008, Hansabank was renamed to Swedbank in the Baltics region.8 Nevertheless, a name change does not signify a change to the underlying risk management and compliance culture. In fact, Swedbank professes that the local roots are and will continue to be ingrained in the principles.9 However, Swedbank’s position as the largest bank in Estonia,10 coupled with the close proximity of the Baltics to Russia, has undoubtedly increased Swedbank’s risk of getting embroiled in illegal financing flows.11 There exists a recurring pattern where Nordic banks with operations in the Baltic area get caught up in money laundering scandals of their Russian counterparts, which puts into question the probity of Nordic banks.12

TROUBLED TIMES IN THE BALTICS
Things did not always go as planned. Earlier in 2007, some US$230 million was stolen from American financier Bill Browder’s investment fund Hermitage Capital Management in Russia.13 Sergei Magnitsky, a tax accountant initially tasked to investigate the fraud, was arrested and imprisoned following his unveiling of the US$230 million fraud. It was later revealed that the Magnitsky affair was the largest tax fraud in Russian history.14

SVT alleges that a total of US$26 million from the tax fraud was transferred to about 50 accounts in Swedbank, through companies suspected of money laundering identified from the Danske Bank scandal.15 Howard Wilkinson, the whistle-blower of dirty Russian money laundering at Danske Bank, recalled the time when he was employed at Danske’s branch in Tallinn, Estonia.16 He noted that Russian customers would call in daily to exchange rubles for dollars, and on the very next day, transfer the money out to other places. By 2015, Danske Bank subsequently shut down its Estonian non-resident portfolio after risks of money laundering surfaced.17

Further problems arose in 2008 when Swedbank was accused of reckless lending in the Baltics.18 This forced Swedbank to stomach huge credit losses when the global financial crisis hit. In 2009, swelling loan losses in the Baltics led to a net loss amounting to US$1.14 billion and a negative return on equity of 12.5%.19

On 19 September 2018, investigations into Danske Bank’s Estonia branch concluded that “major deficiencies in controls and governance made it possible to use Danske Bank’s branch in Estonia for criminal activities such as money laundering.”20 Until 2016, Danske Bank’s Estonia branch had a non-resident portfolio of thousands of customers who did not reside in Estonia, including customers from the Russian Federation and the larger Commonwealth of Independent States (“CIS”).21

Fourteen years after the expansion into the Baltics, Swedbank was now embroiled in a dirty money scandal.22 This was thought to be the result of the company’s weak policies and inadequate Anti-Money Laundering (AML) and Know Your Customer (KYC) procedures.23 News of the alleged money laundering scandal arose when SVT claimed that at least US$4.3 billion was funnelled between high risk accounts between 2007 and 2015.24 This came after Danske Bank was investigated for allowing US$230 billion worth of non-resident money from Russia and other former Soviet states to pass through its Estonia branch.25 SVT obtained an internal document of Swedbank which showed that Swedbank did not know “who the real owners of the accounts were, or where the money was coming from” and that many of the bank’s “high risk customers should never have been approved.”26

THE STRAW THAT BROKE THE SWED’S BACK
“Swedbank have zero tolerance on money laundering and when we see signs, we act,”
Gabriel Rodau, Head of Group Communication27

In February 2019, Swedbank came under the spotlight after reports from Swedish television SVT revealed dubious transactions totalling US$4.3 billion possibly occurring between Swedbank and Danske Bank’s Baltic accounts.28 SVT had obtained scores of classified documents corroborating the numerous transactions between the two banks’ clients between 2007 and 2015. Following the allegations, Swedish and Baltics regulators initiated a joint investigation into Swedbank.29 Figure 1 summarises the key milestones in Swedbank’s history and key events relating to the scandal.

On 21 February 2019, Swedbank announced the appointment of Ernst & Young (EY) Global Ltd. to investigate allegations of fraud and money laundering.30 However, on 26 February 2019, just five days after the appointment, Swedbank discharged EY and hired Forensic Risk Alliance instead.31

Swedbank’s decision was due to reports of the Danish government probing into EY’s ties to the Danske scandal. A Swedbank spokesman said in an email that they were aware of the reports in the media and to avert any future misunderstandings, Swedbank resolved to change the firm.32

Figure 1: Swedbank’s History and Key Events Surrounding the Scandal

1820: Swedbank was founded in Gothenburg
1998: Swedbank acquired more than 50% of Hansabank
2002: Hansabank started operations in Russia
2004: Hansabank acquired Moscow Based OAO Kvest Bank
2005: Swedbank acquired 100% of Hansabank
2006: During the Annual General Meeting, the bank’s name was changed to Swedbank
2007 to 2015: Money laundering occurred during this period
19 February 2019: CEO analyst call failed to reject report which states that Swedbank had handled US$4.3 billion in suspicious flows tied to the Danske Bank A/S Estonia scandal
22 February 2019: Swedbank hired Ernst & Young (EY) to investigate money laundering issues
26 February 2019: Swedbank dropped EY and hired Forensic Risk Alliance instead
27 March 2019: Police probe Swedbank on insider trading
28 March 2019: Birgitte Bonnesen (CEO) was fired
5 April 2019: Lars Idermark, Chairman resigned
19 June 2019: Appointment of Swedbank AB’s new Chairman, Goran Persson
30 September 2019: Robert Kitt, Vaiko Tammevali and Kaie Metsia from Swedbank Estonia were dismissed
1 October 2019: Appointment of Swedbank AB’s new CEO, Jens Henriksson

Subsequent probes unveiled that 50 of Swedbank’s clients with high risk indicators of money laundering had possibly channelled US$5.8 billion through Swedbank.33 These client companies had neither operations nor legitimate owners.34 Evidently, warning signs were insufficient to flag out the problem of money laundering that was occurring right under the noses of Swedbank’s management. Ever since allegations of money laundering surfaced, Bonnesen had repeatedly emphasised her faith in the company’s anti-money laundering (AML) and know-your-customer (KYC) procedures. However, when then acting CEO Anders Karlsson took the helm in March 2019, he admitted that previous internal investigations revealed shortcomings in Swedbank’s AML and KYC procedures. Karlsson disclosed cases in which risky customers connected to previous money-laundering cases were not flagged out, and cases where reports on suspicious transactions should have been made to authorities but were not done.35
faith in the company’s anti-money laundering (AML) and

To further exacerbate matters, these transactions were purportedly linked to the Russian tax fraud totalling over US$230 million.36 In addition, Sweden’s Economic Crime Authority (SECA) commented that its search of Swedbank’s head office on 27 March 2019 was part of its independent inquiry into whether the bank contravened insider trading regulations by notifying major shareholders about SVT’s initial report before the information was disclosed.37

In an interview with Sveriges Television (SVT), Bonnesen mentioned that the Baltic business was “the most successful business at Swedbank under her reign.” When Swedbank was alleged to be involved in money laundering, she attempted to convince shareholders and customers that everything was under control, asserting that the business model and processes were sound and that the bank had operated in the Baltics with the highest customer satisfaction rates of all banks. However, all was not as it seemed.

It appeared that Bonnesen had misled the public regarding the gravity of the money laundering case.38

WRAPPING FIRE WITH PAPER
“If the information is correct, there are two alternatives: they have known about it but let it continue or they haven’t checked and the transactions haven’t triggered any alarm, I don’t know what’s worse.”
- Joakim Bornold, savings adviser at Soderberg & Partners39

The culture in Swedbank encouraged keeping information under wraps. In April 2016, the New York State Department of Financial Services (DFS) approached Swedbank seeking its cooperation in providing information of all dealings tied to Mossack Fonseca, a Panamanian law firm sinking in its own scandal.40 In response, Swedbank said that the only dealings associated with Mossack Fonseca were outside of the Baltics, in Norway and Sweden. However, incriminating evidence provided by SVT pointed to Swedbank suppressing crucial transactional information between over 100 companies and Mossack Fonseca within the Baltics.41 In order to withhold details from the DFS, Swedbank had allegedly spun a colossal lie.

Perhaps the more pressing issue was the extent that Swedbank’s top management would go to in order to evade accountability. At the helm of Swedbank was former CEO Bonnesen, who responded to SVT’s inquiry saying “It sounds incredibly strange that we would have had any intention of covering things up,” and went further, stating “That is not at all consistent with the way we work, or how we’ve done things throughout the years.”42 Subsequently, in an email response, Swedbank even cited banking secrecy as the reason why full disclosure was not given.43 Despite damning evidence laid out by SVT pertaining to money laundering taking place in Swedbank, top management refused to cooperate and instead chose to sidestep the issues at hand.

OVERLOOKING RED FLAGS: DELIBERATE OR NEGLIGENT?
Records obtained by SVT had unravelled events alluding to Swedbank’s failure to uncover serious money laundering issues. The documents portrayed recurring dealings amounting to US$5.8 billion between Swedbank and Danske Bank.44 Another red flag was raised when SVT alleged that up to US$22 billion in annual gross transactions from risky Russian clients were funnelled through Swedbank’s Estonian bank between 2010 and 2016.45

Swedbank had failed to identify the illicit money laundering taking place over the years. The Swedish Shareholders’ Association claimed that Swedbank had fostered a tendency to treat lightly the regulations and laws it should have followed.46 However, Swedbank top management held a different view.

Gabriel Rodau, the Head of Group Communication, pointed out that “Swedbank have zero tolerance on money laundering and when we see signs, we act.”47 He later went on to reassure SVT of the bank’s robust transaction monitoring and reporting systems.48 In a telephone interview, Bonnesen also stated that she was satisfied with the safeguard systems of Swedbank and was confident that any discoveries had been looked into.49 However, she later conceded that the bank might have been unable to catch everything.50

THE FALL FROM GRACE
“It’s a massive scandal. From what we’ve learned from SVT’s information, Swedbank’s accommodation of suspicious transactions comprised a significant part of the money laundering operations, in parity with Danske Bank…”
– Louise Brown, corruption expert and chair of Transparency International’s Swedish chapter51

On 20 February 2019, Swedbank saw its market value plummet by 14% (Figure 2). Bonnesen attempted to re-establish calm by getting in touch with analysts. However, the effect was far from what she had hoped to achieve.52 In a conference call, Bonnesen found herself unable to refute a Swedish media report alleging that Swedbank had handled US$4.3 billion in dubious transactions tied to the Danske Bank Estonia scandal.53 In a desperate bid to allay concerns, she announced that Bill Browder, an investor known for clamping down hard on money launderers, had informed Swedbank that he would not be filing a criminal complaint against them. This announcement was short-lived, as Swedbank subsequently retracted the statement after Browder disconfirmed Bonnesen’s words.54

Philip Richards, an analyst at Bloomberg Intelligence in London, said that Swedbank’s management was either unable or unwilling to deny or confirm virtually anything. In particular, it was unclear whether the management knew the “full extent of what links they may or may not have had with suspicious transactions or customers.”55 Due to the sensitive nature of the subject, another analyst chose to remain anonymous and said that “the call left him with more questions than answers.”56

At Morgan Stanley, the opinion was that there was little chance for the shares to recover after the conference call with Bonnesen.57 They said that there was insufficient assurance to fuel a prompt recovery in Swedbank’s shares.58

Responding to the spate of bad news, investors proceeded to dump the stock and Swedbank traded down about 10%. Over the span of two days, alarmed investors caused Swedbank’s market value to fall by US$5.3 billion.59

Figure 2: Impact of the Scandal

After two days of precipitous losses, Swedbank’s shares regained some ground. However, Joakim Bornold, a savings adviser at Soderberg & Partners, said that “the danger is far from over.”60

Meanwhile, it emerged that several senior management personnel at Swedbank had been buying thousands of Swedbank’s shares, and these included board members Ulrika Francke, Bo Johansson and Anna Mossberg. Moreover, Ola Laurin, head of large corporates and institutions, and Anders Ekedahl, head of group IT, had also been buying the bank’s shares. Just two days after their purchases, Swedbank shares rose by almost five percent.61

After the public was made aware of the scandal, Lars Idermark, Chairman of Swedbank, attempted to salvage the situation through the promise of increased transparency.62 However, his actions were contradictory to what he had promised. During a press conference following the AGM, he reportedly evaded an important question concerning a leaked report alleging billions in suspicious flows funnelled through the non-resident unit in Swedbank Estonia.63 His actions raised new suspicions, after he provided frivolous excuses such as not having known about the report beforehand. When probed further about the supposedly leaked report, he declined to give a reply.64 He was further discredited when SVT made claims of Swedbank having knowledge of transactions relating to Viktor Yanukovych, which are suspected to be bribery wrapped as a book deal, since 2017.65

Swedbank’s anti-money laundering policy was overseen by Bonnesen between 2009 and 2011, when she was the Chief Audit Executive.66 SVT asserted that Bonnesen had herself to blame for Swedbank’s inability to identify the spate of money laundering activities that occurred.67 Swedbank has since confessed to potential shortcomings in its internal system for detecting money laundering risks during an internal probe.68 However, Bonnesen’s retraction of her initial denial regarding Swedbank’s connection with the Danske Bank scandal led to a fall in investor confidence.69

Less than a week before the AGM was held, Bonnesen still had the full backing of the board. However, increasing allegations of money laundering and indications of the US investigating Swedbank riled investors. To make matters worse, Swedbank was now being investigated for other criminal activities, including suspected fraud and a breach of insider trading rules.70 Some of Swedbank’s major shareholders expressed their disapproval and hinted at an extraordinary general meeting to potentially elect a new board.71 This sentiment was also shared by Nordnet, an online broker, and the Swedish Shareholders’ Association.72

The Swedish Shareholders’ Association was of the view that Swedbank’s new leadership should come from outside the company, as the company’s mindset was to ‘take lightly’ current laws and regulations.73 Bonnesen was subsequently fired on 28 March 2019 on grounds of failing to detect and prevent the illicit money laundering activities as CEO and Head of Baltic operations.74 According to the terms stipulated in her contract, she was entitled to compensation of US$2.3 million.75 Idermark also left.

On 5 April 2019, Browder lodged a criminal complaint against Swedbank with Latvian authorities, accusing the bank of involvement in the Russian money laundering scandal.76 On 28 October 2019, new allegations were directed at Swedbank indicating that it might have contravened European Union laws, and on the morning of 29 October 2019, Swedbank’s shares fell by more than four percent and its market value plunged more than 30% for the year.77 The bank is currently being investigated by several U.S. agencies as well as the European Central Bank, and investors are bracing for large fines and higher compliance costs.78

DIVIDEND WOES

“The lender’s dividend, cut to a 50% payout, may need to change again if fines approach $1 billion.”
– Philip Richards, Senior Bank Analyst at Bloomberg Intelligence79

On 17 July 2019, Swedbank revealed to the Stockholm Exchange that it would no longer be able to accomplish its goal of maintaining the “highest dividend ratio within the Nordic finance industry.”80 The ongoing money laundering scandal culminated in Swedbank finishing last in terms of stock performance in 2019. Until then, Swedbank had aimed to pay out 75% of its profits to shareholders. However, in light of the ongoing investigations, it was forced to adjust its pay-out downwards to just 50% of profits.81

Philip Richards and Georgi Gunchev, bank analysts at Bloomberg Intelligence, commented that the reduction of dividend pay-out to 50% is a practical and needed move as Swedbank strives to strengthen “its capital buffer of just over US$1 billion compared to the 14.6% CET1 requirement.”82

On 28 October 2019, new allegations were directed at Swedbank, accusing it of contravening European Union (EU) sanctions. Barely a day later, Sweden’s financial watchdog, the Financial Supervisory Authority (FSA), announced that its findings up till then suggested that sanctions could be imposed on Swedbank. Under Swedish law, fines of “up to 10% of a bank’s total annual income” could be imposed.83

Bloomberg Intelligence also weighed in, commenting that Swedbank is vulnerable to money-laundering fines due to a new Swedish FSA sanction case and Swedbank’s tight capital buffer which is “US$800 million over the regulatory minimum.”84

POTENTIAL FINES

Anders Karlsson, the acting CEO, remarked that Swedbank’s new dividend policy reflected the circumstances of the bank being “in a very special situation” which required it to have a “safety buffer.”85 Furthermore, he stated that it was too early to say how the bank should prepare for the possibility of a money laundering fine.86

In an interview with Bloomberg Television, Karlsson was quoted as saying “If there is a fine, when there is a fine, we will pay that fine, and exactly how that will pan out, it is still too early to say,” and “I think it is important to build a safety buffer, in the environment we are in.”87

STEPPING ON TOES: UNITED STATES

Swedbank admitted to Swedish and Estonian regulators that it still has “shortcomings” in its anti-money laundering work and is facing multiple inquiries by US regulators.88

Any action by the US authorities, such as the Department of Justice or the Securities and Exchange Commission, is a major concern for investors because the magnitude of potential US sanctions could dwarf those from Swedish watchdogs and even compromise Swedbank’s ability to transact in the US dollar.89

The cornerstone US criminal money laundering statutes are 18 USC sections 1956-1957, along with other federal criminal statutes. 18 USC section 1956 outlaws international money laundering (1956(a)(2)): “moving money into or outside of the US with the intent to promote an SUA, or with the intent to conceal a money laundering offence or avoid reporting requirements knowing that the funds are proceeds of an SUA.”90

GUARDIANS OF THE SWEDES: CORPORATE GOVERNANCE IN SWEDEN AND SWEDBANK

Corporate governance in Sweden has been a model for other countries to emulate, with the first official Swedish Code of Corporate Governance issued in 2005. It is widely known for its practice of giving investors a large say in the oversight of companies through its novel nominating committee, which has been praised for promoting stability and a focus on the long-term.91 According to an annual survey by the Reputation Institute in 2018, Sweden emerged top as the most reputable and trustworthy country.92 The survey results further showed that Sweden has a “high standard of living” and “a strong sense of business.”93

Despite Sweden being ranked as the fourth most transparent country in the world by U.S. News,94 a string of corporate scandals has rocked the financial markets and undermined Sweden’s credibility as an ethical and virtuous country. Companies such as Swedish pulp and paper manufacturer Svenska Cellulosa AB (SCA) have been decimated in the wake of such scandals, raising questions regarding the effectiveness of the Swedish system of corporate governance. In the case of Swedbank, several top executives of the company, including CEO Bonnesen and Estonia Chief Executive Robert Kitt, were fired as a result of the money laundering scandal.95 This scandal sent shockwaves across the Swedish community.96

Under Sweden’s unique nominating committee system, investors decide on the composition of the board through electing members into the nominating committee during the Annual General Meeting.97 Shareholders ‘sit’ in the nominating committee and have the right to choose its directors and auditor each year.98 In Swedbank’s case, the nominating committee comprised at most six members including the Chair of the Board and representatives of the five largest shareholders.99 This is in contrast to the system of nomination in other countries such as the US and UK, where nominations are made by the directors themselves. In these countries, shareholders have limited ability to influence these nominations.100

Shareholders in Sweden play an active role in the strategic decisions of companies, helping to shake up the board structure when necessary. The participation of the five largest shareholders in the nominating committee limits the issues of over-concentration of power and lowers the risks of short-termism. Apart from the scrutiny of shareholders, the Board is also heavily subjected to media scrutiny.101 Sweden has done well out of having robust media scrutiny, which has helped to shine the light on corporate scandals and abuses. Armed with ample information and the ability to act, shareholders have spared executives no mercy.102

GUARDIANS OF SWEDBANK AB

Swedbank has a corporate governance framework which lays the foundation of the company structure. It serves as a guideline for the board to follow when deciding the direction of the company.103 The three key principles when determining the company structure comprise board oversight, group level executive management oversight and business level executive management monitoring and oversight.104

Swedbank AB elects its board of directors annually through an annual general meeting (AGM), where each director is re-elected every year.105 The Board is tasked with the responsibility of running Swedbank’s affairs in the interests of the company and shareholders. In addition, the board places emphasis on the interests of its customers and sound risk-taking to guarantee the bank’s continued survival and instil stakeholder confidence.106 The roles of the Board include the establishment of financial goals and strategies; the appointment, dismissal and evaluation of the CEO; providing the assurance that competent systems are in place to monitor and control operations; ensuring compliance with the laws and regulations; and ensuring the accuracy and transparency of the information released.107

GUARDIANS OF SWEDBANK ESTONIA

Swedbank Estonia has a Supervisory Board which is separate from its Board of Directors. It consists of between five and 12 members appointed by Swedbank AB,108 who do not receive remuneration from the company. The primary purpose of the Supervisory Board is to provide oversight and assist in the company direction, through decision making and evaluation relating to operations, as well as to delegate and monitor the Board of Directors.109 Strategic issues also require the approval of the Supervisory Board.110

The Supervisory Board works hand in hand with the Board of Directors, by helping ensure that the consolidated financial statements are accurate before they are provided to shareholders.111 Swedbank Estonia adopted the Enterprise Risk Management (ERM) policy

which aids in the bank’s risk management efforts, detailing the framework, process and duties.112 The proposal and approval of a remuneration policy is also based on an analysis of potential risks that could occur in the bank.113

The Board of Directors comprises six to 12 members, and the members are elected by the Supervisory Board for a term of three years.114 The Board of Directors focuses on operations and ensures compliance with rules and regulations.115 The directors’ remuneration is based on variable pay following the “Performance and Share based Remuneration Program.”116

WHAT WERE THE SIRENS IN PLACE?

Swedbank’s risk management framework is built upon a three lines of defence model as shown in Figure 3 below.

Its first line of defence focuses on risk management by business operations whereby individual business units are expected to manage their own risks. The second line of defence relates to its risk and compliance-related functions.117 Swedbank has its own separate compliance function led by the Chief Compliance Officer who is directly accountable to the Chief Executive Officer. Under its third line of defence, the Internal Audit function evaluates the risk management, governance and internal controls of the company. The Internal Audit function reports directly to the Board.118

Figure 3: Swedbank’s Three Lines of Defence Model119

Swedbank’s risk management
Swedbank’s risk management is built on a well-established risk process with three lines of defence and clear reporting.

Board of Directors
CEO

First line of defence: Risk management (operational). Own and manage risks.
• Business and operations (line)
• Support function

Second line of defence: Control (operational). Established frameworks and monitor risks.
• Risk
• Compliance

Third line of defence: Evaluation (not operational). Evaluate and validate the effect of the first and second lines of defence.
• Internal Audit

However, doubt was cast on the robustness of Swedbank’s three lines of defence and risk management policies. In the midst of the money laundering scandal, Swedbank admitted to the inadequacy of its risk assessment practices in both Sweden and Estonia.120 It also admitted to the blurring of responsibilities within the bank which resulted in the occasional non-compliance with its internal policies.121 These admissions came after SVT released incriminating evidence that over US$135 billion in risky money moved through Swedbank’s Estonian branch for over a decade undetected.122

UNITED THEY FELL: DISMISSAL OF ESTONIA EXECUTIVES

On 30 September 2019, amidst the ongoing probe into the money laundering scandal, three top executives at the Estonian branch of Swedbank were simultaneously fired. They were Robert Kitt, Chief Executive Officer; Vaiko Tammevali, Chief Financial Officer; and Kaie Metsla, head of Swedbank Estonia Private Customer Division. According to Bjoern Elfstrand, council chair of Swedbank Estonia, the resolution to remove these executives was based on “information concerning historical shortcomings connected to anti-money laundering work.”123

Following the dismissal of these executives, Swedbank Estonia appointed Olavi Lepp to lead the Estonian business and Anna Kouts as the new Chief Financial Officer, alongside Tarmo Ulla as the new head of the Private Customer Division.124

The money laundering scandal greatly impacted Swedbank. The company also had to deal with the fall in share price, reduction in dividend pay-out, potential fines and contravention of US money laundering law.

SILVER LINING OR THE START OF A PERFECT STORM?

“The investigation is like a cloud hanging over Swedbank, so the sooner the FSA reaches a decision, the better.”
– Joakim Bornold, a savings adviser at Soderberg & Partners in Stockholm125

On 23 October 2019, Jens Henriksson made the decision that his top priority would be to ameliorate the “dark cloud” of money laundering allegations. Furthermore, he repudiated claims that investigations by US and European authorities were an “existential threat” for Swedbank.126

With the aid of law firm Clifford Chance and forensic accountants, Swedbank proceeded to commence 132 initiatives to bolster its ability to combat financial crime and

aimed to complete about 70 of them by the end of 2019.127 Swedbank’s internal investigation would be expected to set it back by approximately €93 million (US$102.3 million). The findings are expected in early 2020.128

Barely a week later, on 30 October 2019, Swedbank ran into a heightened risk of fines following allegations of having handled more than US$100 billion in possibly dubious funds. “Sweden’s financial watchdog gave its strongest indication yet that there is evidence of serious wrongdoing” in Swedbank.129

The Swedish FSA aimed to announce its findings in the beginning of 2020. A fine would be issued if investigations concluded Swedbank contravened the law with respect to money laundering prevention.130 Will this once prestigious bank be able to successfully make a comeback and once again become Sweden’s most reliable bank?

Only time will tell.

DISCUSSION QUESTIONS

1. With reference to the case, discuss the importance of corporate culture and the tone at the top. Comment on Swedbank’s actions in response to the money laundering scandal and provide recommendations moving forward.

2. Birgitte Bonnesen was highly regarded as the second most powerful woman in the Swedish business sector. Evaluate the conflict that a company might face between a CEO’s competency and her integrity.

3. Given the high transaction volume that banks handle daily, how may they mitigate the risks associated with money laundering using the different lines of defence? Suggest potential improvements for Swedbank.

4. Under the Swedish system of corporate governance, the five largest shareholders have the option of electing a representative each to sit on the nominating committee, along with the head. Evaluate the pros and cons of such an arrangement in improving corporate governance and how it can protect the interests of shareholders.

5. With reference to Swedbank, what are some of the risks when companies venture abroad? Explain your answer and discuss the other aspects that companies have to consider in risk assessment.

6. Who were the key players in the money laundering scandal at Swedbank? Evaluate the role of the media and shareholders in promoting good corporate governance and whether measures implemented by Swedbank are sufficient.

