The Consumer Financial Protection Bureau (CFPB) has fined Wells Fargo Bank, N.A. $185 million – the largest fine it has ever imposed – after discovering that the bank’s employees secretly created more than 1.5 million unauthorized deposit and credit card accounts over the last five years in order to hit sales targets and receive bonuses.
This malpractice cost unsuspecting account holders $2.6 million in fees. Wells Fargo has refunded the charges.
According to the CFPB’s Consent Order, Wells Fargo employees:
- Opened unauthorized deposit accounts for existing customers and transferred funds to those accounts from their owners’ other accounts, all without their customers’ knowledge or consent.
- Submitted applications for credit cards in consumers’ names using consumers’ information without their knowledge or consent.
- Enrolled consumers in online banking services that they did not request.
- Ordered and activated debit cards using consumers’ information without their knowledge or consent.
Wells Fargo told CNNMoney that “it had fired 5,300 employees over the last few years related to the shady behavior.”
Controlling insider behavior
Using customers’ information without their knowledge or consent is, obviously, a data protection issue – an area of paramount importance in all sectors, not just the banking industry. If your organization collects, processes, or stores customer information, you need to ensure you handle it securely. When employees can’t be trusted to do this – whether through malice, negligence, or incompetence – your organization’s reputation will take a severe hit.
Customers are rightly unforgiving when their data is compromised or misused: According to Ponemon Institute’s 2016 Cost of Data Breach Study: United States, abnormal customer churn rates increased 3% year-on-year as a result of data security incidents – and the higher the churn, the higher the per capita cost. The cost of a data breach for companies that experienced a customer churn rate greater than 4% rose to an average of $12.1 million.
Using international best practice
A robust ISMS (information security management system) based on the international standard ISO 27001 addresses people, processes, and technology, and ensures that security becomes a part of everyday business operations.
ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
Certification to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.