
When the CRO and CAE are prosecuted for negligence

October 16, 2023

Last month, the head of Wells Fargo’s community bank business unit (Carrie Tolstedt) pled guilty and was sentenced to three years’ probation for her role in the highly publicized sales frauds. That was in addition to a fine of $17 million.

Soon, three more members of management are going to trial: the CRO, the CAE, and an internal audit director.

This is important for board members as well as risk and internal audit practitioners.

The regulators may have set a new and very high level of expectations for CRO and CAE performance.

How many of us can say we would have done better than they did?

Were they negligent (a word the regulators did not use)? Were the regulators fair?

Have the regulators set a new and possibly unrealistic bar?

X

This is a long post because I will first remind you of the case, then excerpt from the administrative judge’s report that recommended actions against the practitioners, before considering where the practitioners went wrong.

X

According to CNN:

Former Wells Fargo executive Carrie Tolstedt was sentenced to three years’ probation on Friday for her role in the bank’s sprawling fake-accounts scandal.

Tolstedt had agreed to plead guilty to the criminal charge of obstructing regulators’ investigation of the bank, which she left in 2016 as the scandal burst into the public arena. Her lawyers argued for her to be sentenced to probation, including six months of home confinement, rather than the 12-month prison sentence sought by prosecutors.

Earlier, Wells’ former CEO, John Stumpf, agreed to a $17.5 million penalty. He also forfeited $41 million in equity awards and the bank clawed back $28 million.

The cross-selling scandal is explained in Wikipedia.

The Department of Justice (DoJ) reported in 2020:

Wells Fargo & Company and its subsidiary, Wells Fargo Bank, N.A., have agreed to pay $3 billion to resolve their potential criminal and civil liability stemming from a practice between 2002 and 2016 of pressuring employees to meet unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent, often by creating false records or misusing customers’ identities, the Department of Justice announced today.

As part of the agreements with the United States Attorney’s Offices for the Central District of California and the Western District of North Carolina, the Commercial Litigation Branch of the Civil Division, and the Securities and Exchange Commission, Wells Fargo admitted that it collected millions of dollars in fees and interest to which the Company was not entitled, harmed the credit ratings of certain customers, and unlawfully misused customers’ sensitive personal information, including customers’ means of identification.

The DoJ said (note my highlights):

Beginning in 1998, Wells Fargo increased its focus on sales volume and reliance on annual sales growth.  A core part of this sales model was the “cross-sell strategy” to sell existing customers additional financial products.  It was “the foundation of our business model,” according to Wells Fargo.  In its 2012 Vision and Values statement, Wells Fargo stated: “We start with what the customer needs – not with what we want to sell them.”

But, in contrast to Wells Fargo’s public statements and disclosures about needs-based selling, the Community Bank implemented a volume-based sales model in which employees were directed and pressured to sell large volumes of products to existing customers, often with little regard to actual customer need or expected use.  The Community Bank’s onerous sales goals and accompanying management pressure led thousands of its employees to engage in unlawful conduct – including fraud, identity theft and the falsification of bank records – and unethical practices to sell product of no or little value to the customer. 

Many of these practices were referred to within Wells Fargo as “gaming.”  Gaming strategies varied widely, but included using existing customers’ identities – without their consent – to open checking and savings, debit card, credit card, bill pay and global remittance accounts. From 2002 to 2016, gaming practices included forging customer signatures to open accounts without authorization, creating PINs to activate unauthorized debit cards, moving money from millions of customer accounts to unauthorized accounts in a practice known internally as “simulated funding,” opening credit cards and bill pay products without authorization, altering customers’ true contact information to prevent customers from learning of unauthorized accounts and prevent Wells Fargo employees from reaching customers to conduct customer satisfaction surveys, and encouraging customers to open accounts they neither wanted or needed.

The top managers of the Community Bank were aware of the unlawful and unethical gaming practices as early as 2002, and they knew that the conduct was increasing due to onerous sales goals and pressure from management to meet these goals.  One internal investigator in 2004 called the problem a “growing plague.”  The following year, another internal investigator said the problem was “spiraling out of control.”  Even after senior managers in the Community Bank directly called into question the implementation of the cross-sell strategy, Community Bank senior leadership refused to alter the sales model, which contained unrealistic sales goals and a focus on low-quality secondary accounts.

