On October 19, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Credit Suisse Group AG (“Credit Suisse”) agreed to pay $100 million to the SEC (among other penalties to other agencies) for violations of the Foreign Corrupt Practices Act’s (“FCPA”) internal controls and books and records provisions. The violations in the Credit Suisse case include a series of financial transactions involving the bank and Mozambican state-owned entities. As part of those transactions, the SEC found that Credit Suisse fraudulently misled investors and hid underlying corruption that included kickbacks to bankers and bribes to public officials. Although the conduct in the Credit Suisse case involves massive transactions, complicated networks of intermediaries, and Mozambican entities and government officials (which is not a typical scenario for most companies), there is a broader lesson applicable to all businesses – the importance of internal controls to protect against reputational risk.
There is no single widely accepted definition of reputational risk. For that reason, it is often left out of risk-based compliance processes. At its core, reputational risk is a threat to the name, standing, or image of an entity that can result in the reduction of revenues, value, or market share. Although reputation may be intangible, harm to an entity’s reputation can result in very tangible losses. When obvious red flags are ignored due to an inadequate focus on reputational risk, the results can be measured in dollars and cents for your business.
The Credit Suisse Cease-and-Desist Order discusses failings applicable to all businesses large and small – not only international billion-dollar transactions. A key finding by the SEC was that Credit Suisse continued forward with these transactions after it discovered numerous irregularities, red flags, and risks. This was a result of a simple cause – the inadequate appreciation of the risk associated with the irregularities identified by the bank’s compliance groups. Every business should learn a lesson from this story. For example, the problematic scheme resulted in part from a basic failure in the bank’s internal controls. Credit Suisse’s compliance group received a third-party diligence report that identified a certain intermediary as a “master of kickbacks” and highlighted past involvement in bribery schemes and concerns about integrity. Yet, the bank failed to properly consider the totality of these risks surrounding the transactions and moved forward with the transactions despite these red flags. The SEC specifically noted the lack of attention to the bank’s reputational risk in making its findings.
An improved focus on reputational risk within the compliance and risk management process will help avoid basic pitfalls that may otherwise be ignored.