
The astonishing Wells Fargo fraud

September 10, 2016

The news about the staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling.

It’s not just that staff at Wells Fargo “opened an estimated 1.5 million deposit accounts and applied for roughly 565,000 credit card accounts according to the Consumer Financial Protection Bureau (CFPB). Once the accounts were opened the employees transferred money to temporarily fund the new accounts which allowed them to meet sales goals and earn extra compensation.”

It’s not just that Wells Fargo was fined $185 million (including the largest ever fine by the CFPB).

It’s not even that the scam lasted 5 years.

What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000), or 2% of all employees.

In time, I am sure more details will surface.

But I have a problem with this statement from the bank’s CEO:

“Our entire culture is centered on doing what is right for our customers.”

How can he say that when 2% of the total Wells Fargo workforce was fired as a result, presumably, of being involved?

When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells culture in reality was to do what was right for the staff, not the customers!

According to an article in the NY Times, “Wells said that the employees who were fired included managers and other workers. A bank spokesman declined to say whether any senior executives had been reprimanded or fired in the scandal.”

The lack of information implies, in my mind, that senior executives have not been held to account. Can that be right? I hope that will change.

The CFPB says, “Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges.”

The Director of the CFPB adds, “Unchecked incentives can lead to serious consumer harm, and that is what happened here.”

It’s so easy to say that “unchecked incentives can lead to serious harm”. That’s so obvious. It applies to every organization.

It’s also easy to say, as they do, that internal controls failed.

But this incident raises so many questions!

  1. The culture was clearly massively flawed, despite what the CEO says. In fact, his statement reveals a lack of understanding not only of the word ‘culture’ but also of the real problem. I am not sure how the board can have confidence in his ability to change the culture. The surviving employees will be in shock and so risk-averse that the bank will suffer enormously.
  2. The PCAOB and others love to use the word ‘pervasive’. But here is an example of something that is truly pervasive. I believe senior executives either knew or should have known of the problem. Did no employees come forward? Did nobody see a trend in customer queries and complaints about accounts being opened they had not requested? Where was the Chief Compliance Officer?
  3. Was top management asleep or did they just have their eyes and ears closed?
  4. Should risk management have done something?
  5. Where was internal audit?
  6. Where was the board?

We have insufficient information with which to answer these questions.

I don’t know that risk management could or should have done anything. I doubt this kind of scam would be identified as a risk.

I do have to ask whether risk management:

  • had satisfied themselves that the fraud risk assessment (assuming one was done) was complete;
  • were monitoring the level or type of consumer queries and complaints, which should have been a leading risk indicator;
  • had effective monitoring of customer satisfaction, which should have been a risk to assess and watch; and
  • had done sufficient work relating to the organization’s culture.

The same questions apply to internal audit.

But, I would expect internal audit to be more aware of customer complaints and customer satisfaction than risk management. Controls over customer satisfaction risk, and especially responses to complaints, should have at least been considered in building the audit plan.

They should also be more skeptical than risk management can afford to be (for political reasons) of organizational culture, and I have to question whether any warning signals were picked up by auditors in the course of their work. Were they so focused on completing the audit program that they were not watching and listening to what was happening around them? Were they ‘auditing by walking around’? Did they listen to customers at all?

I don’t expect that the board had any reason to believe this was going on. They have to rely on management, risk management, and internal audit for information on culture, the management of fraud and other risks, and the performance of controls.

But I do expect the board to take swift and decisive action once a problem like this appears.

That includes educating the CEO that his comment about Wells’ culture is absurd and that the culture needs to be fixed.

It also includes holding senior management to account. Hopefully we will hear more about that in time.

What do you think?

Do you agree with my comments?

What would you expect from the board, risk management, and internal audit?

  1. shaken and angered
    September 10, 2016 at 1:38 PM

    There is nothing new under the sun…and still these deliberate acts of fraud continue to surprise us. Honesty and integrity are key ingredients that are clearly missing in Corporate America.
    My question…how could this have gone on for 6 years and no one thought to expose the deceit? If pervasive, key people knew and made a conscious decision to turn their backs.
    So many players in this disappointing web of deceit. Sales goals, bonuses, trips and incentives…at what price?

