What Wells Fargo's Latest Scandal Tells Us About Enterprise Risk..

The health of your IT and data security is vital to the ongoing success of your business, and your clients’ trust in you. Strong risk management practices can be the difference between your company thriving, or failing.

On May 17, 2018, The Wall Street Journal reported that Wells Fargo Bank employees improperly altered or added information on documents related to corporate customers last year and early this year as it was trying to comply with a regulatory consent order over anti-money laundering controls.

In a statement, a Wells Fargo spokeswoman said: "This matter involves documents used for internal purposes. No customers were negatively impacted, no data left the company, and no products or services were sold as a result." This is stunning news considering the deep and troubled history of ethical and trust "problems" at the bank. Let's review:


September 8: FAKE ACCOUNT CREATION ALLEGATIONS- Federal regulators revealed Wells Fargo employees secretly created millions of unauthorized bank and credit card accounts without their customers knowing it. The bank is hit with a $185 million fine. Wells Fargo says 5,300 employees were fired for related reasons.

September 28: ILLEGAL ASSET REPOSSESIONS ALLEGATIONS- The company agrees to pay $24 million to settle charges. The DOJ claims the bank took 413 cars without a court order, which violates federal law. The company apologizes and commits to refunds.


January 23: WORKER RETALIATION ALLEGATIONS- The bank says there are signs it retaliated against workers who tried to blow the whistle on the fake accounts.

June 14: MORTGAGE FRAUD ALLEGATIONS- Wells Fargo is accused of modifying mortgages without authorization from the customers. That means some customers could have ended up paying the bank more than they owed. It's unclear how many customers were affected. Wells Fargo says it "strongly denies" the claims.

July 27: INSURANCE FRAUD ALLEGATIONS- The bank admits it charged at least 570,000 customers for auto insurance they did not need. Wells Fargo says an internal review found about 20,000 customers may have defaulted on their car loans for related reasons.

August 4: CREDIT CARD ABUSE ALLEGATIONS- Wells Fargo is sued for allegedly that accuses Wells Fargo of overcharging small businesses for credit card transactions by using a "deceptive" 63-page contract to confuse them.


February 2: SANCTIONS BY THE FED- The Federal Reserve states Wells Fargo Bank won't be allowed to grow its assets until the bank fixes its internal business practices.

February 23: MINORITY,LOW-INCOME LENDING PRACTICE ABUSE ALLEGATIONS-The city of Sacramento, California, accuses Wells Fargo of a "long-standing pattern and practice" of illegal lending in minority and low-income communities that reduced home values, limited property tax revenue and drove up foreclosures. The bank says the allegations "do not reflect how we operate in the communities we serve" and says it will "vigorously defend" its lending record.

April 20: FINED BY THE FEDERAL GOVERNMENT- The Consumer Financial Protection Bureau and the Office of the Comptroller of the Currency fine Wells Fargo $1 billion for Mortgage and Insurance Fraud.

May 17: EMPLOYEE DATA FRAUD AND ALTERATION ALLEGATIONS- According to the WSJ Report, Wells Fargo employees in the wholesale division added or altered the information without customers' knowledge, including Social Security numbers, addresses and dates of birth.

Let's just recap- For a period of 2 years or more, Wells Fargo Bank continued a pattern of financial mis-deeds, fraud, abuse, all while being investigated by the DOJ, CFPB, SEC, and others and all the while- maintaining its committment to their customers, and to their God, and Country.

Now lets just say that this is true for a minute- and these were "Bad Apples" acting alone and without sanction. Sure- that's totally plausible when looked at as a single incident. But we aren't talking about a single incident- there has been a clear, persistent, methodical pattern of data abuse and mishandling at Wells Fargo for over two years, or more. So I'll argue that the issues here are ones of a total, blatant and absolute lack of accountability, rule of law, checks and balances, ethics, and lending practices that paint a picture of a company that has completely lost its way, its trustworthiness, and its identity as a once trusted pillar of the financing and banking industry of this country. And sadly, I will submit this story isn't over quite yet!

I'll bet that the "drip, drip, drip" will continue while fines and other sanctions continue to pile up- and the Fed's either take over the bank, (which would be unprecedented,) or we see another MCI- Verizon like change.

