Big Frauds

A clueless organization?

Wells Fargo phony-account fraud teaches us lessons



This new column will analyze the big frauds that all of us see in the media but don't always have time to ponder how they relate to our jobs.  — ed.

As reported in the media on September 9, Wells Fargo negotiated a deal to settle a lawsuit filed by the U.S. Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, and the City and County of Los Angeles. As part of the $185 million settlement, Wells Fargo didn't admit to any wrongdoing. However, it did confirm to the regulators and media that employees had opened more than two million checking, savings and credit card accounts without customer approval. Apparently this was done to meet "cross-selling" quotas for five years beginning in 2011.

I first read about this settlement on the morning of September 9 during a BART ride into San Francisco. I was on my way to our San Francisco ACFE Chapter Fall Fraud Conference, which coincidentally was being held at the Wells Fargo Penthouse conference center, one floor above the C-suite offices at WF Headquarters. Attending the conference were 75 ACFE members eager to learn about building resilience into a fraud risk management program.

Like a Phoenix rising from the ashes, management at Wells Fargo initially brushed aside complaints from regulators and the public that they share responsibility for the "bad behaviors" of the 5,000 plus employees. "There was no incentive to do bad things," Wells Fargo CEO John Stumpf told The Wall Street Journal in a September 13 article. (See Wells Fargo CEO Defends Bank Culture, Lays Blame With Bad Employees, by Emily Glazer and Christina Rexrode, September 13.)

A week later, Stumpf appeared to be more contrite. During his testimony to the Senate Banking Committee on September 20, he said he was "deeply sorry that we failed to fulfill our responsibility to our customers, to our team members, and to the American public" and that he takes "full responsibility" for the unethical activity. "I do want to make very clear that there was no orchestrated effort, or scheme as some have called it, by the company," Stumpf said. "We never directed nor wanted our employees … to provide products and services to customers they did not want or need."

Then, was the incentive to do 'good things'?

In ACFE language incentive is often termed "pressure." This is a great example of a disconnect between an organization's executive management and the ACFE members fighting fraud on the front lines.

While we live and breathe fraud prevention, detection and investigation daily, the management of large organizations is often blind to the battle. We know through our years of academic research and real-world experiences that the majority of employees can be manipulated to make unethical decisions if given the right circumstances. We've clearly defined what these circumstances are: opportunity, pressure and rationalization as depicted by the Fraud Triangle. Therefore, it comes as no surprise to us that employees under extreme pressure to sell products at a bank known for the phrase, "either you are moving up or moving out," would find any possible opportunity to survive.

Cross-selling products' curse

For years Wells Fargo had been viewed as a jewel shining bright in the banking industry. It maintained a reputation for high-quality customer service based on building long-term relationships. In fact, the firm had been so successful coming out of the financial crisis of 2008 that, until this fraud, it had been the largest bank in the U.S. based on market capitalization. (After Wells Fargo shares fell, JPMorgan Chase moved up on September 13. See JPMorgan tops Wells Fargo as biggest US bank by market cap, by Evelyn Chang, September 13, CNBC.)

However, much of Wells Fargo's success has been based on their ability to "cross-sell" products to existing customers: trying to get you to bundle all your banking needs with them. This practice isn't bad, unethical or illegal. Apparently, however, Wells Fargo's corporate leadership set unrealistic goals for branch employees to hit in their cross-selling activities.

Management scrutinized hourly, daily, weekly and monthly goals during team meetings and individual performance evaluations. These evaluations cascaded down from corporate executives to corporate and branch managers, all the way down to each individual banker, teller and other branch employees. According to The Wall Street Journal article, some branch employees met with their managers "several times a day to report their progress on meeting cross-selling targets."

Apparently the targets set by management were so unachievable that it created a climate of extreme anxiety within the culture of the consumer banking division of Wells Fargo. "It became a living nightmare," said Julie Miller, a former Wells Fargo employee. "They almost doubled our goals and decreased our incentive pay. It drove me to drink."

Miller said her health began deteriorating as she tried to meet daily requirements that her branch sell 42 products, such as mortgages and lines of credit, and open seven checking accounts. (See the article, Former Wells Fargo banker says pressure to sell products was 'living nightmare,' by Deon Roberts, September 9, The Charlotte Observer.)