  2. RP
    September 10, 2016 at 2:09 PM

    Since Berkshire Hathaway owns about ten percent of Wells Fargo’s outstanding shares, this quote from Warren Buffett seems appropriate: “In the world of business, bad news often surfaces serially: You see a cockroach in your kitchen; as the days go by, you meet his relatives.”

    As a shareholder, I would obviously be concerned about senior management’s failure in this case, but also wonder, “What else is out there?” Is the mortgage portfolio going to suffer problems X years down the line because of problems happening today, or even a few years ago? It seems like large American financial institutions just can’t help themselves, which is why they tend to implode spectacularly every generation or so.

    Let’s see how well “corporate governance” functions based on the board’s response. IMHO, the CEO should be fired: if two percent of the company is engaged in systemic and widespread fraud, I simply cannot trust him to run things competently and honestly.

  3. Tony Wade
    September 10, 2016 at 2:18 PM

    I think this is going to be a perfect example of the need for behavioral regulations and risk management practices. I agree this is huge and could trigger a seismic shift in the way consumer compliance is regulated and supervised. People are already saying this enforcement action proved the need for the CFPB.

  4. Bruce McCuaig
    September 10, 2016 at 4:15 PM

    I share your views. It’s a stunning breach and an outrageous explanation. Surely there is more to this story. We deserve to know more.

  5. September 10, 2016 at 4:32 PM

    As long as senior mgt in the chain of command escape accountability nothing will change. CFPB should campaign for laws that treat this sort of fraud just like wire or mail fraud. In fact since fraudulent bills were sent either through the mail or electronically it did involve prosecutable fraud under federal law.

    Perhaps CFPB should refer their data to DOJ/FBI.

    Board should strip everyone in the chain of command of bonuses and claw back anything issued or paid. Right up to the CEO.

  6. Mike Corcoran
    September 10, 2016 at 4:57 PM

    I share your disgust for their colleague actions and their leaders that constructed and condoned a fraudulent culture at Wells Fargo. The response from the C Suite and lack of recent BOD involvement in describing the ethical protocols they oversaw is amazing. Very poor response and Wells on Notice.

  7. September 10, 2016 at 7:14 PM

    Trust and Integrity are the bedrock of Financial Institutions. This is a clear failure of Risk Management; Compliance; and Internal Audit (the 2nd and 3rd Lines of Defence) who are the “stops” to weakness/failure in the 1st LOD and “eyes” of the Board. We know and therefore can and should anticipate risks that certain “incentive” actions may create. Therefore controls are put in place to first prevent these risks (operational in this instance) from crystallising, key risk indicators set and monitored, active monitoring of customer complaints and an efficient whistle blowing system put in place. These are the basic risk management 101.

  8. Ceek
    September 11, 2016 at 2:36 AM

    You have managers of credit risk, market risk and operational risk but where does the management of “business” risk reside? When Boards launch new business initiatives (as seems to be the case here) do they really consider what “too good to be true” looks like? Do they ever think about how that risk is monitored and will be reported to them? Does IA ever look for that as part of its assessment of risk management?

  9. Paul Kurgan
    September 11, 2016 at 6:20 AM

    A great article and the other comments are spot-on. The regulators and enforcement people are currently doing a deep dive into many of Wells practices as it suspects more unethical conduct in other parts of the bank. We have not heard the end of this story.

  10. September 11, 2016 at 7:52 AM

    I think it’s also worth noting that Wells Fargo almost certainly had been rated as having effective controls in accordance with COSO. Now that’s something to think about, particularly on the part of their external auditor

  11. September 11, 2016 at 8:47 AM

    Another classic example of management skewing pressure toward profits at the expense of propriety. Clearly at least 5300 employees got the message from the top that it was OK to steal from customers. Clearly little has been learned about building a culture of ethics since the bad old days of the early 2000’s. Will anyone go to jail for these multiple crimes? Doubtful. The latest standard of punishment for fraud in the post-crisis era is to fire the lawbreakers, pay the fine and go back to work.