ENDNOTES

1 Swedbank Group. (n.d.). Our History. Retrieved from https://www.swedbank.com/about-swedbank/our-history.html
2 Reuters. (2019, March 27). U.S. authority probes Swedbank over money laundering allegations; headquarters searched. Retrieved from https://www.todayonline.com/world/swedbank-may-have-misled-us-over-clients-links-panama-papers-scandal-swedish-tv
3 Swedbank Group. (n.d.). Sustainability Awards. Retrieved from https://www.swedbank.com/sustainability/reporting-monitoring/sustainability-awards.html
4 Kim. (2019, June 11). ANALYSIS: Danske Bank, Swedbank, and Global AML Failures. Retrieved from https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-danske-bank-swedbank-and-global-aml-failures
5 Scope Ratings. (2019, June 25). How exposed are Nordic Banks to the Baltics? Retrieved from https://www.scoperatings.com/ScopeRatingsApi/api/downloadstudy?id=aab452eb-7a93-4fc3-bf9f-0fafb8c572dc
6 Ibid
7 Swedbank. (n.d.). The Hansabank history. Retrieved from https://www.swedbank.com/about-swedbank/our-history/hansabank-history.html
8 Ibid
9 Swedbank. (n.d.). The Story of Swedbank. Retrieved from https://online.swedbank.se/ConditionsEarchive/download?bankid=1111&id=WEBDOC-PRODE24529001
10 Corporate Finance Institute. (n.d.). Overview of Banks in Estonia. Retrieved from https://corporatefinanceinstitute.com/resources/careers/companies/top-banks-in-estonia/
11 Guarascio. (2019, April 8). Explaining Europe’s Growing Money Laundering Scandal. Retrieved from https://www.insurancejournal.com/news/international/2019/04/08/523148.htm
12 Hoikkala & Lindeberg. Swedbank Chairman Quits Over Money-Laundering Scandal. Retrieved from https://www.bloomberg.com/news/articles/2019-04-05/swedbank-chair-exits-as-laundering-case-rips-through-top-ranks
13 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
14 OCCRP. (2014, January 29). Europe: Parliamentary Assembly Votes for Magnitsky Sanctions. Retrieved from https://www.occrp.org/en/27-ccwatch/cc-watch-briefs/2298-europe-parliamentary-assembly-votes-for-sanctions-in-magnitsky-case
15 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
16 Sharman. (2019, May). How the Danske Bank money-laundering scheme involving $230 billion unraveled. Retrieved from https://www.cbsnews.com/news/how-the-danske-bank-money-laundering-scheme-involving-230-billion-unraveled-60-minutes-2019-05-19/

17 Reznik & Ummelas. (2019, October 6). A Banker Reveals the Bonus Culture Behind a $220 Billion Scandal. Retrieved from https://www.bloomberg.com/news/articles/2019-10-06/a-banker-who-handled-danske-s-non-resident-accounts-speaks-out
18 The Local Sweden. (2009, March 3). Untangling the role of Swedish banks in Latvia’s financial woes. Retrieved from https://www.thelocal.se/20090303/17962
19 Magnusson, Liman & Hoikkala. (2019, March 2). Baltic Cash Cow Delivers a Second Crisis to Sweden’s Oldest Bank. Retrieved from https://www.bloomberg.com/news/articles/2019-03-01/baltic-cash-cow-delivers-a-second-crisis-to-sweden-s-oldest-bank
20 Brunn & Hjejle. (2018, September 19). Report on the Non-Resident Portfolio at Danske Bank’s Estonian Branch. Retrieved from https://danskebank.com/-/media/danske-bank-com/file-cloud/2018/9/report-on-the-non-resident-portfolio-at-danske-banks-estonian-branch.pdf?rev=56b16dfddae94480bb8cdcaebeaddc9b&hash=B7D825F2639326A3BBBC7D524C5E341E
21 Ibid
22 Hoikkala, Magnusson & Schwartzkopff. (2019, February 22). Swedbank scandal puts spotlight on CEO’s history of denials. Retrieved from https://www.fin24.com/Economy/World/swedbank-scandal-puts-spotlight-on-ceos-history-of-denials-20190222
23 Ahlander & Vaish. (2019, April 25). Swedbank admits money laundering flaws, faces multiple U.S. probes. Retrieved from https://www.reuters.com/article/us-swedbank-results/swedbank-admits-money-laundering-flaws-faces-multiple-u-s-probes-idUSKCN1S10DK
24 The Local Sweden. (2019, April 5). Swedbank money-laundering scandal rumbles on as chairman steps down. Retrieved from https://www.thelocal.se/20190405/swedbank-money-laundering-scandal-intensifies-as-chairman-steps-down
25 Kowsmann & Hinshaw. (2019, September 19). Money-Laundering Probe Tied to Russia Expands to $230 Billion in Transactions. Retrieved from https://www.wsj.com/articles/danske-banks-finds-more-than-200-billion-in-transactions-at-branch-suspected-of-money-laundering-1537345254
26 The Local Sweden. (2019, April 5). Swedbank money-laundering scandal rumbles on as chairman steps down. Retrieved from https://www.thelocal.se/20190405/swedbank-money-laundering-scandal-intensifies-as-chairman-steps-down
27 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
28 Reuters. (2019, March 27). U.S. authority probes Swedbank over money laundering allegations; headquarters searched. Retrieved from https://www.todayonline.com/world/swedbank-may-have-misled-us-over-clients-links-panama-papers-scandal-swedish-tv
29 Ibid
30 Martuscelli. (2019, February 21). Swedbank : Appoints EY to Investigate Fraud and Money-Laundering Allegations. Retrieved from https://www.marketscreener.com/SWEDBANK-6496651/news/Swedbank-Appoints-EY-to-Investigate-Fraud-and-Money-Laundering-Allegations-28045735/
31 Broughton. (2019, February 26). Swedbank Drops EY as External Auditor Amid Reports of Danske Bank Ties. Retrieved from https://www.wsj.com/articles/swedbank-drops-ey-as-external-auditor-amid-reports-of-danske-bank-ties-11551218963
32 Ibid
33 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
34 Ahlander & Johnson. (2019, February 21). Estonia Probes Allegations Swedbank Linked to Danske Money Laundering Scandal. Retrieved from https://www.insurancejournal.com/news/international/2019/02/21/518295.htm
35 Ahlander & Vaish. (2019, April 25). Swedbank admits money laundering flaws, faces multiple U.S. probes. Retrieved from https://www.reuters.com/article/us-swedbank-results/swedbank-admits-money-laundering-flaws-faces-multiple-u-s-probes-idUSKCN1S10DK
36 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
37 Reuters. (2019, March 27). U.S. authority probes Swedbank over money laundering allegations; headquarters searched. Retrieved from https://www.todayonline.com/world/swedbank-may-have-misled-us-over-clients-links-panama-papers-scandal-swedish-tv
38 Magnusson, Schwartzkopff & Hoikkala. (2019, March 28). Swedbank Fires CEO Over Money Laundering Allegations. Retrieved from https://www.bloomberg.com/news/articles/2019-03-28/swedbank-ceo-has-been-fired-amid-mounting-laundering-allegations
39 Schwartzkopff, Magnusson & Hoikkala. (2019, February 20). Swedbank Dirty Money Plot Thickens After CEO Analyst Call. Retrieved from https://www.bloomberg.com/news/articles/2019-02-20/swedbank-reportedly-behind-4-3-billion-in-suspicious-transfers
40 SVT. (2019, February 20). Swedbank misled American investigators. Retrieved from https://www.svt.se/special/swedbank/english/investigators/
41 Ibid
42 Ibid
43 Ibid
44 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
45 Ahlander & Vaish. (2019, June 19). New chairman pledges to ‘clean’ scandal-hit Swedbank. Retrieved from https://www.reuters.com/article/us-europe-moneylaundering-swedbank-board/new-chairman-pledges-to-clean-scandal-hit-swedbank-idUSKCN1TK11G
46 Hoikkala & Lindeberg. Swedbank Chairman Quits Over Money-Laundering Scandal. Retrieved from https://www.bloomberg.com/news/articles/2019-04-05/swedbank-chair-exits-as-laundering-case-rips-through-top-ranks
47 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
48 Ibid
49 Ahlander & Johnson. (2019, February 21). Estonia Probes Allegations Swedbank Linked to Danske Money Laundering Scandal. Retrieved from https://www.insurancejournal.com/news/international/2019/02/21/518295.htm
50 Ibid
51 SVT. (2019, February 20). Suspected money laundering in Swedbank. Retrieved from https://www.svt.se/special/swedbank/english/
52 Ibid
53 Ibid
54 Ibid
55 Ibid
56 Ibid

57 Schwartzkopff, Magnusson & Hoikkala. (2019, February 20). Swedbank Dirty Money Plot Thickens After CEO Analyst Call. Retrieved from https://www.bloomberg.com/news/articles/2019-02-20/swedbank-reportedly-behind-4-3-billion-in-suspicious-transfers
58 Ibid
59 Ibid
60 Hoikkala, Magnusson & Schwartzkopff. (2019, February 22). Swedbank scandal puts spotlight on CEO’s history of denials. Retrieved from https://www.fin24.com/Economy/World/swedbank-scandal-puts-spotlight-on-ceos-history-of-denials-20190222
61 Ibid
62 Magnusson, Hoikkala & Schwartzkopff. (2019, March 29). Swedbank Chairman Is Next in Firing Line After CEO Is Ousted. Retrieved from https://www.bloomberg.com/news/articles/2019-03-29/swedbank-board-in-crosshairs-as-ceo-ouster-fails-to-calm-markets
63 Ibid
64 Ibid
65 Perryer. (2019, February 27). Swedbank scandal: suspicious funds linked to former Ukrainian president. Retrieved from https://www.europeanceo.com/finance/swedbank-scandal-suspicious-funds-linked-to-former-ukrainian-president/
66 Vaish & Ahlander. (2019, March 29). Swedbank Fires CEO on Growing Investor Criticism of Handling of Laundering Scandal. Retrieved from https://www.insurancejournal.com/news/international/2019/03/29/522276.htm
67 Ibid
68 Reuters. (2019, August 23). Swedish regulator delays Swedbank money-laundering probe report. Retrieved from https://www.reuters.com/article/us-europe-moneylaundering-swedbank/swedish-regulator-delays-swedbank-money-laundering-probe-report-idUSKCN1VD0X1
69 Vaish & Ahlander. (2019, March 29). Swedbank Fires CEO on Growing Investor Criticism of Handling of Laundering Scandal. Retrieved from https://www.insurancejournal.com/news/international/2019/03/29/522276.htm
70 Farmbrough. (2019, March 29). Swedbank Faces Escalating Money-Laundering Scandal. Retrieved from https://www.forbes.com/sites/heatherfarmbrough/2019/03/29/swedbank-faces-escalating-money-laundering-scandal/#19946f4346bc
71 https://www.bloombergquint.com/onweb/swedbank-board-in-crosshairs-as-ceo-ouster-fails-to-calm-markets
72 https://www.bloombergquint.com/onweb/swedbank-board-in-crosshairs-as-ceo-ouster-fails-to-calm-markets
73 Hoikkala & Lindeberg. Swedbank Chairman Quits Over Money-Laundering Scandal. Retrieved from https://www.bloomberg.com/news/articles/2019-04-05/swedbank-chair-exits-as-laundering-case-rips-through-top-ranks
74 The Local Sweden. (2019, March 28). Swedbank halts trading and fires CEO on ‘dramatic morning’. Retrieved from https://www.thelocal.se/20190328/swedbank-halts-trading-and-fires-ceo-on-dramatic-morning
75 Ibid
76 Vaish & Gelzis. (2019, April 17). Bill Browder files Swedbank money laundering complaint in Latvia. Retrieved from https://www.reuters.com/article/europe-moneylaundering-swedbank-browder/bill-browder-files-swedbank-money-laundering-complaint-in-latvia-idUSL3N21Z1TD
77 Magnusson & Hoikkala. (2019, October 29). Swedbank Faces Bigger Risk of Fines as Watchdog Weighs Sanctions. Retrieved from https://www.bloomberg.com/news/articles/2019-10-29/sweden-considers-sanctions-against-swedbank-in-laundering-probe
78 Milne. (2019, September 17). Swedbank admits to money-laundering failings. Retrieved from https://www.ft.com/content/c10076e2-d920-11e9-8f9b-77216ebe1f17
79 Ibid
80 Business Times. (2019, July 17). Swedbank slashes dividend as Baltic dirty-money probes drag on. Retrieved from https://www.businesstimes.com.sg/banking-finance/swedbank-slashes-dividend-as-baltic-dirty-money-probes-drag-on
81 Ibid
82 Ibid
83 Magnusson & Hoikkala. (2019, October 29). Swedbank Faces Bigger Risk of Fines as Watchdog Weighs Sanctions. Retrieved from https://www.bloomberg.com/news/articles/2019-10-29/sweden-considers-sanctions-against-swedbank-in-laundering-probe
84 Ibid
85 Business Times. (2019, July 17). Swedbank slashes dividend as Baltic dirty-money probes drag on. Retrieved from https://www.businesstimes.com.sg/banking-finance/swedbank-slashes-dividend-as-baltic-dirty-money-probes-drag-on
86 Ibid
87 Ibid
88 Milne. (2019, September 17). Swedbank admits to money-laundering failings. Retrieved from https://www.ft.com/content/c10076e2-d920-11e9-8f9b-77216ebe1f17
89 Ahlander & Vaish. (2019, April 25). Swedbank admits money laundering flaws, faces multiple U.S. probes. Retrieved from https://www.reuters.com/article/us-swedbank-results/swedbank-admits-money-laundering-flaws-faces-multiple-u-s-probes-idUSKCN1S10DK
90 Lisa, Spivack & Garcha. (2019, June). Anti-Money Laundering. Retrieved from https://gettingthedealthrough.com/area/50/jurisdiction/23/anti-money-laundering-united-states/
91 The Financial Times. (2016, April 10). Sweden sets an example in corporate governance. Retrieved from https://www.ft.com/content/34107b60-fd78-11e5-b3f6-11d5706b613b
92 Reputation Institute. (2018, June 21). The World’s Most Reputable Countries. Retrieved from https://www.reputationinstitute.com/sites/default/files/pdfs/2018-Country-RepTrak.pdf
93 Reputation Institute. (n.d.). Sweden has best country reputation in the world. Retrieved from https://www.business-sweden.se/en/Invest/inspiration/investment-news/Sweden_has_best_country_reputation_in_the_world/
94 Farmbrough. (2019, March 29). Swedbank Faces Escalating Money-Laundering Scandal. Retrieved from https://www.forbes.com/sites/heatherfarmbrough/2019/03/29/swedbank-faces-escalating-money-laundering-scandal/#3eae1c4446bc
95 Ummelas. (2019, October 1). Swedbank executives fired amid €200bn money laundering investigation. Retrieved from https://www.independent.co.uk/news/business/news/swedbank-money-laundering-investigation-executives-fired-danske-bank-a9127941.html

96 Magnusson, Schwartzkopff & Hoikkala. (2019, March 28). Swedbank 115 Ibid
Fires CEO Over Money Laundering Allegations. Retrieved from
https://www.bloomberg.com/news/articles/2019-03-28/swedbank-
116 Ibid
ceo-has-been-fired-amid-mounting-laundering-allegations 117 Swedbank. (n.d.). Corporate Governance Report. Retrieved from
97 Swedbank. (n.d.). Swedbank Annual and Sustainability Report 2018. https://www.swedbank.com/idc/groups/public/@i/@sbg/@gs/@ir/
Retrieved from https://internetbank.swedbank.se/Conditions documents/financial/cid_2580659.pdf
Earchive/download?bankid=1111&id=WEBDOC-PRODE32061861 118 Ibid
98 Ibid 119 Swedbank. (n.d.). Swedbank Annual and Sustainability Report 2018.
99 Ibid Retrieved from https://internetbank.swedbank.se/Conditions
Earchive/download?bankid=1111&id=WEBDOC-PRODE32061861
100 The Financial Times. (2016, April 10). Sweden sets an example in
corporate governance. Retrieved from https://www.ft.com/content/
120 Milne. (2019, September 17). Swedbank admits to money-laundering
34107b60-fd78-11e5-b3f6-11d5706b613b failings. Retrieved from https://www.ft.com/content/c10076e2-d
920-11e9-8f9b-77216ebe1f17
101 SVT. (2019, February 20). Suspected money laundering in Swedbank.
Retrieved from https://www.svt.se/special/swedbank/english/
121 Ibid

102 The Financial Times. (2016, April 10). Sweden sets an example in
122 Ibid
corporate governance. Retrieved from https://www.ft.com/content/ 123 Ummelas. (2019, October 1). Swedbank executives fired amid
34107b60-fd78-11e5-b3f6-11d5706b613b €200bn money laundering investigation. Retrieved from
103 Swedbank. (2018, December 31). Swedbank AB U.S. Resolution https://www.independent.co.uk/news/business/news/swedbank
Plan. Retrieved from https://www.federalreserve.gov/supervision- -money -laundering-investigation-executives-fired-danske-bank
reg/resolution-plans/swedbk-ab-3g-20181231.pdf -a9127941.html

104 Ibid
124 Reuters. (2019, October 1). Swedbank removes three executives
from Estonian unit. Retrieved from https://www.reuters.com/article/
105 Swedbank. (n.d.). The Board of Directors. Retrieved from https:// swedbank-estonia/swedbank-removes-three-executives-from
www.swedbank.com/about-swedbank/management-and-corporate -estonian-unit-idUSL5N26L6T3
-governance/the-board-of-directors.html
125 Business Times. (2019, October 30). Swedbank faces bigger risk of
106 Ibid fines as watchdog weighs sanctions. Retrieved from https://www.
businesstimes.com.sg/banking-finance/swedbank-faces-bigger-
107 Ibid risk-of-fines-as-watchdog-weighs-sanctions
108 Swedbank. (n.d.). Swedbank AS, Estonia Annual Report 2015. 126 Milne. (2019, October 23). Swedbank chief aims to lift ‘dark cloud’
Retrieved from https://www.swedbank.ee/static/pdf/about/finance/ of money-laundering claims. Retrieved from https://www.ft.com/
reports/info_annual-report-2015_eng.pdf content/7ba1caea-f579-11e9-b018-3ef8794b17c6
109 Ibid 127 Ibid
110 Ibid 128 Ibid
111 Swedbank. (n.d.). Swedbank AS, Estonia Annual Report 2018. 129 Business Times. (2019, October 30). Swedbank faces bigger risk of
Retrieved from https://www.swedbank.ee/static/pdf/about/finance/ fines as watchdog weighs sanctions. Retrieved from https://www.
reports/info_annual-report-2018_eng.pdf businesstimes.com.sg/banking-finance/swedbank-faces-bigger-
112 Ibid risk-of-fines-as-watchdog-weighs-sanctions

113 Ibid
130 Ibid

114 Swedbank. (n.d.). Swedbank AS, Estonia Annual Report 2015.


Retrieved from https://www.swedbank.ee/static/pdf/about/finance/
reports/info_annual-report-2015_eng.pdf
BRIBERY

JP MORGAN: PRINCE UN-CHARMING

CASE OVERVIEW
JP Morgan China was not getting the deals it would have liked. It believed that other banks were able to secure deals because they were hiring their potential clients’ children. JP Morgan therefore allegedly followed suit by hiring several sons and daughters of officials in Chinese state-owned companies, commonly referred to as princelings. The connections from the princelings apparently started to help JP Morgan gain deals just like its competitors.

However, the good times did not last. JP Morgan was investigated by the United States Securities and Exchange Commission (SEC) under the Foreign Corrupt Practices Act (FCPA). As a result, it dropped out of two billion-dollar Initial Public Offering (IPO) deals. The objective of this case is to explore issues such as ethics and tone at the top; role of the board in ensuring the appropriate culture in a company; effectiveness of codes of conduct and whistleblowing policies; and the fine line between bribery and “guanxi” in China.

COURTING ROYALTY
“You all know I have always been a big believer of the Sons and Daughters programme – it almost has a linear relationship with winning jobs to advise Chinese companies.”
– Fang Fang, former Chief of investment banking, JP Morgan China1

It was the loss of a key deal to Deutsche Bank (DB) in 2009 that started it all. When Wall Street suffered during the global financial crisis, JP Morgan China was urged to push up earnings. “We lost a deal to DB today because they got chairman’s daughter work for them this summer,” 2 a fellow executive from investment banking had remarked via email. The replies followed: “I am supportive to have our own hiring strategy”; “We do way, way, way too little of this type of hiring and I have been pounding on it with China team for a year”; “Confidential, just added son of #2 at SinoTruk to my team”.3 Even though none of the executives themselves have been implicated or accused of any wrongdoing yet, the carefully detailed spreadsheets specifying appointments of these sons and daughters of prominent people and their resulting effects had been found.4

Investigations were ongoing, and it was going to be tough.

In November 2013, JP Morgan withdrew as an underwriter for a share sale by China Everbright Bank. The IPO eventually launched in December amounted to US$3 billion. In January 2014, it also withdrew from a US$1 billion IPO for Tianhe Chemicals. In March, amidst investigations, Fang Fang, the Chief Executive for investment banking in JP Morgan China, retired. Two months later, he was arrested.5

ABOUT JP MORGAN
JP Morgan Chase and Co, headquartered in New York City, traces its roots back to 1799. In 2000, JP Morgan merged with The Chase Manhattan Corporation and was renamed JP Morgan Chase and Co6. The key areas of business include investment banking, markets and investor services, treasury services, investment management, private banking, wealth management and brokerage, as well as commercial banking.7

The company serves clients in 100 locations, including the Americas, Asia Pacific, Europe, Middle East and Africa. In 2011, the firm celebrated the 90th anniversary of its presence in China,8 where it has offices in Beijing, Shanghai, Tianjin, Guangzhou, Chengdu, Harbin, Suzhou, Shenzhen and Zhongshan, which serve corporations, financial institutions and government agencies.9

KINGDOM RULES
JP Morgan’s Code of Conduct is given to all new employees and has a section addressing anti-bribery and anti-corruption. Employees are not allowed to “give, offer or promise (directly or through others) anything of value to anyone, including government officials, clients, suppliers or other business partners, if it is intended or appears intended to obtain some improper business advantage.” 10

Employees are also required to report any known or suspected violations of the Code and this was specified as the responsibility of all employees. Each employee would be assigned a Code Specialist from the Compliance or Legal Department, to answer questions on the Code.11

This is the abridged version of a case prepared by Chua Zi Hui Grace, See Xiaowei, Sng Jing Kai and Trina Ling Tzi Chi under the supervision of Professor Mak Yuen Teen. The case was
developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and
perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Lim Hui Ying under
the supervision of Professor Mak Yuen Teen.

Copyright © 2015 Mak Yuen Teen and CPA Australia.



THE CHOSEN ONES
The Sons and Daughters Programme was started in 2006 to weed out nepotism and avoid bribery charges in the United States12. The two-tiered process was originally meant to prevent the controversial hiring of the sons and daughters of senior officials in the Chinese Communist Party and executives in state-owned enterprises, so-called “princelings”.13 This was done by separating them in the recruitment process. However, the programme ended up fostering the very results it was intended to prevent, with these candidates allegedly facing fewer interviews and sub-par standards.14

YOU SCRATCH MY BACK, I’LL SCRATCH YOURS
Such hiring practices were triggered15 by the loss of the deal to DB, when JP Morgan apparently realised16 that others in China secured deals through the hiring of princelings.17

The concept of exchanging favours is deeply etched in China’s culture. Big banks often hire sons and daughters of senior Chinese government officials in the hope of creating opportunities and securing deals.18 Relationships or networking, also known as “guanxi”, is a fundamental concept to grasp if one wishes to operate effectively in the Chinese economy.19 With the right “guanxi”, businesses are able to overcome obstacles and gain new opportunities. Often, it is the power of networking that will determine a company’s long run competitiveness in China.

One of the banks which demonstrated the concept of “guanxi” in the hiring of employees was Morgan Stanley. The bank hired Zhang Nan, the son of Zhang Dongsheng, an official of China’s powerful economic planning agency National Development and Reform Commission. A list of other princelings allegedly hired by Morgan Stanley was also circulated in the Chinese social media. Some of those included in the list are the son of Xiao Tian, deputy head of China’s sports bureau, and the son of Xie Xuren, China’s former finance minister and current chairman of the National Council for Social Security Fund.20

ERA OF THE PRINCELINGS
The loss of the deal to DB dealt JP Morgan a huge blow. In order to prevent history from repeating itself, JP Morgan allegedly followed suit and stepped up its hiring21 of the sons and daughters of the elites. This ironically achieved what its initial Sons and Daughters Programme had in fact hoped to prevent. JP Morgan executives in Hong Kong studied the hiring movement of established banks in China and decided to hire Tang Xiaoning, the son of the chairman of China Everbright Group. As such, JP Morgan successfully secured deals which had not previously been possible since 2010.22

The company continued the streak by engaging Fullmark Consultants, which was owned by the well-connected Lily Chang, the daughter of Wen Jiabao, who was China’s Premier at that time. The engagement helped JP Morgan to clinch deals with state-owned Chinese companies during Wen Jiabao’s premiership.23 JP Morgan also hired Zhang Xixi, the daughter of an official of China Railway Group who was later arrested on charges of bribery. She was hired around the time when China Railway Group’s IPO was facilitated by JP Morgan.24

Tang Xiaoning and Zhang Xixi have since left JP Morgan.25

CLAMPING DOWN ON THE GIANTS
It is uncommon for the American authorities to scrutinise hiring practices of banks and such practices have been left relatively unchecked until recently.26 In August 2013, SEC began its investigations into JP Morgan’s hiring practices in China. JP Morgan was suspected to be involved in the bribery of foreign officials. In exchange for hiring their children, JP Morgan allegedly gained lucrative business which was influenced by the officials. The FCPA prohibits U.S. companies from giving “anything of value” to a foreign official to win “an improper advantage” in retaining or attracting business27 and such hiring practices would be a clear breach of the Act.

Despite the relatively low monetary value of the salaries paid, the princelings value jobs in banks as they improve and add credibility to their resumes.28

WALKING A FINE LINE
What made the SEC suspicious was the fact that the hiring of princelings was usually accompanied by large deals from princelings-related companies which the bank never had much dealing with.29 For instance, the emergence of China Everbright as one of JP Morgan’s prized Asian clients coincided with the time that Tang Xiaoning was hired by JP Morgan. Similarly for Zhang Xixi, JP Morgan clinched the IPO for China Railway Group around the period she was hired.

