Compliance Lessons: Credit Suisse vs. Wells Fargo

One big lesson for compliance and audit executives this year will be the risks that swirl around compensation and incentives. Wells Fargo will be Exhibit A in that discussion, and rightly so.

Still, the more I look at the SEC’s enforcement action against Credit Suisse last week, where it fined the bank $90 million for poor oversight of employees who gamed how the bank reported assets under management, the more I believe that compliance officers should study both cases together if they want a real education. Wells Fargo and Credit Suisse are bookends on either side of the same problem. Compare their mistakes, and you can raise some thought-provoking questions about how the Three Lines of Defense and senior leaders are supposed to maintain an effective compliance program.

To recap the details of Credit Suisse: the SEC fined the bank $90 million for shenanigans in its private banking division, where employees improperly relabeled assets under custody to be assets under management. That distinction is critical because “AUM” affects what the bank can report as net new assets (NNA)—and that’s the metric investors use to gauge how well a bank is generating new business. So the high-pressure culture at Credit Suisse’s private banking unit led employees to fudge AUM, which caused misleading statements about NNA to investors, which led to the fine and the bank’s admission of wrongdoing last week.

In my first post about Credit Suisse last week, I mentioned two other parts of the settlement in passing: that Credit Suisse has updated its AUM policy to add more specific criteria for when assets can be classified as under management; and that substantial decision-making authority about AUM and NNA has been transferred from the private banking unit to Credit Suisse’s group finance function.

Upon further reflection, we need to examine those two conditions a lot more. They provide an excellent avenue for compliance officers to consider how the Three Lines of Defense should work. Stack up those mistakes against Wells Fargo’s other example of incentives gone wrong, and you get two real-life scenarios worth presenting to your board, CEO, audit team, or anyone else wondering whether they have risks with their incentives and culture.

Crossed Lines of Defense

The temptation is to say that both Wells Fargo and Credit Suisse had problems of poor culture and employee incentives. That’s not quite accurate. Consider what Credit Suisse did by introducing a stricter set of criteria to define assets under management, and to re-assign lots of decision-making authority on that point away from the private bankers. Credit Suisse relocated the risks of incentives away from the First Line of Defense, and put them into the Second Line.

Compliance purists might frown on this idea. For all our talk that “the business unit should own the risk”—Credit Suisse has done the opposite here. Now a Second Line of Defense function (the group finance team) gets authority over AUM and NNA. What’s more, by adding more specific indicators for AUM, Credit Suisse is giving internal audit more evidence to examine when it reviews this risk from its perch in the Third Line of Defense.

Those are good ideas. They just don’t jibe with the concept of building a strong ethical culture where the business unit owns the risk. They jibe with the concept of adding more policies and procedures so one business unit can’t muck everything up for the whole enterprise.

That gets to a crucial question about Credit Suisse. What was missing here, that led to the misconduct around AUM and NNA? Did the bank have a sufficient ethical culture, but lacked mechanisms in the Second and Third Lines of Defense? Or are the moves to beef up the Second and Third lines misplaced, because the culture and incentives are flawed?

Some people might argue that Credit Suisse has at least tried to hit the right notes on an ethical culture. The bank did part ways with the chief operating officer of its private banking division, Rolf Bogli. (The SEC also fined him $80,000 although he did not have to admit any wrongdoing personally.) It did cooperate with the SEC in its investigation, lining up documents and witnesses from overseas. More broadly, its new CEO Tidjane Thiam is trying to overhaul the whole enterprise, including a culture of executives not telling senior management about the bank’s full exposure to risk.

Others might argue that Credit Suisse is treating the symptoms (faulty reporting of AUM and NNA) rather than the disease (a high-pressure culture where incentives lead to misconduct).

So right here, compliance professionals looking for lessons to learn can ponder: How do we diagnose the misconduct at our company? Do we understand what was missing that allowed the misconduct to fester? Whatever was missing—are we plugging that gap correctly? Or are we fortifying the wrong line of defense?

Enter Wells Fargo

Contrast all that with Wells Fargo. The evidence here suggests a much deeper problem: that the Second Line of Defense was working, since various employees say they tried to raise alarms about bogus customer accounts. Then senior managers didn’t move to address those allegations quickly enough.

That’s not at all a Credit Suisse problem, where the Second and Third Lines of Defense weren’t working. At Wells Fargo, the people who oversee the Second and Third Lines of Defense—the CEO and the board—didn’t do their jobs.

We rarely talk about where the CEO and the board fit in the Three Lines of Defense model. That’s unfortunate. One great thinker on this subject is risk management guru James Lam, who argues that the CEO sits atop the Second Line, the board atop the Third Line. He’s right. If the Second Line of Defense is where all the risk management functions (compliance, HR, legal, IT security, and so forth) reside, the CEO oversees those people. Likewise, if internal audit is an independent check on risk management, it should report to the board, acting as an independent check on the CEO.

One lesson to learn (among many) from Wells Fargo, then, is to view the Three Lines of Defense model in multiple dimensions. That is, each line of defense has multiple layers, and your problem might be in a specific layer of those lines. Indeed, for serious problems of culture, the problem generally does reside in the higher layers: the aggressive business unit leaders, the detached CEO, the disinterested board. No wonder Congress wants Wells Fargo’s CEO fired and investors want the board reshuffled.

That’s how I see these two cases complementing each other, at least. Let me know your thoughts and let’s keep the conversation going.