  12. September 11, 2016 at 8:59 AM

    It’s difficult to comment without the full detail, but how could internal audit miss this? (and what about management and their compliance units?) The explanation does appear to be rather substandard.

  13. Oluseyi Oyedele
    September 11, 2016 at 2:14 PM

    No Internal Audit or control can mitigate collusion…

  14. Jai
    September 11, 2016 at 3:28 PM

    Obviously we haven’t heard the last word on this case. Did the management and the board examine the downside of setting such high targets? In offering new products and services the banks and other financial institutions tend to set unrealistic targets. In the end the customer loses.

    Where has the three lines of defence gone…………..?

  15. September 11, 2016 at 9:00 PM

    Really astonished - we have heard of frauds where 2 people collude to create frauds or misuse flexibility; but 2% of employee strength!!! It is indeed a culture problem rather than ERM.

  16. Tres Robertson
    September 12, 2016 at 4:30 AM

    I think the only effective way to get the message across to the C suite at Wells is for there to be a significant migration of customers from the bank- who would be quite justified in doing so regardless. Moral outrage seems to die away, impact to business results, not so much…

    • Steve
      September 14, 2016 at 1:12 AM

      Moral outrage from customers will do a little bit, however moral outrage of stockholders making appeals to the BOD and possibly asking for some replacements might do more. How much of company assets were fraudulently given out as a bonus? Been a while since I took an accounting class, but what is it that belongs to the stock holders? I know the answer, do you?

  17. Larry parsons
    September 12, 2016 at 8:01 AM

    CEO needed to be the one to take responsibility. Customer about to become a former customer

  18. Norman Marks
    • September 13, 2016 at 4:31 AM

      Norman what is most unbelievable when looking at the failure of the 2nd and 3rd lines of defence is that there is evidence of “customers cry-out” since 2015 (over a year ago). If this is in the news, what clear actions did risk, compliance and audit take to address this?

      Well on the other hand, maybe the “employee syndicate” were also able to “block” their access to the wide-spread information and lawsuit…….

      Please see: http://www.latimes.com/business/la-fi-wells-fargo-suit-20150505-story.html

  19. September 12, 2016 at 12:44 PM

    Great article, and I agree with most of the comments. This is a classic example of the unintended consequences of an aggressive use of employee compensation that actually encouraged the malfeasance. Bonuses for sales in any financial institution must be very closely monitored, with internal audit having multiple in-depth analytics and more to ensure that there is no fraud. Without the monitoring, the initiators of the scheme found out they could get away with it and told their friends until it was being done by 2% of employees.

    C-Suite managers need to be able to see beyond the balance sheet. Internal audit needs to understand all compensation rules and understand the temptations that each poses. We see it in industry safety all the time – bonuses for accident-free workplaces translates to heavy, illegal pressure on employees to not report any injuries.

  20. September 13, 2016 at 6:24 AM

    How dare the Wells Fargo CEO state that their culture is about doing what’s right for the customer. How DARE the company fire 5300 workers for participating in this scam. I once worked as a WF small business banker, and every day for ten months I faced termination unless I got on board with the District Manager’s directive to open new accounts, by any means necessary. I was told that even if I hit every performance metric (six daily solutions, a mix of debit or credit cards, SBA loans, merchant services, Payroll, etc.), I’d still get fired unless at least half of the solutions were new accounts. When I questioned the DM about this policy, he stated, flat out, that his bonus was tied to new account openings, and that if he didn’t get his bonus, I didn’t get to keep my job. The branch manager met with my team daily to discuss ways we should open new accounts simply by using the information we already had on existing customers. And if a business owner came in to open ONE new account, we were REQUIRED to talk them into opening an Operating Account, a Payroll Account, and a Petty Cash account because “it’s important to segregate those activities”…but it’s the front line employees’ fault for executing this scam…right.

