Yesterday the OCC assessed a $35 million civil money penalty against Wells Fargo Bank, N.A. for risk management failures and retail sales practices. The CFPB assessed a $100 million penalty. The City Attorney of Los Angeles, Mike Feuer, whose 2015 lawsuit appears to have triggered the federal investigations, assessed a $50 million penalty in settlement in state court. The OCC found that Wells Fargo’s employee “incentive compensation program and plans … fostered … unsafe or unsound sales practices.” Specifically, thousands of Wells Fargo employees opened roughly 1.5 million deposit accounts and applied for roughly 565,000 credit card accounts for consumers, all of which may not have been authorized by the consumers. While the CFPB’s action focused on the underlying sales practices, the OCC’s action, as would be expected, focused on Wells Fargo’s risk management system.

What went wrong at Wells Fargo through the lens of the OCC’s Risk Management System (3 Lines of Defense) requirements

Frontline Units
  • “The Bank’s Community Bank Group failed to adequately oversee sales practices and failed to adequately test and monitor branch employee sales practices.”
Independent Risk Management
  • “The Bank lacked an Enterprise-Wide Sales Practices Oversight Program and thus failed to provide sufficient oversight to prevent and detect the unsafe or unsound sales practices”
  • “The Bank lacked a comprehensive customer complaint monitoring process that impeded the Bank’s ability to … assess customer complaint activity across the Bank … [and] analyze and understand the potential sales practices risk.”
Internal Audit
  • “audit coverage was inadequate because it failed to include in its scope an enterprise-wide view of the Bank’s sales practices.”