What Wells Fargo taught us about culture and compliance


"While we rely on risk professionals to take primary responsibility for managing and escalating risks, we firmly believe that managing risk is everyone’s business. All team members have a responsibility for managing risk. Compliance and risk management are part of our culture and are an extension of our code of ethics. We expect team members to identify and escalate potential risks, and we must give them a safe-haven to report their concerns without fear of retaliation. Wells Fargo, “ Our Culture 

There’s a Hans Christian Andersen tale that’s particularly relevant to the financial services industry. In “The Emperor’s New Clothes”, two swindlers (neither of whom were merchant bankers) secure from the Emperor a large sum of money after promising to provide him with spectacular new clothes. They ‘delivered’ glorious raiment that they claimed was invisible to the stupid, the incompetent and those unfit for high positions. Naturally enough, the Emperor and his courtiers marvelled at the quality of these invisible (and logically intangible) clothes until a child saw the truth and exposed the Emperor’s nudity.

Traditionally, fairy stories don’t simply entertain, they teach. Anyone who endured last year’s coverage of the financial services industry might regard “The Emperor’s New Clothes” as an appropriate metaphor for 2016. In a year of scandals, regulatory action and relentless media scrutiny, the failure of licensees – or their highly paid and well-promoted management teams – to honestly assess and check their own conduct is both incredible and disheartening.

While it’s tempting to rationalise these failures as the work of “bad apples”, the causes of most of these failures were, as ASIC assert, cultural failures.

The marriage of culture and compliance

One could explore the relationship between culture and compliance by focusing on Australia’s “ethical” banks, our Insurers and Fund Managers. We’ve written on Australian compliance culture previously (Crises of Culture and Gliding Over All) and even though the Wells Fargo scandal is not directly comparable to our experience, it provides such an interesting case study that it justifies some consideration.

See Planet Money’s report titled “The Wells Fargo Hustle”.

For those of you who routinely pass over reports of international regulatory scandals, the plight of one of the United States’ largest banks is too important to overlook. In a nutshell, the Bank opened almost two million bank accounts without customers' knowledge or permission and collected fees and bonuses for these bogus accounts.

Australians know how difficult it is to switch banks so perhaps we’d appreciate it if one of our Banks made opening accounts so easy that it didn’t even require our involvement, knowledge or consent.

Unfortunately, the American Regulators called this misconduct, rather than lauding it as “out of the box thinking” or “proactive customer service”.

In what is a remarkable departure from Australian tradition, Wells Fargo's CEO, John Stumpf, responded to the public scandal by declaring that

“the bank's upper management wasn't responsible for the giant scam …. it was just a bunch of bad apples working at bank branches. Mostly low-level employees.” Planet Money Episode 728

It’s generally accepted that aggressive sales targets can lead to mis-selling, but the Wells Fargo scandal suggests misconduct an order of magnitude greater than traditional mis-selling. It appears to be institutionalised, prolonged and broadly tolerated.

You might argue that, like many financial services organisations, Wells Fargo simply had a blind spot about their corporate culture. It’s a reasonable thesis until you realise that, like the Emperor with his new clothes, the ‘blindness’ seems deliberate and consensual. While it’s dangerous to impute motives to Bank Executives, you’ll recall that, in the fairy tale, the Courtiers were aware the Emperor was naked but they maintained his delusion and protected him from the truth in order to maintain their own power, position and benefits.


Assessing culture

"Measure what is measurable. Make measurable what is not". Galileo Galilee


In reality, it’s not uncommon for an organisation’s espoused culture to differ from its actual culture. Great leaders recognise the gap between the two and work assiduously to make reality better match their aspirations. Managers, in contrast, prioritise definite (financial) measures over corporate vision. One additional complication of assessing culture is that while “cultural failures” are obvious in retrospect, the "quality" of an organisation's culture is difficult to identify, assess and measure with any degree of confidence. Perhaps this is the reason why, in the wake of the Wells Fargo scandal, FINRA, the Financial Industry Regulatory Authority, has retreated from emphasising the “culture of compliance” to focusing on rogue representatives and recidivism.