Not only were employees afraid of not getting promotions or bonuses, they were afraid they'd lose their jobs. Stakes couldn't have been higher.

As anti-fraud professionals we know that this kind of pressure can easily lead to rationalization (the second leg of the Fraud Triangle): normally ethical persons making unethical decisions.

Unprecedented simultaneous and independent fraud

Many Wells Fargo employees had told management that the goals were too high, even impossible, but this kind of dialogue was neither appreciated nor tolerated at the bank. Therefore, we get to the third element of the Fraud Triangle: opportunity. This is where this fraud really deserves to take its place in the "Fraud Hall of Shame." To my knowledge there has never been anything like this before.

Most frauds are committed by individuals or small groups of people colluding with one another. Not so at Wells Fargo. In this instance, an entire sub-section of the retail banking workforce — approximately 5,300 employees out of about 270,000 — simultaneously and independently from each other exploited the same weaknesses in the Wells Fargo internal controls to open fictitious accounts. Yes, there might have been some sharing or collusion within a branch, but we're talking about a national bank with thousands of branches across the country.

The fact that two employees — one in San Francisco and the other in Chicago, for example — could use the same gap in internal controls to independently and simultaneously create fictitious accounts to meet the same targets destroys the notion that this was a case of a "few bad actors" or "under-performers" as Wells Fargo CEO John Stumpf said in the September 13 Wall Street Journal article.

This fraud validates that persons with diverse backgrounds, experience, geographic location, etc. will tend to behave in a similar manner with everything else being equal — in this case, going into survival mode.

Consider this the American banking sector's Lesson 101 on successfully confirming the elements of the Fraud Triangle on an unprecedented level. Unless there was an unreported secret "chat room" that instructed employees how to meet quotas by opening fake accounts, this was nothing short of a grass-roots fraudulent movement.

We know that one of the greatest fraud threats to any bank has to be employee embezzlement of funds. Therefore, every bank that I know has strict internal controls to prevent, detect and investigate any potential threat in this area. It's scary that thousands of employees over a period of more than five years (and possibly more) committed this misbehavior. I would think that once bank management became aware of several cases of this type of behavior, it would have quickly remedied the problems.

Fraud risk assessment was MIA

We know that fraud prevention is preferable to detection. It's less harmful, less costly and sends the right signals to the organization. One of the strongest tools we have in our anti-fraud toolbox is the fraud risk assessment (FRA). A properly performed FRA helps us identify potential threats to an organization and requires us to evaluate the existing internal controls to prevent them from harming it.

If Wells Fargo had completed an FRA on its retail-banking strategy years ago, it could've identified the potential phony-account scam before it even started. It could've warned management about the risks of creating too much pressure on employees and the potential consequences. Based on that information, management could've evaluated the program risks and internal controls to ensure they were in equilibrium with one another, and considered the monitoring activities that would be needed to detect improper behavior swiftly.

This is another "brilliant" example of how a legal corporate strategy that was 1) designed in the C-suite, 2) approved by the board and 3) applauded by Wall Street analysts and investors caused an unknown, indirect change in the organization's fraud risk profile.

Because Wells Fargo management didn't link its strategy to the underlying fraud risks of implementation, it missed an obvious risk created as a byproduct of its efforts to grow the business. Also, it possibly didn't understand its ethical culture. Management's poor read on an organization's culture can severely affect the results of any FRA.

The larger the organization, the more its top execs will be isolated, and the likelihood increases that management's perception of the company culture will differ from reality. All these combined components created a perfect storm at Wells Fargo and provided us with an exemplary case study.

Being a Certified Fraud Examiner is great, but actually using CFE skills to steer a ship clear of unethical or fraudulent behaviors is fantastic. CFEs are experts in fraud prevention and detection, so it's time to ask for the keys! Otherwise, we're just back-seat drivers, and our organizations are driving us from one crisis to the next.

Steve C. Morang, CFE, CIA, CRMA, is senior manager – leader advisory, fraud & forensics for Frank, Rimerman + Co. LLP and president of the ACFE's San Francisco Chapter. His email address is: SMorang@frankrimerman.com.

For more, see the sidebar, "As concerned CFE, Morang writes to Forbes."