A new CCO’s Herculean task at Wells Fargo

Bad press, regulatory rebuke, and Congressional scrutiny have dogged the firm for various misdeeds.

Even as Wells Fargo, in recent months, made a concerted effort to live up to bank regulators’ consent decrees, regain public trust, and put past failures behind it, legislative scrutiny drove CEO Tim Sloan out of the institution, the product of constant hectoring by the Senate Banking Committee and House Financial Services Committee.

Perhaps overlooked among the Congressional rancor was the January 2018 hiring of Mike Roemer, a 27-year financial services veteran, as chief compliance officer. He most recently served as group head of compliance for Barclays.

Roemer is responsible for ensuring that all areas of the company meet compliance management responsibilities and abide by all applicable laws and regulations. Reporting directly to Wells Fargo’s chief risk officer and head of corporate risk, he will be instrumental in leading the company’s efforts to, in its words, “develop an industry-leading compliance program.”

Compliance Week spoke to Roemer about the daunting task he has before him and his views on trends and topics related to compliance and risk management.

CW: What was it like to come into such a large organization and one that’s been under significant scrutiny? What’s your starting point? What were some of your priorities on Day 1?

MR: The role is transformational. Overall, the company’s view is to rebuild trust with its customer base, given the issues that that manifested themselves in 2016 through its sales practices.

When I come onboard at a place like this, part of the job is to learn about the company and learn about the culture of the organization. You spend time listening. The primary thing is to is learn from the company and its employees.

Wells Fargo was, historically, a federated model. That was one of the drivers for a lot of the firm’s earlier success. Unfortunately, it also led to some of the root causes of sales practices [that proved to be problematic]. My job is to create a compliance function that was enterprise-wide—a single compliance function for the entire organization. That was the mandate: to build a fit-for-purpose compliance function and, ultimately, a world-class compliance function. My role was also to impart a culture of compliance across the entire organization and make sure that processes, systems, training, and everything else, was in place to support it.

The first thing you do is to assess the gaps between what currently exists and what world-class compliance is. You assess what your customers need, what your shareholders want, and even what your regulators expect to see—an enterprise-wide compliance function that is centrally managed and designed to help the company manage risk for the benefit of customers. Compliance can be a competitive advantage for the firm and integral for rebuilding trust.

The other commitment Wells Fargo has is to look across the entire organization and find any other issues where either trust had been eroded, or that we were not necessarily doing everything we could to make the customer experience great. Once again, rebuilding trust permeates everything.

CW: How much of a challenge is it for a compliance officer, especially a new one, to improve a firm like Wells Fargo’s culture given the size, diversity, and geographical spread of the organization? How do you deal with the somewhat intangible nature of culture?

MR: That’s the $64,000 question, because everybody defines culture slightly different. For me, the biggest driver of culture in any organization is observable behavior. A compliance function should be, and can be, a culture carrier for the organization. It can be a champion for the culture of the organization.

How do you do you manage culture? If you have a federated model with disparate compliance organizations that are not necessarily aligned or focused on some sort of North Star, as Wells Fargo did, you can get very different outcomes from different parts of the company. Centralizing compliance was a foundational element for me coming into the organization.

When I started, at the top of the house there were approximately 200 compliance colleagues, then there were compliance colleagues embedded throughout the company in front line business units. Today, we have 4,300 [compliance personnel] that all report up to the chief compliance officer at the enterprise level. We not only identified people performing compliance in the businesses and centralized them, we also hired more than 500 people over the last 10-14 months.

Compliance will probably grow over the course of the next year or so to approximately 5,000 people. Those colleagues are now all connected as a team. They are spread throughout the entire organization, but there is solid line reporting to the CCO. That allows us to spread the compliance story, spread the compliance framework, and make sure that we are, in fact, culture carriers across the entire organization.

The foundational part was moving from the federated model which existed for the company and compliance, basically centralizing that function, and then having that group of people under one compliance program for the organization. All 4,300 of us view our job as to help the business manage compliance, make it a competitive advantage for the firm, and rebuild trust with our customers.