(Some critics have even suggested that Regulators’ focus on “culture” is a fool’s errand; it distracts focus from incentives and conflicts and fails to recognise that complex organisations are not mono-cultures but a multitude of loosely associated sub-cultures.)

For an excellent perspective, read Matt Kelly’s “Ideas on Auditing Organizational Culture”.

Despite the obvious difficulties in assessing an organisation’s culture, we should still make the attempt - if only to anticipate risks and identify points of vulnerability.

“Tone from the top” is a good place to start unless, or until, you recognise that CEOs' soundbites don't translate into behavioural expectations when those expectations are divorced from consistent, and consistently applied, consequence management processes.

In the end, the Wells Fargo example shows that employees are more motivated by "likely" financial consequences than they are dissuaded by "possible" regulatory ones. In an extremely competitive industry, and one that based rewards on client numbers, retention rates and product sales, was the Wells Fargo misconduct really unforeseeable?

In the context of the broader industry, is the conduct really atypical?


Incentives eat Culture

“Culture is the attitude we bring to work every day - the pattern of thinking and acting with the customer in mind ... It’s contrary to our culture to provide our customers any product or service that is not appropriate for them” John Stumpf, CEO, Wells Fargo


If we reject the implied “ignorance/negligence” defence, then the scale of the delusion that Wells Fargo were under about their corporate culture appears staggering. In the aftermath of their exposure, many observers have focused on the management team’s performance or the bonus schemes that Wells Fargo had in place. Too few have focused on a corporate culture that seems to have imposed significant pressure on low-wage workers to achieve unrealistic sales targets and punished those that objected to the strategy. Fewer still on the human impact of this culture in terms of stress leave, turnover, lost productivity and illness. To date, we know that up to two million fraudulent customer accounts were opened. We also know that after discovery of this misconduct, about 5,300 of these low-wage workers have been fired.

There is a legitimate argument that these workers acted unethically and contrary to Wells Fargo’s values. It's accepted that they knowingly opened fraudulent accounts. It's therefore reasonable, and entirely legitimate, some argue, for Wells Fargo to have terminated their employment. This argument, underpinned by an espoused commitment to good governance principles, is simply a variation of the “bad apple” defence so frequently used by Australian Licensees responding to unfavourable press coverage or inconvenient regulatory action. It is an argument that is not, however, terribly convincing. While individual agency is a factor to consider, the structure, environment and context for the misconduct is far more important. Crucially, these latter factors were all controlled, or materially influenced by Wells Fargo management.

An interesting question to consider is whether the low-wage workers acted illegally to secure bonuses, to keep their jobs or just secure a living wage.

We can only speculate on individual motivations, but the Executives' likely motivations are perhaps much clearer.

There's an interesting aspect of the remediation process that should be noted. Despite 5,300 job losses and penalties of $185 million levied against the bank, not a single high-level executive was fired. Even their “sandbagger-in-chief” was not significantly penalised for overseeing what the CFPB describe as “unfair and abusive practices under Federal Law”. Even though CEO John Stumpf responded to sustained criticism of his leadership by leaving Wells Fargo in October 2016, he still left with over $133,000,000 of retirement benefits.


The naked emperor

“Culture is the by-product of consistent behaviour” Jason Fried & David Heinemeier, “Rework”


Why didn’t anyone tell Wells Fargo that they were rewarding misconduct and celebrating achievements based on falsified data?

Why weren’t these problems escalated?

The reality is that many staff tried to do so but, as Planet Money’s Chris Arnold found:

“Ex-workers who resisted pressure to push banking products on customers who didn't want them say Wells Fargo retaliated against them by docking their permanent record, sabotaging future job prospects”. NPR

This is the heart of Wells Fargo’s critical cultural failure.

Those staff brave enough to challenge the “dummy account” strategy were silenced, stigmatised and systematically excluded from alternative employment. Low-paid workers, lacking any option except to comply with corporate behavioural norms, adjusted to the performance-driven culture. They created fake accounts, kept their jobs and Wells Fargo raked in millions of dollars in fees.