SEC questioned JP Morgan about its hiring of personnel related to these two companies. In May 2013, SEC’s anti-bribery unit asked JP Morgan for documents related to Tang Xiaoning. They also requested “documents sufficient to identify all persons involved”30 in the decision to hire Zhang Xixi. Aside from these two persons of interest, SEC also inquired about “all JP Morgan employees who performed work for or on behalf of the Ministry of Railways” over the previous six years, which hinted that the investigations were targeted at the broad hiring strategies of JP Morgan’s China office.31

In addition to the investigation, JP Morgan’s Sons and Daughters Programme was hit by whistleblowers as it was not popular among some of the employees. In December 2011, a junior banker from JP Morgan in Hong Kong resigned with an email commenting, “I do not think my family is in a position to help you to the extent as others did; bring their family business to the firm.”32 Furthermore, at least two whistleblowers reported to the Hong Kong stock exchange and the U.S. authorities with regard to JP Morgan’s hiring practices.33

CROSSING THE LINE
The investigations uncovered a series of emails and confidential documents which seemed to link JP Morgan’s business opportunities directly to the hiring of these well-connected employees. The documents showed how JP Morgan referred to the hiring practices of other banks in China.34 Spreadsheets listing JP Morgan’s history of converting hires into business deals were submitted to the authorities. The spreadsheets also revealed how the Sons and Daughters Programme, which was originally meant to be a preventive measure against unethical hiring, eventually became a means of doing business with state-owned companies in China through the hiring of princelings.35

JP Morgan executives in New York were alerted by a bank official in Asia with regard to anonymous accusations about the bank hiring for the purpose of winning investment banking assignments. Email discussions showed that the executives dismissed those accusations and continued to propose revisions to the region’s hiring practices which were in favour of the hiring of princelings.36

DOMINO EFFECT
Following JP Morgan, SEC ramped up the scale of the investigations and issued letters of inquiry regarding hiring in China to several other major banks, including Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs and Morgan Stanley.37 The scope of the investigation expanded to non-U.S.-headquartered firms and the hiring practices in the rest of Asia.

FIFTY SHADES OF GREY
However, SEC has yet to accuse any banks, including JP Morgan, or executives of any wrongdoing. Legal analysts commented that such unethical practices have flourished in the banking industry partly due to the difficulty in pinpointing wrongdoings. Banking is a relationship business, and being well-connected is a big advantage to an individual vying for a position in the top banks. Furthermore, many of the princelings who are employed by the major banks are highly educated and hold degrees and MBAs from top universities around the world.38 It is therefore seen to be reasonable for the banks to hire these individuals who, on top of their academic capabilities, can build on their existing relationships to bring in big contracts.

TAINTED AND BRUISED
JP Morgan would face substantial legal costs if SEC decides to take enforcement actions against it. Together with other charges and investigations such as the Madoff Ponzi fraud and the ‘London Whale’ case, the princelings investigation may further tarnish JP Morgan’s reputation.39

JP Morgan’s stock price fell by 2.7% when the investigation on JP Morgan was publicly announced on 17 August 2013. When the company withdrew from China Everbright Bank’s IPO in November 2013, its stock price fell by 0.08%. There was another fall of 5.3% when the IPO with Tianhe Chemicals was dropped. The stock price fell by a further 1.9% when Fang Fang retired in March 2014.40

However, as the timing of this investigation coincides with the prosecution of the Madoff Ponzi fraud and ‘London Whale’ cases, the impact on the stock price that was directly related to the princelings issue was unclear.

TOO BIG TO REGULATE?
Some economists have commented that banks like JP Morgan are too large to be regulated.41 The frequency of significant legal cases involving JP Morgan raises questions about JP Morgan’s ethical culture. Although
the authorities have had some success in acting against unethical or illegal activities and taking enforcement actions against banks, financial analysts have questioned the effectiveness of the legal enforcements on large banks. This is because while the effectiveness of fines is questionable,42 restrictions on businesses might upset the financial markets to a large extent43.

END OF THE MONARCHY
On 29 May 2015, JP Morgan was subpoenaed by SEC for all of the company’s communications related to 35 Chinese government officials.44 Together with the departure of the Vice Chairmen Todd Marin and Catherine Leung, JP Morgan announced a wider reshuffle of senior roles.45 Even if JP Morgan was found innocent of hiring princelings to secure contracts, the damage done to its reputation would remain. Such hiring practices remain prevalent in other American and European investment banks, such as Bank of America, Citigroup, Credit Suisse, Goldman Sachs and Macquarie. All of these banks have hired relatives of high-ranking Chinese officials over the years to secure deals in China. A thorough investigation would inevitably affect more companies both within and outside the financial sector.46

In 2016, JP Morgan agreed to pay US$264 million to settle the charges relating to the “princelings” bribery scheme.47

In recent years, the authorities in China seem to have stepped up on their stand against corruption and bribery.48 The tide may have turned for doing business as the world moves towards a more transparent and fair society.

DISCUSSION QUESTIONS
1. To what extent should the Board of Directors be responsible for the corporate culture of a company?
2. What do you think is the “tone at the top” for JP Morgan? How did this affect the decision to hire princelings?
3. What do you think JP Morgan (New York headquarters) could have done to prevent the abuse of the “Sons and Daughters” programme?
4. JP Morgan’s main defence is that ‘every other bank is doing it’ and that the princelings are well qualified as well. Do you think this justifies the hiring practices adopted? Explain this using both a legal and ethical perspective.
5. Some economists are of the view that the Wall Street banks are getting “too big to regulate”. Discuss whether or not you support this view, taking into account the role and powers of the SEC and other regulators.
6. JP Morgan’s Code of Conduct specifically prohibits bribery and corruption. How effective is it in preventing such acts? Whistleblowing arrangements are increasingly seen to be an important component of the corporate governance framework of an organisation. To what extent does having a whistleblowing policy help to mitigate such acts?

ENDNOTES
1 Gough, N. & Forsythe, M. (2014, May 21). Former Chief of JP Morgan’s China Unit Is Arrested. The New York Times. Retrieved from http://dealbook.nytimes.com/2014/05/21/former-top-china-jpmorgan-banker-said-to-be-arrested-in-hong-kong/
2 Protess, B. & Silver-Greenberg, J. (2013, December 29). On Defensive, JP Morgan Hired China’s Elite. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/29/on-defensive-jpmorgan-hired-chinas-elite/
3 Ibid.
4 Kopecki, D. (2013, August 29). JP Morgan Bribe Probe Said to Expand in Asia as Spreadsheet Is Found. Bloomberg. Retrieved from http://www.bloomberg.com/news/2013-08-29/jpmorgan-bribe-probe-said-to-expand-in-asia-as-spreadsheet-found.html
5 Gough, N. & Forsythe, M. (2014, May 21). Former Chief of JP Morgan’s China Unit Is Arrested. The Wall Street Journal. Retrieved from http://dealbook.nytimes.com/2014/05/21/former-top-china-jpmorgan-banker-said-to-be-arrested-in-hong-kong/
6 JP Morgan Chase & Co. (2014). Company History. Retrieved from https://www.jpmorgan.com/pages/company-history
7 JP Morgan Chase & Co. (2014). What We Do. Retrieved from https://www.jpmorgan.com/pages/what-we-do
8 JP Morgan Chase & Co. (2014). Company History. Retrieved from https://www.jpmorgan.com/pages/company-history
9 JP Morgan Chase & Co. (2014). JP Morgan China. Retrieved from http://www.jpmorganchina.com.cn/pages/jpmorgan/china/eng/home
10 JP Morgan Chase & Co. (2014). Code of Conduct. Retrieved from http://www.jpmorganchase.com/corporate/About-JPMC/document/FINAL-2014CodeofConduct.pdf
11 Ibid.
12 Silver-Greenberg, J. & Protess, B. (2013, August 29). JP Morgan Hiring Put China’s Elite on an Easy Track. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/29/jpmorgan-hiring-put-chinas-elite-on-an-easy-track/
13 Hibbard, S. D. (2014). Analysis of J.P. Morgan Princelings Investigation. Retrieved from http://www.academia.edu/8101537/Analysis_of_J._P._Morgan_Princelings_Investigation
14 Silver-Greenberg, J. & Protess, B. (2013, August 29). JP Morgan Hiring Put China’s Elite on an Easy Track. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/29/jpmorgan-hiring-put-chinas-elite-on-an-easy-track/

15 Protess, B. & Silver-Greenberg, J. (2013, December 29). On Defensive, JP Morgan Hired China’s Elite. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/29/on-defensive-jpmorgan-hired-chinas-elite/
16 Son, H. (2013, December 8). JP Morgan China Hiring Probe Spreads to Five More Banks, NYT Says. Bloomberg. Retrieved from http://www.bloomberg.com/news/2013-12-08/jpmorgan-china-hiring-probe-spreads-to-five-more-banks-nyt-says.html
17 Levine, M. (2013, December 30). JP Morgan’s Mistake Was Not Hiring Chinese Princelings Fast Enough. Bloomberg View. Retrieved from http://www.bloombergview.com/articles/2013-12-30/jpmorgan-s-mistake-was-not-hiring-chinese-princelings-fast-enough
18 Barboza, D. (2013, August 20). Many Wall St. Banks Woo Children of Chinese Leaders. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/20/many-wall-st-banks-woo-children-of-chinese-leaders/
19 Warren-Gash, C. (2012, March 15). Want To Capitalize On China? You Better Have Good Guanxi. Forbes. Retrieved from http://www.forbes.com/sites/languatica/2012/03/15/want-to-capitalize-on-china-you-better-have-good-guanxi
20 Anderlini, J. (2014, September 3). China Fraud Unit Questions Morgan Stanley Arm Over ‘Princeling’. The Financial Times. Retrieved from http://www.ft.com/intl/cms/s/0/4debfe4e-336a-11e4-9607-00144feabdc0.html#axzz3H4NxQXWA
21 Levine, M. (2013, December 30). JP Morgan’s Mistake Was Not Hiring Chinese Princelings Fast Enough. Bloomberg View. Retrieved from http://www.bloombergview.com/articles/2013-12-30/jpmorgan-s-mistake-was-not-hiring-chinese-princelings-fast-enough
22 Protess, B. & Silver-Greenberg, J. (2013, December 29). On Defensive, JP Morgan Hired China’s Elite. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/29/on-defensive-jpmorgan-hired-chinas-elite/
23 Cassin, R. L. (2014, May 23). JP Morgan Ex-China Chief Arrested in Hong Kong. The FCPA Blog. Retrieved from http://www.fcpablog.com/blog/2014/5/23/jp-morgan-ex-china-chief-arrested-in-hong-kong.html
24 Silver-Greenberg, J., Protess, B. & Barboza, D. (2013, August 17). Hiring in China by JP Morgan Under Scrutiny. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/17/hiring-in-china-by-jpmorgan-under-scrutiny/
25 Ibid.
26 Ibid.
27 Foreign Corrupt Practices Act. (n.d.) U.S. Department of Justice. Retrieved from http://www.justice.gov/criminal/fraud/fcpa/
28 Silver-Greenberg, J., Protess, B. & Barboza, D. (2013, August 17). Hiring in China by JP Morgan Under Scrutiny. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/17/hiring-in-china-by-jpmorgan-under-scrutiny/
29 Ibid.
30 Ibid.
31 Ibid.
32 Protess, B. & Silver-Greenberg, J. (2013, December 7). JP Morgan Tracked Business Linked to China Hiring. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/07/bank-tabulated-business-linked-to-china-hiring
33 FCPA. (2013, December 20). JP Morgan ‘Sons and Daughters’ Program Hit by Whistleblowers’ Emails. Retrieved from http://www.fcpablog.com/blog/2013/12/20/jp-morgan-sons-and-daughters-program-hit-by-whistleblowers-e.html
34 Protess, B. & Silver-Greenberg, J. (2013, December 29). On Defensive, JP Morgan Hired China’s Elite. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/29/on-defensive-jpmorgan-hired-chinas-elite/
35 Protess, B. & Silver-Greenberg, J. (2013, December 7). JP Morgan Tracked Business Linked to China Hiring. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/12/07/bank-tabulated-business-linked-to-china-hiring
36 Glazer, E., Fitzpatrick, D. & Eaglesham, J. (2014, October 23). J.P. Morgan Knew of China Hiring Concerns Before Probe. The Wall Street Journal. Retrieved from http://online.wsj.com/articles/j-p-morgan-was-aware-of-overseas-hiring-concerns-before-u-s-probe-1413998056
37 Son, H. (2013, December 8). JP Morgan China Hiring Probe Spreads to Five More Banks, NYT Says. Bloomberg. Retrieved from http://www.bloomberg.com/news/2013-12-08/jpmorgan-china-hiring-probe-spreads-to-five-more-banks-nyt-says.html
38 Barboza, D. (2013, August 20). Many Wall St. Banks Woo Children of Chinese Leaders. The New York Times. Retrieved from http://dealbook.nytimes.com/2013/08/20/many-wall-st-banks-woo-children-of-chinese-leaders/
39 Pei, M. (2013, August 19). J.P. Morgan and The Pitfalls of Hiring China’s Elite Offspring. Fortune. Retrieved from http://fortune.com/2013/08/19/j-p-morgan-and-the-pitfalls-of-hiring-chinas-elite-offspring
40 Yahoo Finance. (n.d.). JP Morgan Chase & Co. (JPM) – NYSE. Retrieved from https://sg.finance.yahoo.com/echarts?s=JPM#symbol=JPM;range=1d
41 Alperovitz, G. (2012, July 22). Wall Street Is Too Big To Regulate. The New York Times. Retrieved from http://www.nytimes.com/2012/07/23/opinion/banks-that-are-too-big-to-regulate-should-be-nationalized.html
42 The Financial Times. (2014, January 10). The Regulatory Cost of Being JP Morgan. Retrieved from http://www.ft.com/cms/s/0/a1b6bb7c-79ed-11e3-a3e6-00144feabdc0.html
43 Kaufman, T. (2013, May 7). Are Banks Too Big To Tolerate? Forbes. Retrieved from http://www.forbes.com/sites/tedkaufman/2013/05/07/are-banks-too-big-to-tolerate/
44 SEC Seeks JP Morgan Data Related to Chinese Officials. (2015, May 29). Bloomberg. Taipei Times. Retrieved from http://www.taipeitimes.com/News/biz/archives/2015/05/29/2003619391
45 Chan, R. (2015, February 14). JP Morgan Executives Linked to Asia Hiring Probe to Leave Bank. South China Morning Post. Retrieved from http://www.scmp.com/business/banking-finance/article/1711694/2-jpmorgan-executives-connected-princeling-probe-set-leave
46 Pei, M. (2013, August 19). J.P. Morgan and The Pitfalls of Hiring China’s Elite Offspring. Fortune. Retrieved from http://fortune.com/2013/08/19/j-p-morgan-and-the-pitfalls-of-hiring-chinas-elite-offspring
47 Lynch, D.J., Hughes, J. and Arnold, M. (2016, November 18). JP Morgan To Pay $264m Penalty For Hiring ‘Princelings’. Financial Times. Retrieved from https://www.ft.com/content/fc32b64e-ac87-11e6-ba7d-76378e4fef24
48 Shankar, S. (2014, November 3). China To Set Up New Anti-Corruption Committee To Fight ‘Unprecedentedly Serious’ Cases. International Business Times. Retrieved from http://www.ibtimes.com/china-set-new-anti-corruption-committee-fight-unprecedentedly-serious-cases-1717648

GOLDMAN SACHS: HUNGRY LIKE A WOLF

CASE OVERVIEW
In July 2015, news broke regarding the embezzlement of money from Malaysia’s sovereign wealth fund, 1Malaysia Development Berhad (1MDB) with the then Prime Minister, Najib Razak, accused of siphoning off up to US$700 million into his personal bank accounts. Since then, many countries have launched investigations into 1MDB-related fund flows across borders. These led to Goldman Sachs, a United States-based multinational investment bank and financial services firm, being thrust into the spotlight for its bond dealings with 1MDB. As the appointed bank for 1MDB’s three bond offerings, Goldman Sachs helped raise a total of US$6.5 billion for the state-owned sovereign wealth fund. Further probes revealed that US$600 million was paid as fees to Goldman Sachs.

On 1 November 2018, the United States Department of Justice (DoJ) announced charges against three key players in the fraud - Tim Leissner, Roger Ng and Jho Low. Authorities from other countries such as Malaysia and Singapore also took action. The objective of this case is to facilitate discussion of issues such as corporate culture, risk management, internal controls, director duties, remuneration, and the role of regulators and banks in cross-border deals.

THE GOLD(MAN) STRATEGY
Founded in 1869, Goldman Sachs (Goldman) is one of the leading global investment banking, securities and investment management firms and provides a wide variety of financial services to individuals, companies, financial institutions and governments.1 Headquartered in New York, it has a global presence in more than 30 countries with offices in all the major financial centres.

Goldman’s business strategy, said the former Chief Executive Officer (CEO) Lloyd Blankfein, is “chasing GDP around the world.”2 It was his commitment to this that led him to a meeting with Malaysia’s then prime minister, Najib Razak, in late 2009.3 The meeting, held in a New York hotel, was arranged and attended by Goldman’s former employee, Tim Leissner, and Malaysian businessman Jho Low. This gathering marked the start of Goldman’s expansion into Malaysia. The Securities

license advisory operations in the country shortly after, in December 2009.4

A few years later, Goldman proceeded to raise a total of US$6.5 billion for the state’s sovereign wealth fund, 1Malaysia Development Berhad (1MDB).5 However, misdeeds underlying these transactions were subsequently unveiled, embroiling the firm in a mess of regulatory investigations.

BOARD AND COMMITTEES
As at 26 March 2013, the Board of Directors (BOD) comprised 13 directors, with 10 independent directors and three executive directors, namely Blankfein (CEO), Gary D. Cohn (President & Chief Operating Officer (COO)) and David A. Viniar (Chief Financial Officer (CFO)).6 The board was chaired by Blankfein and had a lead independent director, James J. Schiro.

The board comprised directors from diverse backgrounds, with directors from different countries, including the United States, Europe and Africa. One of the directors, Adebayo O. Ogunlesi, was a Nigerian lawyer and investment banker with experience in international business. He was the chair and managing partner of Global Infrastructure Partners and was 60 years old.7

Another director, 50-year-old Debora L. Spar completed her education at Harvard University, and later became the President of Barnard College (Barnard) in Columbia University. Blankfein’s wife, Laura, is a Barnard College alumna and is listed as a member of the board of trustees at Barnard. The Lloyd & Laura Blankfein Foundation donated US$50,000 and US$25,000 to Barnard for fiscal years ended 31 January, 2010 and 2009 respectively. In response to queries, Gregory Brown, Barnard’s Chief Operating Officer, claimed that Barnard does not receive any direct funding from Goldman but it does receive contributions from its employees.8

Stephen Friedman (Friedman), the Chairman of Stone Point Capital, was the oldest director on the board, at 76 years old. He was also a Class C director at the New York Federal Reserve Board (Fed). Being among those who were assigned to represent the public interest in the Fed,
he played more of a supervisory role over Goldman.9 In
Commission in Malaysia announced the approval of
2009, he began boosting his holdings of the Goldman
Goldman’s fund management and corporate finance

This case written by Cheok Sin Ping, Chua Jia Yi, Loh Zhi Yan and Than Jia Hui under the supervision of Professor Mak Yuen Teen and Professor Richard Tan. The case was developed from
published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this
case are not necessarily those of the organisations named in the case, or any of their directors or employees. This case was edited by Vidhi Killa under the supervision of Professor Mak
Yuen Teen.
126 GOLDMAN SACHS: HUNGRY LIKE A WOLF

stock without checking with the Fed. He bought 37,300 shares on December 17, 2008 and a further 15,300 shares on January 22, 2009, raising a total of around five million dollars in volume. The Federal Reserve Act bars directors representing the public interest from owning bank stocks or being bank directors or officers.10 These rules created a controversy involving the ethicality of Friedman’s actions. While Friedman was lambasted by the Fed and other colleagues, Blankfein believed that “there was nothing in the slightest way wrong or untoward about his actions”.11

The board also included Indian businessman, Lakshmi N. Mittal (Mittal), aged 63. Based in the United Kingdom, he became Chairman and CEO of the world’s largest steelmaking company, ArcelorMittal S.A. However, his appointment was questioned given his non-financial background. Blankfein defended the decision to place an industrialist on the board, saying that Mittal had “reshaped a global industry” and “sparked remarkable growth” in the economy. He added that Mittal’s “experience, judgment and independent thinking” were important to Goldman’s board, and would be of “tremendous value” to all their shareholders and their clients.12

Other directors included:

– 65 year-old Claes Dahlbäck, a Swedish businessman, senior adviser to Investor AB and Foundation Asset Management, and a graduate of the Stockholm School of Economics;
– James A. Johnson, 70, a United States Democratic Party figure, who was the former CEO of Fannie Mae and the Former Vice Chairman of Perseus, L.L.C.;
– M. Michele Burns, 56, who was the CEO of the Retirement Policy Center and Mercer;
– 71-year-old William W. George, Professor of Management Practice at Harvard Business School; and
– Mark E. Tucker, 57, Executive Director, Group Chief Executive Officer and President of AIA Group Limited.13

There were four board committees covering audit, risk, compensation and corporate governance/nominating, all comprising solely of independent directors. The Audit Committee (AC) which comprised of professionals with an extensive range of audit and industry experience, was responsible for independently assessing and validating key controls within the risk management framework.14

The Corporate Governance and Nominating Committee (Governance Committee) at Goldman was responsible for talent development, recruitment and board succession planning. It recommended individuals for nomination and appointment to the board and its committees as it deemed fit. It reviewed the succession plans of the senior managers and directors of the company. The committee was also responsible for board evaluation, upholding governance and ethical standards, and reviewing board compensation, among other things.15 It was also to ensure diverse demographics on the company board by considering race, ethnicity, nationality, gender, culture and other factors, to inculcate healthy and diverse viewpoints within the board.

The Risk Committee (RC) was responsible for the board’s oversight and review of the company’s risk management process and control framework.16 It conducted regular reviews and held discussions with management regarding the aggregate risk exposures relating to areas such as market risk, credit risk and operational risk. During the review of risk, there will be frequent interactions between the RC, the CFO, the General Counsel, the Chief Risk Officer (CRO) and other key risk management executives. The CRO was tasked to advise the RC of relevant risk metrics and material exposures which will be communicated to the board as part of the firmwide risk.17

The overlap in membership between the Compensation Committee (CC) and RC allows the CC to recognise the significance of having compensation programs that are consistent with the safety and soundness of the firm. Firmwide compensation policies were frequently reviewed, taking into consideration the firm’s risk appetite to ensure that it does not impact the firm adversely and materially.18

RISK MANAGEMENT

The risk management process was governed by a comprehensive framework revolving around three core components: governance, processes and people. The framework was applied to monitor, evaluate and manage the risks assumed by Goldman in conducting the activities which included market, credit, liquidity, operational, legal, regulatory and reputational risks.19

The risk management process involved various functions such as the revenue-producing units, independent control and support functions, risk-related committees and senior management. In order to foster a strong oversight structure with appropriate segregation of duties, the company adopted a comprehensive framework involving multi-layered supervision and dedicated extensive resources to independent control and support functions.20

With the numerous risk committees in place, the Management Committee (MC) was responsible for overseeing the global activities of the firm as well as all the independent control and support functions. Directly under the MC, the Firmwide Client and Business Standards Committee (FCBSC) and Firmwide Risk Committee (FRC) were established with two and four subcommittees respectively. The FCBSC was responsible for assessing and making determinations regarding business standards and practices, reputational risk management, client relationships and client service. The FRC handled the monitoring and control of firm’s financial risks through approving risk limits and reviewing results of stress tests and scenario analysis. Under the FCBSC and FRC, the Firmwide Capital Committee (FCC) was established with the aim to safeguard business and reputational standards for underwritings and capital commitments on a global basis. The FCC’s main responsibilities were in providing approval and oversight of debt-related transactions as well as principal commitments of the firm’s capital.21

Under the independent control and support functions of the risk management framework, 11 subcommittees were established: Compliance, Controllers, Credit Risk Management, Human Capital Management, Legal, Market Risk Management, Operations, Operational Risk Management, Tax, Technology and Treasury.

COMPLIANCE AND LEGAL FUNCTIONS

The Compliance and Legal functions, which were part of the independent control and support function, played an important role in the 1MDB scandal. The key responsibilities of the compliance function were managing and overseeing the compliance policies and internal accounting controls of Goldman, while the legal function was responsible for conducting due diligence and analysing the impact of potential clients’ reputational risk on Goldman. The legal function was also in charge of conducting investigations and probing inquiries related to fraud, corruption, sanctions and money laundering.

