Fines Cut for Ex-Wells Fargo Execs

U.S. banking regulators settled charges with two former top audit executives at Wells Fargo for their oversight failures during the bank’s fake accounts scandal of the 2010s, cutting the millions in fines the two men were facing by more than 90 percent.

The Office of the Comptroller of the Currency announced the deals late last week. David Julian, former chief auditor at Wells Fargo, saw his fines cut from $7 million to $100,000. Paul McLinko, executive audit director, had his fines cut from $1.5 million to $50,000.

Let’s recap the history here. Julian and McLinko were part of the senior leadership team at Wells Fargo in the 2010s, when regulators charged the bank with turning a blind eye to employees opening bank accounts without customer consent to hit sales quotas. That misconduct eventually led to a $3 billion settlement with Wells Fargo in 2020. 

The Office of the Comptroller of the Currency subsequently launched proceedings against Julian, McLinko, and risk officer Claudia Russ Anderson in 2021. OCC accused the three of failing to exercise proper oversight in the 2010s (when evidence of the fake accounts scandal was all over the place) and an administrative law judge published a blistering investigative report in 2022 that excoriated all three for “failure to provide credible challenge.” He recommended multi-million dollar fines for Julian and Anderson, and a $500,000 fine for McLinko. 

OCC finally charged Julian, McLinko, and Anderson in January of this year just before the Biden Administration left town, imposing fines even larger than what the judge suggested: $10 million for Anderson, $7 million for Julian, $1.5 million for McLinko.

All three then appealed their cases to federal court. Those cases had been pending, until new OCC leadership appointed by President Trump agreed to settle the cases against Julian and McLinko last week for pennies on the dollar. The case against Anderson apparently remains ongoing.

Dueling Theories of Accountability

The original seven-figure fines against Julian and McLinko caused a huge uproar in the internal audit community when first announced in January. Internal audit professionals were aghast that some of their own might face financial ruin for corporate misconduct that, ultimately, senior management is supposed to prevent. 

Were regulators really going to start nailing internal audit executives to the wall for failing to prevent that misconduct, they asked? Exactly what are internal auditors supposed to do in such circumstances? You can’t fire First Line operating employees on your own. You can’t compel the board or CEO to take action. All you can do is quit or become a whistleblower to regulators, actions that could easily put your career in a coma.

I do sympathize with that broad theory, but it moonwalks right by numerous uncomfortable allegations in this specific case. 

For example, go back to that administrative judge report from 2022. According to that report, chief auditor Julian received numerous direct warnings in 2015 and 2016 that Wells Fargo had serious issues with its sales practices. OCC examiners expressly told the audit team to do more testing of the First Line of Defense’s compliance. Shortly thereafter, Julian received an audit report warning that the risks around sales practices in the consumer banking unit were significant and rising. In 2016, another OCC review found the bank’s incentive compensation program “was weak and in need of improvement.” 

Despite all that evidence, the judge wrote, Julian failed to assure that adequate steps were taken to identify the root cause of sales practices misconduct; and failed to escalate those First Line internal control issues to senior bank management and the board.

All that is to say: there’s a compelling case that Julian (and McLinko and Anderson) didn’t take their oversight roles seriously, when they had evidence a-plenty that the sales practices were out of control. 

So no, as a routine matter, the regulatory world shouldn’t hold internal audit and compliance professionals responsible when misconduct failures happen at their companies; as we so often say, internal auditors and compliance officers don’t “own the risk,” and therefore shouldn’t be punished when that risk goes haywire. 

But when internal auditors and compliance officers engage in dereliction of duty that allows the misconduct to fester — that’s different. 

The Duty Auditors and Compliance Officers Owe

The ultimate question we’re all trying to answer here is at what point do your interactions with management, or the lack thereof, cross over into dereliction of duty? 

That is, if an auditor fails at the block-and-tackle work of auditing, such as not responding to issues expressly raised by regulatory examiners — one can see how that might be dereliction of duty. You’re supposed to do a job and you didn’t do it. 

But what does a “failure to escalate to the board” look like? That’s a harder question to answer. If an auditor or compliance officer flags an issue at the board meeting, and then the board does nothing — what should the audit or compliance officer do then? Shout “This is important!” really loudly? Staple your report to directors’ foreheads? If you don’t do those things, is that dereliction of duty?

Large organizations are plagued with inertia, right up to the boardroom. If your job is to help drive change and improvement at the organization — and that is the internal auditor or compliance officer’s job, after all — cutting through that inertia can be excruciatingly difficult. 

So do you simply run into that inertia, bounce off helplessly, and declare that you’ve fulfilled your required role? Or do you have some obligation to keep trying harder and harder, even if you need to shatter the whole edifice? Because that might sound great and noble, but in the real world it often gets you fired while the inertia endures. 

If these cases had been adjudicated in court, at least we’d have a clear standard to help answer those questions. Unfortunately for us, the Trump Administration moved to settle — and because the Trump Administration’s default setting is to go easy on pretty much all enforcement, we don’t know whether OCC settled because the facts and logic were bad, or simply because Trump doesn’t like accountability. 

So our questions about how much personal liability auditors and compliance officers should face, and when, continue to linger.