
Wells Fargo: what happens when all three lines of defence fail

Blog by Liz Sandwith, chief professional practice advisor |  19 September 2016


US bank fined $185 million. Internal audit of sales incentives, anyone?

I have been reading with some interest the various press releases regarding the recent fine imposed on Wells Fargo Bank by the Consumer Financial Protection Bureau (CFPB), the largest fine the CFPB has ever levied. It reminded me of the South Sea Bubble I studied as a student.

That earlier case ran like this. The company created fictitious policyholders in order to meet sales targets and objectives. But it didn't end there. In order to generate sufficient funds to pay the premiums on these fictitious policies, it had to 'kill off' some of the policyholders and then, because it now had funds it didn't know what to do with, it created yet more policyholders. You can see the circle. Just before the bubble burst, the figures indicated that the company was insuring more people than lived in the US.

The Director of the CFPB said, 'Unchecked incentives can lead to serious consumer harm, and that is what happened here'.

The Wells Fargo scandal is sure to reshape the discussion on how much regulation we should impose on the banking sector, and on how well banks' systems of internal control and risk management are functioning. In its brazenness, with so many people taking part in activities that were so clearly wrong, it is obvious that Wells Fargo suffered from a crisis of culture. It is hard to attribute bad behaviour to 'a few bad apples' when it involved thousands of employees.

Wells Fargo: what do we know?

Staff at Wells Fargo 'opened more than 1.5 million unauthorised deposit accounts and applied for roughly 565,000 credit card accounts', according to the CFPB. Once the accounts were opened, employees moved customers' money to fund the new accounts temporarily, which allowed them to meet sales goals and earn extra compensation. The practice went on for some five years, and Wells Fargo has fired about 5,300 workers over it (roughly 2% of a total staff estimated at 265,000).

According to the press, the statement from the bank's CEO said, 'Our entire culture is centred on doing what is right for our customers'. How can he say that when 2% of the total Wells Fargo workforce was fired as a result, presumably, of being involved? When 2% of employees are fired, surely the reasonable assumption is that many more knew or should have known. One might suggest that the prevailing culture was in reality to do what was right for the staff, not the customers!

Questions are being asked, as always happens when events like this occur:

  1. Was top management asleep, or did they just have their eyes and ears closed?
  2. Should risk management have done something?
  3. Where was internal audit?
  4. Where was the board?

At present there is not enough information available for commentators to answer these questions.

What is scary about the Wells Fargo event is that a bank well known for its risk management prowess allowed poorly designed business objectives and incentive compensation to override its otherwise strong risk culture.

Could Wells Fargo happen in a UK company?   

As internal auditors, we must ask ourselves these questions: 

  1. Have we satisfied ourselves that the fraud risk assessment was complete, assuming one was done at all?
  2. Are we monitoring the level and type of customer queries and complaints? At Wells Fargo these might have been a useful key risk indicator.
  3. Have we done sufficient work on the organisation's culture, particularly the sales culture within our own company?

These are questions we need to be able to answer as internal auditors in any company where there are sales incentive schemes in place. 

The culture at Wells Fargo was clearly and massively flawed, despite what the CEO says, wrote risk management expert Norman Marks in his blog. According to Marks, there is no indication that internal audit did in the past, or would in the future, look at:

  1. The setting of compensation targets (for example, to confirm that they will drive desired behaviour and are consistent with the achievement of corporate goals, not merely that they deter undesirable behaviour, which is the point the regulator focused on)
  2. The culture of the organisation, how whistleblowers are treated and whether employees are willing to come forward
  3. The design and operation of controls over the opening of customer accounts
  4. The design and operation of controls around customer complaints, for example to identify trends

Internal audit should also be more sceptical of organisational culture than risk management can afford to be (for political reasons). Norman Marks questions whether auditors picked up any warning signals in the course of their work. Were they so focused on completing the audit programme that they were not watching and listening to what was happening around them? Were they 'auditing by walking around'? Did they listen to customers at all? These are all valid questions, and ones we need to ask ourselves; otherwise we might well be the next Wells Fargo Bank!