For the implementation of projects, lawyers and internal and external auditors were engaged to conduct due diligence on investment banking, through reviewing public records and performing additional screening. Potential or actual risks identified were raised to senior management and various committees to mitigate the same. These reviews and the approval process by the compliance and legal functions ensured that business, suitability and reputational standards were maintained as required and transactions were executed in accordance with management’s authorisation.22

OPERATIONAL RISK MANAGEMENT

The Operational Risk Management (ORM) function was mainly responsible for developing and implementing policies, methodologies and a formalised framework for operational risk management so as to minimise Goldman’s exposure to operational risk. A combination of top-down and bottom-up approach was implemented to manage and measure operational risks on a day-to-day basis. For example, senior management was required to assess the operational risk profile while the revenue-producing units, independent control and support functions were responsible for identifying, mitigating and escalating operational risks to the appropriate personnel. The operational risk framework, subjected to annual review by the internal audit function, comprised of three main practices: risk identification and reporting, risk measurements and risk monitoring.23

Under risk identification and reporting of operational risk events, a comprehensive data collection process with firmwide policies and procedures was adopted. Established policies were present which required risk events to be documented, analysed and escalated so as to determine if changes were necessary in the firm’s systems or processes to prevent any recurrence. Additionally, Goldman implemented firmwide systems that allowed management to capture internal operational risk event data, key metrics and statistical information. The data was used to evaluate operational risk exposures and identify businesses, activities and products with higher operational risks.24

Under risk measurement, Goldman adopted statistical modelling and scenario analysis to measure the firm’s operational risk exposure over a 12 months’ time horizon. Both qualitative and quantitative factors were incorporated into the assessment such as internal and external operational risk event data, evaluation of the complexity of the firm’s business activities and the legal and regulatory environment. Results from the analysis were utilized to monitor changes in operational risks as well as identify business lines that may have heightened exposure to operational risk. Ultimately, the results were used to determine the appropriate level of operational risk capital to hold.25

Under risk monitoring, changes in operational risk profile of the firm and its businesses, which included changes in business mix or jurisdictions that the firm operates in, were evaluated by the ORM function at the firmwide level. Both, detective and preventive internal controls, were in place to reduce the frequency and severity of operational risk losses as well as the probability of operational risk events.26

THE GENESIS OF 1MDB

“We cannot have an egalitarian society - it’s impossible to have an egalitarian society,” “But certainly we can achieve a more equitable society.”27
-Najib Razak, Former Prime Minister of Malaysia

1MDB is a state investment fund which Najib Razak (Najib) launched in July 2009 shortly after becoming Malaysia’s Prime Minister. The aim of the fund was to resuscitate Malaysia’s economy through investing in green energy and tourism via issuance of various debt securities. However, it was discovered that multiple key figures including public officials and associates allegedly formed a conspiracy in fraudulently siphoning off billions of dollars from 1MDB from 2009 to 2015. The funds were transferred illegally through banks and foreign wire communications. The funds were then used for personal purposes, by co-conspirators, their relatives and associates, including the purchase of artwork worth more than US$200 million, luxury real estate in the U.S. and other countries, lavish gifts for family and friends, and even funding the production of major Hollywood films.28

GOLDMAN STEPS IN

“That’s a bit too cozy, a bit too overly generous. Goldman was one of the few firms, in fact the only firm, that could provide the solution that was required.”29
-Arul Kanda, Former 1MDB President

In 2012, Goldman provided services for the acquisition of Tanjong Energy Holdings from Malaysian billionaire Ananda Krishnan, and domestic power plants from Genting Berhad (Genting). These acquisitions were financed by two separate bond offerings in 2012 worth US$3.5 billion.30

The bonds were guaranteed by 1MDB and the International Petroleum Investment Company (IPIC), an investment fund wholly-owned by the government of Abu Dhabi. In 2013, 1MDB issued an additional US$3 billion in debt underwritten by Goldman to raise capital for new strategic economic initiatives with Abu Dhabi. These initiatives comprised of a financial centre built on 70 acres of prime Kuala Lumpur real estate. Goldman received US$600 million in fees for all the underwriting and arranging services. The bank’s fees amounted to 7.7% of the face value of the securities, as compared to prevailing market rate of 1.32% in 2013 for comparable deals.31

THE GOLD DIGGERS

Tim Leissner, a German national, had worked for Goldman since 1998. He was the Southeast Asia Chairman under Goldman’s Investment Banking Division.32

Low Taek Jho, also known as Jho Low, was a Malaysian national who acted as an adviser on the establishment of the Terengganu Investment Authority (TIA), which was later named as 1MDB. He worked as an intermediary for 1MDB and other foreign government officials on projects that involved Goldman but he did not hold any formal position in 1MDB.33

Ng Chong Hwa, also known as Roger Ng, another Malaysian national, was a former Goldman partner and the head of its Southeast Asia sales and trading department.34

Leissner, Ng and Low worked together to obtain business for Goldman. In January 2009, they discussed the engagement of Goldman in raising funds for Project Tiara, the predecessor of 1MDB. At that point in time, Low was the person-in-charge of Project Tiara and served as an adviser for the project. They used Low’s connections with high-ranking officials to build the network. A meeting involving the Executive Director of 1MDB, Low and the two bankers for a potential partnership was set up by email in January 2009.35

In February 2009, the Malaysian municipality of Terengganu officially launched TIA for the purpose of investing and managing the municipality’s public funds, with the support of Goldman. TIA issued Islamic medium-term notes valued at US$1,425,680,000 with Low and Leissner involved in these transactions. They kept their relationship confidential despite knowing that they were obligated to disclose it to Goldman. The Ministry of Finance (MOF) took over control of TIA for national expansion in July 2009 and it was renamed to 1MDB.36

In November 2009, there was speculation regarding Low’s source of money, when he splurged in New York City Clubs. He was seen going to the city’s most lavish night clubs in a fleet of black Cadillac SUVs. Despite the red flags, the two bankers still continued to work with him.37

Between May 2012 and March 2013, Goldman was appointed as the lead bank for three 1MDB bond offerings. Leissner was the lead banker on the deal teams and Ng was involved for the two bond offerings in 2012. Jasmine Loo Ai Swan, 1MDB’s General Counsel and Executive Director of Group Strategy, was the main point of contact between 1MDB and Goldman for the bond offerings.38

PROJECT MAGNOLIA

1MDB approached Goldman for advice regarding the acquisition of a Malaysian energy company, Tanjong Energy Holdings Sdn Bhd (Tanjong Energy) in February 2012 and appointed Goldman as the sole bank to handle the US$1.75 billion debt financing. Within Goldman, the bond deal was named Project Magnolia. During the engagement on Project Magnolia, Leissner and Ng contacted each other via email and met up on at least two occasions during March 2012 to discuss the transactions. Low also arranged meetings for Leissner with high-ranking officials. Low allegedly mentioned that they needed to pay bribes to government officials in Malaysia and Abu Dhabi, including Najib, to gain their approval for part of the transactions.39

The deal team structured Project Magnolia as bond deals instead of other financing alternatives which could be cheaper for 1MDB. This is because bond deals could generate much higher commissions for Goldman and boost Goldman’s reputation worldwide. They could also provide Leissner and Ng with additional remuneration and professional prestige.40

The offering circular for the bond, dated 18 May 2012 indicates that 1MDB Energy issued US$1.75 billion in privately-placed notes at an interest rate of 5.99% per annum, redeemable in 2022. The net proceeds were estimated to be approximately US$1.553 billion after the deduction of Goldman’s fees and commissions. The offering circular also stated that US$810 million of the net proceeds from the bond issue were to be used to fund the acquisition of Tanjong Energy. The remaining of US$744 million was designated for “general corporate purposes”, such as future acquisitions. On 21 May 2012, the bond deal was closed.41

In exchange for Goldman’s services as the arranger and underwriter of the notes, Goldman received an arranger fee of one percent of the principal amount of the notes which was US$17.5 million as well as a commission of US$192.5 million. The total fees added up to around 11% of the principal amount of the bond and was directly deducted from the subscription proceeds of the bond. This resulted in lucrative year-end bonuses paid to Leissner and Ng as well as the other members in the deal team who were involved in obtaining and structuring the bond deal.42

PROJECT MAXIMUS

On 31 May 2012, Leissner informed Goldman about 1MDB’s plan to purchase power assets from Genting and its intention to issue a second bond amounting to US$1.75 billion. This private placement bond transaction was named Project Maximus. 1MDB entered into an agreement with Genting for the acquisition of power assets on 13 August 2012. 1MDB had established a wholly-owned subsidiary known as 1MDB Energy (Langat) Limited (1MDB Energy Langat) to take possession of the power assets and issue debt securities to fund the acquisition.43

The offering circular for Project Maximus, dated 17 October 2012, stated that 1MDB issued US$1.75 billion in privately-placed notes, at an interest rate of 5.75% per annum, redeemable in 2022. The net proceeds of the bond sale were estimated at US$1.636 billion after taking into account Goldman’s fees and commissions. It also disclosed that the net proceeds of the bond were to be used for 1MDB Energy Langat to fulfill its obligations under its contract with Genting, in relation to the acquisition of power assets. A total of US$692 million of the bond proceeds were meant for Genting acquisition and the balance were for general corporate purposes including future acquisitions. Both, Project Magnolia and Project Maximus, were guaranteed by 1MDB and IPIC in order to increase the credit rating and negotiate for better interest rates on the bonds.44

PROJECT CATALYZE

In November 2012, almost right after the closing of Project Maximus, Leissner and Low started to work on the next 1MDB bond deal. The latest bond transaction was called Project Catalyze within Goldman. On 13 March 2013, 1MDB entered into the joint venture with Abu Dhabi Malaysia Investment Company (ADMIC), with each holding 50%. The creation of ADMIC was meant for the strategic initiatives to be undertaken jointly by both, the Government of the Emirates of Abu Dhabi and the Government of Malaysia, for the growth of both countries. Both parties were to pump in a capital of US$3 billion each. Hence, 1MDB Global Investment Limited (1MDB Global), a wholly owned subsidiary of 1MDB, issued US$3 billion in bonds, dated 16 March 2013, at an interest rate of 4.4% per annum, redeemable in 2023. The net proceeds after deduction of Goldman’s service and commission fees were US$2.716 billion. On 23 April 2013, 1MDB announced that the full amount of capital raised will be deployed for investments in strategic projects such as energy and real estate, which can significantly contribute to the long-term economic growth of both parties.45

Unfortunately, the truth is that the funds for all the projects were not used for legitimate business purposes and were diverted into different accounts in other countries.

STUMBLING BLOCKS

Between September 2009 and March 2011, Leissner and Ng made several attempts to make Low a formal client of Goldman, but were unsuccessful.

In September 2009, Leissner attempted to open a Private Wealth Management (PWM) account for Low with 1MDB’s Swiss office. Compliance personnel, part of the independent control and support function in the risk management framework, reviewed his finances and raised doubts regarding his source of wealth highlighted by his lavish spending.46

During the period from January to March 2011, Leissner again suggested a transaction with Project Gold, a private equity firm controlled by Low. The legal team of Goldman expressed concern and a senior employee also opposed the transaction. In March 2011, Leissner referred Low for another PWM account with the Singapore office. After a background check was conducted by Europe, Middle East and Africa (EMEA) counterparts and the legal team, he was again rejected due to unfavourable information stemming from the suspicious source of his wealth. A compliance employee stated that they have zero appetite for a relationship with Low.47

Knowing that the Compliance and Legal departments have strong objections towards dealings with Low, the two bankers decided to conspire with Low without disclosure to certain personnel who would jeopardize their deals, as they believed that Low’s connections with the government officials in Malaysia could bring about lucrative business deals to Goldman.48

GOING THROUGH THE BACKDOOR

“The due diligence functions at Goldman Sachs fell apart. If you’re going to raise $6 billion for someone you better know everything there is to know about that someone.”49
-Richard Bove, Analyst at Odeon Capital

Across the three bond offerings, Goldman conducted compliance reviews for all projects and it mostly involved the Compliance team questioning Leissner and the deal team regarding the involvement of Low in the transactions. Compliance personnel repeatedly enquired whether Low was involved and Leissner affirmed that he was not aware of his presence for the transactions. Firmwide Capital and Suitability Committees then approved the projects based on the information given to them.50

The revelation of the bribery and kickback scheme in late 2018 brought several internal control loopholes to the surface as authorities questioned the robustness of the firm’s system in reviewing the approval for those illicit deals. In November 2018, Goldman’s quarterly filings revealed that Leissner and Ng circumvented the firm’s internal accounting controls, which are based on Foreign Corrupt Practices Act (FCPA)’s anti-bribery and internal accounting control provisions.51

The duo managed this feat by providing misleading information about Low’s involvement to the control personnel and the internal committees reviewing the deal. In addition, it was alleged that at least one high-ranking executive in Goldman’s Asian operations knew of the bribery, but the deal was able to successfully evade the bank’s detection system.52

The findings from DoJ showed that the compliance and legal divisions of Goldman were willing to rely on the word of Leissner to dismiss the concerns they had in dealing with such an inexplicably affluent and politically connected individual, Low.53 They failed to take any further actions to substantiate Leissner’s words. In addition, the fact that they had repeated success in closing bond deals with 1MDB is partly attributed to the willingness of other colleagues to assist them to cover up Low’s participation in the deals.

LACK OF BOARD APPROVAL

It was further discovered that Goldman proceeded with the issuance of at least one bond without gaining approval from the BOD of the bond guarantor, IPIC. Typically, board resolutions should be obtained for corporate actions involving any material transaction that entails considerable risks. In the case of US$1.75 billion raised in 2012, the funding was only approved by a senior IPIC official, Khadem Al Qubaisi. Goldman also relied on the close relationships between senior IPIC executives and a few key Malaysian government officials to evade scrutiny from the compliance teams. It simply relied on documents presented by IPIC executives and legal opinions of external counsel as proof of IPIC’s consent to be the chief guarantor.54

HUFF AND PUFF, WHERE DID THE MONEY GO?

1MDB had no interest in the assets that were being acquired with the funds and envisaged no return on those investments. During the course of their detour and misappropriation, the funds were transferred to several shell companies across numerous countries. These countries included Switzerland and Singapore, before they finally reached the hands of those involved in the scheme. Some of these funds flowed through the United States, in particular, the Eastern District of New York. Low, together with the other accomplices, continued to make payments to the 1MDB officials, including those officials who had the power and authority to grant business to Goldman. Some of the funds that were used to bribe the foreign officials were derived from the proceeds of the bonds issued by 1MDB in 2012 and 2013, with the aid of Goldman.55

PROJECT MAGNOLIA

Based on the review of the financial records that were gathered during the investigation, Goldman had sent the proceeds of the Magnolia bond offering to 1MDB Energy Labuan, outside the U.S., amounting to nearly US$577 million. This sum was equivalent to more than one-third of the net proceeds of the bond offering, and was being transferred to the bank account of the Aabar-British Virgin Islands (Aabar BVI).

The name of the account was intentionally created to give the impression of a link to Aabar Investments PJS (Aabar), a subsidiary of IPIC. In reality, there was no affiliation between the companies, and the Swiss bank account was just a conduit for transferring the funds from the bond proceeds, before being subsequently used for the benefit of officials at 1MDB, IPIC, and Aabar, including Qubaisi (IPIC’s Chairman), and Husseiny (Aabar’s CEO). These transfers were not disclosed in the offering circular.56

Sometime in May 2012, approximately US$295 million was wire transferred from the Aabar-BVI account to a Singapore bank account in the name of a real estate company, Tanore Finance Corporation (Tanore). However, this company was believed to have no relation to a widely known real estate investment firm which was similarly named. The registered beneficial owner of Tanore, Eric Tan Kim Loong, is a Malaysian national and associate of Low. Low had used Tan as a proxy for financial transactions and further instructed him to transfer funds. Low had control over Tanore as well.57

About two weeks after the bonds were issued, approximately US$35 million was transferred from Tanore to a Hong Kong bank account. This company was a BVI-incorporated entity controlled by Leissner and owned by his close relative. Financial records found during the investigations revealed that the company’s bank account also received a transfer of approximately US$16.9 million from Tanore Finance Corporation. The other bond funds were distributed to officials of a foreign agency, foreign investment firm and 1MDB, including “foreign officials” under the FCPA, Low and his accomplices.58

PROJECT MAXIMUS

Two days after Project Maximus was closed, about US$790 million of the proceeds from this bond was diverted to Aabar-BVI account on the same day that 1MDB Energy received the proceeds. The US$790 million was transferred into and then out of the United States. Some of the proceeds were transferred to another shell company account. Financial records showed that funds amounting to approximately US$209 million were transferred between these two shell companies’ accounts. Like Project Magnolia, the unauthorised proceeds that were being diverted from Project Maximus were transferred to Tanore and distributed to various accomplices.

Between late October and early November 2012, approximately US$200 million was transferred from Tanore, through several intermediaries, to an account that was beneficially owned by Low. Amongst other things, he used these funds to purchase jewelry, and pay off credit card bills and expenses related to a private jet. Funds were also transferred to other accounts that were beneficially owned by Low or immediate family members.59

About US$472 million was transferred from Tanore to a Luxembourg account. This account, which was under the control of an accomplice, was used to purchase luxury properties in New York and Beverly Hills, amongst other things. Another US$238 million was transferred to a Singapore bank account belonging to an entity owned by Low’s friend. This person was also a relative of Najib.

Leissner also facilitated the transfer of approximately US$2.7 million from the holding company account to the account of a company beneficially owned by several 1MDB officials. By 22 February 2013, Tanore’s account balance had fallen to zero.

PROJECT CATALYZE
Leissner began to transfer millions of dollars to accounts that were beneficially owned by 1MDB officials, several days after Goldman was awarded Project Catalyze. On 17 January 2013, he transferred about US$2 million to these accounts. The illegal proceeds, which amounted to US$3 billion, raised by the Catalyze bond issuance were transferred to Leissner, Low and the others.

About US$65 million, which could be tracked to the Project Catalyze bond issue, was transferred in and out of the U.S. from an account of a purported private equity firm controlled by Low.60 Around US$681 million was transferred from an account in Switzerland in the name of an implied financial corporation to an account in Malaysia belonging to Najib, which had an individual and a 1MDB official as signatories.

US$620 million was wired from a separate account, controlled by Najib, to another shell account. A share of these funds then passed through several additional accounts and was ultimately used to purchase a 22-carat pink diamond pendant and necklace for Rosmah.

On 4 June 2013, about US$58 million was transferred from that shell account to an account maintained in New York by an auction house. The funds were used to purchase five pieces of valuable artwork for Low and another individual. Additional transfers of about US$7.9 million and US$71 million were used to purchase additional artworks for them as well.

MORE GOLD!
After the closing of the bond offerings, Leissner and Ng were still actively seeking more 1MDB business. In order to persuade government officials to provide a role for Goldman in any 1MDB dealings, they used more bribes and kickbacks. The DoJ’s charge documents alleged that Low and Leissner discussed the need to get on the good side of a 1MDB official and to send “cakes” to Rosmah in 2014. A few months later, Leissner’s bank account was used to transfer approximately US$4.1 million to pay for gold jewelry for Rosmah.61

Low and Leissner continued to make corrupt payments to 1MDB officials and Low also persisted in his promise to pay the 1MDB officials. For instance, one of the 1MDB officials had emailed himself a saved chat with Low, in which they discussed the 1MDB business. This included ways to cover up the diversion of the funds from the 2012 to 2013 bonds into shell company accounts from auditors and bondholders. In the same chat, Low promised him “one American burger should be delivered next week” when they were discussing the payment of bribes.62

THE HUNT BEGINS
In July 2015, The Wall Street Journal released a report alleging that US$681 million of deposits had flowed into Najib’s personal bank accounts.63 A special task force was formed to investigate these accounts, which concluded that the amounts deposited into his accounts were donations from the Saudi royal family, not from 1MDB.

As a result of the US$681 million transfer, various authorities, including Swiss prosecutors, the Monetary Authority of Singapore (MAS) and the DoJ, were involved in an international probe to trace the flow of cash allegedly siphoned out of the state fund.64

On 1 November, 2018, the DoJ unveiled charges against the three key parties involved in the 1MDB scandal - Leissner, Ng and Low.65 The court filings outlined their collusion in the 1MDB money laundering scheme as well as their violation of the FCPA for circumvention of internal controls and bribery to several government officials. The embezzled 1MDB money had been moved around the globe before being used to buy luxury real estate in the US, precious artwork and custom-made jewellery.66

That same day, Leissner pleaded guilty to his two-count indictment and agreed to pay US$43.7 million.67 Ng was detained in Kuala Lumpur, shortly after the announcement of charges by the U.S. DoJ.68 Low, however, has denied any wrongdoing. He is wanted by several countries and is the subject of a global manhunt.69

HUNTERS ARE COMING
Malaysia has filed charges against three of the bank’s units (Goldman Sachs International (UK), Goldman Sachs (Singapore) and Goldman Sachs (Asia) LLC).70 It also filed charges against former employees, Leissner and Ng, for alleged false statements involving US$6.5 billion of 1MDB bond sales that the bank arranged.71 The Malaysian authorities allege that Goldman misled investors, when the bank knew that proceeds from 1MDB bond sales it arranged would be misappropriated. The government is seeking fines in excess of both the US$2.7 billion of allegedly misused funds and the US$600 million in fees received by Goldman on the deals.72

Less than a week after Malaysia filed charges, it was reported that Singapore had expanded a criminal investigation with regard to fund flows linked to 1MDB to include Goldman.73 In the country’s first criminal investigation of a company relating to the 1MDB scandal, the authorities are trying to determine if the US$600 million fees earned from the bond issuance had flowed to Goldman Sachs’ Singapore unit.74

Various regulatory and law enforcement agencies around the world are working closely together to unravel the complex network of transactions which involved various offshore shell companies and conspirators operating in numerous jurisdictions.75

On 1 November 2018, the DoJ announced the profiles of the Goldman bankers who were involved in the 1MDB fraud and indicated that there is a high possibility that the firm will face significant fines. The announcement caused Goldman’s shares to dive to their lowest level since 2011.76

On 17 December 2018, Goldman was officially charged for the first time for its alleged violations of Malaysia’s securities laws. Malaysia has also filed related charges against Leissner and Ng, as well as the former 1MDB employee, Loo and fugitive financier, Low. Goldman’s stock fell 30% from US$226.97 in November 2018 to US$167.05 as of 31 December, 2018.77

As of 1 April 2019, Goldman’s shares had not completely recovered from the 1MDB fraud, closing at US$202.23.78

“WOLF CULTURE”
Under the leadership of the former CEO, Blankfein, who had been in the role since 2006, Goldman faced many allegations of prioritising profits to the detriment of its clients.79

Blankfein was compensated with US$13.3 million in restricted shares in 2012, together with a US$5.7 million cash bonus and US$2 million in salary. This was US$9 million more than the previous year. Since Blankfein was on a long-term incentive plan, he also received shares depending on his performance. Blankfein was known to be the best-paid banker across the globe and his lavish paycheck also earned him the title of “Most Outrageous CEO” in a 2009 Forbes ranking.80

“They have embarked on a very aggressive course of having their cake and eating it too”81
- A private equity executive from Goldman

During the investigation of the scandal, when fingers were pointed at Goldman, the company simply claimed that such misconduct was just the behaviour of a “rogue” employee who did not truly reflect the corporate culture of Goldman. While on the sidelines of the DealBook conference, Blankfein attempted to brush the case aside.82

“These are guys who evaded our safeguards, and lie. Stuff like that’s going to happen.”83
- Blankfein, Former CEO of Goldman Sachs

Ironically, Blankfein was reportedly present at the meeting with Low and Najib for discussions regarding 1MDB.84 It was alleged in the indictment that the culture in Southeast Asia “prioritized consummation of deals” over complying with the law. Greg Smith, who was the executive director and head of the firm’s U.S. equity derivatives business, highlighted that Goldman’s culture had become so depraved that clients were seen as “muppets” and were being manipulated to produce as much revenue as possible for the company. Inexperienced trainees at the firm were encouraged to coerce clients to invest, even if those investments were not in their best interest.85

Additionally, Leissner justified his action of pocketing US$200 million of the proceeds from the bond offerings and concealing facts from the compliance and legal side as being very much in line with the Goldman culture.86

THE NEW PACK LEADER
On 1 October, 2018, David Solomon succeeded Blankfein as the new CEO of Goldman and also took over as Chairman when Blankfein assumed the role of “senior chairman” at the end of that year.87 Solomon’s background in banking contrasts with Blankfein’s background in trading, indicating the direction Goldman is likely to take under him. This signaled that the company is likely to move away from high risk trading towards less volatile businesses, including mergers and acquisitions (M&A), securities underwriting and consumer banking.

Today, a majority of Goldman’s employees are millennials.88 Goldman now competes for talent not only with other investment banks such as J.P. Morgan and Morgan Stanley but also with technology companies such as Amazon, Facebook and Apple.89

It has publicly indicated that it needs to become more transparent and open so that it can be a friendlier place to work in. It has already started offering opportunities through social media channels, allowing employees to share information and interact as they do at major technology firms. Solomon also laid down new guidelines to allow the firm to successfully shift towards being a more diverse firm. Solomon believes that such a shift would help it to serve its current diverse client base better.90 He believes that the quality of his employees and his belief in them can serve as the cornerstone to the success of Goldman.91

The top management at Goldman claim to be committed to “driving diversity” in their work with clients and in their core commercial activities. In fact, diversity is a shared priority among many of Goldman’s clients and stakeholders. The current board at Goldman believes that wider diversity in terms of experience, gender identity, race, ethnicity, and sexual orientation on boards reduces the risk of groupthink and unlocks creative and impactful solutions for the company.92

A NEW BREED?
The current board at Goldman has 58-year-old David M. Solomon as its Executive Chairman. He has been Goldman’s CEO and director since 2018.

Drew G. Faust, aged 72, an American, serves as an independent director on the board. She has been a professor, dean and president at Harvard University. She joined Goldman’s board in July 2018. Peter Oppenheimer, 57, joined Goldman in 2014 as an independent director, chairing the AC. He has a strong background in finance, and has been a CFO for over 20 years. Mark A. Flaherty, 53, an independent director, has been at Goldman since 2014.

Ellen J. Kullman, another American who is 64, joined the board as an independent director in 2016. She chairs the Public Responsibilities Committee and is a member of the Compensation and the Governance Committees as well. Another American, Jan E. Tighe, 57, has served as an independent director in Goldman since 2018. She has been highly involved in the company’s strategic and technological planning.

Mark O. Winkelman, aged 72, is an independent director and a trustee at Goldman since 2014. He chairs the Risk committee. He is currently a private investor and has previously been an investment officer as well.

