The US retail bank Wells Fargo has had a considerable number of incidents over the last several years.

The list of scandals, complaints, and fines is far-ranging: from millions of fake accounts, whistleblowing dramas, failing community lending tests, charging for insurance without customer knowledge, computer glitches that incorrectly forced home foreclosures, fake job interviews to portray diversity, to its most recent fine, US$7mn for violations of anti-money-laundering rules.

At this point, you need to look beyond individual control failures and question the underlying governance and risk culture – as raised in May 2022 in an open letter by Senator Brown, the chairman of the Senate Banking Committee. Senator Brown called out Wells Fargo for its failures to fix these issues, despite having a growth restriction imposed on the bank in 2018.

The issues around Wells Fargo are reminiscent of recent failings in the Australian banking industry, with the industry regulator APRA noting that leading retail banks such as Commonwealth Bank of Australia were culturally too focused on financial performance, at the expense of both customer experience and good risk management.

What are some things to take away from these ongoing risk and compliance failures?

  • Risk management is about action
  • Acknowledging drivers of misconduct
  • Balancing the voices

Risk management is about action

Wells Fargo received a consent order from the Office of the Comptroller of the Currency in 2018, ordering it to pay back customers who had been charged improper fees. In 2021, three years later, it had not committed sufficient effort to identify or repay harmed customers. The bank paid a US$1bn settlement to the regulator in 2018, and then the failure to remediate customer harm attracted another US$250mn fine in 2021.

Even if Wells Fargo had paid those customers promptly, that’s just fixing what has already gone wrong. Incident management isn’t just noting the incident that occurred; it’s about remediating customers and addressing the root cause to prevent the incident from recurring. Similarly, risk and control assessments aren’t just about documenting control deficiencies and leaving them on a report for years. The point is to commit resources and take action to prevent future incidents or misconduct from occurring.

Acknowledging drivers of misconduct

You aren’t going to find a process manual that says ‘Harm customers while lining our coffers’ (if you do, run!). But without some consideration, the environments in which we place our people may lead them down a path where misconduct is rationalised. Consider the following drivers or scenarios:

  • Unreasonable or excessive sales or productivity targets, particularly when failure to meet them puts employment in jeopardy
  • Incentives that conflict with good customer outcomes
  • Incentives that drive internal conflict rather than foster collaboration
  • Performance evaluations that punish poor performance or outcomes regardless of decision quality
  • Performance evaluations that do not include components that measure risk, compliance or ethics related behaviours
  • The ‘shooting the messenger’ effect, which stops important bad news from reaching those who can act on it

This is just the tip of the iceberg, and some are more subtle than others.

Consider the management principle “Before you come to me with a problem, I want you to come up with a potential solution first”. On the surface it might sound like good advice; you prompt your people to be proactive, and it might improve efficiency if they end up solving the problem without getting other people involved.

However, if they can’t find a solution to the problem, you may have incentivised them to not raise the issue for fear of being labelled someone who isn’t a problem solver. They might distance themselves from the problem, hoping others will identify and solve it.

Balancing the voices

Wells Fargo’s recent history and the callout regarding its governance and risk practices bear similarities to APRA’s recent investigation into the Commonwealth Bank of Australia. In the report accompanying that investigation, the regulator said that banks need to incorporate a balance of three voices:

  • The voice of finance: how do we meet targeted financial performance?
  • The voice of the customer: what is best for the customer?
  • The voice of risk: are we taking appropriate risks and effectively managing the ones we are taking?

APRA found that in CBA’s case, the last two voices were often ignored or undervalued in favour of the first voice. This also appears to apply to Wells Fargo. Failure to pay back customers three years later (or even identify those impacted) is a clear indicator that the customer’s voice is undervalued. The slew of outstanding issues also indicates that addressing risk and control failures hasn’t been high on the agenda.

Think of the adage “The standard you walk past is the standard you accept”. The tone at the top is an important signpost for all employees, and a shift in balance needs to start there – as well as enabling and supporting a speak-up culture.

What can you do?

We hope that your governance and risk management practices aren’t as troubled as Wells Fargo’s. Nonetheless, we recommend that you consider the following to perform a health check or identify areas of improvement:

  • Evaluate whether the three voices of finance, customer and risk have appropriate weighting in the boardroom and executive forums; if it isn’t balanced there, that imbalance is likely to permeate further into the organisation
  • In relation to risk governance, are there action items, audit findings or control deficiencies that continue to be delayed? Would an explanation of those delays be acceptable to customers, regulators or other stakeholders?
  • Consider the environment your people work in. Could procedures, incentives or accepted management behaviour open up possibilities of misconduct or inappropriate behaviour?
  • Evaluate how management or relevant stakeholders react to bad news or poor performance

You may also consider culture surveys to support the points above, if they are well-designed and if management are committed to act on them (asking people for their opinion and not acting will probably have the opposite effect). Remember, you can’t fix what you can’t see, and having visibility into the connectedness of risks, controls, processes, and measurements is key to identifying potential problems.

For more information on culture and conduct risk and how they can affect your organisation, download Protecht’s free Understanding, Managing and Monitoring Culture Risk, Conduct Risk and Risk Culture eBook. This eBook gives you all the information you need in order to better understand, manage and monitor your culture and conduct related risks.
