[BreachExchange] Wells Fargo Opened a Couple Million Fake Accounts

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 9 15:09:58 EDT 2016


https://www.bloomberg.com/view/articles/2016-09-09/wells-fargo-opened-a-couple-million-fake-accounts

Two basic principles of management, and regulation, and life, are:

You get what you measure.
The thing that you measure will get gamed.

Really that's just one principle: You get what you measure, but only
exactly what you measure. There's no guarantee that you'll get the more
general good thing that you thought you were approximately measuring. If
you want hard workers and measure hours worked, you'll get a lot of workers
surfing the internet until midnight. If you want low banking bonuses and
measure bonus-to-base-salary ratios, you'll get high base salaries.
Measurement is sort of an evil genie: It grants your wishes, but it takes
them just a bit too literally.

Anyway, yesterday Wells Fargo was fined $185 million by various regulators
for opening customer accounts without the customers' permission, and that
is bad, but there is also something almost heroic about it. There's a
standard story in most bank scandals, in which small groups of highly paid
traders gleefully and ungrammatically conspire to rip off customers and
make a lot of money for themselves and their bank. This isn't that. This
looks more like a vast uprising of low-paid and ill-treated Wells Fargo
employees against their bosses. The Consumer Financial Protection Bureau,
which fined Wells Fargo $100 million, reports that about 5,300 employees
have been fired for signing customers up for fake accounts since 2011. Five
thousand three hundred employees! You'd have a tough time organizing 5,300
people into a conspiracy, which makes me think that this was less a
conspiracy and more a spontaneous revolt. The Los Angeles City Attorney,
which got $50 million (the Office of the Comptroller of the Currency got
the other $35 million), explained the employees' grievances in a complaint
last year:

"Wells Fargo has strict quotas regulating the number of daily "solutions"
that its bankers must reach; these "solutions" include the opening of all
new banking and credit card accounts. Managers constantly hound, berate,
demean and threaten employees to meet these unreachable quotas. Managers
often tell employees to do whatever it takes to reach their quotas.
Employees who do not reach their quotas are often required to work hours
beyond their typical work schedule without being compensated for that extra
work time, and/or are threatened with termination.

"The quotas imposed by Wells Fargo on its employees are often not
attainable because there simply are not enough customers who enter a branch
on a daily basis for employees to meet their quotas through traditional
means."

So they resorted to non-traditional means. Like:

"In the practice known at Wells Fargo as "pinning," a Wells Fargo banker
obtains a debit card number, and personally sets the PIN, often to 0000,
without customer authorization. "Pinning" permits a banker to enroll a
customer in online banking, for which the banker would receive a solution
(sales credit). To bypass computer prompts requiring customer contact
information, bankers impersonate the customer online, and input false
generic email addresses such as 1234@wellsfargo.com, noname@wellsfargo.com,
or none@wellsfargo.com to ensure that the transaction is completed, and
that the customer remains unaware of the unauthorized activity."

Is it not weird that all the fake e-mail addresses were Wells Fargo
addresses? I mean "noname" is obviously a weird e-mail address, but maybe
the customer was Norbert O'Name. But surely all the "@wellsfargo.com"
accounts were a tip-off that the requests were coming from inside the
building. Anyway, it's all pretty much as dumb as that, but on a scale that
is magnificently, hilariously dumb. From the CFPB's consent order:

"Respondent’s analysis concluded that its employees opened 1,534,280
deposit accounts that may not have been authorized and that may have been
funded through simulated funding, or transferring funds from consumers’
existing accounts without their knowledge or consent. That analysis
determined that roughly 85,000 of those accounts incurred about $2 million
in fees, which Respondent is in the process of refunding."

And:

"Respondent’s analysis concluded that its employees submitted applications
for 565,443 credit-card accounts that may not have been authorized by using
consumers’ information without their knowledge or consent. That analysis
determined that roughly 14,000 of those accounts incurred $403,145 in fees,
which Respondent is in the process of refunding."

So that's about 2.1 million fake deposit and credit-card accounts, of which
about 100,000 -- fewer than 5 percent -- brought in any fee income to Wells
Fargo. The total fee income was $2.4 million, or about $1.14 per fake
account. And that overstates the profitability: Wells Fargo also enrolled
people for debit cards and online banking, but the CFPB doesn't bother to
count those incidents, or suggest that any of them led to any fees. Which
makes sense: You'd expect online banking and debit cards to be free, if you
never use them or even know about them. Meanwhile, all this dumb stuff
seems to have occupied huge amounts of employee time that could have been
spent on more productive activities. If you divide the $2.4 million among
the 5,300 employees fired for setting up fake accounts, you get about $450
per employee. Presumably it cost Wells Fargo way more than that just to
replace them.