Wells Fargo and other institutions that carry tremendous burdens of trust must and should be held accountable to the very letter of the law! This is a test of our justice system, and of our consumer confidence. It's a test of the very ethics this counry's financial institutions depend upon.

AND its also a reminder that corporate risk, insider fraud and bad-actors exist and are a clear and present danger to our economies, and our way of life.

So what do we do about it? Other than the ethical standards and values a company maintains, adopting a solid Risk Management Framework starts with understanding your risk likehood, or vulnerability. A Risk Assessment is a good first step in this process. While we all like to focus on the utopian aspects of business, in reality, as incidents like Wells Fargo show, businesses must prepare for the worst-case scenarios as well.

There are many ways disaster can wreak havoc on a business, both man-made and natural, deliberate and accidental. These hazards can put your security at risk, and compromised data is a threat that can shut your enterprise down for good. To fully understand what threats you might face, and how to mitigate these data security hazards, your business needs a risk assessment. When you know what you’re up against, you can plan for those worst case scenarios, and move forward to the good things without constantly worrying about what could happen.

What is a Risk Assessment? A risk assessment, when completed thoroughly, identifies your most critical systems and data. It also examines how specific risk scenarios could impact the systems and information, and how likely it is that those threats could materialize.

With these threats to your data security identified and prioritized, your enterprise can then determine how to address each threat, whether it is through protecting your data and resources, mitigating the damage after it happens, recovering your systems or accessing them elsewhere, or other steps specific to your company.

Every business faces different risks and will have a unique risk assessment.

For example, if your company works with health information, a HIPAA risk assessment needs to ensure that personal and protected data is upheld to the most stringent regulations to avoid major penalties.

Types of Data Security Hazards

Hazards threatening your data security can generally be split into four categories. There are natural hazards, all of which are unplanned and uncontrollable. These are threats like earthquakes, fires, lightning strikes, and flooding.

To plan for these hazards, you have to have systems in place that will keep your data secure and your systems running, even if your physical location is compromised by a natural threat.Man-made hazards can be deliberately targeted at your business, like virus attacks and hacking, a disgruntled former employee revealing your data to outside sources, or through attacks on your physical location like arson, vandalism, or theft.

There are policies and practices you can put into place to avoid many of these issues, or at least cut down on the impact. For example, strong security practices could ensure that former employees will no longer have access to company data.Then, there are accidental data security threats, caused by people who aren’t trying to specifically hurt your business.

These are issues like operator or programming errors, accidental deletions of data or failure to back up important information. Accidental data security threats include physical accidents, like leaks or fires. Protective measures help address these threats, proactively handling any data risk before it can cause a lot of damage. Finally, there are larger, people-centric incidents that are not specific to your enterprise or its location, but can still have an impact. This could be a telecommunications system failure or outage, civil disorder, traffic accidents or transit issues blocking access to your physical location.

Your company needs to know how to detect these problems early, and recover from this type of incident. To determine what data security hazards apply to your company, it’s important to look back at historic data as well as considering ongoing scenarios. Media information, weather and natural disaster data, previous disruptions or threats to the company, and an understanding of tech risks all come together to create an accurate picture of your company’s vulnerabilities.

Risk Assessment: An Ongoing Commitment

It’s important to update your risk assessment regularly, as potential threats change and your data and technological requirements shift, too. If your geographical location is facing more weather-related events, for instance, you should re-assess to decide if there are protective steps you could take. Or, if you start using a new computer system, or bring a new client on board, your risk profile may change.

An outdated risk assessment won’t help if disaster strikes, so be sure to check in with your data security often. As you work to update your risk assessments and contingency planning, remember that running old systems is a risk itself. Outdated tech is an open door to a data breach, and easily avoided by ensuring that your tech is updated along with your business plans.

The health of your IT and data security is vital to the ongoing success of your business, and your clients’ trust in you. Strong risk management practices can be the difference between your company thriving, or failing.

At CloudSkope, we help clients ensure their data is as secure as it can be, with risk management processes and programs that are tailor-made to your business and its needs.

82 views0 comments