Why Did The Fed Clear Goldman Sachs And MCB?

With the Federal Reserve recently closing the books on major enforcement actions against two very different financial institutions, Goldman Sachs and Metropolitan Commercial Bank, the industry is closely watching what it takes to get back into regulators’ good graces. We’re joined by Priya Jaiswal, a recognized authority in banking and financial compliance, to unpack these developments. We’ll explore the rigorous remediation required after the massive 1MDB scandal, the nuances of managing third-party risk in the fintech era, and whether the steep financial penalties and executive consequences we’ve seen are truly effective in fostering a lasting culture of compliance.

The 2020 consent order required Goldman Sachs to overhaul its risk management related to the 1MDB scandal. Can you walk us through the specific, concrete steps a bank would take to satisfy a regulator on enhancing its due diligence and anti-bribery programs for complex global transactions?

To satisfy a regulator after a failure of this magnitude, a bank can’t just update a policy manual; it has to fundamentally rebuild its risk architecture from the ground up and prove it works. The first step is a complete overhaul of the due diligence process for what the Fed called “significant and complex transactions.” This means creating a much more intrusive and skeptical onboarding process for high-risk clients like a state-owned fund. You’d see the implementation of a dedicated, senior-level committee to approve such deals, completely independent of the dealmakers themselves. They would also have to demonstrate a radically expanded anti-bribery program, which involves intensive, scenario-based training for all global staff, not just a yearly click-through module. Finally, they must present the regulator with a bulletproof audit trail—showing not just that they have these new controls, but that the controls are being tested constantly and are actively flagging and stopping suspicious activity before it escalates.

Metropolitan Commercial Bank’s 2023 order stemmed from failures in overseeing the MovoCash prepaid card program. What are the key metrics and processes a bank must implement to prove to regulators that its third-party risk management and know-your-customer procedures are now robust enough to prevent future fraud?

For a situation like MCB’s, the proof is in the data and the demonstrated oversight. Regulators would need to see a complete turnaround in their third-party risk management. This starts with implementing a continuous monitoring dashboard for each fintech partner, tracking key metrics in real time: fraud attempt rates, account application rejection rates for incomplete information, and the average time it takes to investigate a suspicious alert. They would need to prove their know-your-customer, or KYC, systems are no longer passive. This means actively pressure-testing the system by, for instance, attempting to open accounts with synthetic or stolen identities to ensure the controls actually work. The bank would also have to show a clear governance structure, proving they have the staff and authority to pull the plug on a third-party program like MovoCash the moment those risk metrics cross a pre-defined red line. It’s about shifting from a reactive “we’ll fix it when it breaks” posture to a proactive, data-driven one.

Goldman paid over $5 billion in global penalties for 1MDB, and its CEO faced a significant pay cut. In your experience, how effective are these massive financial penalties and executive consequences in driving fundamental, long-lasting cultural change regarding compliance and risk management within a major bank?

A $5 billion penalty is a number that is impossible for any board to ignore; it absolutely commands attention and forces immediate, structural changes. It’s a powerful shock to the system. Similarly, a 36% compensation decrease for a CEO like David Solomon sends a very clear message about accountability trickling down from the absolute top. However, these actions on their own are often more about treatment of the symptoms than a cure for the underlying disease. True, lasting cultural change happens when the lessons from that penalty are embedded into the bank’s DNA. It’s when compliance is no longer viewed as a “business prevention department” but as an essential partner in sustainable growth. The real measure of effectiveness isn’t just the fine paid, but the subsequent years of investment in compliance technology and talent, and the empowerment of risk managers to challenge even the most profitable business lines.

We saw two very different cases here: Goldman’s massive international scandal and MCB’s domestic prepaid card fraud. What are the core differences in the compliance remediation roadmaps for these distinct scenarios, and what fundamental lessons about oversight apply equally to both?

The remediation roadmaps are worlds apart in scale and focus. Goldman’s was a global, multi-jurisdictional undertaking involving complex financial instruments and sovereign entities. Their fix required navigating the differing demands of regulators from the U.S. to Singapore, focusing on sophisticated anti-bribery controls and the intricate risks of high-finance. In contrast, MCB’s failure was more of a fundamental breakdown in a high-volume, domestic retail product. Their roadmap was less about geopolitical risk and more about strengthening basic anti-money laundering controls, customer identification rules, and the nuts and bolts of vendor management. But despite these differences, the core lesson is identical: oversight cannot be delegated away. Whether it’s a multi-billion-dollar deal with a foreign government or a simple prepaid card program managed by a third party, the ultimate responsibility for compliance rests with the bank. The board and senior management must have a clear, unfiltered line of sight into the risks being taken in their name.

What is your forecast for the future of bank compliance and regulatory enforcement?

I believe we’re heading toward a far more technologically-driven and proactive era of enforcement. Regulators are no longer satisfied with simply reviewing policies; they expect banks to use advanced data analytics and even AI to identify and disrupt illicit activity in real time. The focus will continue to shift toward demonstrating the effectiveness of a compliance program, not just its existence. We’ll also see a greater emphasis on individual accountability for senior managers, moving beyond corporate fines. The termination of these two orders shows that there is a path back for institutions that take remediation seriously, but the bar is continuously being raised. Banks that treat compliance as a forward-looking, strategic investment will thrive, while those who see it as a backward-looking cost center will find themselves in a perpetual and very expensive cycle of regulatory trouble.
