We are beyond being shocked by systemic governance, risk, and compliance issues in banks. After all, we did write a recent book called “What They Do With Your Money: How the Financial System Fails Us and How to Fix It.”

But the scandal at Wells Fargo does supply a ready, and outrageous, case study of widespread, systemic governance failing combined with tone deafness in senior management. As of this writing, Wells’ mishandling of the situation has enabled a relatively small financial problem—a $185 million settlement—to slice 100 times that, or some $19 billion, from its market capitalization. It is the scope of the problem that makes Wells Fargo’s issue noteworthy. Incented by aggressive sales goals, bank employees opened two million new phantom accounts that customers neither requested nor authorized. Why? Because sales bonuses were tied to aggressive cross-selling goals. Hence, the employees created those phantom accounts and charged the real customers fees related to cross-sold products they never wanted. The Los Angeles City Attorney’s complaint about Wells Fargo’s sales practices claimed that targets for cross sales to existing customers for each employee were reviewed by district managers multiple times a day. In other words, the sales pressure was intense and the goals unrealistic.

To date, some 5,300 employees have been fired. That’s one in every 50 Wells employees. More than 500 of them were bank branch managers or higher in the hierarchy. The firings have been ongoing for five years, which means senior Wells officials must have known about the issue for at least that long. In fact, CEO John Stumpf admits he has had weekly calls focusing on the fraud with Carrie Tolstedt, the senior official in charge of the retail banking system since 2013. Despite that, he allowed her to retire, in a transparent attempt to protect her reputation and eight-figure payout. The adjective systemic seems custom-crafted to fit this situation. And that’s not just us saying it: The Comptroller of the Currency recognized the systemic risk Wells had created and has announced that he will warn other banks to examine aggressive cross-selling goals, explaining that such incentives need to be mitigated with strong internal controls. “This is a culture issue. You cannot, as a bank, abuse your customers’ trust,” Comptroller Thomas Curry declared.

Systemic abuse. Culture failure. One in every 50 employees fired. Market capitalization sliced by $19 billion. At times like this, corporate leaders should assume responsibility, execute accountability, and earn their compensation and stakeholder trust by saying the buck stops with them. At Wells, however, the C-suite looked in the mirror and saw 5,300 ghosts all named denial. Instead of taking accountability and control, they blamed the lower-level employees who had been responding to the sales culture and incentives. CFO John Shrewsberry told a New York audience that “it was really more at the lower end of the performance scale, where people apparently were making bad choices to hang on to their job.” CEO John Stumpf initially denied any systemic problem and asserted “there was no incentive to do bad things.” His tone was such that the Wall Street Journal headline on that article read “Wells Fargo CEO Defends Bank Culture, Lays Blame With Bad Employees.” The attempt to use the “few bad apples” defense was itself a rotten apple. As Melissa Arnoff, the head of the reputation practice at communications consultant Levick told the Washington Post, “Yes, it is the employees who created the accounts. But there’s something wrong with the internal system if this went on for five years and involved at least 5,300 employees.” Stumpf seemed to get part of the message. He later announced that Wells would end the cross-selling goals.

At a Capitol Hill hearing last month, Senator Elizabeth Warren pressed Stumpf to resign and to return compensation earned that might be linked to cross-selling. This, Warren contended, would represent meaningful accountability. But Stumpf deferred to the board which, of course, he leads.

What are the governance lessons from the Wells debacle? Let’s start at the top. As of this writing, no independent board member has stepped up publicly to provide assurance that Stumpf or other executives would be held accountable for the scam. Normally one would expect the chair to do so, but Stumpf has that job along with being CEO. Where is the lead director? Stephen Sanger has not played any public role so far, and indeed, his job may not be as powerful as the company would like outsiders to believe. According to the proxy statement, he is paid $40,000 extra to serve as lead director. The typical independent chair at an S&P 500 company is paid seven times more in extra compensation. If pay is a test of expectations, Wells’s lead director may not be expected to do much. And if the board does eventually oust Stumpf over the scandal, it will by now seem too late and as a response to public pressure.

Arguably, Stumpf should have had an independent chair serving as his boss. And indeed, for more than a decade each of Wells’s annual meetings has featured a shareholder resolution calling precisely for that. But here is another lesson of the case. Wells’s largest shareholders, including BlackRock and Vanguard, annually rejected that call, helping to kill the proposal and thus exposing all investors to elevated governance risk. It will be interesting to see how they vote on the same resolution at the 2017 meeting.

