Wells Fargo’s ability to grow its business is on hold for a year while it designs and implements a remediation program to address deficiencies in its board governance, risk management and compliance program.  The Federal Reserve’s action blocking Wells Fargo’s growth is perhaps the strongest condemnation of a company’s overall leadership and direction that the government can impose.  There is clearly a complete lack of trust right now between the government and Wells Fargo.

The Federal Reserve’s action now puts into place a remediation program that reads like many others with basic requirements that the ethics and compliance community is well familiar with and which are intended to bring appropriate controls and oversight into place.  The one piece missing is something that may be the hardest – creating a culture of ethics and compliance.

Nonetheless, the Federal Reserve’s written plans provide a basic outline for Wells Fargo to improve its board governance and its risk management.

For example, Wells Fargo has to design and implement a plan  to enhance the Board of Directors effectiveness to ensure that:

• the Bank’s strategy and risk tolerance are aligned with the Bank’s risk management capacity;
• the Board’s composition, governance structure and practices support its strategy and aligned with its risk tolerance;
• the Board’s roles and responsibilities are not unfilled for an undue period of time following departure of any Board member.

In addition, Wells Fargo has to:

• Improve the Board’s oversight of senior management, including holding senior management accountable for implementing and maintaining the bank’s strategy in accordance with Board direction and the Bank’s risk tolerance and capacity, and the Bank’s management and control framework.
• Ensure senior management’s ongoing effectiveness in managing the Bank’s activities and related risks
• Ensure that senior management establishes and maintains an effective and independent firm wide risk management function that covers all material risks facing the Bank, that has the requisite stature, authority and resources with clearly defined roles and responsibilities and provides for staffing Wells Fargo’s risk management function with the appropriate level of expertise and with respect to compliance and operational risk management, and maintains a management structure that promotes effective oversight and control of compliance and operational risks that is independent of the related line of business and has separate and independent reporting lines to the Chief Risk Officer and to the Board or an appropriate Committee of the Board.
• Ensure that the Bank has an effective risk tolerance program, including an effective risk identification and escalation framework that identifies, aggregates, evaluates and reports material risk issues, plans to address risks and progress with respect to those plans; and a comprehensive and effective risk data governance and management framework.
• Ensure that the Bank has a compensation and incentive system that is consistent with risk management objectives and measurement standards, including consequences for violation of its policies, laws and regulations and adverse risk outcomes.
• Comprehensive reporting that will enable the Board to oversee management’s execution of its risk management responsibilities, including measures taken to comply with the Federal Reserve’s Order and provide the Board with sufficient information to evaluate the operational and compliance risks management functions.

The Federal Reserve’s Order also requires that the Bank submit a written plan to improve its compliance and risk management process to include (a) effective testing and validation measures for compliance and operational risk management to ensure compliance with applicable laws, regulations, policies and procedures (including consumer compliance laws, regulations and supervisory guidance) and testing of design and execution of operational and compliance risk controls; and (b) specific measures management will take to integrate all applicable compliance and operational risk requirements into business process and control designs and change management initiatives.