Enterprise Fraud Risk Governance: CEO’s Ouster Doesn’t Mean Jack!

Enterprise Fraud Risk Management

The Cover-ups Always Worse Than the Crime

The Coverups Always Worse Than the CrimeCalling Messrs. Nixon, Ehrlichman, Mitchell, Haldeman and Dean. The Watergate crew: guys who put teeth into the phrase “the coverup’s always worse than the crime.” Add Rose Mary Woods, in case you accidentally need 18 minutes of tape erased, and you have a full house.

Oh sure, there have been other bad actors who’ve contributed to civil and criminal cover-ups over the years but the Watergate boys (and girls) are probably history’s most famous poster children for this phrase.

Enter Wells Fargo and their management team. The most recent corporate management debacle involving the Stagecoach Bank isn’t exactly the political Watergate juggernaut however it’s quickly becoming an example of corporate governance, risk and compliance (GRC) gone bad… really, really bad.

The Timeline

Fraud WhistleblowerTimelines are always integral in long running events and the CEO’s 2016 Senate testimony suggests that he either didn’t know about the account practices until 2013, or alternatively, that he only became aware the practices had escalated in certain regions in 2013. Either way, the “I didn’t know” defense is not a good response from the executive overseeing a large financial services organization with a big governance problem.

In 2007, it’s been reported that a former employee sent a letter to the CEO making him aware of the unethical account practices. Ultimately, the same employee won a federal whistleblower case against the bank in 2008.

A lot of time elapsed between 2007, when the company was served noticed that there was an issue with unethical account practices, and 2013. This suggests that employees, including the CEO, “should have known” (prior to 2013) what was going on.

Bad Governance Practices

Governance, risk and complianceEveryone’s discussing this case like it’s solely about unethical or illegal account opening practices. There’s always a “story behind the story” and the account practices are simply the symptoms of bigger issues involving serious, systemic and big picture, GRC deficiencies at Wells Fargo.

Whistleblower lawsuits are a big deal and should have triggered executive, audit, governance, legal, board and CEO notifications. At a minimum, the employee’s original letter should have also gone to internal investigators, compliance, legal, and other internal departments with governance accountability responsibility, before moving on to the audit committee and board.

So, any testimony which suggests that executives “didn’t know about the unethical or illegal account practices until 2013” is a bit hard to swallow.

In 2016, for the bank to say “they’re adding this information to their ongoing investigation” is ridiculous since it would be hard to fathom that they haven’t already known about the existence of these practices for almost TEN years! Starting to sound like a cover-up.

The Doctor is In (Not Really)

The Doctor is InHospitals have all types of medical personnel who treat illnesses. Likewise, corporations have a variety of governance employees to ensure the fiscal, regulatory, financial and legal health of the business.

In 2013, six years after initial notification, which is more than enough time to diagnose, treat and shut down fraudulent, illegal or unethical business activities, shady account practices were still in existence at Wells. This seriously calls into question the GRC policies, practices, procedures and management oversight (or lack thereof) in place at the bank.

So, it would appear that Wells either condoned the profitable account activity (as executives financial compensation incentives are tied to company performance), or tried to take action but ultimately didn’t have the right personnel, infrastructure or business culture in place to implement change. It’s absolutely incredulous that this went on for so long and appears that Wells ultimately ignored the issues raised by the whistleblower.

Where Were The Regulators?

Federal Banking RegulatorsFinancial institutions are one of the most heavily regulated industries on the face of the planet. So, while everyone’s talking about Wells account practices, I’m not sure that’s the biggest issue here.

The bigger question, which begs asking, is “where were the federal regulators during this time period?” You know, the government entity responsible for protecting consumers. With the massive amount of news, legal, data feeds, audits and legal powers  federal regulators have it seems odd that this practice could have gone unnoticed for six years, or longer, without regulatory detection, intervention and elimination.

The Bottom Line

The symptoms of this illness are unethical, and more than likely illegal, account practices which have certainly been well documented. However, most people are focusing on the symptoms in this case and not the illness which is much bigger in scope.

Doctors treat illnesses not symptoms. In this case however, it appears that employee’s with GRC, auditing, ethics and legal responsibility for treating the banks illness were “asleep at the switch.”

If a sick patient were in the hospital for six years, and showed no signs of improving, we’d seriously question the doctors prescribed course of treatment and medications. Why should we think of Wells Fargo’s illness any differently?

The CEO departed and that’s supposed to leave us thinking that the patient is going to get better. The reality, however, is that the CEO’s leaving “don’t mean jack!” To think this solves Wells Fargo’s issues is comical, just like the image. The bank’s bigger governance problems, along with much of the personnel responsible for administering GRC efforts during these years, are still in place and this should seriously bother everyone, including federal regulators.

Dan casual headshot

About the Author: Daniel Draz, M.S.,CFE is a recognized leader in the fraud profession. Fraud Solutions provides innovative enterprise fraud risk management consulting, fraud strategies, fraud risk assessments, fraud training, fraud content, subject matter expertise, thought leadership and insightful observations to clients across industry verticals.