Culture and controls

It’s depressingly easy to conceal corporate imperatives beneath the rhetoric of “rogue representatives” but the Wells Fargo scandal shows the limits of individual agency.

The scandal also highlights the brutal reality that without real whistle-blower protections, and without certainty that moral courage will be recognised and rewarded, most staff will ignore or replicate non-compliant conduct.

You might ask why the internal controls were so ineffective in ensuring Wells Fargo's compliance with the financial services laws. Where were the "integrity police"?

It's a vitally important question but one that is also profoundly difficult to answer from a distance. The role and contribution of the compliance team is unclear, but the ensuing scandal that embroiled Wells Fargo might prompt one to ask whether any internal compliance/internal audit function can resist internal pressures well enough to courageously champion customers’ best interests and fearlessly hold management to account.

While external compliance advisors/auditors may sometimes uncover organisations’ blind spots and vulnerabilities, it’s far less common for these blind spots to be detected, reported and escalated by internal compliance advisors/auditors in the face of unsympathetic management.

Differences in capability or competences don’t adequately explain this difference. While courage may be an important differentiator, conflicts, compromises and cultural expectations may have a larger impact. This is not to suggest that internal compliance resources are either unnecessary or ineffective. Rather it suggests that an effective compliance framework should mitigate conformity risks by incorporating periodic assessments performed by independent compliance experts.

"How does a bank that is supposed to have robust internal controls permit the creation of over a half-million dummy accounts? ....... If I were a Wells Fargo customer, and fortunately I am not, I'd think seriously about finding a new bank." David Vladeck


Lessons from their experience

Any similarity between Wells Fargo and any Australian Licensee is unintended and purely coincidental. Nevertheless, Australian Licensees could draw the following lessons from the Wells Fargo example.


1.   Appreciate that any complex organisation doesn’t have a single “culture”. 

Try to assess your business by considering the norms of each group/department, the incentives offered and the consequences consistently applied for ‘misconduct’.

2.   Understand that you cannot accurately (or honestly) assess the culture of the organisation in which you are immersed. 

Seek external assessment and validation. Recognise that the quantification inherent in traditional operational risk management does not easily coexist with what is necessarily a subjective and qualitative assessment. Appreciate that your key risk indicators, which are likely lag indicators, are not definitive in their own right but only illustrative of potential issues.

While they may determine the additional investigation required, unless they are real time measures they have limited applicability. A synergistic approach is required.

Recognise that the strength of your culture is demonstrated by how you respond to current or anticipated issues.

3.   Those internal functions on whom you rely for honest and critical assessment are inherently compromised and may struggle to function as an effective control of management. 

Understand their limitations and consider their willingness to have uncomfortable conversations with senior management. Even separate reporting lines may not be adequate. Ensure that you have clear escalation processes in place. Review your Incident Management policies to mitigate structural conflicts.

4.   Consider how you reward whistle-blowers.

Consider whether your measures, processes and procedures encourage and support staff that expose misconduct and protect them if they are compelled to "blow the whistle".

5.   Recognise that your corporate culture is both organic and mechanical. 

Although the environment can influence and affect employees’ behaviour, consistent behaviour can also influence and affect the environment in which they operate. If you’re trying to change culture, focus on both aspects.

6.   Recognise that Conflicts of Interest are more subtle, and more insidious, than you might expect. 

Broaden your perspective to include conflicts created by your organisational structure and reporting lines.

7.   Appreciate that regulation (and over-regulation) is the inevitable consequence of failures of control and self-regulation. 

Direct your resources to effectively managing conduct rather than to confirming formal compliance.

8.   For most employees, continued employment is more important than compliance. 

If you have a vision and mission that you want employees to meet, make your expectations explicit and consistently respond to individuals' failures to meet those expectations.

9.   The potential penalties for non-compliance seldom exceed the immediate advantages gained by non-compliant behaviour. 

Law reform might be a pipe dream but you can bolster your contractual arrangements to discourage non-compliant behaviour. Review your employment agreements and bonus schemes.

10. Reputations are fragile. 

Manage regulatory engagements effectively, take advice and engage PR professionals.






(c) 2017 Assured Support and Sean Graham
