An administrative law judge has affirmed that three former audit and risk management executives at Wells Fargo should face millions in penalties for their sloppy oversight during the bank’s fake-account scandal in the 2010s.
The judge, assigned to the Office of Financial Institution Adjudication, issued his ruling on Wednesday after lengthy proceedings to investigate the conduct of Claudia Russ Anderson, former group risk officer for Wells Fargo’s community banking division; David Julian, former chief auditor; and Paul McLinko, former executive audit director. All three (plus numerous other Wells Fargo executives) had been implicated in the widespread scandal of Wells Fargo employees opening fake accounts without customers’ permission so the employees could hit sales quotas.
Administrative law judge Christopher McNeil recommended that Anderson pay $10 million in civil penalties, Julian pay $7 million, and McLinko pay $1.5 million. The judge also recommended that Anderson and Julian be banned from working in the banking industry again; McLinko would only face a cease-and-desist order.
Those penalty amounts are actually more than what the Office of the Comptroller of the Currency originally sought when it began proceedings against the three executives last year; OCC wanted $5 million for Anderson, $2 million for Julian, and $500,000 for McLinko. McNeil’s higher penalty amounts will now go into effect unless OCC expressly decides not to impose them, although the three defendants will have the chance to appeal the penalties in federal court — and according to published reports, all three plan to do exactly that.
For audit and compliance professionals worried about personal liability for misconduct scandals, McNeil’s 78-page report makes for interesting reading. He paints a damning picture of management incompetence at Wells Fargo, including important risk assurance duties that Anderson, Julian, and McLinko didn’t fulfill. Let’s take a look.
‘Failure to Provide Credible Challenge’
One recurring theme in McNeil’s report was that Anderson, Julian, and McLinko didn’t do enough to investigate and challenge the questionable sales practices at Wells Fargo in the mid-2010s — even though the bank’s problems with fake accounts was widely known by then. That “failure to provide credible challenge” (McNeil used that phrase or versions of it 14 times in his report) constituted an unsafe banking practice unto itself, and a breach of the fiduciary duties that the three owed the bank.
For example, Julian (the chief audit executive) received numerous direct warnings in 2015 and 2016 that Wells Fargo had serious issues with its sales practices. When OCC examiners reviewed the bank’s audit function, they told the audit team to do more testing of the First Line of Defense’s compliance and to develop an audit strategy for the Second Line of Defense’s regulatory compliance efforts. Shortly thereafter, Julian received an audit report warning that the risks around sales practices in the consumer banking unit were significant and rising. In 2016, another OCC review found the bank’s incentive compensation program “was weak and in need of improvement.”
Despite all that evidence, McNeil wrote, Julian:
- failed to assure that Wells Fargo audit activity would detect and document the efficacy of controls over ongoing sales practices misconduct issues in the Community Bank;
- failed to escalate to senior bank management and the board issues related to internal control deficiencies in Community Bank’s first line of defense;
- failed to adequately supervise senior leaders of the Wells Fargo audit team to assure resources were timely being directed to detect and remediate control deficiencies in the Community Bank;
- failed to assure that adequate steps were taken to identify the root cause(s) of sales practices misconduct by Community Bank team members.
You get the picture. Julian had ample evidence that Wells Fargo’s sales practices were a nine-alarm fire, yet he didn’t take sufficiently strong action to tell the board that the building was burning down.
Anderson, the group risk officer, looks even worse; McNeil says she lied to the OCC numerous times during its investigations “by repeatedly informing the OCC that no one loses their job due to not meeting sales goals” — an accusation that rank-and-file Wells Fargo employees had been making for years. (Not to be confused with the thousands of employees also fired in the first half of the 2010s for opening fake accounts to meet their quotas, or moving customer monies among those accounts without permission.)
Too Many Committees, Not Enough Action
McNeil also described an overlapping web of in-house committees in the upper ranks of Wells Fargo, all of them supposedly playing a role in risk management or regulatory compliance. Anderson, Julian, and McLinko were on any number of those committees at any one time; Anderson, for example, served on six committees — right down to the operational risk committee and the operational risk management committee, which apparently served different purposes.
Perhaps there’s a lesson for other audit and compliance professionals here. Namely, when your org chart looks like a Jackson Pollock painting, you’re more likely to be lulled into a false sense of security that some other group is taking care of a risk, when in fact nobody is giving that risk the urgency it needs. The result could look like the awful picture painted by McNeil (and in OCC’s original charges against Wells Fargo executives).
That is, the bank had plenty of risk management committees. Those committees had charters, which specified the duties that executives were supposed to fulfill. If you fail to execute those duties, there’s your risk of civil enforcement from regulators. But when you have so many committees and so many charters, issues can fall through the cracks. Worse, that byzantine committee structure can lead to a stultified corporate culture, where nobody sees the urgency in anything.
Now Anderson, Julian, and McLinko may end up paying a very high price for going along with that lethargy, rather than fighting against it.