[Long time, no blog. Since May 1, co-blogger Gordon has been the dean of BYU Law School, and I have had the enormous pleasure to be an associate dean. This leaves little time for blogging or much else. However, yesterday's Wells Fargo news was too interesting to let slide.]
Yesterday, the Consumer Financial Protection Bureau announced that Wells Fargo will pay a $185 million fine to the CFPB, the city of Los Angeles and the OCC. Apparently, the commissions that the bank paid to employees for setting up new checking, savings and credit card accounts incentivized those employees to set up fake accounts using customer information without the customers' permission. These secret, unauthorized accounts sometimes resulted in customers paying fees but always resulted in the employees receiving bonuses. (Disclaimer: I am a WF customer, and yes, even the very awesome and helpful employees at the BYU branch try to cross-sell new products pretty regularly. Maybe all banks do as well.) Since 2011, over 5000 employees have been fired.
But, this is probably not the end of the story. (At least) Two other legal actions could transpire. First, shareholders could sue the board of directors in a derivative action for breach of the duty of oversight, a duty to monitor situated within the duty of loyalty. Second, shareholders could sue in a securities fraud action of language in disclosure or other documents seemed to hide or downplay the severity of this problem as it was known to the board. Neither avenues are particularly well-suited for these types of cases. For a securities fraud case, one would need to find a company statement that was factual and false: "Our incentive compensation systems for bank employees reward and properly incentivize good customer service." "We have systems in place to ensure that customer data is never used by employees to their advantage." Only in rare cases will general statements about good business practices give rise to passing the motion to dismiss stage in a federal securities Rule 10b-5 action (see Countrywide).
Shareholder derivative actions have not been too successful lately, either. Even post-financial crisis, shareholders could not get a lot of traction in the Delaware courts in cases against Goldman Sachs and Citigroup for the board's failure to monitor employees who engaged in highly risky trading, leading to huge financial losses. (See The Duty to Manage Risk, by me.) In those cases, the courts reasoned that the quintessential Caremark claim involved a company having no system to monitor foreseeable, significant, illegal activity by employees. Reckless and stupid employee activity, if not illegal, is a hard basis for a Caremark claim, and even illegal activity needs to be widespread and not isolated to a few bad actors. Interestingly, the Delaware courts have found hardly any viable Caremark claims since the landmark case (in which the court approved a settlement for almost nothing because "those claims find no substantial evidentiary support in the record and quite likely were susceptible to a motion to dismiss in all events."). So what about here?
Well, the activity is illegal. I'm assuming here that using private customer information without authorization is illegal and violates banking law. And, these actions violated CFPB regulations. So, we have illegal activity. The activity also does not seem isolated -- over 5000 employees, possibly 2 million unauthorized accounts, over 500,000 unauthorized credit cards. However, the Caremark case involved the company paying civil damages of $250 million in 1995. Here, the fine is $185 million, which may be the largest fine levied by the brand-new CFPB, but isn't that big in the scheme of things. If more charges are brought, that would strengthen the claim. I'm not sure I would be confident in a Caremark claim here, even though the activity is illegal and seems to be widespread. As of this morning, I couldn't find any new litigation having been filed, but stay tuned!