There are other compliance and governance questions to ask, too. Where was internal audit? How can two million accounts be opened, and most closed, and enough people know it’s wrong so that 5,300 employees are fired, and for all this to take place over five years, without internal audit looking at the root causes? Or alerting the board?

Where was the board audit committee? If internal audit did look at the cross-selling metrics, how could the audit committee of the board not know? And if the audit committee did know, why did it not act?

Where were human resources managers? When more than 5,300 employees are fired for the same cause (and that cause was an ethical failing and a compliance violation) shouldn’t human resources have known?

Where was the financial planning and analysis unit? In the latest 10-Q filed before the scandal exploded, the bank seemed atop the cross-selling metrics. It bragged about “Our retail banking household cross-sell … was 6.27 products per household.” It clearly tracked the cross-sells carefully. Did it keep an eye out for the top line results, and a closed eye for the fact that they were fictitious?

If the bank had been firing people for five years, and if legal (and presumably senior management) had been contemplating a settlement, why had there not been appropriate risk disclosure in its securities filings? And how could senior management not have been aware of the reaction the settlement announcement would engender? The bank’s spokesperson did not help matters when he said, “Each quarter, we consider all available relevant and appropriate facts and circumstances in determining whether a litigation matter is material and disclosed in our public filings. Based on that review, we determined that the matter was not material.” As investors, we think a $19 billion drop in market capitalization is pretty damn material.

Of course, this scandal is still playing out. But it’s clear that damage has been done. We predict there will be a number of shoes that still have to drop. A lawsuit alleging a failure to disclose the five years of phantom account openings is virtually inevitable. Pressure will be put on the individual members of the board, particularly the lead director and audit committee. Depending on how it all plays out, Mr. Stumpf may or may not keep his job; after all, Jamie Dimon came out of the London Whale fiasco at JPMorgan not only intact but with a strengthened control environment at the bank. Nonetheless, there are clearly a number of compliance and governance lessons to learn.

Forgotten purpose. The Comptroller of the Currency hit the nail on the head. “You cannot, as a bank, abuse your customers’ trust.” Finance is a service business. There are so many intermediaries in any financial transaction that financial institutions sometimes forget there are real people at the end of that chain. The bank accounts weren’t just numbers and electronic ledgers. They were people’s savings and credit ratings and reputations. The fact that Wells Fargo forgot that its first loyalty had to be to the customers who lent it money was the enabler of the scandal and the reason the bank’s initial reaction was so tone deaf. Yes, a $185 million settlement may not be “material” to a bank that earns more than $20 billion a year. But it represents a breach of trust (as well as material holes in the compliance regime). The fact that senior management of Wells Fargo didn’t recognize that until it was the unintended poster child for failed compliance is perhaps the most troubling aspect of the entire situation.

Aggressive sales goals need to be monitored for unintended consequences. We love stretch goals; they are great motivational devices. But beware; they can cause behavior that you don’t want. How the board of Wells Fargo missed this one, we do not know. When we sit on boards, we try as best as we can to understand the ramifications of our incentive systems and to monitor corporate culture. That means using every assurance mechanism available, both internal and external. We listen to internal audit, go deep with external auditors, ask legal and human relations for unredacted reports of what calls come in to the anonymous whistleblower hotline, and read press and analyst reports about the enterprise (the aggressive sales tactics at Wells Fargo were first reported by the Los Angeles Times in 2013).

When something bad happens, take accountability and address it head on. Wells Fargo knew the settlement was being announced. It knew it had fired 5,300 workers. Yet it failed to get ahead of the story by saying it had a problem and how it was being fixed. The lead director should have spearheaded a package of actions including clawbacks of pay, the appointment of an independent board chair, and a housecleaning of relevant top executives. Calling the scandal the result of “bad choices” by the rank and file or “not material” makes management seem either out of touch or inadequate to deal with the situation. And it squanders trust, plunging the stock price.

There may still be a narrow window for Wells Fargo to snatch victory from the jaws of defeat. The board can accept responsibility and use the crisis to build a new culture. There is precedent for such a pivot. When JPMorgan had its London Whale controversy, it also made initial missteps and underestimated the damage. Indeed, CEO Jamie Dimon called it a tempest in a teapot. But then Dimon and Board Audit Committee Chair Laban P. Jackson tag-teamed the situation, speaking, testifying, and visibly taking responsibility. The result has been a better risk culture at JPMorgan. Not coincidentally, Wells’ stumbles enabled JPMorgan’s market capitalization to soar past that of Wells Fargo to become the most valuable bank in the United States.