M. Michele Burns, Lakshmi N. Mittal and David A. Viniar remain on the board and Adebayo O. Ogunlesi is the lead independent director.93

Solomon announced that from February 2020, the bank would only underwrite IPOs of private companies in the U.S. and Europe that have at least one diverse board member. The CEO said that he had benefitted a great deal from the counsel of his Lead Director who is “a black man from Nigeria” and from the board with four out of 11 directors who are female.94

In 2013, the board renamed its existing Corporate Governance and Nominating Committee as the Corporate Governance, Nominating and Public Responsibilities Committee.95 However, in 2015, the Public Responsibilities subcommittee was restructured to form an independent board committee called the Public Responsibilities Committee.96 According to Goldman’s policy, its lead independent director is an ex-officio member of all the committees.97

THE HUNT CONTINUES
The spectre of 1MDB remains as authorities in various countries continue to pursue their investigations. In June 2019, representatives from all three Goldman units in London, Hong Kong and Singapore were expected to appear in a Malaysian court hearing.98 It has been estimated that US$2 billion in penalties99 will be imposed on the Wall Street firm. This court hearing was subsequently pushed to 30 September, 2019, when the Prosecution appealed to transfer this case to the Malaysian High Court.100

This court case in Kuala Lumpur involved three of Goldman’s subsidiaries, Goldman Sachs International Ltd, Goldman Sachs (Asia) LLC and Goldman Sachs (Singapore). In December 2019, the case against all three business units was moved from the Magistrate Court to Malaysia’s High Court.101

Ng will face trial in the U.S. in May, 2020. Low, who is currently reportedly in China, also finds himself facing charges in the US and Malaysia.102 Leissner has already pleaded guilty to conspiring to perpetrate bribery, money laundering and violating Foreign Corrupt Practices. He was fined US$1.42 million by the Fed.103 A lifetime ban from the securities industry has been issued against both Leissner and Ng. While Ng has only been banned in the U.S., Leissner has been barred in the U.S., Hong Kong and Singapore.104

Another permanent ban from the banking industry was issued by the Fed against another Goldman executive, Andrea Vella, for his role in Malaysia’s 1MDB scandal. Despite being the former co-head of Asia investment banking, he failed to flag Low’s involvement in the 2012 and 2013 bond offerings. He was aware that Low was “a person of known concern” with regard to this scandal. His role in the firm was to provide complete and accurate information to the board committees reviewing the complex financing transactions and to appropriately supervise financing personnel working on those transactions. Moreover, he was accountable for both Ng and Leissner. Vella had already left Goldman.105

In the second week in January 2020, Goldman’s problems were underscored by the second consecutive miss of its target quarterly earnings, with a 24.8% drop in the fourth quarter profit.106 Litigation provisions related to the 1MDB scandal knocked off more than US$1 billion from the bank’s bottom line.

Goldman has been negotiating a settlement. This case once again shows that large banks like Goldman may be too big to regulate.107 Goldman’s business in Malaysia, relative to the size of the group, is extremely small such that any fines or restrictions on the bank’s operations in the country are unlikely to have a large impact on the Group’s bottom line.108

In addition to the large fine that Goldman will likely have to pay, the DoJ is also seeking a guilty plea for the company itself. Given that Goldman has never previously pleaded guilty to any criminal wrongdoing in its 150-year history, it is far from clear that this will happen.109 The bank and U.S. officials have discussed a deal in which a Goldman subsidiary in Asia would plead guilty to violating US bribery laws and pay up to two billion U.S. dollars as a fine. This settlement involves agreement between three regulators - the DoJ, the SEC and the Fed - and is not yet finalized.110

DISCUSSION QUESTIONS
1. How might Lloyd C. Blankfein’s dual role as Chairman and CEO have affected Goldman Sachs leading up to the scandal? Why do you think he held both roles despite the potential corporate governance issues which may arise? What measures are necessary to mitigate the potential risks of combining the two roles and to what extent were those measures in place at Goldman Sachs?

2. Discuss whether the former Chairman and CEO, Lloyd Blankfein, should be held responsible for the behaviour of its employees in the 1MDB scandal. Identify and propose other measures which the new CEO could take to rebuild Goldman Sachs’ reputation as a leading global investment bank.

3. Evaluate Goldman’s corporate culture and how it could have encouraged or incentivised employees to circumvent internal controls. How can the board of directors set and oversee corporate culture?

4. Critically evaluate the composition of the board and board committees as of 2013 and after the scandal. To what extent should the board of directors of Goldman be held accountable for Goldman’s role in the 1MDB scandal?

5. Goldman has a separate Audit Committee and Risk Committee. Discuss the advantages and disadvantages of having separate committees, and how the Board may ensure that the governance and oversight of risk, control and compliance matters do not fall through the cracks between the two committees.

6. Critically evaluate the failure in the different lines of defence at Goldman in relation to the 1MDB scandal.

7. Examine whether the Risk Committee took adequate steps in assessing the bond transactions. What were the weaknesses in internal control of Goldman Sachs leading to the fraud being undiscovered for years? Suggest how those weaknesses should have been addressed.

8. To what extent did remuneration policies contribute to Goldman’s role in the 1MDB scandal? Explain.

9. Do you think the changes introduced by Goldman following the scandal will help prevent a recurrence of similar scandals? Explain.

10. Discuss the effectiveness and efficiency of regulators in detecting and taking action against cross-border money laundering. To what extent should the various banks be held accountable for failing to detect suspicious money laundering activities? What could both parties have done to better address money laundering risks?

11. To what extent does the anti-corruption legislation in your country hold the company, board and management accountable in a situation such as Goldman’s role in the 1MDB scandal? Explain.

ENDNOTES
1 Goldman Sachs. (n.d.). Goldman Sachs | Our Firm. [online] Available at: https://www.goldmansachs.com/our-firm/index.html
2 Mclean, B. (2008, March 17). The Man Who Must Keep Goldman Growing. Fortune. Retrieved from http://fortune.com/2008/03/17/lloyd-blankfein-goldman-sachs/?mod=article_inline
3 Natarajan, S., Chew, E. (2018, November 9). Lloyd Blankfein Was the Unidentified Goldman Executive Present at 2009 1MDB Meeting. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-08/blankfein-said-to-be-in-09-1mdb-meeting-set-up-by-leissner-low
4 Securities Commission Malaysia. (2009, December 8). SC Grants Fund Management, Corporate Finance Licenses to Goldman Sachs. [Press release]. Retrieved from https://www.sc.com.my/news/media-releases-and-announcements/sc-grants-fund-management-corporate-finance-licences-to-goldman-sachs
5 Burroughs, C. (2019, March 14). The bizarre story of the Goldman Sachs 1MDB Malaysia fund scandal now has a Trump link. Business Insider Singapore. Retrieved from https://www.businessinsider.sg/1mdb-timeline-the-goldman-sachs-backed-malaysian-wealth-fund-2018-12/?r=US&IR=T
6 Goldman Sachs. (2013). Proxy Statement for 2013 Annual Meeting of Shareholders. Retrieved from https://www.goldmansachs.com/investor-relations/financials/arhived/proxy-statements/docs/2013-proxy-statement-pdf.pdf
7 Siewert, J., Holmes, D. (2012, October 15). Adebayo O. Ogunlesi to Join Goldman Sachs Board of Directors. Businesswire. Retrieved from https://www.businesswire.com/news/home/20121015006681/en/Adebayo-O.-Ogunlesi-Join-Goldman-Sachs-Board
8 Toure, M. (2013, March 27). President Spar to serve on board of Goldman Sachs. Columbia Spectator. Retrieved from https://www.columbiaspectator.com/2011/06/16/president-spar-serve-board-goldman-sachs/
9 Sherter, A. (2009, November 25). Friedman Scandal Spurs Rules Change for Federal Reserve Banks. CBS News. Retrieved from https://www.cbsnews.com/news/friedman-scandal-spurs-rules-change-for-federal-reserve-banks/
10 (2012, January 10). Is Stephen Friedman Guilty Of Insider Trading. The Daily Bail. Retrieved from http://dailybail.com/home/is-stephen-friedman-guilty-of-insider-trading.html
11 Farrell, G. (2009, May 9). Friedman taken to task over Goldman deal. Financial Times. Retrieved from https://www.ft.com/content/11d4cad2-3c06-11de-acbc-00144feabdc0
12 (2008, July 7). Rediff India Abroad Business. ‘Lakshmi Mittal joining Goldman Sachs could raise questions’. Retrieved from https://www.rediff.com/money/2008/jul/07mittal.htm
13 Goldman Sachs Index. Retrieved from https://www.goldmansachs.com/our-firm/leadership/board-of-directors/index.html
14 Goldman Sachs. (2012). Goldman Sachs Annual Report for the year ended December 31, 2012. Retrieved from https://www.goldmansachs.com/s/2012annual/assets/downloads/GS_AR12_AllPages.pdf
15 Proxy Statement 2013 Annual Meeting of Shareholders. Goldman Sachs. Retrieved from https://www.goldmansachs.com/investor-relations/financials/archived/proxy-statements/docs/2013-proxy-statement-pdf.pdf
16 Ibid.
17 Goldman Sachs. (2013). Proxy Statement for 2013 Annual Meeting of Shareholders. Retrieved from https://www.goldmansachs.com/investor-relations/financials/arhived/proxy-statements/docs/2013-proxy-statement-pdf.pdf
18 Ibid.
19 Goldman Sachs. (2012). Goldman Sachs Annual Report for the year ended December 31, 2012. Retrieved from https://www.goldmansachs.com/s/2012annual/assets/downloads/GS_AR12_AllPages.pdf
20 Ibid.
21 Ibid.
22 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
23 Goldman Sachs. (2012). Goldman Sachs Annual Report for the year ended December 31, 2012. Retrieved from https://www.goldmansachs.com/s/2012annual/assets/downloads/GS_AR12_AllPages.pdf
24 Ibid.
25 Ibid.
26 Ibid.
27 The Business Times. (2016, March 30). The rise and fall of Tim Leissner, Goldman’s big man in Malaysia. The Business Times. Retrieved from https://www.businesstimes.com.sg/banking-finance/the-rise-and-fall-of-tim-leissner-goldmans-big-man-in-malaysia
28 Financial Times. (2019, February 10). 1MDB explained: timeline of Malaysia’s financial scandal. Financial Times. Retrieved from https://www.ft.com/content/fce8018c-2b4e-11e9-88a4-c32129756dd8
29 The Business Times. (2016, March 30). The rise and fall of Tim Leissner, Goldman’s big man in Malaysia. The Business Times. Retrieved from https://www.businesstimes.com.sg/banking-finance/the-rise-and-fall-of-tim-leissner-goldmans-big-man-in-malaysia
30 Adam, S. (2018, November 2). The 1MDB Deals That Continue to Haunt Goldman Sachs. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-02/the-1mdb-deals-that-continue-to-haunt-goldman-sachs-quicktake
31 Adam, S. (2018, November 2). The 1MDB Deals That Continue to Haunt Goldman Sachs. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-02/the-1mdb-deals-that-continue-to-haunt-goldman-sachs-quicktake
32 Shi, M. (2019, January 3). High-flying investment bankers, reclusive billionaires, and ‘The Wolf of Wall Street’: a guide to the major players in Malaysia’s 1MDB scandal. Business Insider. Retrieved from https://www.businessinsider.sg/goldman-1mdb-scandal-players-explainer-2018-12/?r=US&IR=T
33 The Straits Times. (2018, November 1). US charges Jho Low, former Goldman bankers over 1MDB scandal. The Straits Times. Retrieved from https://www.straitstimes.com/world/united-states/us-to-announce-charges-against-jho-low-former-goldman-bankers-for-1mdb-wsj
34 Shi, M., Business Insider US. (2019, January 3). High-flying investment bankers, reclusive billionaires, and ‘The Wolf of Wall Street’: a guide to the major players in Malaysia’s 1MDB scandal. Business Insider. Retrieved from https://www.businessinsider.sg/goldman-1mdb-scandal-players-explainer-2018-12/?r=US&IR=T
35 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
36 United States v. Certain Rights to and Interests in the Viceroy Hotel Group, No.17-cr-04438. (U.S.D.C. 2018) https://www.justice.gov/opa/press-release/file/973671/download

37 Crow, D., & Noonan, L. (2018, November 9). Lloyd Blankfein revelation piles pressure on Goldman over 1MDB. Financial Times. Retrieved from https://www.ft.com/content/9c6bb17a-e380-11e8-a6e5-792428919cee
38 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
39 United States v. Certain Rights to and Interests in the Viceroy Hotel Group, No.17-cr-04438. (U.S.D.C. 2018) https://www.justice.gov/opa/press-release/file/973671/download
40 Ibid.
41 Ibid.
42 Ibid.
43 Ibid.
44 Ibid.
45 Ibid.
46 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
47 Ibid.
48 Ibid.
49 Presse, A. (2019, February 9). Goldman Sachs plans to cut bonuses as 1MDB scandal deepens. The Guardian. Retrieved from https://www.theguardian.com/world/2019/feb/09/goldman-sachs-plans-to-cut-bonuses-as-1mdb-scandal-deepens
50 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
51 Goldman Sachs. (2018). Quarterly Report on Form 10-Q for the Quarter Ended September 30, 2018. Retrieved from https://www.goldmansachs.com/investor-relations/financials/archived/10q/third-quarter-2018-10-q.pdf
52 Ibid.
53 Sarawak Report. (2018, November 3). Why Goldman Sachs (U.S. Financial Institution #1) Is In The DOJ’s Sights. Sarawak Report. Retrieved from http://www.sarawakreport.org/2018/11/why-goldman-sachs-u-s-financial-institution-1-is-in-the-dojs-sights/
54 Lopez, L. (2018, December 20). Goldman didn’t get IPIC board’s approval for $2.4b bond issue. The Straits Times. Retrieved from https://www.straitstimes.com/asia/goldman-didnt-get-ipic-boards-approval-for-24b-bond-issue
55 United States v. Leissner, No. 1:18-cr-00439 (E.D.N.Y. 2018) https://s3.eu-west-2.amazonaws.com/sarawakreportdocs/TIm+Leissner+DOJ+Filing.pdf
56 Ibid.
57 Ibid.
58 Ibid.
59 Ibid.
60 Ibid.
61 Ibid.
62 Ibid.
63 Clark, S., Wright, T. (2015, July 2). Investigators Believe Money Flowed to Malaysian Leader Najib’s Accounts Amid 1MDB Probe. The Wall Street Journal. Retrieved from https://www.wsj.com/articles/SB10130211234592774869404581083700187014570
64 Palma, S. (2019, February 11). 1MDB explained: timeline of Malaysia’s financial scandal. Financial Times. Retrieved from https://www.ft.com/content/fce8018c-2b4e-11e9-88a4-c32129756dd8
65 Department of Justice. (2018, November 19). Malaysian Financier Low Taek Jho, Also Known As “Jho Low,” and Former Banker Ng Chong Hwa, Also Known As “Roger Ng,” Indicted for Conspiring to Launder Billions of Dollars in Illegal Proceeds and to Pay Hundreds of Millions of Dollars in Bribes. [Press release]. Retrieved from https://www.justice.gov/opa/pr/malaysian-financier-low-taek-jho-also-known-jho-low-and-former-banker-ng-chong-hwa-also-known
66 Financial Times. (2019, February 10). 1MDB explained: timeline of Malaysia’s financial scandal. Financial Times. Retrieved from https://www.ft.com/content/fce8018c-2b4e-11e9-88a4-c32129756dd8
67 Ahmad, R. (2018, November 2). Jho Low maintains innocence despite US DoJ charges over 1MDB. The Star Online. Retrieved from https://www.thestar.com.my/news/nation/2018/11/02/jho-low-maintains-innocence-despite-us-doj-charges-over-1mdb/
68 Latiff, R. (2019, February 20). Malaysia to put former Goldman Sachs banker on trial before U.S. extradition. Reuters. Retrieved from https://www.reuters.com/article/us-malaysia-politics-1mdb-goldman/malaysia-to-put-former-goldman-sachs-banker-on-trial-before-u-s-extradition-idUSKCN1Q90CS
69 Sukumaran, T. (2018, November 2). What’s the deal with Jho Low, Malaysia’s most wanted man? South China Morning Post. Retrieved from https://www.scmp.com/news/asia/southeast-asia/article/2171428/whats-deal-jho-low-malaysias-most-wanted-man
70 Ananthalakshmi, A., Latiff, R. (2018, December 18). Malaysia says Goldman Sachs failed to disclose key facts in 1MDB bond sales. Reuters. Retrieved from https://www.reuters.com/article/us-malaysia-politics-1mdb-goldman/malaysia-says-goldman-sachs-failed-to-disclose-key-facts-in-1mdb-bond-sales-idUSKBN1OH0WC
71 Ananthalakshmi, A. (2018, December 17). Malaysia files criminal charges against Goldman Sachs in 1MDB probe. Reuters. Retrieved from https://www.reuters.com/article/malaysia-politics-1mdb-goldman/malaysia-files-criminal-charges-against-goldman-sachs-in-1mdb-probe-idUSK7N1IX029
72 Natarajan, S., Shukry, A. (2018, November 17). Goldman’s Woes Mount as Malaysia Slaps First Criminal Charge. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-12-17/malaysia-files-criminal-charges-against-goldman-its-employees
73 Tan, A. (2018, December 21). Singapore to Expand 1MDB Criminal Probe to Include Goldman. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-12-21/singapore-said-to-expand-1mdb-criminal-probe-to-include-goldman
74 Ibid.
75 Bernama. (2019, March 20). Monetary Authority of Singapore: 1MDB investigations ongoing. New Straits Times. Retrieved from https://www.nst.com.my/news/nation/2019/03/471356/monetary-authority-singapore-1mdb-investigations-ongoing
76 The Straits Times. (2018, November 13). Goldman Sachs shares fall most in 7 years on 1MDB scandal and ‘fear of the unknown’. The Straits Times. Retrieved from https://www.straitstimes.com/business/banking/goldman-sachs-shares-tumble-on-1mdb-scandal-and-fear-of-the-unknown
77 Melloy, J. (2018, December 19). Goldman shares are getting hit again after Malaysia files criminal charges in 1MDB probe. CNBC. Retrieved from https://www.cnbc.com/2018/12/17/goldman-shares-fall-again-on-1mdb-fund-scandal.html
78 Yahoo Finance. (n.d.). Goldman Sachs Group, Inc. (The) (GS) Stock Price, Quote, History & News. Retrieved from https://finance.yahoo.com/quote/GS/

79 McLean, B. (2008, March 5). The man who must keep Goldman growing. CNN. Retrieved from https://money.cnn.com/2008/03/02/news/companies/mclean_goldman.fortune/index2.htm
80 Forbes. (2009, November 25). The Biggest CEO Outrages Of 2009. Retrieved from http://www.forbes.com/2009/11/25/ceo-outrages-shame-leadership-ceonetworkgovernance.html.
81 McLean, B. (2008, March 5). The man who must keep Goldman growing. CNN. Retrieved from https://money.cnn.com/2008/03/02/news/companies/mclean_goldman.fortune/index2.htm
82 Henning, P. J. (2018, November 15). Goldman Blames Rogue Staff for Its 1MDB Scandal. That May Not Wash. The New York Times. Retrieved from https://www.nytimes.com/2018/11/15/business/dealbook/goldman-sachs-1mdb.html
83 Ibid.
84 Natarajan, S., Chew, E. (2018, November 9). Lloyd Blankfein Was the Unidentified Goldman Executive Present at 2009 1MDB Meeting. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-08/blankfein-said-to-be-in-09-1mdb-meeting-set-up-by-leissner-low
85 MacBride, E. (2012, March 14). The ‘Toxic’ Culture at Goldman Sachs. Wealthfront Blog. Retrieved from https://blog.wealthfront.com/wall-street-ethics/
86 Hurtado, P., Farrell, G. (2018, November 10). Leissner Cites Goldman’s ‘Culture’ of Secrecy in 1MDB Scheme. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-09/leissner-in-unsealed-plea-cites-goldman-culture-of-secrecy
87 Sperling, J. (2017, July 17). Who Is David Solomon? Meet the New CEO of Goldman Sachs. Fortune. Retrieved from http://fortune.com/2018/07/17/david-solomon-ceo-goldman-sachs/
88 Campbell, D. (2017, October 17). Goldman Sachs Loves Millennials and Engineers. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2017-10-24/goldman-presidents-take-turns-touting-firm-s-shifting-workforce
97 Board and Committees. Goldman Sachs. Retrieved from https://www.goldmansachs.com/investor-relations/corporate-governance/board-and-governance/board-committees.html
98 Latiff, R. (2019, March 18). Malaysia to summon two Goldman Sachs units ahead of 1MDB case. Reuters. Retrieved from https://www.reuters.com/article/us-malaysia-politics-1mdb-goldman/malaysia-to-summon-two-goldman-sachs-units-ahead-of-1mdb-case-idUSKCN1QZ0FD
99 Campbell, K., Surane, J. (2018, November 15). Goldman’s CEO Says He’s ‘Personally Outraged’ by 1MDB Scandal. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2018-11-15/goldman-s-ceo-says-he-s-personally-outraged-by-1mdb-scandal
100 (2019, September 30). Goldman’s 1MDB case in Malaysia to be moved to higher court. The Star. Retrieved from https://www.thestar.com.my/business/business-news/2019/09/30/goldmans-1mdb-case-in-malaysia-to-be-moved-to-higher-court
101 Shukri, A., Azmi, H. (2020, February 5). Goldman Sachs’s 1MDB Case Completes Move to Malaysia High Court. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2020-02-05/goldman-sachs-s-1mdb-case-completes-move-to-malaysia-high-court
102 Noonan, L. (2020, January 19). The 1MDB scandal: what does it mean for Goldman Sachs? Financial Times. Retrieved from https://www.ft.com/content/3f161eda-3306-11ea-9703-eea0cae3f0de
103 Moskowitz, E. (2020, January 16). Goldman Sachs Braces For Q4 Losses Due to 1MDB Scandal. OCCRP. Retrieved from https://www.occrp.org/en/daily/11458-goldman-sachs-braces-for-q4-losses-due-to-1mdb-scandal
104 Hamilton, J. (2019, March 12). 1MDB-Linked Ex-Goldman Bankers Leissner and Ng Banned From Industry. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2019-03-12/ex-goldman-bankers-leissner-and-ng-banned-from-industry-by-fed and Sen, J. (2018, December 19). Ex-Goldman Sachs banker Tim Leissner banned for life by MAS over role in 1MDB scandal. The Straits Times. Retrieved from https://www.straitstimes.com/business/banking/mas-slaps-lifetime-ban-on-ex-goldman-banker-tim-leissner-in-1mdb-scandal
89 Loosvelt, D. (2018, August 01) Ways Goldman Sachs’ Culture Will Change Under New CEO DJ D-Sol. Vault Blogs. Retrieved from
http://www.vault.com/blog/workplace-issues/3-ways-goldman-sachs
105 Gripas,Y. (2020, February 4). US Federal Reserve bars Goldman
-culture-will-change-under-new-ceo-dj-d-sol/ Sachs executive from industry for role in 1MDB scandal. CNBC.
Retrieved from https://www.cnbc.com/2020/02/04/1mdb-scandal
90 Ibid. -goldman-sachs-executive-barred-from-industry.html
91 Goldman Sachs. (2012). Goldman Sachs Annual Report for the year 106 Moskowitz, E. (2020, January 16). Goldman Sachs Braces For Q4
ended December 31, 2012. Retrieved from https://www.goldman Losses Due to 1MDB Scandal. OCCRP. Retrieved from https://www.
sachs.com/s/2012annual/assets/downloads/GS_AR12_AllPages.pdf occrp.org/en/daily/11458-goldman-sachs-braces-for-q4-losses-due-
to-1mdb-scandal
92 (2020, February 4). Goldman Sachs. Goldman Sachs’ Commitment
to Board Diversity. Retrieved from https://www.goldmansachs.com/ 107 Dayen, D. (2020, January 29). Goldman Sachs’s Still Unpunished
what -we-do/investing-and-lending/launch-with-gs/pages/ Adventures in Malaysia. The American Prospect. Retrieved from
commitment-to-diversity.html https://prospect.org/power/goldman-sachs-unpunished-adventures
-malaysia-1mdb-jho-low/
93 Goldman Sachs Index. Retrieved from https://www.goldmansachs.
com/our-firm/leadership/board-of-directors/index.html 108 Noonan, L. (2020, January 19). The 1MDB scandal: what does it
mean for Goldman Sachs? Financial Times. Retrieved from https://
94 (2020, February 4). Goldman Sachs’ Commitment to Board Diversity.
www.ft.com/content/3f161eda-3306-11ea-9703-eea0cae3f0de
Goldman Sachs. Retrieved from https://www.goldmansachs.com/
what-we-do/investing-and-lending/launch-with-gs/pages/ 109 Moskowitz, E. (2020, January 16). Goldman Sachs Braces For Q4
commitment-to-diversity.html Losses Due to 1MDB Scandal. OCCRP. Retrieved from https://www.
occrp.org/en/daily/11458-goldman-sachs-braces-for-q4-losses-due-
95 Proxy Statement 2013 Annual Meeting of Shareholders. Goldman
to-1mdb-scandal
Sachs. Retrieved from https://www.goldmansachs.com/investor
-relations/financials/archived/proxy-statements/docs/2013-proxy- 110 Marshall, E. (2019, December 20). Goldman Sachs in talks over $2.9b
statement-pdf.pdf fine to settle 1MDB probe. Financial Review. Retrieved from https://
www.afr.com/companies/financial-services/goldman-sachs-in-talks-
96 Proxy Statement 2015 Annual Meeting of Shareholders. Goldman
over-2-9b-fine-to-settle-1mdb-probe-20191220-p53ls3
Sachs. Retrieved from https://www.goldmansachs.com/investor
-relations/financials/archived/proxy-statements/docs/2015-proxy-
statement-pdf.pdf
CYBERSECURITY BREACH
140 CENTRAL BANK OF BANGLADESH: THE BIGGEST CYBER HEIST IN ASIA

CENTRAL BANK OF BANGLADESH: THE BIGGEST CYBER HEIST IN ASIA

This is the abridged version of a case prepared by Desmond Teng, Serene Lee, Tan Ai Ling and Ye Keyu under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This abridged version was edited by Raffles Ng under the supervision of Professor Mak Yuen Teen.

Copyright © 2017 Mak Yuen Teen and CPA Australia.

CASE OVERVIEW
On 4 February 2016, the Central Bank of Bangladesh (CBB) fell victim to the largest financial cybercrime in Asian history. Hackers attempted to move a total of US$951 million into fake accounts using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system. Although the heist was discovered before all the money transfers could be completed, CBB suffered a total loss of US$81 million. The heist was not limited to the breach of the security system of CBB, but also included the subsequent lapses that occurred along the communication channel for SWIFT financial messages. The increasing sophistication of cyberattacks is a growing concern to the global payment network. The objective of this case is to allow a discussion of issues such as board and committee expertise; cybersecurity risk management; the roles of stakeholders; and crisis management.