Cultural changes take a long period of time. Is a culture of compliance rewarded? Are people encouraged and rewarded for risk management? Do we encourage people to raise their hand and identify issues so we can all fix them quickly? Are we transparent with our customers and our regulators? All those things are tied to this cultural journey we’re on. Since [issues with sales practices arose], we’ve made a whole bunch of good progress but, and I’ll be the first person who says it, we are never done. We can always do better.

People sometimes get scared off when I say that you have to lean in, you have to have a voice, and you have to be willing to be fired. In compliance we may have a seat at the table, but we need to have the courage to speak up—and we can’t fear retribution. My commitment is that I will be supportive, and I’ll be willing to be fired on their behalf as it relates to delivering compliance risk management. 

CW: An important component of everything you’ve mentioned is, of course, the employees themselves. Can you discuss how you’ve improved existing initiatives and encouraged those folks to be part of a speak-up culture?

MR: What you’re trying to do is encourage these folks to raise their hand, to speak up, and to identify problems. You want everybody to do that.

If you’re in the technology space, making mistakes can be a very important part of innovation and developing new technology. It’s harder for a financial institution because, of course, we’re talking about customers’ futures and large sums of money.

We want people to raise their hand and identify problems as quickly as possible, but we don’t necessarily want them to fix them on their own. No one, including me, is successful on their own; you’re only successful when there is a team effort. I can build a great compliance function, in and of itself, but if it doesn’t engage with the businesses and doesn’t engage with the rest of the risk ecosystem of the firm, we won’t be successful. We might have pockets of success, but you can’t be truly compliant if the rest of the firm is having issues and customers are not having good experiences.

We have made escalation of issues a priority, but we try to do it in such a way where it’s not a “gotcha” mentality. It may be that, historically, there were more issues being identified by compliance, supervisors, regulators, or our control functions, but the company is now encouraging self-identification. You want the second line and risk management teams to identify fewer issues, with the majority identified by the business units themselves.

We have a training program, across the firm, around raising your hand. We have ethics lines and other tools that are designed for both raising issues and doing so anonymously. We have a zero tolerance for retribution. It’s important for everyone here to understand that compliance and risk management is everyone’s job. Everyone needs to understand their role as it relates to the entire firm.

CW: You mentioned something I’m sure compliance officers would think is a very good thing: the ability to have some form of board-level reporting. From what you’re saying, there’s a lot of buy-in and you are part of the team. That is a luxury not every compliance officer can say they have.

MR: We have to be able to have the courage to raise issues, no matter what and no matter with whom, all the way up through to the CEO and the board. We now have a reporting structure where we have a monthly meeting with a subcommittee of the board, and I basically escalate any issue I want to.

What we’re trying to do is to make compliance and risk management part of the DNA at Wells Fargo and make it part of the culture of the organization. A culture of compliance doesn’t mean that it’s a draconian place with lots of rules and regulations. It should mean that our colleagues and team members around the around the organization are focused on making sure that we’re doing things right for our customers, consistently, with every interaction every time. We should all be striving for that.

If you have a risk management culture, it is understood that our job is to manage risk every day, whether that’s compliance, operational, liquidity, or credit risk. There are a whole host of risks and, as an organization, our job is to manage all of them consistently.

CW: How can technology, especially emerging technology, fit into your plans?

MR: There was a period during the 2008 credit crisis, and in the aftermath of LIBOR and FX scandals, when you saw a massive buildup of compliance staffs. I’m not necessarily interested in arms and legs; I’m interested in brains.

When you’re a compliance officer of Wells Fargo there are certain things you should expect. You should expect to make a good living and that we’re going to invest in your personal and professional development. We are going to give you challenging work, but it’s going to be rewarding and you’re going to feel like you can make a difference. You are not going to be doing mind-numbing work. That’s where technology comes in.

We’re probably, in some cases, a little bit behind, but we’re trying to ratchet things up as quickly as we can.

We’re using artificial intelligence for lexicon-based surveillance capabilities. We are also building artificial intelligence solutions to allow our team members around the around the world to enter any question they have on compliance into our “Why Comply?” tool. Through an ongoing learning capability, we would see what we don’t have capabilities in, identify training needs, and identify topics we should do more on.

To be honest, none of these are fully built out across the entire organization. As I mentioned before, the company was historically a very federated model. What I discovered when I got here was that there was really good stuff going on in pockets everywhere. My job is to is to identify them, leverage them, and then roll them out across the broader organization. Some of our call centers, for example, were using natural language processing on surveillance of some of our broker dealers. What we’re doing is packaging and gathering all these instances of cool stuff and then trying to leverage them for all of our businesses.