Despite knowledge of the illegal sales practices, Community Bank senior leadership failed to take sufficient action to prevent and reduce the incidence of such practices.  Senior leadership of the Community Bank minimized the problems to Wells Fargo management and its board of directors, by casting the problem as driven by individual misconduct instead of the sales model itself.  Community Bank senior leadership viewed negative sales quality and integrity as a necessary byproduct of the increased sales and as merely the cost of doing business.

X

An administrative law judge (hired by the Office of the Comptroller of the Currency (OCC)) presided over 35 days of hearings in 2020.

In addition to Carrie Tolstedt, the OCC also charged James Strother, former General Counsel; Matthew Raphaelson, former Community Bank Group Finance Officer; Kenneth Zimmerman, former Head of Community Bank Deposit Products Group; Tracy Kidd, former Head of Community Bank Human Resources; and three risk and audit practitioners. As far as I can tell, the members of the Wells Fargo board escaped prosecution, except in the media.

The OCC published “recommended decisions” for each of the three. Quoting from the executive summary with my highlights (there are separate reports for each individual), the judge wrote:

This is an administrative enforcement action taken by the Office of the Comptroller of the Currency and initiated through a Notice of Charges that was issued on January 23, 2020, by the OCC’s Deputy Comptroller for Large Bank Supervision, Gregory J. Coleman. The enforcement action was taken against three senior bankers formerly affiliated with Wells Fargo Bank, N.A. (WFB-NA or the Bank). The action was taken pursuant to the federal Administrative Procedure Act as authorized by the Federal Deposit Insurance Act and uniform procedural rules of the Office of the Comptroller of the Currency.

The facts summarized here are based solely on evidence in the record, including testimony and documentary evidence taken during a hearing that began on September 13, 2021 in Sioux Falls, South Dakota and continued through intermittent presentations that concluded on January 6, 2022. After 35 days of sworn testimony and the presentation of documentary evidence, the parties presented their arguments through final briefs filed on June 26, 2022.

Through the Notice of Charges, the OCC identified David Julian as the Bank’s Chief Auditor. It identified Claudia Russ Anderson as the Group Risk Officer for the Bank’s Community Banking group. It identified Paul McLinko as a direct report of Mr. Julian and the Executive Audit Director for the Bank’s Community Banking group.

The Notice advised Ms. Russ Anderson that the OCC contends her conduct as Group Risk Officer constituted violations of law, constituted unsafe or unsound practice, and breached fiduciary duties she owed to the Bank. The Notice seeks an order prohibiting her from engaging in regulated banking activity.

The Notice advised Mr. Julian and Mr. McLinko that the OCC contends their conduct as Chief Auditor and Executive Audit Director (respectively) constituted unsafe or unsound practice and breached the fiduciary duties each owed to the Bank. There is no allegation that either Mr. Julian or Mr. McLinko violated any statute or regulation. The Notice seeks orders that they cease and desist engaging in certain prohibited activity.

My recommendations are that the Comptroller issue a prohibition order against Ms. Russ Anderson as proposed in the Notice of Charges, along with an order that Ms. Russ Anderson pay a $10 million civil money penalty.

Although the Notice of Charges seeks a cease and desist order be issued regarding Mr. Julian, and while the evidence supports the issuance of such an order as was presented in the Notice of Charges, I recommend the Comptroller issue a prohibition order against Mr. Julian, based on inculpatory evidence that was not available to the Comptroller at the time the Notice of Charges was issued. Alternatively, I recommend the Comptroller issue a cease and desist order against Mr. Julian, as proposed in the Notice of Charges. I also recommend an order that Mr. Julian pay a $7 million civil money penalty.

I recommend the Comptroller issue a cease and desist order against Mr. McLinko, as proposed in the Notice of Charges, along with an order that he pay a $1.5 million civil money penalty[1].