CENTRAL BANK OF BANGLADESH
CBB was established under the Bangladesh Bank Order, 1972 (P.O. No. 127 of 1972) on 16 December, 1971. CBB holds the official foreign reserves of Bangladesh and is responsible for the regulation and supervision of banks and financial institutions in Bangladesh.[1]

During the financial year 2015, CBB had nine members on its board of directors. The board was led by Governor Dr. Atiur Rahman and Deputy Governor Md. Abul Quasem.

CROUCHING TIGER
In May 2015, four accounts were opened with the Rizal Commercial Banking Corporation (RCBC) Jupiter branch in Manila, using fake driving licences as identification documents. A fifth account under the name of a Philippines businessman, William So Go, was created on 1 February, 2016. These accounts were dormant until the illegitimate transfer of Bangladeshi funds from the Federal Reserve Bank of New York (FRBNY) in February 2016.[2]

A piece of malware, evtdiag.exe,[3] was alleged to have been propagated through Universal Serial Bus (USB) by an insider or technician working with the bank.[4] Other sources speculated that it was done through the use of email spear phishing. According to BAE Systems security researchers, evtdiag.exe was custom-made for this heist and is likely part of a broader attack toolkit. A BAE Systems report stated that “the malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database”.[5] The malware was able to function in the system and allowed the hackers to carry out sabotage actions. According to CBB’s officials, the malware likely resided in the system as far back as January 2016, giving the hackers time to study CBB’s system while they remained unnoticed.[6]

The hackers stole local administrative credentials and were able to navigate their way and obtain access to the SWIFT-connected systems, on which monitoring software was installed. They managed to capture SWIFT-issued digital certificates, enabling them to execute the heist by submitting financial messages over the SWIFT network.[7]

THE FATEFUL DAY OF THE HACK
On 4 February 2016, when CBB closed for the day, the hackers logged onto the SWIFT messaging system and attempted to withdraw funds amounting to US$951 million from CBB’s account at the FRBNY.[8] This was performed by issuing 35 separate transfers via SWIFT.[9] The first five transfer requests, which amounted to US$101 million, were approved and sent to the FRBNY and its correspondent banks.[10]

Out of the five transfer requests sent to FRBNY, four requests amounting to US$81 million were routed to the four accounts set up in the RCBC Jupiter branch in the Philippines.[11] The funds were deposited and consolidated in the account under Go’s name.[12]

The fifth request was intended to send US$20 million to a non-governmental organisation in Sri Lanka. The money had initially reached Pan Asia Banking Corporation (PABC). However, it was later diverted back to the routing bank, Deutsche Bank, for further verification due to the unusually large payment size.[13] This later led to the cancellation of the payment and recovery of the money.[14]

The subsequent 30 requested transactions were rejected after suspicions were raised when the name “Jupiter” formed part of the address of the targeted RCBC bank. It was a coincidence that a US-sanctioned Iranian oil tanker and shipping company was named “Jupiter”. The sanction listing prompted the FRBNY to scrutinise the fake transactions before releasing the funds. FRBNY then sent multiple queries to CBB but did not get a response as it was closed for the day.[15]

A day later, on 5 February 2016, the malware installed on CBB’s servers bought time for the money to be collected and laundered. Incoming confirmation messages that may have alerted the bank about the fraudulent transfers were automatically removed from the SWIFT messaging system.[16]

An apparently broken printer was not an unusual sight. Jubair Bin-Huda, former joint director of CBB, requested for it to be fixed. However, it was a Friday in Bangladesh, which has a Muslim majority, and all the bank officials had left by 12.30pm for their mid-day prayers. The officials thus did not see FRBNY’s queries and remained oblivious to the cyber-heist.[17]

It was only over the weekend that the officials at CBB recognised the scale of the problem. They tried to contact the FRBNY but there was no response. SWIFT then fixed the messaging system remotely.[18]

On 8 February 2016, CBB issued stop orders to the relevant banks. It requested RCBC to freeze the money in the four accounts. Unfortunately, it was a special non-working day in the Philippines and the messages were not read.[19]

AFTERMATH OF THE HACK
According to RCBC, the cancellation requests were sent via the SWIFT messaging system in the wrong format and not flagged as urgent. As such, priority was not given for their review.[20]

From 5 February to 13 February 2016, the US$81 million from Go’s account was routed to PhilRem Services Corporation, a money transfer company, and funnelled into the Philippines casino industry.[21] The Philippines casino industry is exempt from many of the anti-money laundering laws in the country. The country also practises some of the world’s toughest bank secrecy laws.[22] Under the Philippines Banking Laws, stolen funds cannot be frozen unless a criminal case has been lodged.[23]

According to Julia Bacay Abad of the Anti-Money Laundering Council (AMLC), the money was traced to three different accounts, namely: Solaire (US$29 million), Eastern Hawaii Leisure Company (US$21.2 million) and Weikang Xu (US$31.6 million).[24] The trail for the US$81 million has gone cold as the money disappeared into the Philippine casino industry.

With regard to the incident, Sergio R. Osmeña III, a senator from the Philippines, who heads a committee on banks and financial institutions, said that “They picked [the Philippines] to launder this money because [the Philippines] system is full of loopholes.”[25]

RCBC: A LITTLE TOO LATE
Since 2013, RCBC has been recognised for its good corporate governance practices and was awarded numerous awards. Under the board of directors, RCBC has eight board committees, two of which are the Audit Committee and the Risk Oversight Committee. By virtue of Bangko Sentral ng Pilipinas (BSP) Circular No. 145,[26] RCBC also has a compliance office, which is tasked to supervise the implementation of the compliance program.

Lorenzo Tan, president and Chief Executive Officer of RCBC, and Ana Luisa Lim, head of the internal audit group, certified that RCBC’s internal control system for the year ended 2015 complied with PSE Corporate Governance Guidelines for Listed Companies.

Besides conducting regular training, RCBC also regularly revises its policies to comply with the latest Anti-Money Laundering Act. The Money Laundering and Terrorist Financing Prevention Program is approved by the board of directors before being implemented throughout the bank. It aims to prevent RCBC from “being used, intentionally or unintentionally, for money laundering and terrorist financing activities”.[27]

In July 2014, RCBC adopted the Base60 AML Monitoring System (Base60) to facilitate the detection of money laundering or terrorist financing activities by using its rule-based scenarios that include the application of pattern analysis and monetary thresholds. The system’s enterprise-wide approach also helps to prevent money-laundering schemes by studying the client’s profile and transactions.[28]
LAPSE AT RCBC?
Bank officials of RCBC reproached Maia Santos-Deguito, former manager of the Jupiter branch, and Angela Torres, senior customer relations officer, for delaying the submission of a suspicious transaction report (STR). RCBC’s head office requested the STR on 5 February 2016, in the hope of freezing the accounts that held the stolen US$81 million. Both Deguito and Torres were dismissed from their positions for the contravention of bank protocols, falsification of commercial documents and assisting in the transfer of illicit money. Deguito was said to have facilitated the opening of the five bank accounts that stored the heist funds and helped in the withdrawal of the funds.[29]

On 15 March 2016, the AMLC filed a complaint against Deguito for the breach of BSP Circular No. 706.[30] According to the AMLC, Deguito approved the opening of accounts based on fictitious documents. She violated the Know-Your-Customer rule by failing to verify the identities of the account holders and allowed them to withdraw funds even after knowledge of the stop payment request.[31] Claiming to be a scapegoat, Deguito said she only acted in accordance with Tan’s instructions.

Tan and Raul Victor, former RCBC treasurer, resigned from their positions after the incident.[32] Deguito came under the investigation of the prosecutors from the Philippines government for money laundering. If found guilty, she may face the maximum jail sentence of 14 years.[33] On 24 April 2017, it was reported that the Department of Justice “has resolved to indict” Deguito and a few other individuals linked to the money laundering; they would be charged for violating the Anti-Money Laundering Act. Kam Sim Won, one of the casino junket operators, surrendered a sum of US$4.63 million and Php488.28 million to the BSP, the Monetary Board of the Philippines, which subsequently returned the monies to the Bangladesh government.[34]

THE FINE
In relation to the cyber-heist, RCBC’s non-compliance with the New Central Bank Act resulted in a record-high fine of one billion pesos imposed by BSP. RCBC also faced a supervisory enforcement action, whereby it was subjected to increased obligations in transparency and documentation.[35]

A week after the announcement of the hefty fine, CBB insisted that it would initiate a lawsuit against RCBC if efforts to recover the funds were not successful.[36]

THE BLAME GAME
The FRBNY did not have a real-time system to identify unusual transactions immediately. Most transactions are executed automatically, unless a problem is identified and highlighted. The flagging of a transaction and its review usually occur only one day after the request, which may be after payments have already been made. In the review, the staff would verify SWIFT formatting and authentication, and determine if the US economic sanctions or anti-money laundering laws have been violated.[37]

On 4 February 2016, the first 35 messages sent by the hackers were rejected by the system due to incorrect formatting. The hackers simply corrected this and resent the messages, of which five were cleared automatically and payments were made. The other 12 payment requests made by CBB were seen as potentially suspicious by the staff and flagged for review. However, a complete manual review only began on the following day.[38]

The Bangladesh government claimed that the Federal Reserve did not perform sufficient due diligence, resulting in the funds being stolen. However, FRBNY denied responsibility, stating that it was not their systems that the hackers had compromised.[39]

No firewall and US$10 switches, CBB?
Investigations revealed that CBB had no firewall and used second-hand US$10 switches for network computers connected to the SWIFT global payment network. Cyber consultants such as Jeff Wichman criticised CBB harshly, finding it ironic that CBB was “an organization that has access to billions of dollars and they are not taking even the most basic security precautions.”[40]

Officials at CBB, however, claimed that it was only after the attack that SWIFT advised about the upgrade of its switches.[41]

Why were installations not thorough?
CBB claimed that its vulnerability to the hackers increased as 13 security measures were not implemented by SWIFT when installing the Real Time Gross Settlement system. SWIFT also made mistakes when setting up a local network.[42]

However, SWIFT rejected all allegations as it was certain that the security of its financial messaging system had not been breached. It emphasised that member banks should be responsible for their own system interfaces.[43]
PERPETRATORS RUN FREE, MONEY GONE FOR GOOD?
Subsequent to the heist, the relevant parties involved took measures to prevent a similar attack from recurring in the future. The heist attracted worldwide attention as it targeted the SWIFT messaging system, the pillar of today’s international finance operations. Concerns over the integrity of the SWIFT reporting system were also raised, which sent shock waves throughout the global banking community.[44]

In March 2017, it was reported by a US official that the CBB’s heist was “state-sponsored”.[45] The US federal prosecutors believed that North Korea was behind this heist.[46] It was also reported that CBB managed to recover some funds that were stolen from the heist, “from a casino in the Philippines”.[47] However, the pieces of the puzzle have yet to be put together. To date, no one can say with certainty who pulled off this massive cyber-heist that has created chaos in the global financial sector and some funds have yet to be recovered.

DISCUSSION QUESTIONS
1. Explain if you would consider the cyber-heist at CBB to be a Black Swan event. In your evaluation, assess the cyber risk management at CBB. With reference to publications made by the Bank for International Settlements (BIS), what do you think CBB should do to prevent a similar attack in the future?

2. Explain the significance of a cyberattack on a Central Bank. Discuss some of the cybersecurity measures taken by the Central Bank in your country to protect the country’s banking sector.

3. With regard to the cyber-heist at CBB, explain the importance of different stakeholders’ roles in an organization’s risk management. Provide suggestions on how SWIFT and its member banks can prevent similar future cyberattacks.

4. Identify and explain the roles of the committee(s) and department(s) responsible for RCBC’s risk management and anti-money laundering compliance. Discuss the risk management and compliance controls, policies and procedures that were in place before RCBC was implicated in the cyber-heist saga. Explain why you think they had failed in this incident.

5. Who do you think is ultimately to blame for the losses from the cyber-attack? Do you think that the RCBC’s board of directors and senior management should be punished for the lapses at the bank?

ENDNOTES
1 Bangladesh Bank. (n.d.). About Us. Retrieved from https://www.bb.org.bd/aboutus/index.php
2 Mallet, V. and Chilkoti, A. (2016, March 18). How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist. The Financial Times. Retrieved from https://www.ft.com/content/39ec1e84-ec45-11e5-bb79-2303682345c8
3 Finkle, J. and Quadir, S. (2016, April 25). Bangladesh Bank Hackers Compromised SWIFT Software, Warning Issued. Reuters. Retrieved from http://www.reuters.com/article/us-usa-nyfed-bangladesh-malware-exclusiv-idUSKCN0XM0DR
4 Devnath, A. and Riley, M. (2016, May 11). Bangladesh Bank Heist Probe Said to Find Three Hacker Groups. Bloomberg. Retrieved from https://www.bloomberg.com/news/articles/2016-05-10/bangladesh-bank-heist-probe-said-to-find-three-groups-of-hackers
5 Shevchenko, S. (2016, April 25). Two Bytes to $951m. BAE Systems Threat Research Blog. Retrieved from http://baesystemsai.blogspot.sg/2016/04/two-bytes-to-951m.html
6 Finkle, J. (2016, March 9). Criminals in Bangladesh Heist Likely Studied Bank’s Inner Workings. Reuters. Retrieved from http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0WB2PI
7 Hecht, A. (2016, May 18). Lessons Learned from the Bangladesh Bank Heist. CyberArk. Retrieved from http://www.cyberark.com/blog/lessons-learned-bangladesh-bank-heist/
8 Zetter, K. (2016, May 17). That Insane, $81m Bangladesh Bank Heist? Here’s What We Know. Wired. Retrieved from https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
9 Quadir, S. (2016, March 14). Bangladesh Bank Says Hackers Tried to Steal $951 Million; $68K Frozen by PHL. Retrieved from http://www.gmanetwork.com/news/money/economy/558942/bangladesh-bank-says-hackers-tried-to-steal-951-million-68k-frozen-by-phl/story/
10 Zetter, K. (2016, May 17). That Insane, $81m Bangladesh Bank Heist? Here’s What We Know. Wired. Retrieved from https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
11 Ibid.
12 Alam, S. (2016, March 15). Bangladesh Central Bank Governor Quits Over $81m Heist. Agence France-Presse. Retrieved from http://www.rappler.com/world/regions/south-central-asia/125902-bangladesh-central-bank-governor-quits-over-heist
13 Mallet, V. and Chilkoti, A. (2016, March 18). How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist. The Financial Times. Retrieved from https://www.ft.com/content/39ec1e84-ec45-11e5-bb79-2303682345c8
14 Hasanuzzaman, M. (2016, April). Bangladesh Bank Heist; How Secure the Banking System? Perspective. Retrieved from http://perspectivebd.com/2016/04/bangladesh-bank-heist-how-secure-the-banking-system-by-md-hasanuzzaman/
15 Das, N. K. and Spicer, J. (2016, July 21). How Millions from the Bangladesh Bank Heist disappeared. DZRH News. Retrieved from http://dzrhnews.com/how-millions-from-the-bangladesh-bank-heist-disappeared/
16 Das, N. K. and Spicer, J. (2016, July 21). How the New York Fed Fumbled Over the Bangladesh Bank Cyber-heist. Reuters. Retrieved from http://www.reuters.com/investigates/special-report/cyber-heist-federal/
17 Ibid.
18 Ibid.
19 Mallet, V. and Chilkoti, A. (2016, March 18). How Cyber Criminals Targeted Almost $1bn in Bangladesh Bank Heist. The Financial Times. Retrieved from https://www.ft.com/content/39ec1e84-ec45-11e5-bb79-2303682345c8
20 Das, N. K. and Spicer, J. (2016, July 21). How Millions from the Bangladesh Bank Heist disappeared. DZRH News. Retrieved from http://dzrhnews.com/how-millions-from-the-bangladesh-bank-heist-disappeared/
21 Paz, D. C. (2016, March 17). Tracing the $81-million stolen fund from Bangladesh Bank. Rappler. Retrieved from http://www.rappler.com/business/industries/banking-and-financial-services/125999-timeline-money-laundering-bangladesh-bank
22 Cohen, M. (2016, April 12). Bangladesh Bank Heist Exposes Laundering Links In Philippine Casinos. Forbes. Retrieved from http://www.forbes.com/sites/muhammadcohen/2016/04/12/philippine-flaws-exposed-in-bangladesh-bank-heist-casino-connection/#2d20d5942065
23 Das, N. K. and Spicer, J. (2016, July 21). How Millions from the Bangladesh Bank Heist disappeared. DZRH News. Retrieved from http://dzrhnews.com/how-millions-from-the-bangladesh-bank-heist-disappeared/
24 Durden, T. (2016, March 22). Mystery Man Behind $100 Million Central Bank Heist Revealed As Bangladesh Moves To Sue Fed. Zero Hedge. Retrieved from http://www.zerohedge.com/news/2016-03-22/mystery-man-behind-100-million-central-bank-heist-revealed-bangladesh-moves-sue-fed
25 Whaley, F. and Gough, N. (2016, March 16). Brazen Heist of Millions Puts Focus on the Philippines. The New York Times. Retrieved from http://www.nytimes.com/2016/03/17/business/dealbook/brazen-heist-of-millions-puts-focus-on-the-philippines.html?_r=2
26 Bangko Sentral Ng Pilipinas. (n.d.). Regulations. Retrieved from http://www.bsp.gov.ph/regulations/regulations.asp?type=1&id=1146
27 Rizal Commercial Banking Corporation. (2015). 2015 Annual Report. Retrieved from https://www.rcbc.com/annual_reports/RCBC2015ar.pdf#zoom=100%25.
28 Grimes, D. (2016, March 22). The Great Bangladesh Central Bank Heist of 2016: Whose Heads Should Roll in RCBC? Retrieved from http://bancofilipinofailure.blogspot.sg/2016/03/the-great-bangladesh-central-bank-heist.html
29 Punay, E. (2016, March 23). RCBC Fires Bank Manager. The Philippine Star. Retrieved from http://www.philstar.com/headlines/2016/03/23/1565815/rcbc-fires-bank-manager
30 Punay, E. (2016, April 29). AMLC Files Criminal Complaint Vs Philrem Execs. The Philippine Star. Retrieved from http://www.philstar.com/headlines/2016/04/29/1577953/amlc-files-criminal-complaint-vs-philrem-execs
31 CNN Philippines Staff. (2016, April 19). PH Money Laundering Probe: What We Know So Far. CNN Philippines. Retrieved from http://cnnphilippines.com/news/2016/03/15/PH-money-laundering-probe-what-we-know-so-far.html
32 Jiao, C. (2016, May 6). RCBC President Lorenzo Tan Resigns. CNN Philippines. Retrieved from http://cnnphilippines.com/business/2016/05/06/RCBC-Lorenzo-Tan-resigns-money-laundering.html
33 Adel, R. and Frialde, M. (2016, August 18). Deguito Camp Cries Harassment over Perjury Arrest. The Philippine Star. Retrieved from http://www.philstar.com/headlines/2016/08/18/1614815/deguito-camp-cries-harassment-over-perjury-arrest
34 Reformina, I. (2017, April 24). DOJ Resolves to Indict Bank Manager, Several Others for Bangladesh Bank Heist. ABS-CBN News. Retrieved from http://news.abs-cbn.com/news/04/24/17/doj-resolves-to-indict-bank-manager-several-others-for-bangladesh-bank-heist
35 Lucas, L. D. (2016, August 5). BSP Slaps Biggest Monetary Penalty of P1-B Fine on RCBC. Inquirer Business. Retrieved from http://business.inquirer.net/213012/bsp-slaps-p1-b-fine-on-rcbc-in-wake-of-bangladesh-heist
36 Morales, J. N. and Das, N. K. (2016, August 5). Philippines Bank Challenges Bangladesh Bank to Sue over Heist. Reuters. Retrieved from http://www.reuters.com/article/us-cyber-heist-philippines-idUSKCN10G0QW
37 Das, N. K. and Spicer, J. (2016, July 21). How the New York Fed Fumbled over the Bangladesh Bank Cyber-heist. Reuters. Retrieved from http://www.reuters.com/investigates/special-report/cyber-heist-federal/
38 Ibid.
39 Agencies. (2016, March 9). Bangladesh to Sue US Bank over $100m Lost to Hackers. Al Jazeera News. Retrieved from http://www.aljazeera.com/news/2016/03/bangladesh-sue-bank-100m-lost-hackers-160309104435299.html
40 Quadir, S. (2016, April 22). Bangladesh Bank Exposed to Hackers by Cheap Switches, no Firewall: Police. Reuters. Retrieved from http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO
41 Reuters. (2016, April 22). Bangladesh Bank Exposed to Hackers by Cheap Switches, No Firewall: Police. Business Times. Retrieved from http://www.businesstimes.com.sg/government-economy/bangladesh-bank-exposed-to-hackers-by-cheap-switches-no-firewall-police
42 Quadir, S., Miglani, S. and Mahlich, G. (2016, May 15). Bangladeshi Probe Panel’s Chief Says SWIFT Responsible for Cyber Theft. Reuters. Retrieved from http://www.reuters.com/article/us-usa-fed-bangladesh-swift-idUSKCN0Y60PY
43 Riley, M., Robertson, J. and Katz, A. (2016, May 18). Bangladesh, Vietnam Bank Hacks Put Global Lenders on Edge. Bloomberg. Retrieved from http://www.bloomberg.com/news/articles/2016-05-17/global-lenders-on-edge-as-hacks-embroil-growing-list-of-banks
44 Corkery, M. (2016, April 30). Hackers’ $81 Million Sneak Attack on World Banking. New York Times. Retrieved from https://www.nytimes.com/2016/05/01/business/dealbook/hackers-81-million-sneak-attack-on-world-banking.html
45 Lema, K. (2017, March 29). Bangladesh Bank Heist was ‘state-sponsored’: U.S. official. Reuters. Retrieved from http://www.reuters.com/article/us-cyber-heist-philippines-idUSKBN1700TI
46 Reuters and AFP. (2017, March 23). FBI Prepares Charges Against North Korea Over Bangladesh Heist. Reuters. Retrieved from http://www.dw.com/en/fbi-prepares-charges-against-north-korea-over-bangladesh-heist/a-38081602
47 Gautham. (2016, November 13). Bangladesh Central Bank Recovers a Portion of Funds Stolen over SWIFT Network. NEWSBTC. Retrieved from http://www.newsbtc.com/2016/11/13/bangladesh-central-bank-recovers-funds/
CAPITAL ONE: A BREACH IN THE CLOUD

This case was written by Chen Yufang, Elizabeth Ho, Nicolas Lye, Yong Hui Ting and Zheng Tang Wei Hao under the supervision of Professor Mak Yuen Teen. The case was developed from published sources solely for class discussion and is not intended to serve as illustrations of effective or ineffective management or governance. The interpretations and perspectives in this case are not necessarily those of the organisations named in the case, or any of their directors or employees. This case was edited by Professor Mak Yuen Teen and Professor Richard Tan.

CASE OVERVIEW
On 19 July 2019, Capital One released an announcement stating that an outside individual, Paige Thompson, had gained unauthorised access to the bank’s cloud databases and obtained confidential customer data, including approximately 100 million credit card applications. Further investigation revealed that Thompson, a 33-year-old former Amazon Web Services software engineer, had managed to exploit a ‘configuration vulnerability’ in a misconfigured firewall, which allowed her to transfer critical data to her own personal server from as early as March 2019. Before Capital One was informed of the breach by an anonymous tipster, Thompson had posted about her access to the Capital One data on social media, and also uploaded information relating to the Capital One data breach on GitHub, a popular code-sharing platform.1 The data breach highlighted glaring vulnerabilities in Capital One’s cybersecurity systems and raised questions about the adequacy of the bank’s corporate governance and risk management processes. The objective of this case is to facilitate discussion on issues such as the effectiveness of Capital One’s risk management framework and measures; the remuneration policy for the board and management; the adequacy of crisis management; as well as the influence of these factors on the cybersecurity breach and its aftermath.

TECHNOLOGY - BOON OR BANE?
Technological advances have had a major impact on many companies across various industries, and the banking sector is no exception. From contactless payments to biometric security authentication to the storage of critical data on the cloud, banks are starting to leverage technology to provide enhanced services at more competitive prices.2

However, the increased reliance on technology is accompanied by a growing threat of cybercrime, perpetrated through lapses in cyber-security frameworks and systems.3 This growing threat is exemplified in the recent cybersecurity data breach suffered by Capital One, which affected over 100 million individuals in the United States and approximately six million in Canada.4

BANK AT THE FOREFRONT OF TECHNOLOGY
Capital One, the eighth-largest bank in the United States, offers commercial lending as well as consumer lending products and services to retail consumers, small businesses and commercial clients.5 The bank is renowned amongst its peers for its unrelenting focus on technology, placing it at the heart of its business.6 Through years of steady investment in information technology, the bank has managed to secure a captive cardholder base, as clients were attracted by its technology-oriented banking services, which boasted capabilities such as cloud-based data management.7

THE BIG LEAP TO THE CLOUD
“We are entirely focused on moving to the public cloud.”8
- Rob Alexander, Capital One’s Chief Information Officer

Single-minded in its path towards cloud-based data management, Capital One announced in 2015 that it would slowly migrate its system to cloud computing and wind down the existing data centres ‘from eight in 2014 to zero planned by the end of 2020’,9 making Capital One one of the first large financial institutions to adopt such a practice. To manage its massive stash of critical data through the cloud, Capital One engaged Amazon Web Services (AWS), one of the largest cloud-computing third-party service providers in the world, to develop and manage its digital infrastructure for cloud computing solutions.10

SAFEGUARDS AGAINST A STORM
Facing the need to secure customer data in the cloud platform properly, Capital One engaged both employees across the bank and AWS to construct a risk management framework for the cloud system. According to George Brady, the Chief Technology Officer of Capital One, the framework was updated and refined quarterly as they moved their applications into the cloud.11

To mitigate the risks of third-party cloud platforms, Capital One spearheaded the development of Cloud Custodian, a programme specifically targeting the enforcement of compliance and security of the cloud infrastructure.12 The Cloud Custodian can detect and
correct any policy violations automatically, thus allowing Capital One to ‘keep the teams in guardrails’. The bank also bought a software company called Endgame around late 2017 to enhance its ability to detect hacks and data breaches. However, more than a year after the software was purchased, Capital One had still not completed its installation. A reporting portal was further established to monitor and ensure compliance in the entire system.13 However, despite the gamut of measures put in place, it took just one individual to breach the seemingly impenetrable walls of Capital One’s cybersecurity systems.

