Fraud , ID Theft , Insider Fraud

Regulators Slam Wells Fargo for Identity Theft

Bank Fined $185 Million Over Rampant Misuse of Customers' Identities
Regulators Slam Wells Fargo for Identity Theft
Photo: Mike Mozart (Flickr/CC)

For years, some Wells Fargo employees subscribed the bank's customers to products they didn't request, and that practice has now triggered $185 million in fines.

See Also: Ransomware: The Look at Future Trends

The second-largest U.S. bank was accused by state and federal regulators of allowing its employees to access customers' personal information - and in some cases forging data - to subscribe them to products, such as credit cards, that both generated revenue for the bank as well as commissions for salespeople. Prosecutors say an astounding 2 million ghost deposit and credit card accounts were opened without customers' knowledge, or through misrepresentation.

This institutionalized campaign of fraud at Wells Fargo may represent one of the largest incidents of organized identity theft ever recorded.

On Sept. 8, Wells Fargo accepted related penalties imposed by the federal Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and the Los Angeles city attorney. It will pay a $100 million fine to the CFPB - the largest fine the agency has ever levied; $35 million to the OCC; $50 million to Los Angeles and $5 million in remediation to customers.

Wells Fargo says in a statement: "We regret and take responsibility for any instances where customers may have received a product that they did not request." Separately, the bank says it undertook a review and refunded $2.6 million to customers - with each refund averaging $25 - "for any fees associated with products customers received that they may not have requested." The bank said less than 1 percent of accounts were affected.

The enforcement actions against Wells Fargo will likely now cause regulators to look more closely at how banks incentivize sales associates and what governance structures are in place to prevent abuse, says Christopher Pierson, CISO and general counsel at invoicing and payments provider Viewpost. Pierson also sits on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee.

"Many financial institutions have had overzealous sales persons overreach their authority or the wishes of the customers and in some cases commit blatant deceptive acts," Pierson says.

Product Pushing

Wells Fargo's retail banking revenues depend in part on cross selling, or trying to get existing customers to take up other fee-generating products.

The bank boasted that its customers held, on average, six different Wells Fargo products, but as part of its "Gr-eight" initiative, pushed for salespeople to increase that average to eight, according to a civil complaint filed by Los Angeles' city attorney in May 2015. But the complaint alleges that the goal was unattainable without salespeople resorting to abusive and fraudulent tactics.

"Managers constantly hound, berate, demean and threaten employees to meet these unreachable quotas," the complaint reads. "Managers often tell employees to do whatever it takes to reach their quotas."

The pressure was allegedly intense, with each Wells Fargo branch having to tally sales for district managers at 11 a.m., 1 p.m., 3 p.m. and 5 p.m. The complaint describes how associates pumped up their sales in an attempt to remain in managers' good graces. The tactics they used mirror how cybercriminals execute identity theft schemes, including borrowing identity details and opening fraudulent accounts in consumers' names.

The practices were allegedly so common that Wells Fargo employees had taken to nicknaming some of the related tactics. One, known as "pinning," involved bank employees enrolling customers - without their knowledge - into online banking and bill-paying products. Employees generated ATM cards for the dummy accounts and assigned PIN numbers - usually "0000" - to the cards, essentially impersonating customers, according to the complaint. For each of these new, bogus enrollments, an associate would receive compensation.

But subscribing people to new products often required more customer information than salespeople may have been able to access. Because customers were in the dark, bank employees allegedly sometimes just entered made-up data into Wells Fargo's internal system. To bypass computer prompts asking for customer contact information, for example, bankers allegedly often filled in fake email addresses, such as "1234@wellsfargo.com." The fake email addresses ensured that customers were unaware that they had been signed up to a new product, the complaint reads.

In some cases, Wells Fargo employees actually withdrew money from authorized accounts - a practice euphemized as "simulated funding" - to pad unauthorized, fee-generating deposit accounts that customers did not know existed. The bank took in at least $2 million in overdraft and monthly service fees, according to the complaint.

Those who didn't have enough money to pay the sneaky fees saw their credit reports get dinged. In another extraordinary consequence of this fraud, prosecutors say that the clandestine actions by Wells Fargo employees drove customers to purchase identity theft protection from Wells Fargo, not realizing that it was their bank that was fraudulently misusing their identities.

Long-Running Practices

Wells Fargo allegedly violated a range of California regulations, including bans against the use of another person's data for illegal purposes and the accessing of personal information by unauthorized people.

Yet another one of the amazing aspects of this saga is that it seemed to persist for more than five years. The complaint notes that Wells Fargo had fired a handful of employees over the years for related offenses but adds that "those efforts have been, at most, cosmetic, and ultimately benefit Wells Fargo by providing them with plausible deniability."

Wells Fargo spokeswoman Mary Eshet says that 5,300 Wells Fargo employees have been fired due to practices described in the complaint. Those firings occurred between January 2011 through March 2016, suggesting that the bank failed early on to spot or squash these illegal practices.

Wells Fargo must now retain an independent consultant to review its sales practices, review training procedures and create a compliance plan, according to the consent order that the bank signed with the CFPB.

Executive Editor Tracy Kitten contributed to this report.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network