Wirecard lessons to be learned

Introduction

1. Wirecard will go down in German and global financial history, as one of the biggest success and failure stories in regulation and FinTech. By way of reminder the German payment firm Wirecard disclosed a €1.9bn hole in its accounts.
2. Wirecard had been widely regarded as a pioneer and innovator in the digital payments industry, displacing the big banks. Its market capitalization was at one point bigger than Deutsche Bank’s, and it replaced Commerzbank in the DAX index in 2018.
3. The controversy erupted when auditors EY refused to sign off on Wirecard’s accounts, having been unable to locate the missing €1.9bn. Events quickly cascaded and Wirecard became the first member of Germany’s prestigious Dax index to file for insolvency

What is the biggest lesson

The case provides learnings and dimensions that just don't seem to end – however the biggest lesson is

1. External regulation is not a substitute for proper behaviours and disciplined processes around risk and risk management.

Were there warnings

In this case we have seen examples of:

1. Regulatory/oversight bodies
   • Regulator protecting a "national treasure" / short selling restrictions
   • Red flag of "back door" listings
   • FIUs not processing/focused on high risk STRs - to extent the FIU was raided by other authorities https://riskandcompliance.freshfields.com/post/102gbph/germany-raids-its-own-financial-intelligence-authority-over-backlog-of-suspicious
2. Auditors
   • Auditors (apparent) lack of understanding of business model and operations
   • Qualified opinions in audit reports without follow up actions (that we know of)
3. Ethics
   • Whistle-blowers being victimised
4. Governance and risk management
   • Lack of transparency and accountability in governance and decision making
   • Businesses growing too fast too quick to enable transparency of operations

What we therefore see in the Wirecard story is failure in:-

1. Risk governance.
2. Risk management
3. Risk management and compliance functions
4. Risk culture.

The story

1. A fintech blog commenting on the Wirecard scandal stated: “Valued at €24 billion and part of Germany’s prestigious DAX stock index, it surprised and disappointed everyone when its auditors announced on June 18 that more than $2 billion in cash had disappeared.” The German payments business subsequently filed for insolvency at the end of the June.
2. Disappointing, yes, but surprising, no. Several clear warning signs of accounting malpractice had appeared over a long period.

Nobody listened

1. With few exceptions, investors, analysts and regulators ignored the red flags and accepted management’s statement that all was fine, even though.
   • The Financial Times questioned the company’s accounting and business practices for more than 18 months.
   • A KPMG investigation was unable to substantiate all the company’s revenues in 2016-2018.

Behavioural biases

1. This incident illustrates the behavioural biases that can be major drivers of investment missteps - specifically, belief perseverance bias when people cling to their previously held beliefs despite contradictory information.
2. Fintech is often mentioned in the same sentence as words such as ‘innovation’ or ‘disruption’ which adds an allure to financial technology companies.
3. Wirecard had been widely regarded as a pioneer and innovator in the digital payments industry, displacing the big banks.
4. Its market capitalization was at one point bigger than Deutsche Bank’s, and it replaced Commerzbank in the DAX index in 2018.
5. A Bloomberg article blamed the enthusiastic groupthink that carried Wirecard into the DAX index and valued it at 80 times earnings on “INVESTORS’ FAITH IN THE BROADER FINTECH STORY.”

Underlying control failures

1. Frauds are nightmarish scenarios for shareholders and auditors.
2. If there is collusion, they can be particularly difficult to spot. Only a fraction of corporate executives who manipulate or misrepresent their companies' performances get exposed by regulators for such misdeeds.
3. Reports of fraud at Wirecard dated back several years, although they were strenuously and repeatedly denied by management.
4. Even after the KPMG report was released in April 2020 which had publicly raised red flags about Wirecard’s accounting for the three prior years, senior management seemed to be in a state of denial stating that:
   • “none of the accusations and suspicions circulating publicly since January 30, 2019, have been confirmed.”
5. In retrospect, many investors and regulators were blind to the workings of Wirecard’s digital payments business and the risks it carried.
6. Risk was plainly not situated high enough on management’s or the board’s agenda.
7. A Financial Times editorial titled “LESSONS FROM A FINANCIAL TECHNOLOGY SCANDAL” opined that Wirecard had ignored the inherent risks associated with the digital payment business.  https://www.ft.com/content/27872df6-b496-11ea-8ecb-0994e384dffe
8. With the company led by a mercurial founder and a largely acquiescent supervisory board, it is not surprising that the normal checks and balances to prevent or uncover materials risks before they result in loss may have been overridden.
9. Payment processors and other fintech firms, in some cases, like to think of themselves as technology companies, subject to only technology and system risk; this ignores the swathe of other material operational, compliance and reputational risks that it must manage properly.

