When news of the Wells Fargo cross-selling scandal broke, many people cited a poor sales culture as the root cause. In the blog I wrote about this scandal, I pointed to the fact that the employees who were tasked with reaching certain sales goals were the same employees who were issuing new accounts and cards. With proper risk assessments and oversight, management would have identified the risk of employees meeting their sales goals improperly, and they would have mitigated this risk by implementing separations of duties and access rights.
After an in-depth investigation into the scandal, the CFPB and the OCC alleged the bank “failed to establish an enterprise-wide sales practices oversight program to prevent and detect unsafe or unsound sales practices, or mitigate the risks resulting from such sales practices.”
While these regulators point to a failure in risk management in their allegations, the scope is too narrow. For organizations to truly protect themselves from the punitive damages and reputational consequences of scandals, they need to implement risk management and oversight practices across the enterprise, not just within select departments.
I predicted that Wells Fargo would fall victim to subsequent scandals because they focused too narrowly on their sales department without considering similar vulnerabilities in other areas of their business.
My prediction first came to fruition when the bank leaked the PII of 50,000 accounts, and again when Wells Fargo admitted to charging their auto-loan customers for insurance they didn’t need. Both of these scandals are tantalizingly similar to the bank’s original cross-selling scandal. To avoid the repeat scandals and headlines they’ve found themselves at the center of, Wells Fargo needed to establish a robust enterprise risk management program and infrastructure, complete with risk assessments that extend across departments and levels.
Under the Wells Fargo settlement, which is the largest ever imposed by the consumer bureau, Wells Fargo will reimburse harmed consumers and make improvements to its risk management and compliance programs. The string of punitive actions in addition to this latest settlement should be a warning to all risk managers, C-suite executives, and companies alike: scandals are failures in risk management, wrongdoings are preventable, and upper management will be held accountable for their failure to oversee operational activities.
This is a message LogicManager and I have expounded for many years. Now, 18 months after Wells Fargo first topped news headlines, my prediction from September 20, 2016 has been accepted by two federal regulators, and all major press will report how the Wells Fargo scandal is now officially labeled a failure in risk management.