Comments from internal auditors 

The lesson here for all companies is that pressure and incentives around sales goals are an important part of an organisation's culture. Messaging and communications to employees, especially informal ones, that sales targets must be met at all costs will often override those that encourage employees to do the right thing. 'This is very likely a case where there was a classic environment of pressure to achieve numbers, which caused employees to rationalize their fraudulent behaviour', says Anne De Traglia, director of internal audit at United Airlines.

According to Clifford Rossi, Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business at the University of Maryland, 'All Three Lines of Defence Failed.' The major risk management breakdown at Wells Fargo, apparent from the bank's phony accounts scandal, shows that when it comes to the concept of the 'Three Lines of Defence', every one of them failed to stop the wave of fraud.

In turn, line management, the corporate risk management function and, finally, internal audit must all have failed for the scandal to take place.

For a financial institution known for its risk culture, it is surprising to discover how poorly designed its business objectives and incentive compensation plans were. The bank will undoubtedly suffer reputational damage, but the strategic changes the bank's board must now implement are likely to have a resounding impact on others in the industry.

Sense checks? 

The scandal also serves as an important reminder to all companies: revisit your compensation and incentive plans. People will always do what you pay them to do.

Fundamentally, the nature of Wells Fargo's activity in this instance appears to be a failure across the board to identify and address a risk that was present at the bank. And, unfortunately, it starts with a breakdown in the application of the regulatory requirements for large US banks known as 'Heightened Expectations' and the related concept of the 'Three Lines of Defence'. The second line of defence in this structure, the corporate risk management function, is supposed to oversee and identify material risks independently of line management. Given the result, the second line of defence also failed the company.

The scandal is in its infancy and we will surely learn much more about it in the weeks and months ahead. Remember WorldCom and Enron, and how the full story emerged only over time. The big question is how pervasive these same practices were at other big retail banks, and whether they could exist within the UK. With the problematic practices so widespread at Wells Fargo, it is hard to imagine it wasn't happening elsewhere to some degree. Depending on how much the scandal widens, there are likely to be calls for tighter regulation and better internal controls to guard against this type of behaviour in the future. Those may be wise, but don't expect them to be the last word on major banking scandals, says Joseph McCafferty, director of audit content for MIS Training Institute.

Internal audit, as the third line of defence, is meant in part to monitor and report on emerging risks through its periodic audit programme. The outcome suggests that all three lines of defence let Wells Fargo down.

Lessons learnt? 

First, the extensive set of risk governance practices imposed on the largest banks in the country failed miserably. Regulatory lapses must be plugged. And if the banking sector is ever going to extricate itself from periodic bouts of stupidity, investors, regulators and bankers must address incentive compensation plans squarely. What is particularly interesting about Wells Fargo is that it has historically managed risk well. But unlike credit or market risk, both of which can be measured and monitored fairly well, the bank was clearly unable to identify the degree to which employee business practices were creating extensive operational, reputational and regulatory risk for the firm.

Fundamentally, this is an issue about the culture of the company and the behaviours of its people. As internal auditors we need to take note and refer back to the institute's recent research publication on auditing culture. There has been discussion about whether it is possible to audit the culture of the whole organisation in one audit, or whether there is merit in taking it in bite-sized chunks. We have discussed auditing the risk culture; now perhaps we need to add auditing the sales incentive culture to our list!

Potentially, this will be an epic example of how the internal audit, risk management and anti-fraud professions have once again failed to rise to the occasion and prevent a simple fraud from occurring in the first place. We cannot hold management responsible before we have admitted our own failure to make a difference.

A review of our 2016/17 annual internal audit plan might make sense: is there anything in the plan relating to sales incentives and culture? Perhaps we would also do well to undertake a risk assessment of sales incentives, to ensure that appropriate internal controls are in place, that the control environment is strong and that the culture supports the expected behaviours.


Further reading

Chartered IIA's guide to Culture Embedding and Assurance



Content reviewed: 20 January 2022