Thursday, 9 April 2026 00:20
The trigger for this writing was last week's report in the Wall Street Journal concerning Bank of America. The issues it raised, however, are neither new nor isolated. The name Jeffrey Epstein, and the long-standing concerns surrounding the role of global financial institutions in facilitating activities for him and the likes of him, have been in the public domain for years.
The shift of risk
Might I nevertheless add that the Bank of America case is particularly instructive because it shifts the focus away from a direct client relationship with Epstein to transactions flowing through his wider network of associates. This marks an important evolution in how liability is conceived. The question is no longer confined to whether a bank knowingly served a problematic client. It now extends to whether the institution enabled the broader ecosystem within which misconduct was sustained. In that shift—from client-based risk to network-based risk—we begin to see the contours of a much larger transformation.
Not our benchmarks
I find it deeply concerning that some of the world’s largest banks did not fail to see the risk, yet failed to act on it. These high-profile banks, with exceptionally well-remunerated CEOs operating within a regulatory environment far better resourced than ours, therefore cannot serve as benchmarks, let alone examples, for Sri Lanka’s banks or regulators.
Institutional integrity
What should the focus be? Not merely on profitability, incentives, and performance metrics, but on the deeper foundations of institutional integrity. Leadership—whether at the level of boards, CEOs, or relationship managers—must ultimately be measured not only by what is achieved, but by what is permitted, overlooked, or ignored.
AML, KYC, Basel et al.
The modern framework for customer due diligence has its roots in the US Bank Secrecy Act of the 1970s, which introduced basic record-keeping and reporting obligations to combat illicit financial flows, later reinforced through global AML (Anti Money Laundering) efforts in the 1980s. However, the formal concept of Know Your Customer (KYC) as a structured, risk-based discipline emerged much later, gaining prominence through guidance issued by the Basel Committee on Banking Supervision in the early 2000s (notably 2001–2004), which established customer due diligence as a core prerequisite to onboarding and ongoing banking relationships.
Rationale for this writing
Arising from Bank of America’s agreement to settle claims, I thought I should research the events that led to this outcome, in order to share the lessons learned through a publication in this column, The Thought Leadership Forum.
But before that, let me reflect upon a few practical experiences that are clearly related, demonstrating the courage to be independent and vigilant, though with difficulty, particularly at a time, three decades ago, when even the largest conglomerates in Sri Lanka were still under-exposed to the concept of, and rationale for, “due diligence.”
Given the events that have transpired, globally and indeed in Sri Lanka, I believe it is compellingly necessary that I reflect on these examples of immediately relevant personal, professional, hands-on practical experience. I will do so only very briefly and leave for a later day a deeper narration, which can serve as learning outcomes for corporates, banks and professional service firms.
Client, project and promoter screening, due diligence and their institutionalisation
Let me take my mind back to the 1980s, when I worked overseas with the global professional services firm Deloitte. Well before the formalisation of modern compliance frameworks introduced or mandated by global bodies, while working with Deloitte in the Bahamas, I attended a session on client screening conducted by a resource person from our New York office.
Later, while managing a new branch in Freeport, Bahamas, I fully embedded these principles into practice and was privileged to have hands-on experience in client screening and project and promoter due diligence. What stood out was the responsiveness of the Deloitte network globally—across Europe, Asia, and the Americas—in supporting assessments of the background, credibility and integrity of the individual, institutional client, or key promoter behind any proposed venture.
On returning to Sri Lanka in 1989, I institutionalised these practices within a new division at John Keells Holdings. I must place on record the manner in which the then Deputy Chairman, later Chairman, the late Ken Balendra, who invited me back to the Group after my almost 10-year stint overseas, embraced the concept of project and promoter screening and due diligence. Better known for gut feel and quick decisions, many were, and perhaps still are, unaware that the late Ken Balendra was totally secure about these concepts, which were new to him. He had a passion to learn and the courage to say yes or no to any party, regardless of whether they came from the most developed country or the highest-profile company and had a halo around them. This was a perfect fit with my independence, objectivity and sincerity of purpose. The result was that several high-profile foreign project promoters—five or six in number—had to be politely turned away.
Two were referred to us by the United States Embassy, which was unaware of the background of these parties, who had simply registered and joined inward missions of OPIC (the then Overseas Private Investment Corporation) out of Washington. One party was based in Boston, the other in New York.
My due diligence extended to the Americas
Yet another was referred to my division by no less than the Arthur C. Clarke Centre - Institute for Modern Technologies and an Information Technology sector managing director. This project promoter party comprised two Australians, and their company was based in Perth. My due diligence was finally supported by Ernst & Young Perth.
On another occasion, a South African party recommended by a local development bank proposed a project to a venture capital company which was an associate of John Keells. I was a founder director, and after a series of discussions and independent investigations to manage the risk for John Keells, I finally recorded a lone dissent, given my serious doubts about the credibility of the concept proposed by this promoter party.
Initially my view barely prevailed; later, only a small amount of funding was released, pending receipt of a key approval from the authorities which I had requested. That approval never came. We thus saved hundreds of millions of private equity and prevented a potential reputation loss to ourselves, a key conglomerate, a Japanese institutional investor, a local development bank and a regional development bank. On another occasion, a party in the Asia Pacific region, whom we had reluctantly turned down after due diligence of his project, went on to dupe another major conglomerate. I was vindicated.
I have cited only a few, necessarily briefly, but in each of these cases my perseverance, patience and careful screening generated results, enabling vitally necessary risk management. Not once did the Chairman ask me to pause or rethink my due diligence. It is important that I place this on record.
Beyond perceived gut feel - structured judgment
I am happy the then Chairman endorsed this newly infused culture, and a progressive, refreshing tone at the top was thus institutionalised. Ultimately, protecting institutions and consequently the country must take precedence over the mere pursuit of transactions or “new projects” as fuel for upward mobility in a corporate hierarchy. This is not a matter of instinct alone, but of structured judgment—grounded in discipline, evidence, and sound risk management. In many ways, it should be part of one’s professional raison d’être.
Architecture of modern oversight
Let us now flash forward many decades, to today. The Wall Street Journal reported that Bank of America agreed to pay $72.5 million to settle claims linked to Jeffrey Epstein. The bank, like others before it, had denied wrongdoing. Yet when this development is viewed alongside earlier actions involving JPMorgan Chase and Deutsche Bank, it becomes increasingly difficult to treat these as isolated events. They instead reveal a pattern—one that raises a far more fundamental question about the architecture of modern oversight.
Bank of America penalties, settlements, suspicious transactions
Across several institutions, nearly $600 million in penalties and settlements have been imposed (including approximately $365 million on JPMorgan Chase, $150 million on Deutsche Bank, and $72.5 million on Bank of America), against a backdrop of more than $1 billion in suspicious transactions that were internally flagged, monitored, and, at least in part, understood. Complex networks of accounts, intermediaries, and financial flows operated over extended periods, often well after the risks associated with Epstein were widely known. This was not hidden misconduct buried deep within opaque systems. It was visible, patterned, and, crucially, actionable. And yet, it persisted.
Control over systems, responsibility for consequences
Let’s reflect on a similar transformation I had written about in the Daily FT in May and June 2025, one that has already taken place in the digital domain. The Cambridge Analytica episode involving Facebook, demonstrated that platforms could no longer claim neutrality simply because misuse occurred through third parties. The subsequent $5 billion penalty imposed by the Federal Trade Commission was not merely punitive; it was declaratory—signalling a clear regulatory stance on institutional responsibility. It established that control over a system entails responsibility for its consequences, even where harm is indirect.
Chiefs of risk, compliance, audit, CIOs, et al.
Chief Risk Officers oversee enterprise-wide risk. Chief Compliance Officers manage regulatory obligations. Chief Internal Auditors provide independent assurance. Chief Information Security Officers, Chief Data Protection Officers, and Chief Information Technology Officers collectively oversee the technological and data environments through which transactions flow. These roles, together with traditional audit committees and board oversight mechanisms, form a comprehensive architecture designed to detect, escalate, and mitigate risk. Yet, in these cases, that architecture did not fail in isolation; it failed collectively.
An outcome despite convergence of capability
Internal compliance functions identified suspicious transactions and flagged anomalies. Risk frameworks were in place, and data was available. Internal audit functions, in principle, had the mandate to evaluate control effectiveness and escalate systemic weaknesses. Technology and data functions possessed the capacity—at least in theory—to map patterns, identify networks, and detect behavioural irregularities. External auditors assessed control environments and governance structures. Regulators, for their part, ultimately intervened with significant penalties and strong findings. And yet, despite this convergence of capability, the outcome remained unchanged. Relationships continued. Transactions flowed. Risks accumulated.
Intervention, after the fact?
The explanation lies not in the absence of systems, but in the failure of action. Where multiple control functions exist, responsibility can become diffused. Where commercial incentives are strong, risk signals may be interpreted narrowly or deferred. Where audit focuses on process rather than behaviour, systemic exposure may remain obscured. Where regulators depend on reported information, intervention may arrive only after the fact.
An overview of specific delays
At JPMorgan Chase, the relationship with Jeffrey Epstein continued until 2013 despite earlier internal concerns, with significant Suspicious Activity Reports filed around or after the relationship was terminated—indicating reporting that was late relative to internal knowledge. At Deutsche Bank, which banked Epstein from 2013 to 2018, services continued even after his 2008 conviction, and while reporting did occur, regulatory findings highlighted monitoring failures and delays that rendered controls ineffective. In contrast, Bank of America had no direct relationship with Epstein, but exposure arose through accounts linked to his wider network; here, the recognition and reporting of suspicious patterns appear to have been more diffuse, with elements becoming clearer in the period surrounding and following his death in 2019.
Large financial flows—such as the substantial payments made by Leon Black to Epstein—moved through the formal banking system, intersecting at various points with institutions including Bank of America, underscoring how network risk arises not from a single channel, but from the cumulative pathways through which funds circulate.
This is perhaps the most important lesson of the Epstein cases. The challenge is no longer one of building systems to detect risk. Those systems largely exist. The challenge is to ensure that when risk is detected, it is acted upon—promptly, independently, and without compromise.
Personal, professional, practical relevance
The reflections set out here are influenced not only by global developments, but by my personal experience within Sri Lanka’s own financial and regulatory landscape, including serving on the Board of the Bank of Ceylon, Chairing its Audit Committee; serving on the Consumer Affairs Council of the nation’s Consumer Affairs Authority which has jurisdiction over financial products and services; serving on the Securities and Exchange Commission of Sri Lanka; the Sri Lanka Accounting and Auditing Standards Monitoring Board, while currently serving on the Board Risk Oversight Committee of the Central Bank of Sri Lanka.
These experiences reinforce a simple but often overlooked truth: structures, committees, and titles do not, in themselves, guarantee effective oversight. What matters is how they function in practice—how information flows, how decisions are made, and how conflicts between risk and reward are resolved.
Plausible deniability
The Epstein-related cases, viewed in conjunction with developments in data governance and digital platforms, signal the end of plausible deniability. Institutions can no longer claim neutrality when their systems are instrumental in enabling harm. The expectation—whether in finance or technology—is shifting toward a more demanding standard: that those who design, control, and benefit from complex systems must also take responsibility for their consequences.
Epstein's financial flows
As for Jeffrey Epstein, financial flows often extended beyond direct accounts to networks of associates, intermediaries, and linked entities, including those connected to Ghislaine Maxwell. She was found by a U.S. court to have recruited and groomed underage girls for Epstein and to have facilitated his abuse over a sustained period. In 2021, she was convicted on multiple federal charges, including sex trafficking–related offences, and subsequently sentenced to a lengthy term of imprisonment.
Network risk as the unifying lens
If one were to distil the underlying lesson from the evolution of financial scandals, regulatory responses, and institutional accountability, it is that risk can no longer be adequately understood in isolation. The traditional model—where risk is assessed at the level of a single client, transaction, or entity—is increasingly insufficient in a world defined by interconnected systems.
The presence of associates like Ghislaine Maxwell, and financial relationships involving intermediaries such as Leon Black (a private equity financier, art collector and co-founder of Apollo Global, who paid Epstein substantial sums, reported at over $150 million, over several years, described as fees for tax advice, estate planning and philanthropic structuring), illustrate how risk can propagate through interconnected channels rather than remain contained within discrete boundaries. The relationship continued even after Epstein’s 2008 conviction, raising serious governance and reputational concerns.
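The distinction drawn above (and earlier, in the observation that network risk arises from the cumulative pathways through which funds circulate rather than from a single channel) can be made concrete in code. The following is an added illustration, not code from the column or from any of the banks or regulators it discusses. It uses a constructed set of transfers with hypothetical account labels; the hop limit, the per-hop decay and the alert threshold are assumed parameters chosen for the illustration, not regulatory values. The point it demonstrates is that an account with no direct relationship to a flagged party can pass a client-level check while failing a network-level one.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount in USD).
# Names are hypothetical placeholders; this is not real transaction data.
TRANSFERS = [
    ("investor_A", "flagged_party", 50_000_000),
    ("flagged_party", "intermediary_B", 20_000_000),
    ("intermediary_B", "shell_entity_C", 12_000_000),
    ("shell_entity_C", "client_D", 9_000_000),
    ("client_D", "vendor_E", 1_000_000),
    ("client_F", "vendor_E", 5_000_000),
]
# Parties already known to the institution as high risk (constructed).
FLAGGED = {"flagged_party"}


def build_graph(transfers):
    """Undirected adjacency list: funds moving in either direction create exposure."""
    graph = defaultdict(list)
    for sender, receiver, amount in transfers:
        graph[sender].append((receiver, amount))
        graph[receiver].append((sender, amount))
    return graph


def client_level_flag(account, transfers, flagged):
    """Traditional check: is the account a direct counterparty of a flagged party?"""
    return any(
        (s == account and r in flagged) or (r == account and s in flagged)
        for s, r, _ in transfers
    )


def network_exposure(account, graph, flagged, max_hops=3, decay=0.5):
    """Network check: enumerate every simple path of at most max_hops from a
    flagged party to the account. Each path contributes its bottleneck amount
    (the smallest transfer along it), discounted by decay per hop. Returns the
    summed score and the contributing paths so an analyst can see the pathway."""
    paths = []

    def walk(node, path, bottleneck):
        if node == account and len(path) > 1:
            hops = len(path) - 1
            paths.append((list(path), bottleneck * decay ** hops))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt, amount in graph[node]:
            if nxt not in path:          # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path, min(bottleneck, amount))
                path.pop()

    for source in flagged:
        walk(source, [source], float("inf"))
    return sum(v for _, v in paths), paths


def screen(transfers, flagged, threshold=1_000_000, max_hops=3):
    """Run both checks over every non-flagged account and report the results."""
    graph = build_graph(transfers)
    accounts = {a for s, r, _ in transfers for a in (s, r)} - set(flagged)
    report = {}
    for acct in sorted(accounts):
        score, paths = network_exposure(acct, graph, flagged, max_hops)
        report[acct] = {
            "direct": client_level_flag(acct, transfers, flagged),
            "network_score": score,
            "network_flag": score >= threshold,
            "paths": paths,
        }
    return report


if __name__ == "__main__":
    for acct, row in screen(TRANSFERS, FLAGGED).items():
        print(f"{acct:15} direct={row['direct']!s:5} "
              f"network_flag={row['network_flag']!s:5} "
              f"score={row['network_score']:,.0f}")
        for path, value in row["paths"]:
            print("   via " + " -> ".join(path) + f"  ({value:,.0f})")
```

On the constructed data, `client_D` is never a direct counterparty of the flagged party, so the client-level check returns `False`; the network check finds the three-hop pathway through `intermediary_B` and `shell_entity_C` and scores it above the threshold, which is exactly the exposure a single-client view misses. `client_F`, whose only link is a shared vendor five hops away, scores zero at a three-hop limit, showing that the hop bound and decay are what keep such a check from flagging everyone.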
A broader unifying lens, beyond functional silos
The roles of internal governance functions—chief risk officers, chief compliance officers, chief internal auditors, chief information security officers, chief information technology officers, and chief data protection officers—must also be viewed through a broader lens. Their effectiveness is no longer determined solely by their performance within functional silos, but by their ability to understand, monitor, and respond to risks that traverse institutional and jurisdictional boundaries.
Ultimately, the concept of network risk provides a unifying lens through which these developments can be understood. It reflects a fundamental shift in both regulatory philosophy and institutional practice—from viewing risk as a series of isolated events to recognising it as an emergent property of interconnected systems. Yet in the end, the question is no longer whether institutions can detect risk—but whether they have the courage to act when it matters most.