In the abstract, you can see why Wells Fargo would emphasize cross-selling
of multiple "solutions" to customers. It is a good sales practice; it both
indicates and encourages customer loyalty. If your customers have a
checking account, and a savings account, and a credit card and online
banking, all in one place, then they'll probably use each of those products
more than if they had only one. And when they want a new, lucrative product
-- a mortgage, say, or investment advice -- they're more likely to turn to
the bank where they keep the rest of their financial life.

But obviously no one in senior management wanted this. Signing customers up
for online banking without telling them about it doesn't help Wells Fargo
at all. No one feels extra loyalty because they have a banking product that
they don't use or know about. Even signing them up for a credit card
without telling them about it generally doesn't help Wells Fargo, because
people don't use credit cards that they don't know about. Cards with an
annual fee are a different story -- at least you can charge them the fee!
-- but it seems like customers weren't signed up for many of those. This
isn't a case of management pushing for something profitable and getting
what they asked for, albeit in a regrettable and illegal way. This is a
case of management pushing for something profitable but difficult, and the
workers pushing back with something worthless but easy.

Not that the workers were happy: These tactics seem to have been less a fun
way to put one over on the bosses, and more a desperate attempt to stop the
pain. Some of them still sound pretty traumatized by all the berating:

"“When I worked at Wells Fargo, I faced the threat of being fired if I
didn’t meet their unreasonable sales quotas every day, and it’s high time
that Wells Fargo pays for preying on consumers’ financial livelihoods,”
Khalid Taha, a former employee, said in a statement."

And of course the customers were unhappy. Actually, it seems like a
majority of them were unharmed and oblivious, but that's a majority of a
very large number. Thousands were charged fees, or had their credit
damaged, or were generally creeped out by, you know, strangers using their
personal information to open bank accounts on the internet. Even ignoring
all the eventual fines, no one was made better off by this system. Wells
Fargo's customers were harmed, its employees were miserable, and it didn't
even really make any money doing it.

Eventually we will all stop reading and writing articles about Why No
Senior Executives at Big Banks Went to Prison for the Financial Crisis, but
that time isn't quite yet. There are basically two views about the answer.
One is that senior bankers knowingly countenanced fraud, but were good at
covering it up, and prosecutors couldn't quite find the smoking gun. The
other is that fraud is sometimes an emergent property of complex
institutions, and that there can be widespread misbehavior at a bank
without senior management approving it, or knowing about it, or wanting it.
This case is, I think, useful evidence for the latter view. "Wells Fargo
knew, or in the exercise of reasonable care should have known, that its
employees open unauthorized accounts," said the L.A. City Attorney last
year, but it's hard to believe that any actual human in senior management
wanted that to happen. They wanted employees to open lots of real accounts,
and designed a system that they hoped would encourage that. But they
designed it badly, and ended up instead encouraging employees to open a lot
of fake accounts. That's not what anyone wanted, but it happened anyway.

Strictly, it's 5,300 fired for "engaging in Improper Sales Practices,"
defined as:

(1) opening any account without the consumer’s consent;
(2) transferring funds between a consumer’s accounts without the consumer’s
consent;
(3) applying for any credit card without the consumer’s consent;
(4) issuing any debit card without the consumer’s consent; and
(5) enrolling any consumer in online-banking services without the
consumer’s consent.

According to the L.A. City Attorney, other dumb methods included:

Signing up family members and friends for accounts. (Employees "report that
they spend holiday dinners trying to convince family members to sign up for
accounts.")

"Bundling," where employees falsely tell customers that they can't get the
service that they want unless they sign up for other services they don't
want.

"Sandbagging," where employees wait to open requested accounts until the
beginning of the next reporting period.

Lying about monthly fees, either by saying that new accounts don't have
monthly fees when they actually do, or saying that accounts that really
don't have monthly fees do, unless you sign up for some other account.

"Advising customers who do not want credit cards that they will be sent a
credit card anyway, and to just tear it up when they receive it."

I mean, 14,000 out of 565,443 credit card accounts seem to have incurred
fees. You can see why they'd be a minority: The whole point of this was to
sign customers up without their noticing, and they're more likely to notice
a card with a fee.

Oh, disclosure, I guess: I have a no-fee Wells Fargo Visa card that I never
use. (Seriously I have one charge on it in the last five years, for $13.12
worth of groceries.) I did mean to sign up for it, though.

From the L.A. City Attorney's complaint:

"Customers have been prejudiced in numerous ways by Wells Fargo's gaming:
(a) customers lose money to monthly service fees charged for unauthorized
accounts; (b) customer accounts are placed into collection, forcing
customers to fight with debt collection agencies for fees charged by Wells
Fargo on unauthorized accounts; (c) customers' credit reports are affected,
impacting job applications, loans for automobiles, and mortgage
applications; and (d) customers are forced to purchase costly identity
theft protection services to ensure against further fraudulent activities."