ONE WOMAN ARMY: PAIGE THOMPSON
The individual in question, Paige Thompson, was a 33-year-old software engineer residing in Seattle. Her resume lists eight different employers over a 12-year period from 2005 to 2016, with almost all the jobs lasting less than 18 months.14 Her most recent job was a stint at Amazon S3 (Simple Storage Service) from May 2015 to September 2016. An AWS spokesperson confirmed a former employee had been arrested in connection with the investigation, but said that AWS “was not compromised in any way and functioned as designed.”15 According to the Justice Department, Thompson had commenced her hacking attempts into corporate databases as early as 12 March 2019. Thompson’s former employers attested that she was a ‘very talented white hat ethical hacker’ who excelled at testing clients’ security systems to uncover lapses.16 Her excellent hacking skills, together with her prior knowledge of AWS’s cloud security systems, allowed her to bypass a faulty firewall which granted her access to Capital One’s customer information.17 This was the moment where all hell broke loose.

BURNING BREACHES - WHAT THE HACK HAPPENED
Thompson, who also goes by the online handle “erratic,” allegedly created a program in late March 2019 to search cloud customers for a specific web application firewall misconfiguration.18 She managed to exploit a ‘configuration vulnerability’ in a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with AWS, granting her access to the cloud databases. This misconfiguration allowed Thompson to ‘trick’ the firewall into relaying requests to a key backend resource, called the ‘metadata’ service, to issue temporary information to the targeted cloud server, i.e. Capital One’s cloud server. This included credentials sent from a security service to access any cloud resource that the server has access to.19 Using this well-known method called a ‘Server Side Request Forgery (SSRF)’ attack, Thompson was able to manipulate the credentials of various employee accounts, giving her access to critical data, including 140,000 social security numbers of credit card customers, 80,000 linked bank account numbers of secure credit card customers, and a whopping 1,000,000 social insurance numbers from Canadian customers.20 Thompson managed to remain undetected during her initial hacking attempt, having used several methods to mask her identity and location, including a virtual private network service and the anonymous TOR browser.21 Thus, like a thief in the night, Thompson continued her hacking spree, hiding under the veil of anonymity, with all the critical data at her fingertips.

HACK AND SLACK
After gaining access to victims’ cloud infrastructure using the stolen credentials, Thompson then allegedly accessed and exfiltrated data over the following weeks. From April to June 2019, Thompson posted the data to her GitHub account, which included her full name and resume, and openly described her hacking techniques on Twitter.22 It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have given that Thompson allegedly talked openly about stealing the data, even on Slack.23 Immediately after Thompson posted the contents of the data dump under the handle “Erratic”, a friend replied “sketchy ****, don’t go to jail plz”.24 Thompson, seemingly aware of the potential implications of her actions, posted a direct message on her Twitter account admitting she believed her actions were likely to be discovered, tweeting that she ‘basically strapped (herself) with a bomb vest…’ and that she aimed to ‘distribute those buckets’.25 However, while her concerns proved to be spot-on, it was already too late; word of Thompson’s actions had spread like wildfire across cyberspace, and eventually someone decided to spoil her party.

BLOWING THE WHISTLE
One measure that differentiates Capital One from most other banks is its Responsible Disclosure Program.26 The Responsible Disclosure Program maintains security by enabling customers or any other parties to report any potential holes or vulnerabilities in Capital One’s systems. These reports will then be promptly acted upon to secure Capital One’s systems and data.27 This disclosure
program worked in Capital One’s favour during the breach, as the leak was anonymously reported to Capital One through the program.28

On 17 July 2019, an unidentified tipster informed Capital One of the leak by emailing the bank’s responsible disclosure address with a brief warning about the data and a link to it on GitHub, with the message ‘there appeared to be some leaked S3 data of yours’ (S3 data refers to a type of file that is normally stored on Amazon’s cloud network).29 The online Slack room which held the links to the data was subsequently taken down. The bank swiftly alerted law enforcement to the data theft and immediately fixed the configuration vulnerability discovered. The FBI connected the incident to Thompson quickly, as it was relatively easy to link the GitHub page where she posted information about the stolen data to her handle and real identity. Thompson was subsequently arrested by the authorities in less than two weeks at her residence and has been under police custody ever since.30 While it might have been convenient to close the case there and then, given that the perpetrator had been caught, the ease with which the cloud servers had been breached called for a more comprehensive investigation.

UNCOVERING THE TRUTH
As part of their investigation, Capital One examined the material on the GitHub page, which contained three commands and a list of 700 folders.31 The bank determined that ‘a firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One’s storage space at the cloud computing company’.32 Apparently, Thompson had utilised a combination of four main software commands to access the cloud folders. The first command allowed Thompson to obtain security credentials to access the folders; another two commands listed the available buckets, and the final command allowed Thompson to copy or sync the data over to her own personal server.33 Most of the data that was copied was related to credit card applications.34 With the details of the investigation finalised and confirmed, Capital One then moved on to addressing the repercussions of the breach.

CLEANING UP THE MESS
“This is a defining moment for us to put our values on display and to be swift, open, and profoundly empathetic”35
- Richard Fairbank’s internal address to employees

The bank subsequently made an official apology and announced that those affected would be notified of the breach by mail and offered free identity theft and credit monitoring protection.36 The bank further clarified that it would not be calling, texting, or emailing customers regarding their account information or Social Security numbers. The bank also set up an FAQ, as well as a dedicated hotline, for people looking for more details.37

Richard Fairbank, Capital One’s CEO and chairman, was quick to call the bank out. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” he said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”38 In its official statement published post breach, the bank reaffirmed its commitment to safeguard critical information and promised to incorporate learnings from this incident to further strengthen its cyber-defenses.39 Whether or not it lives up to this promise, only time will tell.

LEFT IN THE LURCH
During a briefing on 31 July 2019, Capital One specifically promised to the United States Senate Committee on Banking, Housing and Household Affairs (Committee) that it would provide free credit monitoring and identity protection to all Capital One customers who request it, regardless of whether they are part of the affected consumers.40 However, subsequent checks by the Committee led some to believe that Capital One has not taken sufficient steps to make good on its commitment to protect consumers from further harm.

On 22 August 2019 and 4 September 2019, the Committee called the 1-800-227-4825 customer service number listed on the Capital One webpage that provides information regarding the data breach.41 However, the telephone number linked back to Capital One’s general customer service line, and not the dedicated line for consumers to call about the data breach or to request free credit monitoring and identity protection.42 Furthermore, there was no dedicated numerical option for inquiries about the data breach or to request free credit monitoring.43

Eventually, staff were able to reach a Capital One customer service representative by pressing ‘0’.44 Based on the Committee’s discussion with the Capital One customer service representative, the Committee concluded that Capital One did not adequately inform consumers of their eligibility for free credit monitoring and identity protection services, nor does it appear that
those services were yet available for consumers when they call in to request them. According to the Committee, these deficiencies suggest that consumers may not know whether their personal information has been breached and that Capital One may have limited the number of consumers who are eligible for free credit monitoring and identity protection services.45 As of 23 September 2019, Capital One announced that they had finished sending notifications to Canadians by mail or email, and not by phone or text message. Furthermore, according to the Capital One website, it has completed notifying all the affected customers.46

CUSTOMERS’ DATA COMPROMISED
In the aftermath of the breach, the subsequent adverse impacts on various stakeholders were both significant and extensive. Considering the scale of the data breach, it is worth noting that only 140,000 US Social Security Numbers (SSN), 1,000,000 Canadian SSN, and 80,000 linked bank account numbers were compromised out of the 106 million individual sets of critical data leaked.47 Capital One was quick to point this out to assuage concerns, “Importantly, no credit card account number or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,”48 it said in a statement regarding the data breach.

However, as Adam Garber of US Public Interest Research Group (PIRG) highlighted, “Fraud doesn’t necessarily occur immediately after breaches. But that doesn’t mean consumers can breathe easily”.49 A majority of the stolen critical data belonged to consumers and small businesses, who are more vulnerable to fraud as they do not possess the necessary internal controls and security measures compared to larger institutional clients.50 Stolen Social Security Numbers could potentially be used to access existing credit accounts or authorise the creation of new ones.51 Furthermore, as Social Security Numbers cannot be changed, there will always be a risk that these numbers will be misused for fraud in the future.52 This risk is noted by Garber, “Sometimes people hold onto it for years before they take action. So you might not see something tomorrow, but you could see something years from now”.53

BURNING A BIG HOLE IN THE POCKET
Even though Capital One claimed that most customers did not suffer any material financial loss, the same could not be said for the bank itself. Capital One’s share price before the announcement of the data breach on 26 July 2019 was US$98.08. After the news broke on 29 July 2019, its share price plunged to US$91.21 on 30 July 2019, and subsequently dropped to a low of US$83.11 over the next two weeks. It has languished below its pre-breach peak since.54

Share price decline aside, Capital One estimated that the total expense attributable to the remedy of the data breach (including customer notification, credit monitoring, technology support, and legal advisory costs) could range anywhere from US$100 million to US$150 million.55 However, some experts believe the actual figure to be significantly higher as current estimates exclude related expenses from lawsuits filed against the bank, the loss of customer confidence and lower business revenues. Evercore ISI analyst John Pancari wrote to clients, “We are skeptical of management’s implication that an issue of this magnitude will not impact go-forward earnings and efficiency expectations”.56

Betsy Graseck, an analyst from Morgan Stanley, estimated that Capital One could pay between US$100 million and US$500 million in regulatory fines and state settlements as a result of the breach.57 The possibility of higher fines is not unimaginable; in Equifax’s 2017 data breach, where nearly 150 million personal data were exposed, the company paid a total of US$800 million in settlements.58

The incident also exposed the bank to several class-action lawsuits and potential regulatory fines,59 which are expected to cost well above the bank’s estimated 2019 outlays.60 Many affected customers have filed a Class Action through the law firm, Morgan & Morgan, which has been appointed to represent them to obtain a class-wide relief against Capital One for its purported negligence in the data breach.61

According to the US Class Action system, affected customers are not required to pay the law firm prior to the lawsuit with the contingency fee agreement. If the law firm wins the case, the client will pay a percentage of the damages awarded by the court. However, if the case is lost, the clients are not required to pay any fee at all.62

The lawsuit seeking class-action status was first filed in the federal court in Washington, D.C. by Kevin Zosiak, a Capital One credit card customer whose personal information was compromised.63 It is likely to herald many similar lawsuits over the breach. As of 2 October 2019, the federal judicial panel has consolidated more than 40 lawsuits against Capital One over its alleged negligence in data security.64

Amidst the onslaught of potential litigation, one of the bank’s contingencies is its cyber-risk insurance policy with a US$10 million deductible for a US$400 million cyber insurance coverage. However, it is still uncertain if Capital One’s cyber insurer is obligated to cover the full costs associated with the Capital One data breach.65 Cyber insurance normally covers customer support, credit monitoring and some legal costs of the data breach.66 They may not be liable to insure the full amount if it can be proven that Capital One lacked adequate internal security controls to prevent such a data breach. In Capital One’s Quarter Three earnings release, the bank reported US$22 million of net Cybersecurity Incident expenses.67 The total Cybersecurity Incident expense incurred by Capital One is expected to be US$49 million, of which US$27 million is accounted for as probable insurance recoveries.68

BOARD INQUISITION
While the breach had mostly highlighted the bank’s lapses in cybersecurity, the incident also thrust Richard Fairbank, the bank’s low-profile CEO and Chairman, into the spotlight. Being one of the founders of Capital One, he has been recognised as a CEO who is knowledgeable about credit card laws and bank technology, and a ‘visionary’ who speaks about dreams and revolutions.69 As reported by the Wall Street Journal, his mantra is to be “strategically bold but risk averse”.70 The recent boom of the financial-technology industry has put immense pressure on him to keep Capital One ahead in the technology arms race with rival start-ups and attract customers through different avenues.

Fairbank was not the only one to face the scrutiny of the media and observers; the rest of the board was also placed on the hot seat, and the competencies and experience of each of the members were called into question. To put themselves ahead of their competition, especially in areas like cyber risk, financial performance, and business strategy, Capital One claimed to have cultivated a board that encompasses an optimal mix of diverse backgrounds, experiences, skills, expertise, and qualifications to ‘cover all vectors or effective challenge of management’.71 According to its website, out of the 11 directors, 10 (excluding the CEO) have skills and prior experience in Digital, Technology, and Cybersecurity. Furthermore, five of the directors also possessed executive-level experience with direct oversight and expertise in technology, digital platforms and cyber risk. All the 10 directors (excluding the CEO) are deemed to be independent directors. Three are female directors. Two of the independent directors serve on one other public board, another two serve on three other public boards, while the other six do not serve on any other public boards.

Capital One’s Risk Committee consisted of seven directors, with Peter E. Raskind serving as the chairperson.72 Raskind was the former Chairman, President and Chief Executive Officer of National City Corporation. He has more than 30 years of banking experience, including in corporate banking, retail banking, wealth management/trust, mortgage, operations, technology, strategy, product management, asset/liability management, risk management and acquisition integration. He does not serve on any other public board.

Among the six other members of the risk committee, Mr Peter Thomas Killalea, Owner and President of AOINLE LLC and Former Vice President of Technology at Amazon, previously led Amazon’s Infrastructure and Distributed Systems team, which later became a key part of the AWS Platform. Killalea serves on three other public boards.73

KEEPING BOTH EYES OPEN
Given that Capital One relies heavily on technology in the processing and management of highly confidential information, the board is actively engaged in the oversight of the bank’s cyber risk profile, enterprise cyber program, and key enterprise cyber initiatives.74 In particular, the Risk Committee receives regular quarterly reports from the Chief Information Security Officer (CISO) on the above matters and meets with the CISO at least twice annually.75 It is also stated that the Risk Committee meets periodically with third-party experts to evaluate the bank’s enterprise cyber program, and reviews annually and recommends the bank’s information security policy and information security program to the board for approval.76 In addition, in the event of a significant cyber incident impacting the bank, the Chief Information Officer (CIO) and the CISO are required to submit a report to the Risk Committee, which includes management’s assessment of the root cause and the relevant areas of improvement gathered from the incident.77

CARROT AND THE STICK
The remuneration policies and structure implemented by a company for its board and management are critical in ensuring good corporate governance as it aligns the incentives and interests of the key officers with other stakeholders.78

The compensation program for directors consists of an annual cash retainer of US$90,000 for their services, as well as annual cash retainers for committee services. The Chair of the Risk Committee received US$60,000, while a member of the Risk Committee received US$30,000. In addition, each non-management director serving on 2 May 2018 received an award of 1,907 restricted stock units of Capital One common stock (RSUs) under the 2004 Stock Incentive Plan with a grant date fair value of US$170,066 valued at US$89.18 per share. The RSUs can vest one year from the date of grant, but the delivery of the underlying shares is deferred until the director’s service with the board terminates.79

Starting from 2019, the Compensation Committee and the Independent Directors increased the alignment of CEO compensation with the bank’s performance and shareholders’ interest by increasing the percentage of the CEO’s total target compensation tied to a year-end evaluation of CEO and company performance from 40% to 90%.80 Under the current performance management process, Capital One includes an individual assessment specifically designed to evaluate the degree to which the executive balanced risks inherent to the role. This report is compiled by the Chief Risk Officer, and is separately reviewed by the Chief Auditor before the assessments are submitted to the Compensation Committee in making their determinations regarding individual performance and compensation levels.81

The CEO does not receive a cash salary and 100% of his compensation is at risk based on his and the company’s performance. In 2018, 76% of his pay was equity-based compensation, with all his compensation deferred for three years. A majority of the Named Executive Officers (NEOs) are provided with long-term equity or equity-based compensation.82 In deciding the CEO’s compensation, the compensation committee considered both quantitative and qualitative performance of the bank, which include (1) Financial and Operating Performance; (2) Governance and Risk Management; (3) Strategic Performance; and (4) Winning with our Customers and Associates.83

However, in the 2018 Performance for Governance and Risk Management, the bank did not disclose much information about its performance in cybersecurity measures, and simply provided a cookie-cutter statement relating to risk management and operational risk capabilities across all three lines of defence.84 The bank simply stated that it had accelerated its focus on cloud capabilities, modern software, engineering and delivery, and enhanced cybersecurity capabilities, without elaborating much on what these ‘enhancements’ were.85 For the CEO’s compensation program, while Performance Shares and the Year-End Incentive Opportunity are the only two compensation determinants, performance and recovery provisions for these elements only include clawbacks for misconduct and financial restatement, with no clawbacks for breaches of regulations or cybersecurity lapses.86

For NEOs, starting from the 2018 performance year, the compensation program has been simplified, with three of the six compensation elements having been eliminated, increasing the proportion of NEOs’ total target compensation that is performance-based from 65% to 80%.87 The compensation program now comprises a 20% base salary, 25% cash incentive, and 55% long-term incentive opportunity.88

TECH-CENTRIC CULTURE
Before the data breach, there was a popular perception among industry players that Capital One was ahead of the game in terms of technology, and the bank stood out as the dream workplace for top technology talents. Technology employees were ‘often given leeway to operate as they saw fit’.89 However, according to people associated with the technology teams, the broader tech-centric culture of the bank had complicated security; technology employees were given free rein to write in many coding languages, making it harder for the cybersecurity unit to detect problems within the code.90

KNOWING THY ENEMY
Prior to the data breach, Capital One had made visible efforts to understand the nature of its technology risks and its characteristics by considering the uncertainties, likelihood, and severity of the impact of its risks, which were listed under the Operation Risk Assessment section of its 2018 annual report.91

The bank acknowledged that given a large part of its business is involved in the management of sensitive information, cyber-attacks designed to obtain confidential information or sabotage systems may be derived from human error or fraud from insiders or external parties. In addition, due to the proliferation of new technologies and the increased sophistication of hacking methods, Capital One has recognised that the cyber and information security risks for large financial institutions, such as itself, have increased significantly in recent years.92 Moreover, with more customers opting
to access the bank’s products and services via mobile devices such as smartphones and tablets which are beyond the bank’s security control systems, the risks are amplified as well.93

In addition, virtually all of Capital One’s core information technology systems and customer-facing applications are migrated to third-party cloud infrastructure platforms, principally AWS. The bank thus recognised that if its service providers experienced system disruptions arising from the vulnerability of patches from key vendors and cyber-attacks (including Distributed Denial of Service (DDoS) attacks), it could result in a material adverse effect on the bank’s business and reputation. However, it continued to engage AWS, even though it was aware that larger third-party service providers often are unable to offer dedicated servers, which meant that the servers could not be comprehensively customised and monitored regularly to safeguard against potential cyber-attacks.94

Capital One also recognised that it may not be able to anticipate or identify certain attack methods in order to implement effective preventative measures despite having a ‘robust suite of authentication and layered information security controls (cyber-threat analytics, data encryption, tokenization technologies, anti-malware defenses) as these controls may not have been updated to recognise and deal with newer hacking methods. Thus, in the event of a breach, the bank highlighted several costs, from operational costs such as those associated with replacing compromised cards and remediating fraudulent transaction activity, to broader implications such as a general loss of customer confidence and poor market perception of the effectiveness of security measures, both of which could lead to reduced use of the bank’s products and services.95

RED FLAGS IGNORED
Capital One was aware of the fact that it was an attractive target for cyber threats due to its strong online presence. Hence, it uses a ‘Three Lines of Defence’ risk management model to structure the roles, responsibilities and accountabilities in the organisation for taking and managing risk.96

The ‘First Line of Defence’ consists of the various business units that take on risk throughout their daily operations. On a business-wide scale, the CEO and the other business heads are accountable for managing risks and own their respective risk decisions.97 Within the more granular day-to-day operations, Capital One deploys “post-compromise protections,” such as the tokenization of Social Security and bank account numbers, to mitigate the risks of unauthorised access, given that the bank may not be able to watch every piece of data that sits in its cloud.98 Furthermore, managing and keeping all identity and access management rules secure remains a key challenge for cybersecurity departments. As Capital One had integrated many critical information management processes into the cloud, the list of rules that dictate who got access swelled, snowballing into an issue that system administrators found hard to manage.99 As mentioned by a senior cloud security engineer from a reputable cybersecurity firm, “Sometimes, the rules for these things span into six, eight pages of dense JSON text. You can’t just point to a folder and say ‘Administrators can read this, analysts can read that,’ It doesn’t work like that. It’s all these weird inherited side effects. It’s not that obvious at all”.100

The ‘Second Line of Defence’, which oversees the first line, comprises the risk management committee.101 Key officers in the risk management committee are Robert M. Alexander, the Chief Information Officer; and Sheldon “Trip” Hall, the Chief Risk Officer.

Alexander has served as the Chief Information Officer since May 200, and is responsible for overseeing all technology activities for Capital One. Prior to taking up this role, he worked under Capital One’s lending businesses, including the U.S. consumer credit card and instalment loan businesses.102 Hall stepped up as Chief Risk Officer in August 2018, and has since been responsible for all aspects of Capital One’s risk management, which includes oversight of risk management activities in areas such as credit risk, operational risk, compliance, and information security risk. Hall has been with Capital One since June 1997, working in various departments, and taking up executive positions since November 2012.103

The ‘Third Line of Defence’, comprising Capital One’s Internal Audit and Credit Review functions, provides assurance to management and the board of directors regarding the risk management capabilities of their internal controls and processes.104 Celia Karam has been Capital One’s Chief Auditor Officer since June 2018, leading a team of 300 for Capital One’s internal audit function.105 Furthermore, as Capital One is a highly data-driven bank, it also has a Tech audit team run by Chris Kyriakakis. In order to improve the audit process and resolve issues quickly, the internal audit team has involved management earlier in the audit process.
152 CAPITAL ONE: A BREACH IN THE CLOUD

Celia Karam’s vision for Capital One’s internal audit is to “provide high value, independent and proactive insights, innovating with technology and being a destination for top talent”. Additionally, Capital One has an internal group, the “red team”, that helps to supplement the firm’s cybersecurity systems by identifying vulnerabilities.106 However, although vulnerabilities had been identified months before the breach, there was no follow-up. For example, in the months prior to the breach, employees were concerned when the bank saw high turnover in its cybersecurity unit as well as a failure to promptly install some software to help spot and defend against hacks.107 In light of these situations, employees raised their concerns to internal audit, but their concerns were not acted upon.108

DIVIDED WE FALL
In 2017, Michael Johnson was appointed as the Chief Information Security Officer. Prior to his appointment, Johnson served the US Department of Energy as their Chief Information Officer. Johnson’s experience, however, did not translate well into the private sector, especially for the employees.109 He reprimanded employees and prioritised forming what he called his own “front office” that comprised ‘administrators and employees who helped with internal public relations’.110

With the change in management, employees clashed with the new style of work and some doubted his knowledge of security issues. Senior cybersecurity employees, being unhappy working under Johnson, left for better jobs. Most of Johnson’s initial direct reports and some of their replacements left.111 In 2018, Capital One lost one-third of its employees in the cybersecurity unit, which was responsible for ensuring Capital One’s firewalls were properly configured and scanning the internet for evidence of data breaches.112

Adding to the problems of the cybersecurity department, the unit also faced difficulties working within their budget. Additionally, the security operations centre, which experienced burnout and attrition due to alert overload, long hours, and incomplete visibility into systems and threats, contributed to an increasing shortage of cybersecurity skills within Capital One.113

While Capital One’s spokeswoman emphasised how Capital One constantly scans for configuration lapses and “address them where they’re found”, the misconfiguration of firewalls was not addressed fast enough.114 Since the disclosure of the breach, ‘at least a dozen experienced cybersecurity employees’ have departed as many of them were frustrated at reporting security issues to Johnson and other executives that they believed had not been fully resolved.115

HOARDING THE PAST
The personal data breached covered 100 million and dated back as far as 2005. Credit card application data included names, addresses and credit histories of applicants.116 It is also estimated that 600,000 of the people who had suffered a loss of personal information were former customers of Capital One.117 Although there is no specified time limit for retaining information as set out by the law, Halifax privacy lawyer David Fraser stated that Capital One could have followed the industry practice of moving the information kept for longer than seven years to a secured offline archive. The storage of data that are no longer relevant raises questions as to why Capital One would choose to retain such information.118

LOST IN THE AMAZON
While both Capital One and Amazon claimed that Amazon’s cloud services were not compromised during the data breach and the breach was not a result of any flaws in AWS, many have questioned the role played by Amazon in the events leading up to the breach.119 The partnership between Amazon and Capital One has been cited by Amazon as one of the exemplars on how its AWS service is empowering the business and transforming the industry. While AWS is renowned for being one of the largest cloud service providers, there was a disadvantage to its size; unlike smaller companies, larger third-party service providers often are unable to offer dedicated servers, which meant that the servers could not be comprehensively customised and monitored regularly to safeguard against potential cyber-attacks.120 It was precisely because the servers were not updated regularly that a former employee could gain access to Capital One’s cloud database.121

THE DEVIL IS IN THE DETAILS
It appeared that Thompson possessed sensitive information relating to Amazon’s cloud systems because of her previous employment with the tech giant, allowing her to leverage her prior knowledge to exploit the misconfiguration.122 She was vocal about the hack and even posted on Twitter about a few companies whose data she believed was prone to exposure as a result of the faulty Amazon cloud technology.123 According to Grinius, who is the CEO of a company providing dedicated server solutions, the obvious security flaws
simply ‘went under the radar’ of Amazon probably because it is just impractical for a company of Amazon’s size to notice these seemingly minute details.124 However, other security experts asserted that AWS should put in more effort to ‘implement mitigations to help prevent SSRF attacks on its platform’, especially since its competitors, Microsoft and Google, have ramped up measures against SSRF attacks.125

REGULATORY AND LEGAL CHALLENGES
On 24 October 2019, Democratic presidential candidate Sen. Elizabeth Warren and Senator Ron Wyden penned an open letter urging the Federal Trade Commission to investigate Amazon’s role in Capital One’s data breach.126 However, it was met with criticism from an Amazon spokesperson for “conflating the client and host”.127 The spokesperson brushed aside the letter as merely “a publicity attempt from opportunistic politicians” and restated “the SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the bank’s systems and could have been substituted for a number of other methods given the level of access already gained” in the email.128

The data breach at Capital One highlighted the vulnerabilities of the cloud system and renewed concerns among regulators. According to a U.S. Treasury report last year, bank regulations had not ‘sufficiently modernised to accommodate cloud and other innovative technologies’.129 It may be important to note that around the time of the Capital One data breach, the Federal Reserve orchestrated an official investigation of an Amazon facility in Virginia. The Fed focused on Amazon’s resiliency and backup systems, people familiar with the matter said, describing the visit as the first of what is expected to be a period of ongoing oversight on the tech giant and other cloud providers.130

INDUSTRY-WIDE WAKE UP CALL
Lapses in data security, which were exacerbated by the improper maintenance of historical data, are not unique to Capital One’s case and have become a prominent issue in banks, with the increasing application of Information Technology in banks’ day-to-day operations, such as electronic transfer and online transactions. According to a 2018 study done by Accenture on 30 major banking applications, all 30 applications were found with vulnerabilities, including insecure data storage, insecure authentication, and tampering of code.131 In a similar study conducted in 2018, researchers at security firm Positive Technologies found that 85% of the web bank applications had flaws that allowed attackers to steal information from users by using phishing attacks and stealing users’ cookies.132

With the incidence of cyber threats on the rise, the SEC has warned companies of the cybersecurity risks that they face, whilst emphasising the need for timely and transparent disclosures and internal accounting controls.133 The SEC subsequently issued new guidance on cybersecurity disclosure, focusing on cybersecurity policies and procedures, specifically those regarding disclosure controls and procedures, insider trading as well as disclosure prohibitions.134 This addressed the necessity for companies to improve their response plans, ensuring that their cybersecurity risks and incidents are promptly recorded and reported where required. With the new guidance on disclosures, companies would have to review and adjust their disclosure procedures to ensure that any cybersecurity considerations are disclosed.135

As the cybersecurity landscape continues to change and evolve, the SEC has signalled its intention to continue observing and evaluating developments in the field and provide further guidance and rules where needed. Furthermore, the SEC has been looking to improve cybersecurity through a deeper understanding of cloud computing and other technologies. To improve on their enterprise security controls, the SEC is researching ways to reduce the potential for cyberattacks.136

CALL FOR STRICTER REGULATIONS - A PANACEA?
The SEC was not the only regulator to voice its concerns; there have been several other calls to enforce stricter rules and regulations against a data breach. CUNA (Credit Union National Association) tweeted “There is an urgent need for Congress to act to set federal #data #privacy standards. We’ve urged Congress to treat data privacy as a national security issue, fix the weak links in the system, and set strong federal standards. #StopTheDataBreaches”.137 Even before this incident, CUNA had already made similar requests to Congress to treat data security as a national issue.

