Order Enhances Role of Compliance and Other Control Functions at Nation’s Largest Banks
Earlier this month the Federal Reserve Board issued a cease-and-desist order finding that, in light of “pervasive compliance and conduct failures” involving violations of consumer protection laws, Wells Fargo was not meeting its regulatory expectations. The controversy began, as discussed last year in this blog, in fall 2017 with the disclosure of fraudulent account openings by employees struggling to meet unrealistic sales goals. This scandal was followed by the firm’s alleged failure to give refunds on insurance policies when people paid off their auto loans early and for charging customers for auto loans they didn’t need. This blog has previously offered possible explanations for Wells Fargo’s focus on fee revenue in its business model.
Describing Wells Fargo as a “large, complex organization,” the Fed based its action on Reg YY, which requires bank holding companies (BHCs) like Wells Fargo with assets of $50 billion or more to have a risk management framework that is “commensurate with its structure, risk profile, complexity, activities, and size.“ Such a framework must include “processes and systems for identifying and reporting risks and risk-management deficiencies.”[1] In Wells Fargo’s case, the Fed said the firm had pursued a business strategy emphasizing sales and growth without ensuring that senior management had established and maintained an adequate risk management framework. The result: weak risk management and compliance practices, noted the Fed.
Most strikingly, the Fed in its February 2 order froze Wells Fargo’s growth, halting it at $2 trillion in assets, until the Fed is satisfied that the firm’s corporate governance, risk management, and compliance practices meet its expectations. In Chair Janet Yellen’s words, “The enforcement action we are taking today will ensure that Wells Fargo will not expand until it is able to do so safely and with the protections needed to manage all of its risks and protect its customers.” In substance, this limit on growth is intended to ensure the firm is capable of scaling up its firm-wide risk management and compliance functions before it actually undertakes further growth. It will need to prove it can do this to the Fed’s satisfaction.
Wells Fargo action is pathbreaking because it is against one of the nation’s largest bank holding companies, for consumer harm that is unlikely to directly imperil the “safety and soundness” of the institution – the primary concern of bank regulators. The Fed and the other federal banking regulators regularly issue “no growth” orders to smaller, financially troubled, banking institutions for safety and soundness reasons. However, Wells Fargo’s conspicuous lapses in corporate governance, risk management, and compliance with respect to consumer protections reflect much wider, systemic problems in this banking organization. It was widely reported that Wells Fargo had received a “3” on management quality – the single most important metric in the CAMELS ratings system in the view of banking agencies. CAMELS ratings are a key means used in supervisors’ oversight of banks’ safety and soundness.[2] (“1” is the highest rating and “5” is lowest; CAMELS ratings are supposed to be confidential). Overall ratings of 3 or below are more likely to result in enforcement actions.
The Fed’s action against Wells Fargo is also pathbreaking in its highly unusual decision to post letters on its website simultaneously with the February 2 order that publicly “shamed” three of the firm’s former top officials – former Chairman John Stumpf and two former independent directors. These public censures are to be applauded. Though they fall short of imposing full accountability on officials responsible for deficient oversight and management, the public rebuke does impose some measure of individual accountability for shoddy oversight that has been sorely lacking in the government’s prosecution of large financial institutions. As Chairman, Stumpf was ultimately accountable for the failures in management. In its letter, the Fed harshly chastised him for deficient oversight and lack of prudent leadership: “[i]t was incumbent upon you as leader of the [Wells Fargo] board to ensure that the business strategies approved by the board were consistent with the risk management capabilities of the firm.” It noted that there were “many pervasive and serious compliance and conduct failures ongoing during your tenure as Chair.” Moreover, “[Wells Fargo] pursued business strategies and goals that motivated compliance violations and improper practices without ensuring its risk management programs were sufficiently robust to prevent such behavior.” The final dig: “You also continued to support the sales goals that were a major cause of the problem, and the senior executives who were most responsible for the failures … .”
More broadly, the Fed’s action against Wells Fargo and reprimand of its former officials should not be viewed as an outlier in its regulatory program. The order bespeaks a more aggressive approach toward the largest banking institutions. This writer disagrees with the views of some that the Wells Fargo order was political in motivation, a swan song from Chair Yellen on her last day at the Fed’s helm. It is highly likely that her successor, new Chair Jerome Powell, was fully on board with the action. Both the Fed’s senior leaders and the Trump Administration – and many Democrats in addition to the GOP in Congress – are in general agreement that the regulatory burden on smaller banking institutions must be lightened, but this impetus has not generally carried over to the largest firms.
The Fed is showing increasing concern about the largest BHCs’ ability to manage their diverse business lines within a complex corporate structure. It has exhibited its willingness to take action in rejecting the capital distribution plans (e.g., for dividends and stock buybacks) of the largest BHCs, such as Citigroup, for failing its rigorous stress tests. In particular, the Fed’s Wells Fargo order aligns seamlessly with regulatory guidance it issued in August 2017. Called “Proposed Board Effectiveness Guidance,” it emphasizes board of directors’ responsibility for oversight over risk management and compliance on a firm-wide basis.[3]
The message by now should be clear, to both Wells Fargo and its peers. In my view, and I believe the Fed’s as well, the Wells Fargo board had not articulated a risk appetite for the senior management team that was effectively implemented through appropriate controls, policies, and procedures. In regulatory jargon, the board did not “set clear, aligned and consistent direction regarding the company’s strategy and risk tolerance.”[4] A board must ensure that “compensation and other incentives are consistent with risk management objectives and measurement standards.”[5] Red flags were waving, but any policies and procedures in place were ineffective to pick up on these danger signs and obligate senior executives to take action.
Wells Fargo was an ideal candidate to showcase the supervisory concerns the Fed has consistently articulated. These regulatory developments promise to increase the stature, independence, and resources of the risk management and compliance functions at the largest banking institutions.