Former Wells Fargo Execs Fined Millions

Three of the top risk assurance executives at Wells Fargo during its fake accounts scandal in the 2010s must all pay millions in fines for failing to challenge the bank’s misconduct aggressively enough — a dose of individual accountability that sounds good in theory, but might still leave audit, compliance, and risk management professionals rather spooked.

The Office of the Comptroller of the Currency announced the enforcement actions Tuesday afternoon. The three sanctioned executives are:

• Claudia Russ Anderson former group risk officer for Wells Fargo’s community banking division. Anderson was fined $10 million and barred from working in the bank industry again.
• David Julian, former chief auditor, who was fined $7 million. 
• Paul McLinko, former executive audit director, fined $1.5 million.

All three worked at Wells Fargo in the 2010s during its notorious scandal of employees opening accounts without customers’ permission so the employees could hit (impossibly high) sales quotas set by senior management. Matters finally exploded into public view in 2016, when banking regulators hit Wells Fargo with a $185 million fine. The Justice Department followed up in 2020 with criminal charges and a $2.5 billion fine. 

Meanwhile, OCC has pursued enforcement actions against 11 former Wells Fargo executives over the years; Anderson, Julian, and McLinko are the last of that group. The fines themselves weren’t really a surprise, either. In 2022 an administrative law judge held a hearing on the executives’ roles at Wells Fargo, and blasted all three for “failing to provide credible challenge” to management’s misdeeds. He recommended the same multi-million dollar fines that OCC imposed today.

Anderson, Julian, and McLinko can all appeal their fines. It wasn’t immediately clear on Tuesday what any of them might do next. 

Individual Accountability Questions

Let’s start by stating the obvious: as much as compliance and audit professionals love the idea of individual accountability for corporate misconduct, huge fines against risk assurance executives themselves hits uncomfortably close to home. One long-running fear in this profession is that senior management won’t give you the resources you need to run a competent compliance or risk management program, and then regulators will somehow decide that’s your fault and you pay the price. 

So is that what happened here, or were Anderson, Julian, and McLinko complicit enough in the Wells Fargo debacle that they deserved their fate? That’s the question compliance and audit executives need to ponder. 

The enforcement orders against Anderson, Julian, and McLinko don’t paint a flattering picture. For example, the enforcement order against Anderson found that she “repeatedly and consistently downplayed the sales practices misconduct” — when that misconduct was widespread across all of Wells Fargo, and had been a known issue for years. Consider this key passage:

Anderson acquired a wealth of knowledge about the extent of [sales practice misconduct] and the fact that managers and employees were complaining about sales goals and sales pressure… She also participated in numerous email chains detailing instances of employees committing misconduct to meet sales goals, demonstrating that she read and considered those details. Despite this knowledge, she failed to credibly challenge the incentive compensation program to her superiors… 

That’s the real issue here. Once a compliance or risk management professional has knowledge of clear, specific misconduct happening at your organization — or even just conditions at the business that invite the risk of misconduct — what duty do you have to challenge management? 

Compliance officers talk to me about this on a regular basis. Several have told me tales of knowing about sketchy behavior at their respective employers, and that senior management was fully aware of said sketchy behavior. How much more could those compliance officers “credibly challenge” managers who fully knew the risky conditions smouldering at their businesses? (In all these cases confidentially told to me, the compliance officers bolted for new jobs before the shinola hit the fan.)

On the other hand, doing nothing about risks or misconduct can transgress into the realm of recklessness. For example, both OCC examiners and outside consultants alike warned Anderson that the bank’s controls to prevent bogus accounts were ineffective, but Anderson took no action to improve those controls. “In relying on ineffective controls despite knowledge of their nature, the OCC said, “Anderson disregarded the substantial risk of harm from the ineffective controls.”

OCC isn’t wrong to say that. And remediating ineffective controls is something a chief risk officer can do, even if management ignores other pleas you might make about incentive plans souring your corporate culture. 

A Note for Auditors Too

OCC fined Julian and McLinko for the same reasons it fined Anderson: because they had clear, direct knowledge that Wells Fargo’s sales practices were a high integrity risk, and then didn’t do enough in their audit plans to address that. (Or so OCC says, at least.)

Example: according to the administrative law judge’s inquiry and other evidence, Julian knew as far back as 2013 that problematic sales practices were a serious and widespread problem at the bank. That same year, McLinko received multiple presentations from Wells Fargo’s investigations team about sales integrity, complete with statistics about the number of violations and of people fired. 

Still, Julian (and by extension his lieutenant McLinko) did not update his audit plan to reflect that clear, specific, and high risk that everybody knew about. OCC “finds that generally accepted standards of prudent operation require chief auditors to establish a risk-based plan that adequately audits the highest risks in the bank,” the enforcement order against Julian said — and so therefore, by not doing so, Julian was reckless in his oversight duties. 

The enforcement orders against all three run more than 100 pages long, so there’s a lot more to explore here. Plus, we should remember, we haven’t heard Anderson, Julian, or McLinko’s side of the story.

Still, today’s fines against them are a bracing bit of news for compliance and audit professionals. They certainly raise questions about what your duties of credible challenge to management really are, what those credible challenges should entail — and what consequences might befall you if you don’t do it.