Wells Fargo Data Breach: The Saga Continues (Part 1)

Steven Minsky | Aug. 9, 2017

In a recent interview I had with business journalist L.A. Winokur regarding the Wells Fargo cross-selling scandal, I made a prediction: “Once the dust of this scandal settles, perhaps in two or three years, Wells Fargo will remain vulnerable in other areas of its operations to risk management failures.”

Low and behold, the only part I didn’t get right was the timeline. In less than a year of paying $185 million in penalties, the largest fine ever levied by the CFPB, the bank finds itself in headline news for yet another scandal: this time, a leak of personally identifiable information for over 50,000 accounts.

I predicated this outcome because I have always maintained that if a company does not address the root cause of a failure in risk management, the problem is not solved, and other scandals with the same root cause will arise again and again.

Wells Fargo and their customers have fallen victim to ineffective risk management, brought on by poor governance. After a 6-month independent board committee investigation into the root cause of their cross-selling scandal, the bank found ineffective governance structures and poor risk management processes to be at the heart of the problem. However, after identifying these factors, the Wells Fargo board did very little to materially change their operations, culture, and leadership in way that would better protect their employees, customers, and shareholders.

Let’s look at Wells Fargo’s original scandal with an eye towards how their failure to mitigate the root cause of their risk led to the bank’s most recent headlines.

Failed Risk Identification Causes Wells Fargo Cross-Selling Scandal

In 2013, rumors circulated that Wells Fargo employees were engaging in aggressive sales tactics to meet their daily cross-selling targets. It began with 30 employees in San Francisco fired for opening new accounts and issuing debit or credit cards without customer knowledge. One Wells Fargo spokesman said, “We found a breakdown in a small number of our team members. Our team members do have goals. And sometimes they can be blinded by a goal.”

Of course, as we now know, this was no small breakdown. Over five years, 2 million false accounts were created.

As the investigation unfolded, it became clear that Wells Fargo was reluctant to admit that this issue was systemic, stemming from poor culture and ineffective monitoring of separation of duties. Former CFO Tim Sloan stated, “I’m not aware of any overbearing sales culture,” and proceeded to list the “multiple controls” Wells Fargo had in place to prevent abuse such as the employee handbook and a whistleblower program to notify senior management of violations.

The bank evidently maintained that the fault lay with their front-line employees’ inability to adhere to these protocols, as 5,300 front-line employees were fired, while retail banking head Carrie Tolstedt retired with a pay package valued at $124.6 million.

But as director of the Consumer Financial Protection Bureau Richard Cordray asserted, the bank failed “to monitor its program carefully, allowing thousands of employees to game the system and inflate their sales figures to meet their sales targets”

Ultimately, Wells Fargo built a cross-selling program that forced people into a bad situation. Companies should never put employees in the position of choosing between themselves and the customer. There is nothing inherently wrong with ambitious sales goals, as long as there are systems in place to ensure the customer and the employee are secure. In this case however, sales employees had the ability to directly open false accounts, thereby enabling them to disturb the customer’s security.

Herein lies the root cause of the scandal: separation of duties and access rights. Yes, the sales culture was extreme, and the pressure high. But employees tasked with these sales goals should not have been the same employees in charge of opening new accounts, and should not have had the access rights to do so. If these duties and access rights fell under employees that would not have benefited from the creation of these accounts, then there would be no incentive to create them, no conflict of interest, and this scandal would have never occurred.

Failed Risk Mitigation Causes Wells Fargo Data Breach

Wells Fargo later admitted that to prevent this risk and others from recurring, it needs to strengthen its risk management program. And yet, their latest scandal reveals that they have not yet taken sufficient action to uncover the root cause of their risk.

The bank is attracting renewed scrutiny after an unauthorized release of tens of thousands of clients’ information. The data breach began as a financial squabble between a pair of brothers, Gary and Steven Sinderbrand, who formerly worked at the company together. Gary Sinderbrand’s lawyer had been inquiring about documents related to the fees Sinderbrand was allegedly not paid when he received a trove of 50,000 account numbers, names, addresses, and social security numbers.

The data was sent by Wells Fargo’s representation Angela Turiano without a protective order or confidentiality agreement between the parties. Turiano asked for the data back after she was informed of the breach.

How does this relate back to the original cross-selling scandal? Root cause. Wells Fargo is again guilty of their failure to implement systems that ensure appropriate separation of duties and access rights.

Although it is her responsibility to facilitate communication between legal parties, it should not be within Turiano’s access rights and duties to obtain or even view records with the personal identifiable information attached, as this information does not relate to the evidence Sinderbrand’s lawyer was seeking.

If Wells Fargo had implemented an ERM framework that implemented stronger governance structures and placed priority on identifying and mitigating the root cause of risks, they would have avoided this data breach.

Until the company realizes that they aren’t doing enough to fill the major gaps in their risk management program, they will continue to put their customers at risk and suffer the reputational damage of doing so.

For in the time it took me to write this article, Wells Fargo yet again dominated headlines again for tacking on $80 million in insurance charges to the accounts of 800,000 auto loan customers.

Read part two of this series here.

Better Risk Assessments

Check out our eBook with 5 steps for better risk assessments here!