Wells Fargo Taken to Task Again

Banking regulators dinged Wells Fargo yet again last week, this time for the bank’s failure to develop strong anti-money laundering controls and risk management practices. Wells must now implement a litany of improvements from the board on down, so pull up a chair; we have a lot to review here.

The enforcement action came last Thursday from the Office of the Comptroller of the Currency, which is the top consumer banking regulator in the United States. OCC didn’t impose any financial penalties against Wells, but the regulator did prohibit the bank from launching any new lines of business in risky markets until it resolves its issues — and wow, it has a lot of issues to resolve. 

The short version is that Wells must revamp its financial crimes compliance program pretty much entirely. That includes… 

  • New responsibilities for the bank’s board; 
  • New attention paid to AML and know-your-customer procedures in both the First Line operating units and the Second Line compliance function; 
  • Better risk assessments;
  • Improvements to the suspicious activity and transaction monitoring processes; and 
  • Audits and testing to assure that all of the above actually works.

Last week’s agreement has no specific time frame for remediation, such as a three-year consent decree. Instead Wells Fargo must come up with a board-approved action plan and then make regular progress reports. One also presumes that OCC bank examiners and the Wells Fargo compliance team will be BFFs for a long, long time.

If any of this sounds familiar, that’s because OCC sanctioned Citibank earlier this summer for not moving quickly enough to improve its regulatory compliance program. In that instance, OCC also fined Citi $136 million — so at least Wells Fargo dodged that embarrassment, even if the rest of the story follows the same shaggy plot.

The larger compliance community can learn a lot here since the agreement goes into extensive detail about how Wells Fargo should assess and intercept financial crime risks in its organization. Those risks — money laundering, sanctions violations, suspicious customers, and so forth — are growing headaches for a wider range of organizations. Let’s see how Wells Fargo has been told to tackle them and how those directives might be applied at your own business.

Starting With the Board

First, Wells Fargo must establish a compliance committee on its board of directors, which will then oversee the action plan that the bank’s management team must draw up and the progress that employees make on the goals of that action plan. The compliance committee must have at least three members, at least two of whom cannot be Wells employees.

For the record, Wells’ board already has a risk committee of five members, and part of that committee’s charter is to oversee financial crimes risk and the financial crimes compliance program. So right off the bat, I wonder whether this committee and its purview would satisfy OCC’s requirements for board oversight. I suppose if Wells announces a restructuring of its board (currently 13 members spread across six committees), we’ll know.

So the board must create a compliance committee, which will then oversee a corrective action plan that management must draft to fix all its AML and financial crime compliance shortcomings. As those fixes are put into place, the board’s audit committee must review a new internal audit plan “to ensure effective independent testing” of the bank’s AML and sanctions compliance programs, as well as the “overall adequacy” of those programs.

Let’s say that one more time since there are a lot of moving pieces here: the board’s compliance committee will oversee the compliance function as it implements an action plan; and the board’s audit committee will oversee the internal audit team as they test whether the elements of that action plan (1) actually work; and (2) are adequate for the risks at hand.

That’s a lot of coordination. In the past I’ve heard of boards addressing that complexity by cross-pollinating: the chair of the audit committee is a member of the risk (or compliance) committee, and vice versa. Interesting to see that right now, no Wells Fargo directors serve on both the audit and risk committees; I wonder whether that might change.

More broadly, the OCC settlement also includes a section on “general board responsibilities” which is pretty much what one would expect. Whether done through the compliance committee, the audit committee, the whole board, or any other committee, Wells Fargo shall:

  • Require that bank management and personnel have sufficient training and authority to execute their duties and responsibilities here;
  • Hold bank management and personnel accountable for executing those duties and responsibilities;
  • Authorize, direct, and adopt corrective actions as may be necessary; and
  • Address any noncompliance with corrective actions in a timely and appropriate manner.

Clearly the OCC wants the board to be involved directly with these compliance program improvements. The proof will be whether the board leans on management with sufficient force to address those instances of noncompliance in a timely manner; nothing demonstrates a poor tone at the top better than known problems going unaddressed.

Actions in the First and Second Lines

Wells Fargo also promised to invigorate the risk management capabilities in both its First Line operating units and the enterprise-wide compliance function in the Second Line. This gives us another chance to review how banks approach compliance in such a highly regulated sector.

Essentially, each line of business in a large bank (consumer banking, commercial banking, wealth management, investment banking, and so forth) has its own compliance team responsible for compliance within that division; and then the enterprise-wide compliance team, led by a chief compliance officer, monitors that work to make sure the First Line compliance teams are performing up to snuff and to understand the total compliance risk facing the bank as a whole.

This distinction between the First and Second lines is important, because first-line operating divisions might decide that their compliance risk is low, and introduce more risk than senior management might like. Or you might have multiple operating teams dabbling with different amounts of compliance risk, and the chief compliance officer in the Second Line would need to intervene to be sure the units are not, in aggregate, taking on more compliance risk than they understand.

Anyway, back to Wells Fargo and the OCC settlement. Wells Fargo agreed to strengthen the roles, responsibilities, and lines of authority for financial crimes risk management in both the First and Second lines. 

In the First Line, for example, that means stronger policies, procedures, and controls to assure effective implementation of the bank’s enterprise-wide AML and sanctions programs. It also means more testing of controls in those first-line units, more training (which must be job-specific), and reviews to assure that the First Line maintains sufficient staff to support the AML and sanctions compliance programs.

Wells must also do much the same for the Second Line compliance function, with a few extra twists. For example, the Second Line must also develop policies, procedures, and controls to oversee risk rating, escalation, the performance of root cause analyses, and resolution of compliance issues in a timely manner. (Crucial compliance duties, to be sure; but not ones that should be left to First Line operating teams.) The Second Line is also responsible for reporting compliance issues to senior management, and for “the functioning of financial crimes risk management-related forums,” whatever those are.

My only question here is whether Wells Fargo has some type of compliance risk governance framework — something that defines the roles, responsibilities, and accountability for both the front-line units and the independent compliance risk management team in the Second Line. You’d assume that a bank as big as Wells Fargo does indeed have such a framework; otherwise the chance of conflicting roles and responsibilities (and the ensuing turf battles) goes nowhere but up.

That’s enough for today. In a post later this week we’ll look at the specific compliance program improvements Wells must make for customer due diligence, suspicious activity reporting, risk assessment, and all the rest. 
