After its account-opening scandal last year, you’d think Wells Fargo would have examined all its policies and procedures to ensure the bank was following the letter of the law and keeping customers and their data safe.
When thousands of employees secretly open over 2 million deposit and credit card accounts for unwitting customers by transferring customers’ funds into them and often collecting fees, then the CFPB fines you $185 million, it should be a pretty big wake-up call.
When I first wrote about this last fall, I pointed out that this wasn’t a case of a few bad apples. It was a systemic problem caused by a lack of risk management. And if you’ve got one huge systemic flaw like that, who knows what else is slipping under the radar?
As it turns out, many things. So far we’ve learned that the company has charged as many as 570,000 customers with auto loans for car insurance they didn’t need or buy (an act for which they are “extremely sorry”), illegally repossessed cars from service members, and is being sued for overcharging small businesses for credit card transactions, CNN reports.
Now Wells Fargo is making headlines once again, this time for improperly handing over files containing the personal information of an estimated 50,000 high-net-worth customers of Wells Fargo Advisors, The New York Times reports. We’re talking names, taxpayer ID numbers, assets under management and the performance of those assets. Information about the firm’s financial advisors was also included, everything from compensation to client lists.
Not only did Wells Fargo’s third party turn over a huge amount of confidential data that wasn’t requested, it didn’t attach any confidentiality agreement to the documents or appear to follow other legal best practices for protecting data, the Times reports. There are basic questions that should be addressed by any good vendor management and customer privacy protection program as part of the bank’s overall risk management efforts. Third-party risk and privacy are hot-button issues for regulators, and they’re not going anywhere any time soon, especially if big banks like Wells Fargo keep messing up.
According to the article published in the Times:
“We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now.”
If that’s true, that’s an ugly example of fourth-party risk. I wonder if Wells Fargo’s contract with the firm included provisions to alert the bank to the use of subcontractors and provide insight into their data security practices. That’s vendor risk management 101.
Now Wells Fargo could be on the hook for violating customer privacy laws, and not just the ones in the U.S. Some of the accounts are foreign-owned and may be subject to the laws of those countries, including Europe’s stricter privacy rules, the Times reports. Not to mention the wrath of well-heeled customers who expect their bankers to keep their personal finances private.
Even proxy adviser Institutional Shareholder Services Inc. blamed the first scandal on the board failing “to implement an effective risk-management oversight process in a timely way and that could have mitigated the harm to its customers, its employees and the bank’s brand and reputation,” Bloomberg reported.
It can’t be said enough. Risk management touches every element of a financial institution’s operations. An institution’s board needs to promote a top-down culture of risk management if it wants to protect customers and the institution itself from undue risk. Failing to do so can only lead to trouble.
It will be very interesting to see what the regulators will have to say about this latest transgression.