    • Deann Herring
      September 13, 2016 at 2:22 PM

      Integrity should be highly prized. Principles and Ethics should not be negotiated. I do know that employment is important but lowering your own standards is a slippery slope.

  21. Peter Arden Andere
    September 13, 2016 at 8:35 AM

    Obviously both the Internal Audit and the Risk Management arms of governance were not functional. Or the BOD chose to look the other way. Many Boards do not act on Risk Management reports until such an incident occurs then everybody wakes up to dig up the previous reports made to them.

  22. Norman Marks
    September 13, 2016 at 8:42 AM

    We have very few facts, everybody.

    It’s always possible that the problem was found by internal audit or a compliance function.

    • September 14, 2016 at 4:26 AM

      This may well be true Norman. However, from the known “few” facts (including customer complaint / lawsuit) no matter how we slice and dice the issue, it is difficult to exonerate the 2 & 3LODs. 6 years is a pretty long time.

  23. Paul Mburu
    September 13, 2016 at 9:22 PM

    The fact that this scam was going on for over 6 years is an indication of failures at various levels, from line management, compliance, risk management, internal audit and even the board, what one would call a catastrophic failure. I wonder what a company can do to address this

  24. Steve
    September 14, 2016 at 1:01 AM

    I am curious to know if these 5300 employees were all from one region or district. How wide spread is the problem? If from all areas and districts/regions then this makes certain implications. If only from one or a few areas this implies that only that local and regional management need to go. There needs to be a thorough investigation that should probably involve law enforcement (fraud is illegal after all). Unfortunately the CEO (where the buck does actually stop) should step down voluntarily and the BOD should allocate for employee education to help build proper cultural values of fidelity, integrity and intracompany communication from all levels. Do I really need to mention that aggressive practices applied towards customers should no longer receive a bonus? Managers should receive a bonus for good management of employees, assets (including facilities) and cost effective operations after being independently verified. Since this went on for 6 years, I have to assume that there is no open door policy and extremely poor communications from regular employees to HR and upper management. This all falls on upper management shoulders first and then on the actual perpetrators.

  25. September 14, 2016 at 8:17 AM

    If it’s at Wells Fargo, where else is it?

  26. Joe M.
    September 14, 2016 at 9:42 AM

    Norman thank you for expounding on some areas that should be re-examined. Unfortunately this financial institution used risk the same way other companies have used them to justify a decision to do wrongdoing figure that the fine was less than the revenue was generated by this wrongdoing.

    For those wanting to know what happened to the CEO who headed this consumer business unit she was allowed to retire which in short is a great lesson in why have a lawyer write your employment contract to absolve you of criminal and civil liability. She also got a bonus for helping to meet their objectives and is leaving Wells Fargo with 124.6 million dollars in stock options that is not able to be touched because she retired instead of being terminated.
    http://fortune.com/2016/09/12/wells-fargo-cfpb-carrie-tolstedt/

    If nothing else it shows that there was a big enough gap in how their auditing practice allowed this practice to continue even though there were warning signs prior to the City of Los Angeles Attorney suing them and listing Carrie Tolstedt as a defendant in the legal action to attempt to stop the wrongdoing.

  27. September 14, 2016 at 10:38 PM

    What seems to be amiss in this case is the overall lack of situational leadership, thought and moreover behaviors among senior management that are a vital conduit to effective GRC function. Corporate ‘psychopaths’ create a ring of ‘truth’ veiled behind a traditional GRC framework that enables unchallenged risk taking and frauds to go undetected. In this context transactional leaders are positioned to exploit their powers and tend to show no remorse to their actions as opposed to transformational leaders who underpin trust in the work ethos and embed a culture of transparency, trust and ethics in the GRC framework.

  28. September 15, 2016 at 6:32 AM

    The most striking comment from the article for me was this one, “I doubt this kind of scam would be identified as a risk.”

    Why not?

