As a risk professional who has admired Wells Fargo for many years as a paragon of risk management, reading the Consumer Financial Protection Bureau's press release regarding the bank's alleged pervasive and fraudulent practices of opening unauthorized deposit and credit card accounts was like finding out your favorite professional athlete just failed a drug test.
What lessons can be learned from this episode? First, the extensive set of risk governance practices imposed on the largest banks in the country failed miserably. Regulatory lapses must be plugged. And, if the banking sector is ever going to extricate itself from periodic bouts with stupidity, investors, regulators and bankers must address incentive compensation plans squarely.
What's interesting about Wells Fargo is that they have historically managed risk well. But unlike credit or market risk, which both can be measured and monitored fairly well, the bank clearly was unable to identify the degree to which employee business practices were creating extensive operational, reputational and regulatory risk for the firm.
Now, a collective set of penalties totaling $185 million isn't even a flesh wound to the bank's net income, which in the second quarter of 2016 was $5.6 billion. But the fallout for a company like Wells Fargo, notwithstanding its status as a favorite of Warren Buffett, is costlier in terms of the tarnish to a great brand. When another bank with strong risk management roots, JPMorgan Chase, stepped into major headline risk with the London Whale scandal, the company faced massive scrutiny (albeit well after the fact) by the Office of the Comptroller of the Currency, an angry Congress and investor turmoil for some time. However, Wells Fargo finds itself in a bit of a different predicament as the incident wasn't just some arcane derivatives trading gone wrong but a pervasive effort to create a massive number of unauthorized consumer accounts. This activity severs the very foundation of the bond between customer and bank that even in the digital age is priceless.
Fundamentally, the nature of Wells Fargo's activity in this instance appears to be a failure across the board at identifying and addressing the risk that was present at the bank. And, unfortunately, it starts with a breakdown in the application of the regulatory edict for large banks referred to as "Heightened Expectations" and the related concept of "Three Lines of Defense."
Heightened Expectations was an expansive set of regulatory guidance intended to firm up the risk management governance practices of large banks that were clearly lacking in the years leading up to the financial crisis. It set out clear expectations for the board of directors and a three-layered firewall of protection against risk events. Line management under this construct serves as the first line of defense by owning the risk. In this role they are on point to identify and call out risks that are going on in their business. If, as the reports suggest, Wells Fargo terminated more than 5,000 employees over a five-year period for opening unauthorized accounts, the first line of defense collapsed.
The second line of defense in this structure, namely the corporate risk management function, is supposed to oversee and identify material risks that differ from line management. Given the result, the second line of defense also failed the company. Internal audit as the third line of defense is meant in part to monitor and report on emerging risks through its periodic audit program. The results suggest that all three lines of defense let Wells Fargo down.
Creation of more than 1.5 million unauthorized deposit accounts and more than a half million bogus credit card accounts is not just some isolated event. While there was clearly a major breakdown in risk management's accordance with the heightened expectations guidance, it also raises question about the vigilance of the OCC, which wrote the guidance.
Wells Fargo, like all large national banks, has on-site supervision by its primary regulator, the OCC. It seems surprising that as widespread as this activity was that the regulators apparently had no idea until sometime later.
Of course, imposing risk management rules such as heightened expectations on banks is relatively ineffective no matter how much it might seem appropriate. People respond to incentives. In banking, management and employees are rewarded for delivering on their business objectives. Over-the-top business objectives will invariably lead otherwise good people to do stupid things. We saw this during the mortgage boom and it will always be lurking below the surface.
What is scary about the Wells event is that a bank that is well known for its risk management prowess allowed poorly designed business objectives and incentive compensation to overtake its strong risk culture. Shareholders of Wells Fargo and customers should demand management take ownership of this debacle by investigating how this activity was allowed to take place and holding managers found responsible for this activity accountable. At the same time, more investigation is needed of what the regulatory community is adding to the oversight process. From the financial crisis, to the Libor rigging and London Whale scandals to now the Wells Fargo incident, we must question the effectiveness of those charged with overseeing the safety and soundness of our financial institutions.
Wells Fargo will no doubt move on from this event in time, but no bank wants or needs the type of media exposure that comes with these sorts of incidents. This underscores the need for bank boards to insist on strategic plans that contain realistic objectives, incentive compensation plans that balance risk and return, and a risk culture that allows any employee to elevate wrongdoing and risky activities without fear of retribution. Only when these practices are in place will these types of events cease.
Clifford Rossi is Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business at the University of Maryland.