After five years of wondering, we’ve finally solved the mystery of Wells Fargo’s failed culture of risk management—and it’s even more shocking than I thought it would be.
In 2016 the banking giant paid $185 million in fines and fired 5,300 employees after thousands of employees secretly opened over 2 million deposit and credit card accounts for unwitting customers—transferring customers’ funds into them and often collecting fees, according to the Consumer Financial Protection Bureau (CFPB).
This account opening scandal was huge news, and it the time I warned that there must be serious weaknesses in Wells Fargo’s policies, procedures, and internal controls for this to happen. I even wondered if “Perhaps these issues go even deeper than anyone thought.”
Nearly five years later, we finally have the answer—and it’s not the answer we were given in the 110-page “independent” report commissioned by the board of directors. That report placed the blame entirely on management and provided fuel to regulator efforts to fine management for their malfeasance.
Now it’s clear that Wells Fargo’s poor risk management culture comes from the very top.
The Wells Fargo directors’ report on the account opening scandal is long and detailed. There’s just one problem: The law firm Wells Fargo’s board hired to investigate the bank’s sales practices, conduct 100 interviews, and review more than 35 million documents was also representing the board in a shareholder lawsuit questioning the board’s role in the scandal—a fact not mentioned in the report. It merely stated that the firm “had been determined to be independent of Wells Fargo.”
The board’s lead independent director at the time even went so far as to tell CNBC, “Well, the investigation findings concluded that the board acted appropriately based on the information it had at the time that it had it. And this is one of the reasons that we wanted to engage Shearman & Sterling, because the board and I wanted an independent, objective assessment of how the board performed in this instance,” according to a report in American Banker.
It doesn’t take a great legal mind to recognize this as a conflict of interest. As the lawyers representing a former Wells Fargo auditor facing regulatory scrutiny notes in an April court filing, according to American Banker:
“If the term ‘conflict of interest’ has any meaning, it describes the board report. The members of the oversight committee were concurrently accused in a shareholder lawsuit of the very wrongdoing that they were purportedly ‘investigating.’
“Thus, the committee members had a clear motive to shade the facts and conclusions to exculpate themselves. And the drafters—the committee’s own attorneys—were ethically disabled from impartially addressing the facts given their duties to their clients.”
The account opening scandal was just one of many (and the most prominent) regulatory issues Wells Fargo experienced over the last five years.
The company charged as many as 570,000 customers with auto loans for car insurance they didn’t need or buy (an act for which they are “extremely sorry”), illegally repossessed cars from service members, was sued for overcharging small businesses for credit card transactions, and improperly handled files containing the personal information of an estimated 50,000 high-net-worth customers of Wells Fargo Advisors. (See: Déjà vu: Wells Fargo Can't Stay Out of Trouble)
Barely a month after launching its “Re-Established” ad campaign with ads about “Earning Back Your Trust”, Wells Fargo was in trouble again, settling Securities and Exchange Commission (SEC) charges for violating its own internal policies by encouraging consumers to actively trade a product meant to be held to maturity. (See: Wells Fargo Scandals: Re-Established 2018)
The bank even drew the ire of Sister Nora Nash of the Sisters of St. Francis of Philadelphia. (See: Wells Fargo Answers to a Higher Power Over Poor Risk Management)
When fraud and unethical behavior is this common, it’s a sign of a real problem with an institution’s culture of risk management and compliance.
Good governance is at the heart of every risk management framework. Guidance makes it clear that a financial institution’s board of directors is ultimately responsible for risk management. It must promote a risk management culture, determine the bank’s risk appetite, develop a strategic plan that takes risk into account, and approve how risk is governed. A board must also be independent with no conflicts of interest so they can objectively evaluate the institution and its performance.
It's a common theme in risk management, one that’s been gaining even more momentum. The Three Lines of Defense model was recently updated to The Three Lines model, focused more on governance, collaboration, and the role of risk management in creating and protecting value. COSO’s ERM framework includes governance and culture as one of its five basic components. Discussions of ethics and culture are commonplace.
Lack of appropriate governance, oversight, and risk management systems and controls are the leading cause of enforcement actions. From Wells Fargo to Citibank’s $400 million penalty, which stemmed in part from not having an effective governance framework, regulators are not tolerating lax oversight or tolerating directors who shrug their shoulders in response to questions about why a problem occurred.
They’ve seen what happens when risk management culture and governance are weak. They know that, whether intentional or unintentional, it sends a message to management and down through the rank in file: it’s not necessary (or even desired) for employees to do the right thing. No one is watching, and no one cares.
Your board should be setting a good example when it comes to risk management, behaving ethically, and signing off on policies that support risk management and compliance goals. If they are not setting a risk management tone from the top, they are inviting problems and unscrupulous behavior.
How strong is the culture of risk management and compliance at your FI? Ask yourself these 6 questions to find out.