    It is also interesting that almost all the suggestions are about 2nd level controls (detection controls) and 3rd level controls (consequence management) and nothing about 1st level controls (prevention controls – this being a threat).

    In response to Tim Leech’s comment, “I think it’s also worth noting that Wells Fargo almost certainly had been rated as having effective controls in accordance with COSO”, (any barely competent CAE would suggest that an organisation ADAPT to its needs any risk management framework it has ADOPTED), the result is to be expected from grain by grain methodologies (as evidenced by the suggested discrete rather than integrated engagements) which focus on outputs of governance, risk management and control processes rather than the processes themselves.

    The 3LoD and 5LoA simply paper over the flaws of the grain by grain methodologies.

    Rather than speculate on what happened and comment based on that speculation, I think we should ask questions which might enlighten us on, speaking from an internal audit perspective, what role was played by internal auditing.

    I personally would be interested in whether or not internal auditing was providing an overall opinion (given the 5 years mentioned), and whether or not that opinion was favourable, representative, current and on what it was provided.

    For a mature (my assumption) internal audit function, I would also be interested in how often that overall opinion was provided. I would expect the major focus for such a mature internal audit function to be ensuring that all WF organisational units were maintaining (not establishing) adequate and effective governance, risk management and control processes.

    I would be interested in on what basis the WF internal audit function decided on whether an engagement was to be an assurance or consulting engagement and when. Probably most telling in this respect would be WF’s internal audit plan! Is it an “audit” plan (as implied by Norman) or an “internal audit” plan?

    I would be interested in whether or not the 1010 discussions had ever taken place and what issues regarding management acceptance of risks internal audit had referred to the audit committee for final resolution.

    Failures as are highlighted by this article are a natural consequence of the grain by grain methodologies. Answers to the above questions will be found to be similar in all such failures – the common denominator being the risk basis (the objective centric methodology included) the organisations were depending on to prevent those failures

  29. Norman Marks
    September 15, 2016 at 7:11 AM
    • September 16, 2016 at 6:50 AM

      Again, ‘The most striking comment from the article for me was this one, “I doubt this kind of scam would be identified as a risk.”

      Why not?’

      Is this not “a risk that matters”? If it is, why was it not identified or not expected to be identified? If it is not, why is it not?

      The interview referred to says nothing about the role of internal auditing or risk management nor does it answer the questions I feel we as internal auditors should be asking about the goings on at WF.

      In fact, the responses are exactly what I would expect from organisations which follow what I have characterised as “grain by grain methodologies”.

      Anyone who knows what is currently happening (and encouraged by proponents of the “grain by grain methodologies”) as opposed to what is required by the IIA Standards would not be surprised at those responses.

      So far, in the absence of answers to the questions I have asked, this appears to me to be 100% a failure of internal auditing, typified by the “grain by grain methodologies” – the risk-based and objective centric methodologies – on the basis that if the WF internal audit function was conforming to the IIA Standards as they are now, it would be clear where the fault lies.

      I think the fault lies in a flawed objective setting process. As a consequence of that flaw, the risk identification process could not have been expected to identify a risk to an aspect not specified in the objective setting process. In short, as encouraged by the “grain by grain methodologies”, risk identification was a thumb sucking exercise.

      Internal auditors are to blame for flawed governance, risk management and control PROCESSES if they had not provided assurance or consulting (as is appropriate for particular circumstances) on them as required by 2100.

      The irony is that regulators will paper over the fault line and everyone will be happy (until the next time) that (at least) they have done something – the same mentality which gave rise to the 3LoD and 5LoA!

  30. September 16, 2016 at 4:35 AM

    Another institution, another bank in a long list of breach of trust by world class institutions. During the last decade we are witnessing more and more institutions shocking us by the way they are being managed. And this is happening in an environment of tighter regulation and better awareness of corporate governance issues. So what’s really going on?

    • Tony Wade
      September 16, 2016 at 6:57 AM

      *This* is a very good and proper question. Beyond, Wells Fargo (which obviously has a culture problem), this is a growing problem in the way business is done in general across all industries. (Volkswagen comes to mind.)

