Wells Fargo Fumbles Sanctions Compliance Demonstrating An Absence of Culture of Compliance (Part II of II)
Not that I am a glutton for punishment, but I always find enforcement actions to supply a number of valuable lessons learned. There are always instructive nuggets of information, opportunities missed, and root causes that highlight important compliance messaging and principles.
Wells Fargo has unintentionally provided a variety of these important lessons — not from positive behaviors but from a laundry list of violations that have revealed a corporate culture that has run amok. Despite its vigorous attempts to improve its ethics and compliance situation, Wells Fargo continues to suffer from a fundamental lack of will. Its efforts have been drowned in a sea of consultants, so-called compliance professionals and others without adequate authority and support to improve its difficult situations. If Wells Fargo reduced its outside legal, consulting and professional expenditures by half, and took the money to invest and implement a culture of compliance, you can rest assured that Wells Fargo would be able to turn around its organization. But such a result requires wholesale change – from the senior executives on down.
Having put everything in perspective, it is important to turn to the specific facts, the failures of Wells Fargo to embed a culture of integrity, and the continuing leadership failures that resulted in yet another enforcement action — this time, an OFAC enforcement action requiring Wells Fargo to pay $30 million.
Wells Fargo forgot a basic point – OFAC sanctions prohibit facilitation of transactions that violate a specific Sanctions Program, and such facilitation can occur when a company provides technical support, infrastructure and data services to a third party – Bank A in Europe – which in turn conducted 124 illegal transactions. At the core of the problem were Wells Fargo’s actions (through its predecessor Wachovia) in revamping its software platform Eximbills for Bank A in Europe, which was used to conduct otherwise prohibited transactions. Wells Fargo knew better and had several opportunities to right itself when the issue was raised on various occasions by internal managers and employees. But Wells Fargo, consistent with its history, ignored these concerns.
Wells Fargo’s Failure to Attend (or even Act)
According to OFAC, none of Wachovia’s or Wells Fargo’s senior management directed or had actual knowledge of Bank A’s use of the Hosted Eximbills platform, which was used to conduct the illegal transactions. Internally, OFAC found that there were inconsistent communications as to whether the transactions triggered potential sanctions violations. Notwithstanding this uncertainty, OFAC concluded that Wells Fargo’s senior management should have known that use of the Eximbills platform violated OFAC sanctions requirements.
After Wells Fargo acquired Wachovia in 2008, Wells Fargo personnel, including senior management, raised on multiple occasions the potential for violating OFAC sanctions based on the inherited relationships and procedures from Wachovia. Nonetheless and unsurprisingly, Wells Fargo had no process in place to review Bank A’s use of Eximbills to confirm whether its operations complied with OFAC’s sanctions programs.
It took Wells Fargo seven years – in 2015 – to stop Bank A from conducting transactions that violated OFAC sanctions. A 2009 risk assessment of the trade sourcing businesses did not identify any risks associated with the program, and contemporaneous emails between Wells Fargo and Wachovia compliance and legal teams raised questions about OFAC compliance.
In 2010-2011, Wells Fargo and an outside consultant examined the trade insourcing business and did not identify any risks associated with Eximbills’ operation. In 2012, Wells Fargo legal personnel identified Eximbills for sanctions compliance issues and referenced an OFAC enforcement action as posing analogous issues.
By the end of 2012, a separate group in Wells Fargo independently concluded that a deeper dive into trade insourcing sanctions risks was warranted. In 2012, another OFAC enforcement action confirmed risks associated with operating a platform like Eximbills. As a result, Wells Fargo created an internal working group of compliance, legal and business representatives, including some legacy Wachovia personnel, to address the compliance issue. Unfortunately, the Wachovia personnel withheld information about the legacy system and operations of the Eximbills platform.
Despite reaching a faulty conclusion that the operation was low risk, the working group developed a plan to (i) strengthen sanctions compliance language in the relevant contracts, (ii) obtain periodic certifications that the foreign banks were not placing potentially non-OFAC-compliant items on Eximbills, and (iii) periodically audit the foreign banks’ Eximbills data.
The working group’s plan, however, was never implemented because the recommendations were rolled into a larger project that was reviewing the trade outsourcing/insourcing business at a more holistic level. This resulted in Bank A continuing to process non-OFAC-compliant transactions on the Eximbills platform for at least two more years as the holistic review of the overall trade finance technology business was being conducted.
It was not until July 2014 that an internal audit report noted that the insourcing business needed corrective actions because of a lack of contract consistency and inclusion of compliance provisions. The audit report did not address whether the relevant business was in fact low or high risk.
Wells Fargo Finally Stops Eximbills’ Violations
It was not until 2015, during a business review of Bank A’s activities and relationship with Wells Fargo, that Wells Fargo “discovered” that Bank A had been processing transactions and trade instruments on the Eximbills platform involving sanctions jurisdictions, entities and persons since 2008.
The issue was immediately escalated to senior management, and Wells Fargo promptly suspended Bank A’s access to Eximbills, voluntarily disclosed the matter to OFAC, and commenced a comprehensive investigation.
OFAC noted that the Wells Fargo settlement “highlights the risks that companies may face when employees pursue new business opportunities or the preservation of existing business relationships without proper oversight. Such oversight is important across all business units within an organization, including lines of business that may be small relative to the larger organization or that involve products or services falling outside the larger organization’s core business. Moreover, when sanctions compliance risks are raised internally — including concerns arising from smaller, non-core business lines — companies should promptly seek to thoroughly investigate and address those risks. Finally, this action emphasizes the necessity for comprehensive due diligence regarding potential sanctions risk when one entity acquires another through merger or acquisition.”