McKinsey warned Wirecard a year ago to take ‘immediate action’ on controls

Management board later passed over consultancy for compliance work in favour of PwC

McKinsey warned Wirecard more than a year before the payment group’s collapse that it should take “immediate action” to deal with an absence of controls at its largest business.

The consultancy told the company in June 2019 that “risks related to business partnerships or third parties” were one of its main vulnerabilities, according to two people briefed on the details and a document seen by the Financial Times.

The third-party business, later exposed as a sham, was said to carry out payments processing on Wirecard’s behalf in countries where it lacked licences to do the work itself. It accounted for half of the group’s reported revenues and all of its operating profit.

Wirecard’s chief financial officer Alexander von Knoop said on the same call that Wirecard was “very well structured in the field of compliance and legal”. Mr von Knoop was responsible for compliance at the time.

Thomas Poppensieker, senior partner of McKinsey’s global risk practice, presented the final results in August 2019. The findings were devastating for a company that had joined Germany’s prestigious Dax index the previous September and that had faced repeated allegations of financial misconduct over the previous decade.

The consultancy reported that Wirecard’s third-party business lacked compliance policies and internal oversight. It warned that such shortcomings in control functions could lead to managers “cutting corners illicitly” who want to meet internal targets.

As a consequence, this could expose Wirecard to financial risks from a falling share price and the loss of clients, McKinsey warned.

McKinsey described a multitude of other risk and compliance shortcomings. For instance, Wirecard lacked any formal process for acquisitions and post-merger integration, while controls over the enforcement of state sanctions and embargoes were also found to be “non-existent”.

All of these shortcomings had a “high probability of reputational, economic and legal risks to the organisation and its statutory bodies”, according to the document seen by the FT.

McKinsey concluded that Wirecard’s risk and compliance culture was in need of “substantial change” and suggested hiring up to 50 additional staff, including a group compliance officer.

The findings triggered a heated discussion within Wirecard, people familiar with the matter told the Financial Times. Talks were held with McKinsey about a follow-up project to implement the proposed changes. However, Wirecard’s management board instead pushed for PwC to be given the job of setting up a new compliance organisation.

This project — code-named “Merlion” after the national symbol of Singapore, where whistleblowers in early 2019 raised flags over accounting fraud at Wirecard — was launched later in 2019 despite creating a potential conflict of interest: PwC is also the auditor of Wirecard Bank.

Moreover, while PwC’s remit included nine different “workstreams”, it did not address Wirecard’s third-party business, people briefed on the details told the Financial Times. Another controversy arose over the precise remit and powers for the newly created role of group compliance officer. The idea to give this person a management board seat was initially rejected and only revisited and implemented later as questions over Wirecard continued to mount.

James Freis eventually joined Wirecard as group compliance officer on June 18 this year from Deutsche Börse. He ended up being promoted to interim chief executive the following day, as Mr Braun resigned.

Wirecard, McKinsey and PwC declined to comment.

https://amp-ft-com.cdn.ampproject.org/c/s/amp.ft.com/content/bfa1cafc-d8fa-4745-adef-ed99e88cb78f