Goldman Blamed Two Rogue Bankers for 1MDB. Every Regulator Said the Rot Ran Deeper.

In 2009, Goldman Sachs's own compliance department looked at a young Malaysian financier named Jho Low, tried to figure out where his money came from, couldn't — and refused him as a client.⁸ That should have been the end of the story. A bank's compliance function exists precisely to say no to people whose wealth can't be explained, because unexplained wealth is the oldest red flag in money laundering. The flag went up. The system worked. And then it didn't: senior bankers kept working with Low anyway, and he met at least twice with the firm's chief executive after compliance had already raised the alarm.⁸

Three years later, Goldman arranged $6.5 billion in bonds for a Malaysian sovereign wealth fund called 1MDB, in three offerings inside ten months, and collected fees of over $580 million for the work.⁴ More than $1.6 billion of the money raised was paid out as bribes to officials in Malaysia and Abu Dhabi.¹ When the scheme finally surfaced, Goldman had a story ready.

Two rogue bankers lied to us and deceived the entire institution. Every regulator that examined the firm found the failure was the institution's, not just two men's — and five years later, Goldman admitted it.

The defense that every regulator rejected

Here is the thesis, stated plainly: the 'rogue employee' framing was a legal strategy, not a factual account of what happened. It was the most useful thing Goldman could say while litigation was live — it isolates blame in two named individuals, preserves the firm's claim to be a victim, and buys time. But it was never how the regulators saw it, and eventually it stopped being how Goldman described it either. The firm's defense and the official record diverged from the start, and the gap is the whole story.

The Federal Reserve did not find that two men slipped one past a sound institution. It fined Goldman $154 million for a failure to maintain appropriate oversight, internal controls, and risk management — concluding that the firm's transaction approval processes failed to detect or prevent the scheme or even address obvious red flags.³ New York's Department of Financial Services reached the same place from a different angle, penalizing Goldman $150 million for failing to detect or adequately address the red flags in the bond transactions.⁴ These are not the findings you write up when an institution was fooled. They are the findings you write up when an institution had the warning lights blinking and drove on.

Why a 'rogue banker' couldn't have done this alone

The mechanism matters more than the morality here, because it explains why the defense was always going to fail. A single banker cannot underwrite $6.5 billion in sovereign bonds. Deals that size move through credit committees, legal review, capital approvals, and — crucially — the compliance function that had already flagged Jho Low by name. The whole point of those layers is that no individual can route a transaction around them. So for the 1MDB deals to close, the controls didn't have to be deceived. They had to be overridden, or staffed by people who chose not to look. The DOJ's own framing was that Goldman employees in control functions ignored significant red flags. That is a verdict on the architecture, not on two men inside it.

The day the firm stopped saying 'rogue'

On October 22, 2020, the words changed. Goldman signed a three-year deferred prosecution agreement with the DOJ, agreed to the $2.9 billion coordinated resolution, and — on the same day — its board announced clawbacks, forfeitures and compensation reductions for current and former executives.¹² You do not claw back the pay of executives who were merely deceived. The SEC's piece of it alone ran to $606.3 million in disgorgement and a $400 million civil penalty.⁵ But the most telling line wasn't a number. After years of describing this as a matter of employees who broke the law, the firm acknowledged 'institutional failures.' That is the rare moment when a crisis-response posture is abandoned in public, because the legal cost of maintaining it had finally exceeded the cost of admitting the truth.

But weren't two men actually guilty?

The honest counter is that the bankers really were criminals, and the firm really was lied to in part. Roger Ng was sentenced to 10 years for his role in laundering billions and paying more than $1.6 billion in bribes to a dozen officials.⁶ Tim Leissner pleaded guilty in 2018, and even Goldman's own court filing against his leniency argued that 'absent his misconduct, the 1MDB transactions would not have occurred.'⁷ So the individuals were not a fiction. The deception was real.

But that is exactly where the defense quietly concedes the point. 'Absent his misconduct, the deals would not have occurred' is a statement about Leissner — and it is also an admission that a single banker carried multi-billion-dollar transactions past the firm's controls. Both things are true at once: the men were guilty, and the institution failed. The regulators never claimed Goldman invented the bribes. They claimed Goldman's systems were supposed to catch them and didn't, and that the people in the control functions saw enough to stop it and chose the fee. Individual guilt and institutional failure are not competing explanations. They are the same explanation, told from two heights.

Goldman spent half a decade insisting it had been the victim of two men, and the firm was right that two men were guilty. What it was wrong about was the thing that actually decided the case: a bank does not get to claim it was deceived by transactions its own controls were built to stop and chose not to. The compliance department said no to Jho Low in 2009. The institution said yes to the fees in 2012. The $2.9 billion, the clawbacks, and the single phrase 'institutional failures' were just the firm catching up, on the record, to a no it had overruled eleven years earlier.