When you use natural language processing and artificial intelligence, they may require an experienced compliance officer to actually analyze and look into what they produce. That’s obviously much more rewarding and interesting work.

CW: A sometimes overlooked aspect of compliance is keeping the training vibrant, not just a check-the-box kind of approach. What is your strategy?

MR: I’m not a massive supporter of online training. Historically, it was created to allow companies to demonstrate to regulators that training has been completed. My experience elsewhere is that it is less focused on outcomes and more focused on the actual execution of the training. So, we are partnering with the enterprise learning and development team that sits in Wells Fargo. They are putting a new system and starting [this spring] which will allow us to start to change that dynamic and have a much more outcomes-driven training program. It will also allow us to tailor training based upon needs.

As I mentioned before, our [AI-driven] “Why Comply?” tool will allow us to say, “Hey, this month, in this part of the United States, we have many questions on disclosure and gifts and entertainment policies.” This will allow us to tailor specific training. With an outcomes-focused training program, designed to identify issues and provide very acute training for those issues, I think we will see much better outcomes, as opposed to “everybody takes the training, takes the test, passes the test, and forgets about it until next year.” We’re moving away from that.

CW: I noted with interest that there was an emphasis on the “three lines of defense” model in Wells Fargo’s Business Standard report. As someone with significant audit experience, how important is that and how do you want to integrate that approach into your compliance efforts?

MR: Historically, those lines were opaque at Wells Fargo. The new risk management framework we’ve implemented is designed to make roles and responsibilities much clearer, to make sure that people understand them and what their responsibilities are.

The second line’s job [functions established by management] is to provide a framework to help manage and understand risk. The goal is to make risk management more user friendly and to embed it as part of a process, not a separate thing on top of a process. It needs to be embedded in virtually everything we do within the company. That was a challenge, as you might imagine, under the federated model Wells Fargo had. We’ve moved past that now.

A new [Chief Risk Officer] came on board last year with the new risk management framework. Compliance is now one of the modules under that overall risk management framework.

The framework is very much focused on accountability, especially frontline accountability. For every process in the organization, we identify a process owner and map it—risks, controls gaps, and potential points of failure. It’s an overall business process management mindset. We focus on frontline management, frontline activities, and the people responsible and accountable for understanding their risks. They are supposed to get help from the second line to help them understand their risks and get help when they design something to manage it. We challenge and check that plan.

CW: A lot of compliance officers who are reading this may at some point in their career end up in a place with a similar scope and complexity to what you’ve inherited here. Do you have any advice for your peers in terms of how to make sure they don’t get overloaded when there are so many moving pieces and so many critics? How do they keep their heads on straight and above water?

MR: People sometimes get scared off when I say that you have to lean in, you have to have a voice, and you have to be willing to be fired. In compliance we may have a seat at the table, but we need to have the courage to speak up—and we can’t fear retribution. My commitment is that I will be supportive, and I’ll be willing to be fired on their behalf as it relates to delivering compliance risk management.

I also tell my compliance colleagues to worry only about what they can control. We can’t control a lot of stuff. We can’t control what Congress says about Wells Fargo. We can’t control what others are saying about us. What we can control, every day, is our role in risk management for the company and our role in helping make Wells Fargo a better place for our customers and our team members.

There is a lot of stuff that can distract you, including bad press for the company. Unfortunately, for us, it is deserved. We have had some problems and not treated our customers the way that we should have, or the way they think we should have. We’re doing everything we can to try and fix that and we are absolutely taking accountability. That’s what we can control.

We can take accountability. We can show empathy. We can deliver better outcomes and better service. We can deliver world-class compliance risk management. We can fix our problems and make things right for our customers. Those are the things we can control, but everyone in compliance has to be willing to speak up.

Keep your head on straight. You are making a difference, but you need to lean in and have a voice. You need to have courage to stand up and identify things that need either more clarity or that could be wrong. The worst thing in the world is silence. Silence is not golden anymore, that’s for sure. Silence can be one of the root causes of a whole host of problems, and problems don’t age well.