The judge explained:

Five key conditions led to the presentation of charges against Mr. Julian, Ms. Russ Anderson, and Mr. McLinko.

First, Bank employees working in the Bank’s Community Banking unit, who were referred to as team members, engaged in sales practices misconduct throughout the relevant period – which for the purposes of these Reports and this Executive Summary was the beginning of 2013 to the end of 2016. During the relevant period, such misconduct was widespread throughout the Bank’s branch system, and materially threatened the safety, soundness, and reputation of Wells Fargo Bank, N.A. and its holding company, Wells Fargo & Company.

Second, as Chief Auditor, Mr. Julian failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to provide credible challenge to Community Bank’s risk control managers, failed to timely evaluate the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of Wells Fargo Bank, N.A.

Third, as the Community Bank’s Group Risk Officer, Ms. Russ Anderson failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to timely and independently evaluate the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of Wells Fargo Bank, N.A. Aligned with her failure to act in the best interest of the Bank, Ms. Russ Anderson violated federal laws relating to the required disclosure of material information to the Bank’s Board of Directors and federal bank examiners engaged in the examination of the Bank.

Fourth, as the Community Bank’s Executive Audit Director, Mr. McLinko failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to provide credible challenge when evaluating the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of the Bank.

Fifth, throughout the relevant period, Ms. Russ Anderson, Mr. Julian, and Mr. McLinko separately and collectively engaged in unsafe or unsound banking practices by individually failing to identify and effectively address known issues of risks related to sales goals pressure in the Community Bank, knowingly and purposefully failed to escalate known issues related to those risks, misleading regulators and members of the Bank’s Board of Directors regarding the efficacy of controls over risks related to sales goals pressure, and advanced their individual pecuniary interests over the safety, soundness, and reputational interests of Wells Fargo Bank, N.A. and its holding company, Wells Fargo & Company, thereby breaching fiduciary duties each owed to the Bank. Further, Ms. Russ Anderson’s efforts to restrict material information from being disseminated among the Bank’s senior leaders and the WF&C Board of Directors constituted violation of federal laws.

The OCC later revised the recommended penalties downward: Russ Anderson, $5 million; Julian, $2 million; and McLinko, $500k.

The OCC also assessed fines of $1,250,000 on the (corporate) Chief Risk Officer, Michael Loughlin, and $2,250,000 on the Chief Administrative Officer and Director of Corporate Human Resources, Hope Hardison.

I encourage risk practitioners to review and consider the judge’s report on the CRO.

Internal audit leaders should read through and think about the judge’s report on the CAE. There is a separate document on his direct report, McLinko.

X

Now to the facts as I see them. I am not an attorney and have no special knowledge. I just read (most of) the judge’s reports.

  • Unrealistic sales targets were established for the thousands of employees in the business unit. That was not just in one year, but in several years.
  • In order to achieve them, as many as 5,300 employees (and probably more) defrauded customers.
  • Hundreds of employees and customers called into the company’s whistleblower line (EthicsLine). Most but not all of the allegations were investigated by an investigations department that did not report either to the CRO or to the CAE. However, both the CRO and CAE received reports from the investigations unit as well as reports from EthicsLine, and both were members of or at least attended meetings of the management committees that considered them.
  • Apparently, investigations found that only 20% of the whistleblower allegations were substantiated.
  • The newspapers, especially the LA Times in 2013, ran stories that received massive national attention.
  • The CRO and others involved were reluctant to call this a systemic problem. Even though thousands had been involved, they referred to it as a localized situation.
  • Few members of management were disciplined for allowing the situation to develop and continue. The issue of inappropriate pressure by managers was not addressed from what I have read. Similarly, the fact that the quotas (or objectives) were unreasonable was not identified as a problem.
  • In fact, nobody seems to have considered what the regulators called the root cause of the problem: a combination of unreasonable objectives and management pressure to achieve them.
  • These two factors were not identified as a source of risk in any risk reports to top management and the board.
  • The CAE believed that there were adequate internal controls over the sales activity, pointing to the detective controls of whistleblower calls, investigations, and employee terminations. The judge believed that preventive (or proactive) controls should have been assessed as well and were deficient.

