Column: Lessons from Wells Fargo

David Jaffe

The fiasco at Wells Fargo, where bankers opened thousands of fraudulent accounts leading to litigation, enforcement, fines and a stunning loss of reputation, is old news. The consequences, however, continue to play out for the company and its leaders. A new report released by the Wells Fargo Board’s independent directors shows that the company lacked key elements of effective compliance and ethics efforts. A review of the report offers important lessons for other companies.

The board singled out John Stumpf, former CEO, and Carrie Tolstedt, former president of the Community Bank — the division where the fraud took place — for blame. It ordered them to forfeit over $100 million of compensation, it reduced 2016 executive bonuses for others by an aggregate $32 million, and fired for cause four other officers in the Community Bank. These dire consequences for individuals have set a new precedent for corporate boards to follow.

Key elements of the report highlight essential compliance and ethics principles that Wells Fargo missed, and that business leaders need to know. These principles come from the Department of Justice’s standards for compliance and ethics programs and from the accumulated experience of executives trying to keep their companies out of harm’s way.

First, the Community Bank had its own risk management department, which reported to the head of the division, not to a corporate officer, and did not have access to directors. Tolstedt, according to the report, adamantly and strictly limited communication between “her” team and the corporate level risk team (and the board).

But businesses need a compliance and ethics function that is independent of operating management, is empowered to participate in decision-making, and has direct access to the board.

Second, Wells Fargo incorporated its compliance and ethics efforts into a Risk Department, which looked at ethics issues mainly through the lens of enterprise risk management (ERM). ERM usually focuses statistically on the potential impact of a risk on the financial statements. Wells Fargo’s risk team knew that hundreds of employees per year had been fired for violations of account opening rules; but it only saw a problem that affected fewer than 1 percent of the bank’s employees, and that the amounts involved in each case were quite small.

Compliance and ethics are different from ERM, even though the two areas overlap. Seeing a problem involving (relatively) modest numbers of employees and sums of money, Wells Fargo saw a modest problem. A team with a focus on integrity would likely have seen a fundamental problem and appreciated the ways in which the problem could snowball.

Third, to the extent that it saw problems, Wells Fargo focused its efforts on firing employees who broke rules, not on requiring integrity. Management knew that some employees were opening accounts fraudulently, and that some supervisors were encouraging them. But every employee at every level must know that her boss requires ethical conduct and compliance. Companies must create incentives for good conduct and avoid incentives for bad conduct.

Finally, Stumpf gave deference to Tolstedt and hesitated to dig deeply. The Community Bank was very profitable and Stumpf considered Tolstedt the “best banker in America.” As a result, she was not scrutinized carefully, was allowed to restrict communication, and was given deference in decision-making, even after account problems became known at the corporate level and Los Angeles County sued Wells Fargo over fraudulent accounts. There must be one standard of conduct. Important or successful people can’t be allowed to get away with bad conduct.

Especially for middle market and large businesses — and their leaders — the cost of bad conduct can be astronomical. An investment in learning and applying essential principles of compliance and ethics programs will provide a great return by significantly reducing the risk of expensive and career-killing disasters.

David Jaffe is the principal of Jaffe Counsel plc.