What can we learn

1. Gaining and preserving the trust of consumers, merchants and others with robust risk management and internal controls is critical to the success of financial technology business, particularly one that handles customer money.
2. So we ask what risk management lessons can we draw from the Wirecard fraud that are relevant to the fintech industry as a whole.
   • Risk governance.
   • Risk management
   • Risk management and compliance functions
   • Risk culture.
3. Discussed below

Lessons in Risk governance.

1. The Board’s role in the governance of risk is to set the tone and reinforce the importance of and establish oversight responsibilities for risk management.
2. It should also guide informed decision-making and effective allocation of resources. Inadequate evaluation of potential risk scenarios can lead to unexpected surprises as a result of previously unknown risks.
3. Several factors point to the failure of risk management and corporate governance with respect to the Wirecard accounting fraud.
4. Until early 2019, the board chose not to create dedicated committees for audit or risk and compliance.
5. The management and its supervisory board, it has been reported, lacked the competence and diversity to lead a multinational tech firm; they may have felt inhibited in seriously challenging senior management about the assessment and mitigation of key risks.

Lessons in risk management

1. Financial companies are expected to adopt a risk management program that provides a thorough and consistent evaluation of the nature and extent of risks to which they are exposed.
2. Central to this is Enterprise Risk Management (ERM) which articulates and codifies how an organization approaches and manages risk.
3. The tenets of an ERM framework include
   • articulating risk appetites,
   • putting formal policies into place,
   • conducting risk assessments,
   • establishing strong internal controls, and
   • ensuring oversight by both senior management and boards of directors.
4. Wirecard’s 2018 Annual Report had extensive disclosure of its “efficiently organized [enterprise] risk management system.”
5. The weaknesses that were confirmed later in the company’s internal control and governance procedures remind fintech managers of the challenges that must be overcome to make risk management truly operational in a dynamic technology-driven firm.
6. For risk management to be effective,
   • management and the board must own and address it, and
   • the risk management system supported by a healthy risk culture throughout the group.

Lessons in Risk management and compliance functions

1. the second line of defence in a three-lines-of defence model – proved unable to make operational management responsible for the emerging fraud and financial reporting issues.
2. In 2019 the CEO reported that the size of the compliance team was just 20-strong, or about 0.4 percent of the workforce. HSBC, by comparison, said it had 6,000 compliance staff in 2017, or 2.6 percent of its workforce at the time.

Lessons in Risk culture

1. A healthy risk culture starts at the top of an organization with the Board and senior management, and then filters down to the entire workforce.
2. Regulators know more stringent regulations won’t work by themselves, and that culture and behaviours are the main drivers of the effectiveness of a firm’s risk management framework.
3. The prevailing culture at Wirecard seems to have focused on growth.
4. A sense of complacency about current and future risks could have emerged that allowed the fraud and financial misstatements to stay unnoticed for so long.
5. As recently as January 2020, the retiring chair of its supervisory board made glowing remarks about the company, calling Wirecard AG a growth and success story unparalleled in Germany's recent economic history.

Closing thoughts

1. the Wirecard affair is the most serious illustration since the “Dieselgate” episode four years ago of the tendency of Germany’s business world to close ranks against criticism.
2. Officials and corporate bosses treat the raising of legitimate concerns as an assault on German patriotic interests — in Wirecard’s case blaming Anglo-Saxon speculators — not as a reason to probe and question.
3. The case shows, too, how German capitalism favours corporations over shareholders. Short selling is seen not as a valid part of price discovery but a device for illicit manipulation.
4. Searching questions must be faced, too, by Wirecard’s auditor, EY, over how it failed to spot the cover-up of what now appears a yawning hole in the balance sheet.BaFin points out it had oversight only of Wirecard Bank’s banking arm, not the core payments processing business.
5. Here, Germany is far from alone. Regulatory scrutiny of the mushrooming financial technology industry remains deficient.
6. The inherent risks of financial activities are not blunted by enfolding them in a shiny “tech company” wrapper. That is just one of many lessons to be learnt from what is now a multibillion-euro scandal.

Sourced - https://www.forbes.com/sites/gideonpell/2020/07/14/wirecard-fraud-is-risk-management-lesson-for-fintech-companies/#75955307487c / https://www.ft.com/content/27872df6-b496-11ea-8ecb-0994e384dffe