Wells Fargo Consent Orders Are Must-Reads for Bank Risk Management

It has been 10 days since news broke that the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) filed consent orders against Wells Fargo, resulting in a combined $1 billion civil money penalty (CMP). Many headlines about this story focused on the bank’s mortgage and auto lending practices. In reality, there is a more informative story here, especially for anyone involved in bank risk management or compliance.

Of course the 16-page OCC Consent Order for Civil Money Penalty, the 35-page OCC Cease and Desist Order, and the 35-page CFPB Consent Order are not as thrilling to read as a New York Times bestseller, but they are telling. And reading through the orders provides more details than the news blips about them, details that bank risk management and compliance officers can find useful in strengthening their own risk management and compliance practices.

 5 Telling Facts in Consent Orders Against Wells Fargo

1. The Financial Hit Goes Beyond $1 Billion: Most TV and print outlets announced that Wells Fargo was fined $1 billion by the two regulatory agencies. That is true in that their net CMP was $1 billion. It is interesting to note, however, that the OCC fined the bank $500 million and the CFPB fined it $1 billion for a total of $1.5 billion in CMPs, although the CFPB agreed to accept the $500,000 collected by the OCC as part of its settlement. In addition, the orders call on the bank to develop remediation plans for customers it is alleged to have harmed, which will lead to additional costs for the bank.
2. The OCC Focus Is on Risk Management: While news stories ran with the mortgage and auto lending practice allegations, likely because that was the message in the CFPB order, the OCC focuses first and foremost on risk management before addressing the other two issues. The order’s opening paragraph states that, “The OCC has identified deficiencies in the Bank’s enterprise-wide compliance risk management program that constituted reckless unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of Section 5 of the Federal Trade Commission Act…”
3. The Alleged Risk Management Deficiencies Extend in Time and Scope: The OCC claims that, “Since at least 2011, the Bank has failed to implement and maintain a compliance risk management program commensurate with the Bank’s size, complexity and risk profile.” The alleged deficiencies also impacted almost every aspect of the program, including the plan’s execution, the expertise of the personnel involved, the assessment and testing of the plan, the reporting to the Board, and its overall implementation.
4. UDAP and UDAAP Used by OCC and CFPB: As discussed before in this blog, unfair, deceptive or abusive acts or practices (UDAAP) and its cousin unfair and deceptive acts and practices (UDAP) are often handy regulations for regulatory agencies to cite because of their broad scope. In addition to the OCC’s unfair claim outlined in point #2, the CFPB alleges unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA) in regard to Wells Fargo’s mortgage and auto lending practices. On the former, the CFPB claims that the bank “unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers.” On the latter, it claims the bank “operated its Force-Placed Insurance program in an unfair manner.”
5. Vendor Management Comes into Play: Both the OCC and the CFPB orders indicate that the auto lending practices in question involved the bank’s vendor, reinforcing the fact that banks are ultimately responsible for the functions being performed by their vendors.

The moral of this story for banks and credit unions of all sizes: make sure that 1) your risk management practices are appropriate for your risk profile; 2) nothing you or your vendors are doing in word or deed can be deemed unfair, deceptive or abusive; and 3) you are routinely monitoring your vendors to ensure that they are fully and effectively complying with all the rules and regulations that apply to your institution and to them.