Wirecard Fraud Is Risk Management Lesson For Fintech Companies

This article is more than 3 years old.

A fintech blog commenting on the Wirecard scandal stated: “Valued at €24 billion and part of Germany’s prestigious DAX stock index, it surprised and disappointed everyone when its auditors announced on June 18 that more than $2 billion in cash had disappeared.” The German payments business subsequently filed for insolvency at the end of June.

Disappointing, yes, but surprising, no. Several clear warning signs of accounting malpractice had appeared over a long period. The Financial Times questioned the company’s accounting and business practices for more than 18 months. A KPMG investigation was unable to substantiate all the company’s revenues in 2016-2018. With few exceptions, investors, analysts and regulators ignored the red flags and accepted management’s statement that all was fine.

This incident illustrates the behavioral biases that can be major drivers of investment missteps - specifically, belief perseverance bias, in which people cling to their previously held beliefs despite contradictory information. Fintech is often mentioned in the same sentence as words such as ‘innovation’ or ‘disruption’, which adds an allure to financial technology companies.

Wirecard had been widely regarded as a pioneer and innovator in the digital payments industry, displacing the big banks. Its market capitalization was at one point bigger than Deutsche Bank’s, and it replaced Commerzbank in the DAX index in 2018. A Bloomberg article blamed the enthusiastic groupthink that carried Wirecard into the DAX index and valued it at 80 times earnings on “investors’ faith in the broader fintech story.” 

Underlying control failures

Frauds are nightmarish scenarios for shareholders and auditors. If there is collusion, they can be particularly difficult to spot. Only a fraction of corporate executives who manipulate or misrepresent their companies' performances get exposed by regulators for such misdeeds. 

Reports of fraud at Wirecard dated back several years, although they were strenuously and repeatedly denied by management. Even after the KPMG report, which publicly raised red flags about Wirecard’s accounting for the three prior years, was released in April 2020, senior management seemed to be in a state of denial, stating that: “none of the accusations and suspicions circulating publicly since January 30, 2019, have been confirmed.”

In retrospect, many investors and regulators were blind to the workings of Wirecard’s digital payments business and the risks it carried. Risk was plainly not situated high enough on management’s or the board’s agenda. A Financial Times editorial titled “Lessons from a financial technology scandal” opined that Wirecard had ignored the inherent risks associated with the digital payment business. With the company led by a mercurial founder and a largely acquiescent supervisory board, it is not surprising that the normal checks and balances to prevent or uncover material risks before they result in loss may have been overridden.

Payment processors and other fintech firms, in some cases, like to think of themselves as technology companies, subject only to technology and system risk; this ignores the swathe of other material operational, compliance and reputational risks that they must manage properly. Gaining and preserving the trust of consumers, merchants and others with robust risk management and internal controls is critical to the success of a financial technology business, particularly one that handles customer money. So we ask: what risk management lessons can we draw from the Wirecard fraud that are relevant to the fintech industry as a whole?

Lessons in risk management

Financial companies are expected to adopt a risk management program that provides a thorough and consistent evaluation of the nature and extent of risks to which they are exposed. Central to this is Enterprise Risk Management (ERM) which articulates and codifies how an organization approaches and manages risk.  

The tenets of an ERM framework include articulating risk appetites, putting formal policies into place, conducting risk assessments, establishing strong internal controls, and ensuring oversight by both senior management and boards of directors. Wirecard’s 2018 Annual Report had extensive disclosure of its “efficiently organized [enterprise] risk management system.” The weaknesses that were confirmed later in the company’s internal control and governance procedures remind fintech managers of the challenges that must be overcome to make risk management truly operational in a dynamic technology-driven firm. 

For risk management to be effective, management and the board must own and address it, and the risk management system must be supported by a healthy risk culture throughout the group.

Risk governance. The Board’s role in the governance of risk is to set the tone and reinforce the importance of and establish oversight responsibilities for risk management. It should also guide informed decision-making and effective allocation of resources. Inadequate evaluation of potential risk scenarios can lead to unexpected surprises as a result of previously unknown risks. 

Several factors point to the failure of risk management and corporate governance with respect to the Wirecard accounting fraud. Until early 2019, the board chose not to create dedicated committees for audit or risk and compliance. The management and its supervisory board, it has been reported, lacked the competence and diversity to lead a multinational tech firm; they may have felt inhibited in seriously challenging senior management about the assessment and mitigation of key risks. Risk management and compliance functions – the second line of defense in a three-lines-of-defense model – proved unable to make operational management responsible for the emerging fraud and financial reporting issues. In 2019 the CEO reported that the compliance team was just 20-strong, or about 0.4 percent of the workforce. HSBC, by comparison, said it had 6,000 compliance staff in 2017, or 2.6 percent of its workforce at the time.

Risk culture. A healthy risk culture starts at the top of an organization with the Board and senior management, and then filters down to the entire workforce. Regulators know more stringent regulations won’t work by themselves, and that culture and behaviors are the main drivers of the effectiveness of a firm’s risk management framework.

The prevailing culture at Wirecard seems to have focused on growth. A sense of complacency about current and future risks could have emerged that allowed the fraud and financial misstatements to stay unnoticed for so long. As recently as January 2020, the retiring chair of its supervisory board made glowing remarks about the company, calling Wirecard AG a growth and success story unparalleled in Germany's recent economic history.

Shifts in Fintech regulation

From my 25-plus years in enterprise risk management, I believe that external regulation is not a substitute for proper behaviors and disciplined processes around risk and risk management. Nonetheless, my experience in the life insurance industry was that the attention of insurance regulators on risk management practices of regulated institutions, particularly after the Global Financial Crisis, could have a major influence on strengthening risk management frameworks across an industry.

The U.S. payments industry is licensed on a state-by-state basis, which can create inconsistency. Acting Comptroller of the Currency Brooks announced last month the OCC would shortly unveil the first version of a potential ‘Payments Charter.’ The OCC charter would grant an institution a national licensing platform for its payments business. The OCC first proposed a fintech charter in 2015 as a possible avenue for fintech firms to create a level playing field between banks and non-banks in finance, based on comparable standards of capital, liquidity and risk management. If successful, the introduction of national regulatory standards on the payments industry could become the regulatory model for other fintech sectors in the future.

In conclusion, as the Fintech market develops, companies may come under increasing pressure to formalize their risk management organization, policies and practices to match those of large banks and other institutions with whom they compete. Financial technology moves faster than regulation or internal risk governance. The Wirecard scandal is not just a single case of fraud; it also exposes gaps in the way that fintech companies more broadly implement their risk management process. As expectations for sound risk management grow, the industry will need to take actions to close these gaps.