X

Would we (you, the reader, and I) have done better as either the CRO or CAE?

If we were on the risk or audit committees of the board, would we have asked better questions?

X

Questions for us to consider:

For the CRO:

  1. Should the CRO have insisted that when as many as 3% of employees have been found to be involved in unlawful conduct there was a systemic problem rather than one isolated to a handful of locations?
  2. Was it fair to expect the CRO to investigate the root causes of these employee frauds? Is this generally expected of all risk practitioners?
    • Do you expect a CRO to investigate (however loosely) possible inappropriate pressure on employees by management – especially as it seems at least reasonably likely that senior management was involved to some degree, because so many were involved across the business? In other words, should the CRO have challenged senior management for setting unreasonable goals and then pressuring employees to meet them?
    • Should we expect the CRO to investigate the root causes of all risks (whether there are actual losses or other incidents or not)? Should those root causes be included in risk assessments and risk reports? For example:
      • Should they investigate why there is a failure of top management and the board to understand reports by cyber and InfoSec functions?
      • Should they assess the risk that decisions (both strategic and tactical) are made without a full understanding of all related risks?
      • Should they investigate and report the failure of management to invest in risk prevention (whether in cyber, employee retention, etc.)?
      • Should they report the fact that risk management at their organization is not mature?
      • Should they report the fact that risk and performance reporting are not integrated?
  3. Is it fair to ask CROs to assess the quality of internal controls over risks?
  4. Should the CRO have challenged senior and top management on why few members of management were investigated and disciplined?
  5. Given the state of the profession and the generally immature state of risk management, was it fair to say this CRO was negligent and hold her accountable for the widespread employee – and management – fraudulent activities?
  6. The internal audit function received a passing grade in its quality assurance review, indicating that it was (at least) conforming to the IIA’s Standards.

I don’t find it easy to defend this CRO in this situation. The facts do not appear to be in her favor. But that’s in hindsight, when it is clear that there was a systemic problem and the risk was understated in reports to top management, the board, and the regulators.

At the same time, I didn’t see in the OCC reporting any evidence that there was a deliberate act by the CRO to mislead leadership or the regulators.

Given that, was it fair to take 50% or more of the CRO’s wealth and ban her from working in the industry?

X

For the CAE:

  1. When management and the CRO were reporting this as a localized and not systemic problem, should the CAE have challenged them?
  2. Was it sufficient for the CAE to assert that he was placing reliance on detective controls, which appeared to have been working?
  3. Should the CAE have assessed the performance objective setting process?
  4. Should the CAE have assessed the control environment and whether management was treating employees appropriately?
  5. Was the CAE negligent for not including an audit of why there were sales practice frauds in the audit plan?

I also don’t find it easy to defend the CAE, but I am not sure how many audit practitioners would have done much better.

In my opinion, and with the great benefit of hindsight, I believe there were several defects in the Wells Fargo internal audit approach, including:

  • They might have called their approach risk-based, but it was in fact cyclical.
  • They identified the auditable processes within auditable entities, risk-ranked them, and then audited them on a 12- or 24-month cycle. That is not enterprise risk-based auditing. (Despite what the IIA’s draft GIAS says.)
  • If they had started with the enterprise objective (which they stated often) of satisfying customers with the products they needed, and then considered risks to that objective, they might have identified as high the risk of unreasonable quotas and management pressure on employees. They certainly should have once the stream of disciplinary actions was reported.
  • Nobody seems to have asked why so many employees were committing unlawful acts.
  • I believe he was too hands-off, relying far too much on his direct reports and the processes he had in place. Even though he had a huge department (it grew under him from 500 to over a thousand), he should have made sure the more significant enterprise risks were being addressed.
  • He relied on the work of other assurance providers without, as far as I can tell, auditing their work to confirm it was of sufficient quality.
  • His people were not in the branches. Even though they relied on a separate team to audit the branches, they needed to visit from time to time and listen to employees to know what is happening.
  • He defended himself by saying that his program had passed the IIA’s Quality Assurance Review and had received positive grades in the past from the OCC examiners. That is not an indicator of quality, nor that the audit plan included all significant risks to enterprise objectives.