      • September 16, 2016 at 7:46 AM

        Whether from an internal audit or risk management perspective, we should relook the practices we encourage, rather than point fingers elsewhere.

        It is one thing to say a manager looked at a particular direction and saw nothing to be concerned about (understandable) compared to saying the manager did not look at that direction at all in specifying KSFs during objective setting.

        In most circumstances, the latter is the case, simply because the organisation did not require the manager to do so and internal auditing and risk management did not advise the organisation to make this a requirement.

        Subordinates cannot identify risks to unspecified KSFs and therefore have to thumb suck during the risk identification process.

        Every internal audit engagement has to consider governance issues like ethics, accountability and oversight and has to consider other aspects like compliance and anti-fraud. Integrated engagements rather than discrete engagements are what is required by the IIA Standards.

        In considering these, how does the organisation test how effective whatever controls they come up with are, other than after the fact, when a VW and WF situation comes to light? Does it ever test the subordinate response when instructed to flout the controls by a senior person?

        I am of the attitude that internal auditing and risk management must themselves be clean to earn the right to point fingers elsewhere.

  31. Les Horn
    September 17, 2016 at 6:01 AM

    A small percentage of the population are “crooked” or “corrupt”. It is the responsibility of the executive to know this and check for “loopholes” in the system. Incentives are an obvious opportunity to game the corporation. I am appalled to see a large corporation getting played this way and being asleep at the switch for so long. Audit groups, management and all the way to the CEO need to take the responsibility for such a breach of trust and fall on their knife, a mere mea culpa is insufficient.

  32. Lars Christensen
    September 18, 2016 at 12:49 PM

    I wonder if Wells Fargo has a “whistle blower” program and if so, how did 5,300 get away with this activity for so long without someone lodging a complaint. I find it hard to believe that a manager at a relatively senior level would not have been a party to this (and potentially suppressed knowledge of it).

  33. September 19, 2016 at 7:16 AM

    I have been engaged in various dialogues with WF in London around risk and culture for the last 3 years. Sadly the big decisions are made in the US and I never got a chance to meet the “right people” there. Despite warning them about over complacency etc all I received was a copy of their in house booklet the Vision and Values of WF – which reads superbly but v clearly was not read seriously by the 500 odd employees since departed OR (as Norman implies) the considerable numbers of managers who must have known something was afoot?
    Seems horribly like VW and emissions when no-one in senior management was supposedly aware of this dreadful cheating by the technicians” Oh really??
    Always the same reaction by the C suite and yet it is precisely their responsibility to sniff out this stuff to ensure the business is run safely, responsibly, ethically and sustainably.
    Time we saw some of these jerks parading in orange boiler suits and made to pay properly for their flagrant incompetencies and criminal negligence.
    Is this too much to hope for?
    Peter Neville Lewis MIRM – Founder Principled Consulting

  34. Wonderlandcat
    September 20, 2016 at 2:40 AM

    We don’t actually know that compliance or internal audit didn’t identify issues on this. I also beg to ask where the regulators were prior to this as well.

    In my experience often times, the examiners regurgitate or just expand further on what compliance and internal audit identified and previously reported to management and the BOD, on.

    There is no doubt that there needs to be better audits of incentive plans for these organizations but who’s to say that audit didn’t report on it? I don’t think we can, yet.

    It’s the culture and it’s deeply concerning.

  35. September 21, 2016 at 10:53 AM

    I will tell you now what I have previously told you and that is that you should hold yourself out to the most premier of companies in helping them implement a properly functioning risk management system. Watch Elizabeth Warren’s takedown of the CEO and then figure out how to get to the Board Chair or to Elizabeth Warren directly. Although we are all disgusted by what we have seen, none of us should be shocked by it. But the clowns running the company or the clowns peddling useless consulting services cannot help them. So forgive me for once again imploring you to take your acumen in this field to a new level. You deserve it and so do the companies that could benefit. Start with this company and serve as an expert witness for either the prosecution or the defense