In a letter to the Senate Banking Committee, CUNA wrote “Congress should not expect any data privacy law it may enact to succeed in providing the desired level of privacy if such legislation does not also require all businesses and organizations that collect, use and house personally identifiable information (PII) to
protect that data consistent with strong, federal security requirements”.138

However, there is another school of thought that stricter regulations are not a panacea to a potential data breach. Steve Soukup, Chief Revenue Officer for cybersecurity firm DefenseStorm, draws attention to the bigger issue behind the scenes: “Meeting the bar of regulatory requirements is not enough and should not be the standard. It’s the lowest bar for measuring preparedness. For those that are doing the minimum to pass their exams, more regulation will help on the margins. But it won’t address what needs addressing.”139 Going forward, it still remains a question whether the U.S. law authorities will enforce stricter regulations against a data breach.

DETENTION OF PAIGE THOMPSON
Paige Thompson had been held, despite her protests, in the men’s wing of the Federal Detention Center in SeaTac. According to prosecutors, the 33-year-old woman was a flight risk and a possible danger to the public. Thompson’s attorneys disputed all of those allegations. U.S. District Judge Robert Lasnik, continuing a detention hearing that began in August 2019, imposed stringent rules on Thompson’s release, including that she be moved to a federal halfway house and be subjected to GPS monitoring at all times. Paige Thompson will be banned from accessing the internet and using computers, handphones or other electronic devices without explicit permission from the court or federal Pretrial Services.140

PENDING CLASS ACTION
In the United States (US), a Securities Class Action was filed against Capital One by Faruqi & Faruqi, LLP due to the data breach. Faruqi & Faruqi encouraged investors who suffered losses exceeding US$100,000 to join in the class action and the deadline for joining was 2 December 2019.141 A Consumer Class Action was also filed in the US by Morgan & Morgan, which has been appointed to represent consumers to obtain class-wide relief against Capital One for its purported negligence in the data breach.142 A class action is also being filed in Vancouver, Canada, against Capital One on behalf of six million Canadians whose personal data were compromised.143

CHANGE IN CYBERSECURITY LEADERSHIP
On 7 November 2019, four months after the data breach, Capital One replaced the cybersecurity chief, Michael Johnson. “Michael Johnson is moving from his role as chief information security officer to serve as senior vice president and special advisor dedicated to cybersecurity,”144 said the spokesperson of Capital One. Mike Eason, who served as the chief information officer for the bank’s commercial banking division, will be replacing him, while the bank searches for a permanent replacement.145

LESSONS LEARNED?
Capital One’s data breach serves as a poignant reminder that technology is a double-edged sword; while it has its merits in improving operational efficiency and enhancing customer experience, it also exposes banks to a plethora of technology risks, such as cybersecurity breaches. Capital One had the misfortune of experiencing this duality first-hand; the bank’s unprecedented progress in technology ironically became an instrument of its own undoing. While the bank has promised to learn from this setback and make improvements for the future, it remains to be seen if the bank can make good on its commitment. With the SEC’s newly issued guidance on cybersecurity disclosure focusing on the cybersecurity policies and procedures, the ball is in the hands of the banks to ensure that their corporate governance and risk management frameworks are appropriate and adequate in the context of a more tech-oriented banking landscape. As articulated by writer and philosopher George Santayana: ‘Those who do not learn history are doomed to repeat it’.

DISCUSSION QUESTIONS
1. Discuss the extent to which the composition of the Board, especially the Board Risk Committee, and the competencies of its members are effective in ensuring sound cyber risk management within Capital One.
2. How effective is class action in protecting the rights of various stakeholders such as customers and shareholders of Capital One? Assess the effectiveness or applicability of class action in both the US and your country.
3. Evaluate the extent to which existing remuneration policies and structures affect the behaviour and decision-making of directors and management in the context of the data breach. Discuss the potential corporate governance pitfalls associated with improper remuneration packages.
4. Evaluate the effectiveness of Capital One’s risk management frameworks and processes in the context of the data breach. Identify some of the potential lapses in its cyber-security systems that could have led to the breach. Assess the extent to which Capital One’s risk assessment process is adequate.
5. Evaluate the effectiveness of Capital One’s response to the data breach and provide suggestions on how it could have better managed the crisis. Provide suggestions on how Capital One can develop and improve its crisis risk management framework and policies to minimise the impact of disruptions.
6. Examine Amazon’s role in Capital One’s cyber-security systems and analyse the extent to which lapses in Amazon’s corporate governance and risk management frameworks may have led to the data breach. Discuss how banks can better manage the risks involved with outsourcing services to third-party vendors.

ENDNOTES
1 Gregory, M. (2019, July 31). Capital One’s data breach affected over 100 million customers. Retrieved from https://www.businessinsider.com/capitol-one-data-breach-has-heavy-implications-2019-7?IR=T
2 Orme, D. (2019, November 1). Biometric authentication: putting an end to contactless fraud. Retrieved from https://www.itproportal.com/features/biometric-authentication-putting-an-end-to-contactless-fraud/
3 Simmons, D. The Dark Side of Technology - The Evolution of Cyber Crime.
4 Capital One. (2019, September 23). Information on the Capital One cyber incident. Retrieved from https://www.capitalone.com/facts2019/
5 Capital One Financial Corp. | Corporate finance institution. Retrieved from https://corporatefinanceinstitute.com/resources/careers/companies/capital-one-financial-corp/
6 Capital One. Digital Transformation means setting audacious goals. Retrieved from https://www.capitalone.com/tech/culture/digital-transformation-means-setting-audacious-goals/
7 Ibid
8 Davis, J. (2019, August 12). Enterprises put more data infrastructure in the cloud. Retrieved from https://www.informationweek.com/cloud/enterprises-put-more-data-infrastructure-in-the-cloud/a/d-id/1335433
9 Hackett, R. (2019, August 24). After the Capital One breach should big business fear the public cloud. Retrieved from https://fortune.com/2019/08/24/capital-one-data-breach-cloud-computing/
10 Ibid
11 Capital One Financial Services Case Studies. (2019). “How to Cloud” with Capital One. Retrieved from https://aws.amazon.com/solutions/case-studies/capital-one-enterprise/
12 Capital One. (2019). Tech - Cloud Custodian. Retrieved from https://www.capitalone.com/tech/solutions/cloud-custodian/
13 Miller, R. (2016, April 20). Capital One open sources Cloud Custodian AWS resource management tool – TechCrunch. Retrieved from https://techcrunch.com/2016/04/19/capital-one-open-sources-cloud-custodian-aws-resource-management-tool/
14 Gandel, S. (2019, July 31). What we know so far about accused Capital One Paige Thompson. Retrieved from https://www.cbsnews.com/news/paige-thompson-what-we-know-about-accused-capital-one-breach-hacker-2019-07-31
15 Leggate, J. (2019, July 30). Who is Paige Thompson? Alleged Capital One hacker went by alias ‘erratic’. Retrieved from https://www.foxbusiness.com/financials/who-is-paige-thompson-alleged-capital-one-hacker-alias-erratic
16 Gandel, S. (2019, July 31). What we know so far about accused Capital One Paige Thompson. Retrieved from https://www.cbsnews.com/news/paige-thompson-what-we-know-about-accused-capital-one-breach-hacker-2019-07-31/
17 Ibid
18 Leggate, J. (2019, July 30). Who is Paige Thompson? Alleged Capital One hacker went by alias ‘erratic’. Retrieved from https://www.foxbusiness.com/financials/who-is-paige-thompson-alleged-capital-one-hacker-alias-erratic
19 Ibid
20 Gregory, M. (2019, July 31). Capital One’s data breach affected over 100 million customers. Retrieved from https://www.businessinsider.com/capitol-one-data-breach-has-heavy-implications-2019-7?IR=T
21 Fazzini, K. (2019, July 30). The Capital One breach is unlike any other major hack, with allegations of a single engineer wreaking havoc. Retrieved from https://www.cnbc.com/2019/07/30/capital-one-hack-allegations-describe-a-rare-insider-threat-case.html
22 Leggate, J. (2019, July 30). Who is Paige Thompson? Alleged Capital One hacker went by alias ‘erratic’. Retrieved from https://www.foxbusiness.com/financials/who-is-paige-thompson-alleged-capital-one-hacker-alias-erratic
23 Ibid
24 Ibid
25 Ibid
26 Capital One. Responsible Disclosure Program. (2019). Retrieved from https://www.capitalone.com/applications/responsible-disclosure/
27 Ibid
28 Laura, P. (2019, July 31). Capital One Benefits From Responsible Disclosure Program Following Massive Data Breach. Retrieved from https://www.veracode.com/blog/security-news/capital-one-benefits-responsible-disclosure-program-following-massive-data-breach
29 Business Insider. (2019, July 30). Capital One only found out about its 106 million-customer data breach because a member of the public emailed them a tip-off. Retrieved from https://www.businessinsider.sg/capital-one-hack-data-breach-email-tip-off-2019-7/?r=US&IR=T
30 Ibid
31 Jeremy, K. (2019, July 30). Woman arrested in Massive Capital One data breach. Retrieved from https://www.bankinfosecurity.com/woman-arrested-in-massive-capital-one-data-breach-a-12852
32 Schwartz, S. (2019, August 1). 5 things to know about Capital One’s breach. Retrieved from https://www.ciodive.com/news/5-things-to-know-about-capital-ones-breach/559909/
33 Jeremy, K. (2019, July 30). Woman arrested in Massive Capital One data breach. Retrieved from https://www.bankinfosecurity.com/woman-arrested-in-massive-capital-one-data-breach-a-12852
34 Ibid
35 Benoit, D., Eisen, B., & Andriotis, A. (2019, August 3). Capital One hack put low-profile CEO in spotlight. Retrieved from https://www.wsj.com/articles/capital-one-hack-puts-low-profile-ceo-in-spotlight-11564837200
36 Capital One. (2019, September 23). Information on the Capital One cyber incident. Retrieved from https://www.capitalone.com/facts2019/
37 Ibid
38 Ibid
39 Ibid
40 Sherrod Brown Senator for OHIO. (2019, September 12). Senate Banking Committee democrats demand capital protect consumers impacted by data breach. Retrieved from https://www.brown.senate.gov/newsroom/press/release/senate-banking-committee-democrats-demand-capital-one-protect-consumers-impacted-by-data-breach
41 Ibid
42 Ibid
43 Ibid
44 Ibid
45 Ibid
46 Capital One. (2019, September 23). Information on the Capital One cyber incident. Retrieved from https://www.capitalone.com/facts2019/
47 Gregory, M. (2019, July 31). Capital One’s data breach affected over 100 million customers. Retrieved from https://www.businessinsider.com/capitol-one-data-breach-has-heavy-implications-2019-7?IR=T
48 Capital One. (2019, September 23). Information on the Capital One cyber incident. Retrieved from https://www.capitalone.com/facts2019/
49 Baig, E., Herron, J., & Bomey, N. (2019, July 30). Capital One data breach: What’s the cost of data hacks for customers and businesses? Retrieved from https://www.usatoday.com/story/tech/2019/07/30/capital-one-data-breach-2019-what-cost-you/1869724001/
50 Ibid
51 Fottrell, Q. (2019, September 28). Everything you wanted to know about data breaches and privacy violations after Door Dash hack hits 4.9 million people. Retrieved from https://www.marketwatch.com/story/100-million-capital-one-customers-were-hacked-everything-you-need-to-know-about-data-breaches-but-are-afraid-to-ask-2019-07-30
52 Ibid
53 Baig, E., Herron, J., & Bomey, N. (2019, July 30). Capital One data breach: What’s the cost of data hacks for customers and businesses? Retrieved from https://www.usatoday.com/story/tech/2019/07/30/capital-one-data-breach-2019-what-cost-you/1869724001/
54 Yahoo Finance. (n.d.). Capital One Financial Corp (COF) Stock Historical Prices & Data. Yahoo Finance. Retrieved from https://finance.yahoo.com/quote/cof/history/
55 Chris, N. (2019, July 30). Capital One’s Hack with a capital H | Financial Times. Retrieved from https://www.ft.com/content/8418426e-b2ec-11e9-bec9-fdcab53d6959
56 David, H. (2019, July 30). Capital One customer data breach rattles investors. Retrieved from https://www.reuters.com/article/us-capital-one-fin-cyber-amazon-com/capital-one-customer-data-breach-rattles-investors-idUSKCN1UP1LD
57 Lucinda, S. (2019, July 31). Capital One’s Data Breach Could Cost the Company up to $500 Million. Retrieved from https://fortune.com/2019/07/31/capital-one-data-breach-2019-paige-thompson-settlement/
58 LexisNexis. (2019, September 3). Capital One® Data Breach | Lexis® Legal Advantage. Retrieved from https://www.lexisnexis.com/community/lexis-legal-advantage/b/insights/posts/capital-one-data-breach-raises-liability-questions
59 (2019, July 30). Capital One Data Breach Lawsuit. Class Action. Retrieved from https://www.classaction.org/capital-one-credit-card-data-breach-lawsuit
60 Lucinda, S. (2019, July 31). Capital One’s Data Breach Could Cost the Company up to $500 Million. Retrieved from https://fortune.com/2019/07/31/capital-one-data-breach-2019-paige-thompson-settlement/
61 Morgan & Morgan. Capital One data breach lawsuit. Retrieved from https://www.forthepeople.com/class-action-lawyers/capital-one-data-breach-lawsuit/
62 staff, F., & staff, F. (2019). How Does a Contingent Fee Agreement Work? Retrieved from https://law.freeadvice.com/litigation/litigation/lawyer_contingency_fee.htm
63 Jonathan, S., & Nick, Z. (2019, July 30). Capital One is sued over data breach in proposed class action. Retrieved from https://www.reuters.com/article/capital-one-fin-cyber-lawsuit/capital-one-is-sued-over-data-breach-in-proposed-class-action-idUSL2N24V0NY
64 Caroline, S. (2019, October 3). MDL Watch: Panel consolidates suits over Capital One data breach. Retrieved from https://www.reuters.com/article/mdl-capital-one/mdl-watch-panel-consolidates-suits-over-capital-one-data-breach-idUSL2N26O018
65 Lindsey, N. (2019, August 15). What happens next after the massive Capital One data breach. Retrieved from https://www.cpomagazine.com/cyber-security/what-happens-next-after-the-massive-capital-one-data-breach/
66 Steve, E. (2019, July 31). Capital One data breach puts $400m insurance tower on-watch - Reinsurance News. Retrieved from https://www.reinsurancene.ws/capital-one-data-breach-puts-400m-insurance-tower-on-watch/
67 Capital One. Capital One Financial Corp 2019 Quarter 3 Earnings Release. Retrieved from https://ir-capitalone.gcs-web.com/static-files/b78cc958-a133-4b57-b188-5a553b01e80b
68 Ibid
69 Benoit, D., Eisen, B., & Andriotis, A. (2019, August 3). Capital One hacks put low-profile CEO in spotlight. Retrieved from https://www.wsj.com/articles/capital-one-hack-puts-low-profile-ceo-in-spotlight-11564837200
70 Ibid
71 DEF 14A. Proxy Statement. (2019). Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000119312519080807/d564582ddef14a.htm
72 Ibid
73 Ibid
74 Ibid
75 Ibid
76 Ibid
77 Ibid
78 Ibid
79 Ibid
80 Ibid
81 Ibid
82 Ibid
83 Ibid
84 Ibid
85 Ibid
86 Ibid
87 Ibid
88 Ibid
89 Ensign, R. L., & Andriotis, A. (2019, August 15). Capital One Cyber Staff Raised Concerns Before Hack. Retrieved from https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781
90 Ibid
91 Capital One Financial Corporation. (2019). Capital One Financial Corporation Annual Report for Fiscal Year ended 2018. Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000092762819000093/cof1231201810kfinal.pdf
92 Ibid
93 Ibid
94 Ibid
95 Ibid
96 Capital One Financial Corporation. (2019). Capital One Financial Corporation Annual Report for Fiscal Year ended 2018. Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000092762819000093/cof1231201810kfinal.pdf
97 Ibid
98 Otto, G. (2019, August 2). What Capital One’s cybersecurity team did (and did not) get right. Retrieved from https://www.cyberscoop.com/capital-one-cybersecurity-data-breach-what-went-wrong/
99 Ibid
100 Ibid
101 Capital One Financial Corporation. (2019). Capital One Financial Corporation Annual Report for Fiscal Year ended 2018. Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000092762819000093/cof1231201810kfinal.pdf
102 DEF 14A. Proxy Statement. (2019). Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000119312519080807/d564582ddef14a.htm
103 Ibid
104 Capital One Financial Corporation. (2019). Capital One Financial Corporation Annual Report for Fiscal Year ended 2018. Retrieved from https://www.sec.gov/Archives/edgar/data/927628/000092762819000093/cof1231201810kfinal.pdf
105 Brian, C., & Andrew, S. (2019, July). Next-Gen Internal Audit: Are You Ready? Internal Auditing Around the World, Volume 15. Retrieved from https://www.protiviti.com/sites/default/files/united_states/insights/internal-auditing-around-the-world-vol15-protiviti.pdf
106 Ibid
107 Ensign, R. L., & Andriotis, A. (2019, August 15). Capital One Cyber Staff Raised Concerns Before Hack. Retrieved from https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781
108 Kundaliya, D. (2019, August 16). Capital One management alerted by staff of multiple security issues prior to data breach. Retrieved from https://www.computing.co.uk/ctg/news/3080540/capital-one-cybersecurity-staff-alerted-banks-management-of-multiple-issues-before-data-breach
109 Thomas, B. (2019, August 30). As the Capital One Breach Proves, Effective CISO Leadership Starts with Culture. Retrieved from https://www.bitsight.com/blog/as-capital-one-breach-proves-effective-ciso-leadership-starts-with-culture
110 Ibid
111 Ibid
112 Ibid
113 Ibid
114 Ibid
115 Andriotis, A. (2019, November 7). WSJ News Exclusive | Capital One Senior Security Officer Being Moved to New Role. Retrieved from https://www.wsj.com/articles/capital-one-senior-security-officer-being-moved-to-new-role-11573144068
116 Levy, N. (2019, August 9). Amazon and Capital One face legal backlash after massive hack affects 106M customers. Retrieved from https://www.geekwire.com/2019/amazon-capital-one-face-lawsuits-massive-hack-affects-106m-customers/
117 Ibid
118 Luck, S. (2019, October 1). Man hit by Capital One data breach calls for stricter privacy laws. Retrieved from https://www.cbc.ca/news/canada/nova-scotia/capital-one-data-breach-former-customers-1.5303126
119 Lindsey, O. (2019, October 25). Is AWS Liable in Capital One Breach? Retrieved from https://threatpost.com/capital-one-breach-senators-aws-investigation/149567/
120 Farrell, N. (2019, October 16). Capital hack showed problem of Amazon cloud. Retrieved from https://www.fudzilla.com/news/memory-and-storage/49595-capital-one-hack-showed-problems-on-amazon-cloud
121 Ibid
122 Feuer, W. (2019, October 24). Sens. Warren and Wyden urge FTC to investigate Amazon’s role in Capital One hack. Retrieved from https://www.cnbc.com/2019/10/24/senators-urge-investigation-of-amazons-role-in-capital-one-hack.html
123 Kate, F. (2019, October 24). Elizabeth Warren’s move on Amazon over Capital One hack is a warning shot to cloud providers. Retrieved from https://www.cnbc.com/2019/10/24/elizabeth-warrens-move-on-amazon-could-be-a-precursor-to-sifmu-status.html
124 Farrell, N. (2019, October 16). Capital One hack showed problems on Amazon Cloud. Retrieved from https://fudzilla.com/news/memory-and-storage/49595-capital-one-hack-showed-problems-on-amazon-cloud
125 Muncaster, P. (2019, October 25). Senators Urge AWS Investigation After Capital One Breach. Retrieved from https://www.infosecurity-magazine.com/news/senators-urge-aws-investigation/
126 Fordham, E. (2019, October 24). Elizabeth Warren pushes for Senate investigation of Amazon over Capital One hack. Retrieved from https://www.foxbusiness.com/markets/amazon-elizabeth-warren-investigation-capital-one
127 Kate, F. (2019, October 24). Elizabeth Warren’s move on Amazon over Capital One hack is a warning shot to cloud providers. Retrieved from https://www.cnbc.com/2019/10/24/elizabeth-warrens-move-on-amazon-could-be-a-precursor-to-sifmu-status.html
128 Ibid
129 Pymnts. (2019, August 2019). Bank Regulators Probe Amazon cloud. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/tech-oversight-ushered-in-as-feds-probe-amazon-cloud/
130 Ibid
131 Accenture. (2018). Building the future ready bank - Banking technology 2018. Retrieved from https://www.accenture.com/gb-en/_acnmedia/pdf-78/accenture-banking-technology-vision-2018.pdf
132 Whittaker, Z. (2018, April 16). Bank web apps are the ‘most vulnerable’ to getting hacked, new research says. Retrieved from https://www.zdnet.com/article/bank-sites-and-web-apps-are-most-vulnerable-to-hackers/
133 SEC Guidance on Public Company Cybersecurity Disclosures. (2019). Retrieved from https://corpgov.law.harvard.edu/2018/03/13/secguidance-on-public-company-cybersecurity-disclosures/
134 Year in Review: The SEC and Cybersecurity. (2019). Retrieved from https://www.securitymagazine.com/articles/90219-year-in-review-the-sec-and-cybersecurity
135 Ibid
136 Ibid
140 Carter, M. (2019, November 4). Federal judge releases Capital One hacking suspect pending trial, but orders her to stay away from computers. Retrieved from https://www.seattletimes.com/seattle-news/crime/federal-judge-releases-capital-one-hacking-suspect-pending-trial-but-orders-her-to-stay-away-from-computers/
141 (2019, October 7). CAPITAL ONE DEADLINE ALERT: Faruqi & Faruqi, LLP Encourages Investors Who Suffered Losses Exceeding $100,000 In Capital One Financial Corporation To Contact The Firm. Market Watch. Retrieved from https://www.marketwatch.com/press-release/capital-one-deadline-alert-faruqi-faruqi-llp-encourages-investors-who-suffered-losses-exceeding-100000-in-capital-one-financial-corporation-to-contact-the-firm-2019-10-07-231975840
142 Morgan & Morgan. Capital One data breach lawsuit. Retrieved from https://www.forthepeople.com/class-action-lawyers/capital-one-data-breach-lawsuit/
143 (2019, August 2). Class action lawsuit launched in Vancouver over Capital One data breach. Bloomberg. Retrieved from https://www.bnnbloomberg.ca/class-action-lawsuit-launched-in-vancouver-over-capital-one-data-breach-1.1296725
144 Ibid
145 Ibid
137 Shevlin, R. (2019, August 1). After the Capital One leak: Can
anything stop the data breach?. Retrieved from https://www.forbes.
com/sites/ronshevlin/2019/08/01/after-the-capital-one-da-
ta-breach/#5d7268044ad1
138 CUNA. (2019, March 17). Strong, national data security/privacy
standard only way to stop breaches. Retrevied from https://news.
cuna.org/articles/115740-strong-national-data-securityprivacy
-standard-only-way-to-stop-breaches
139 Shevlin, R. (2019, August 1). After the Capital One leak: Can
anything stop the data breach?. Retrieved from https://www.forbes.
com/sites/ronshevlin/2019/08/01/after-the-capital-one-data-
breach/ #5d7268044ad1
SINGAPORE
1 Raffles Place
#31-01 One Raffles Place
Singapore 048616

P: +65 6671 6500
E: sg@cpaaustralia.com.au

ISBN: 978-981-14-6595-6


cpaaustralia.com.au
