
Inside Internal Controls

News and discussion on implementing risk management


The astonishing Wells Fargo fraud

The news about the Wells Fargo staff ‘scam’ (the word used in SC magazine[1]) is mind-boggling.

It’s not just that staff at Wells Fargo “opened an estimated 1.5 million deposit accounts and applied for roughly 565,000 credit card accounts according to the Consumer Financial Protection Bureau (CFPB). Once the accounts were opened the employees transferred money to temporarily fund the new accounts which allowed them to meet sales goals and earn extra compensation.”

It’s not just that Wells Fargo was fined $185 million (including the largest ever fine by the CFPB).

It’s not even that the scam lasted 5 years.

What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees).

In time, I am sure more details will surface.

But I have a problem with this statement from the bank’s CEO:

“Our entire culture is centered on doing what is right for our customers.”

How can he say that when 2% of the total Wells Fargo workforce was fired as a result, presumably, of being involved?

When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!

According to an article in the NY Times, “Wells said that the employees who were fired included managers and other workers. A bank spokesman declined to say whether any senior executives had been reprimanded or fired in the scandal.”

The lack of information implies, in my mind, that senior executives have not been held to account. Can that be right? I hope that will change.

The CFPB says, “Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges.”

The Director of the CFPB adds, “Unchecked incentives can lead to serious consumer harm, and that is what happened here.”

It’s so easy to say that “unchecked incentives can lead to serious harm”. That’s so obvious. It applies to every organization.

It’s also easy to say, as they do, that internal controls failed.

But this incident raises so many questions!

  1. The culture was clearly massively flawed, despite what the CEO says. In fact, his statement reveals a lack of understanding not only of the word ‘culture’ but also of the real problem. I am not sure how the board can have confidence in his ability to change the culture. The surviving employees will be in shock and so risk-averse that the bank will suffer enormously.
  2. The PCAOB and others love to use the word ‘pervasive’. But here is an example of something that is truly pervasive. I believe senior executives either knew or should have known of the problem. Did no employees come forward? Did nobody see a trend in customer queries and complaints about accounts being opened they had not requested? Where was the Chief Compliance Officer?
  3. Was top management asleep or did they just have their eyes and ears closed?
  4. Should risk management have done something?
  5. Where was internal audit?
  6. Where was the board?

We have insufficient information with which to answer these questions.

I don’t know that risk management could or should have done anything. I doubt this kind of scam would be identified as a risk.

I do have to ask whether risk management:

  • had satisfied themselves that the fraud risk assessment (assuming one was done) was complete;
  • were monitoring the level or type of consumer queries and complaints, which should have been a leading risk indicator;
  • had effective monitoring of customer satisfaction, which should have been a risk to assess and watch; and
  • had done sufficient work relating to the organization’s culture.

The same questions apply to internal audit.

But, I would expect internal audit to be more aware of customer complaints and customer satisfaction than risk management. Controls over customer satisfaction risk, and especially responses to complaints, should have at least been considered in building the audit plan.

They should also be more skeptical than risk management can afford to be (for political reasons) of organizational culture, and I have to question whether any warning signals were picked up by auditors in the course of their work. Were they so focused on completing the audit program that they were not watching and listening to what was happening around them? Were they ‘auditing by walking around’? Did they listen to customers at all?

I don’t expect that the board had any reason to believe this was going on. They have to rely on management, risk management, and internal audit for information on culture, the management of fraud and other risks, and the performance of controls.

But I do expect the board to take swift and decisive action once a problem like this appears.

That includes educating the CEO that his comment about Wells’ culture is absurd and that the culture needs to be fixed.

It also includes holding senior management to account. Hopefully we will hear more about that in time.

What do you think?

Do you agree with my comments?

What would you expect from the board, risk management, and internal audit?

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

[1] SC magazine