As I reflect on my own career and experience, I can recall when I had reason to investigate (carefully) why accounting frauds were being committed in different geographies. I identified a control environment issue and reported to the audit committee of the board that several controllers and business managers felt pressure from more senior financial and operational managers to achieve financial targets – and only did so by manipulating the accounting.

But I am not sure how many practitioners, whether CROs or CAEs, would have done better than the two who were caught up in this situation and will probably be severely hurt financially – without much hope of further employment.

Was it fair to ban Julian and levy such a huge fine?

How many CAEs routinely consider whether poor management is the reason for lower earnings, compliance failures, or simply poor decisions?

It may not be everybody’s opinion, but while I fault both the CRO and the CAE (and the board!), I am not sure the penalties recommended by the OCC are fair.

I am also pretty sure that the Internal Audit Auditing Standards Board is not considering the high bar set by the OCC in its update of the IIA’s Standards.

What do you think?

====================================================================

[1] The judge recommended fines of $3.5 million for the General Counsel; $925,000 for the Finance Officer; $400,000 for the head of the Deposit Products Group; and, $350,000 for the head of Human Resources.

  1. October 16, 2023 at 7:50 AM

    Thanks for the comprehensive treatment of this topic. As far as the CAE is concerned, it would be beyond belief that he wasn’t well aware of the practices going on. And, given he benefitted from the results of the bogus sales practices, through incentive compensation, one could argue he just looked the other way. I have no knowledge of this, but there seems to be a direct line of sight to this as a conclusion, and likely why the CAE was not only charged, but fined, in an effort to demonstrate complicity (maybe not through direct action, but being in a position to do something about it, not doing anything, and subsequently benefitting). Quite a case study!

  2. Anonymous
    October 16, 2023 at 8:18 AM

    This is just brutal. Without commenting on the valid questions Norman raises, I pose some different questions: Where was the compensation committee of the board that is supposed to review the consequences from incentive comp plans? How did the compensation consultants advise the committee? What was disclosed in the proxy statement regarding the compensation committee’s review? Was their behavior and potential culpability reviewed by Justice?

  3. October 18, 2023 at 11:55 AM

    Norman, I just saw your post about this on the SCCE Linkedin Group. You are correct to bring this to the attention of CAEs and CROs. There was also a Delaware case (earlier this year I believe) in which the court had a broad definition of the term “officer” who might be responsible for spotting possible red flags and taking additional actions (i.e., the term officer was not limited to CEO and CFO, but was directed toward the level of authority and decision-making that the person held). Regardless of the Delaware case, CAEs and CROs and other officers (and possibly people below the officer level) need to be more aware of their legal and possible legal duties of diligence, and reporting, and of possibly needing to take additional actions. It is not that there is or will be a strategy to go after all CAEs, or CROs, or CEOs, or CFOs, or CLOs, or CHROs, etc. – however, people holding those positions and people wearing a number of different hats (possibly also including boards, directors, audit and governance committee members, etc.) need to take prudent, affirmative actions, and should not sit on their hands. These are topics that interest me greatly (e.g., authority, duty, rights, conflicts, diligence, compliance with laws and regulations, breach, investigations, liability, damages, mitigation, mediation and dispute resolution, etc.). And I would like to better connect with other people who are interested in these topics, and are of a mind to share and collaborate. David Tate, Esq. (and inactive CPA – California).

  4. djallc
    October 18, 2023 at 2:25 PM

    Great refresher.

    On a related, but separate, note. You ask why no one got excited about the 3% who were involved in unlawful conduct. I have seen a lot of survey results which would have framed this something like “97% of employees never engage in unlawful conduct” and then dismiss away the “minor” 3% as the “vast majority” are not a problem. This is why I see little value in looking at entity-wide numbers for this type of topic, preferring to rather focus on the impact of the 3%, or less, that can be a real issue.
