Wells Fargo 2016: $185M Enforcement Action

Regulators: US-OCC, CFPB, LA City
Jurisdiction: US

In September 2016, Wells Fargo was fined $185 million by the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, and the Los Angeles City Attorney for opening roughly 2 million unauthorized consumer accounts. Employees created fake deposit accounts and credit cards to meet sales targets, often without customers' knowledge. It was the CFPB's largest fine at that time.

What happened?

Between 2011 and 2015, Wells Fargo employees across the Community Banking division opened approximately 2 million unauthorized deposit accounts and credit cards in customers' names, according to the CFPB consent order published on September 8, 2016. The conduct grew out of a sales incentive program that set daily cross-selling targets for branch staff. To hit those numbers, employees used personal information the bank already held to create new accounts, transferred small sums without authorization to fund them, and in some cases enrolled customers in online banking they hadn't requested.

Customers found out when cards or statements arrived for accounts they hadn't opened. Some were charged fees. The Los Angeles Times ran an investigative piece in August 2013 documenting complaints from Wells Fargo branch staff about the sales pressure they faced. The City of Los Angeles filed a civil lawsuit in May 2015.

The CFPB opened a supervisory examination, and by 2016 the scope of the problem was confirmed. On September 8, 2016, the CFPB, the OCC, and the Los Angeles City Attorney announced a coordinated enforcement action. The bank was ordered to pay $100 million to the CFPB, $35 million to the OCC, and $50 million to the city of Los Angeles, for a total of $185 million. Wells Fargo also disclosed it had already terminated approximately 5,300 employees in connection with the conduct.

What did regulators say?

The CFPB's consent order found that Wells Fargo had engaged in "unfair and abusive acts and practices" in violation of the Consumer Financial Protection Act. According to the consent order, the bank's Community Bank division ran a sales incentive program that created conditions under which employees "secretly opened unauthorized deposit accounts or credit cards, applied for credit cards, enrolled customers in online banking, or requested debit cards" without customers' knowledge or consent.

CFPB Director Richard Cordray stated in the agency's September 2016 press release that Wells Fargo had "built an incentive-compensation program that made it possible for employees to pursue personal gain and harm customers." The agency described the $100 million civil money penalty as its largest to date.

The OCC, in its separate enforcement action available through the OCC enforcement actions database, found that Wells Fargo had engaged in unsafe or unsound banking practices and required systemic improvements to internal audit, management oversight, and compliance risk management.

Los Angeles City Attorney Mike Feuer described the case as a "massive fraud" in public statements following the settlement. His office's 2015 lawsuit had helped bring the practice to federal regulators' attention and remains part of the public record of how this came to light.

All three enforcement actions required Wells Fargo to identify affected customers and refund fees charged on unauthorized accounts.

What controls failed?

Several distinct control failures made this scandal possible. None was trivial, and together they let the conduct run for years.

Sales incentive design with no conduct risk assessment. The cross-selling program rewarded employees for volume without requiring verified customer consent or any post-sale confirmation that the customer knew about the product. No mechanism in the incentive structure asked what employees would do when they couldn't meet targets legitimately. That's the core governance failure, and it sits at board and executive level.

Transaction monitoring pointed in the wrong direction. Most AML monitoring at large retail banks focuses on unusual activity inside existing accounts. The Wells Fargo problem would have been visible much earlier if the bank had monitored account creation rates by branch, dormancy rates in newly opened accounts, and the ratio of new accounts generating immediate fee complaints. Those signals existed. They weren't being watched.

Customer identification and consent failures. The Section 326 CIP (US-FinCEN) requirement is that a bank verify a customer's identity when they open an account. Using records the bank already holds to create a new account without the customer's knowledge doesn't satisfy that requirement. It bypasses it entirely. The related FinCEN CDD Rule (US-FinCEN) framework assumes the bank understands why a customer is opening an account. That assumption was false for millions of accounts.

Whistleblower channels that didn't work. Subsequent Senate testimony and investigative reporting established that employees who raised concerns internally were in some cases fired. A compliance program that terminates the people who flag fraud doesn't have a reporting channel. It has a silencer.

SAR filing gaps. The SAR Filing (US-FinCEN) obligation under the BSA (US-FinCEN) covers suspected employee fraud. A scheme affecting 2 million accounts across thousands of employees raises a direct question about whether internal fraud SARs were filed. Whether they were is among the questions that investigators pursued after the initial enforcement action.

Which regulations were violated?

The enforcement actions cited federal consumer protection law, federal banking safety-and-soundness standards, and California state law. The case also carries implications for BSA compliance that weren't the focus of the 2016 action but matter for peer institutions thinking about their own exposure.

The CFPB's primary citation was the Consumer Financial Protection Act of 2010 (12 U.S.C. §§ 5531 and 5536), which prohibits unfair, deceptive, and abusive acts or practices (UDAAP). Secretly opening accounts customers never requested satisfied multiple prongs of that standard.

The OCC cited violations of 12 U.S.C. § 1818 for unsafe or unsound banking practices. The OCC's supervisory authority over national banks also flows through 12 CFR Part 21 (US-OCC), which governs BSA compliance programs and imposes affirmative obligations on bank management to maintain adequate internal controls and oversight.

At the state level, the Los Angeles City Attorney cited the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and the False Advertising Law (Cal. Bus. & Prof. Code § 17500).

The broader BSA framework is also relevant. A systematic employee fraud affecting a material number of accounts creates a credible argument that SAR filing obligations were triggered. And the Section 326 CIP (US-FinCEN) customer identification requirements were plainly circumvented: accounts were opened using existing customer data, with no genuine identity verification step and no customer consent.

Which typologies were involved?

This case sits outside the standard AML typology library. That's part of why it matters. The financial crime risk came from inside the institution, not from customers moving illicit funds through it.

Internal employee fraud at scale. Thousands of employees across multiple states engaged in the same conduct for years. This isn't an individual bad actor. It's an organizational typology: misconduct structured into an incentive system. FIUs at peer institutions should treat unusual account-creation velocities by branch or region as a monitoring signal, separate from transaction-level alerts.

Account origination abuse. Creating accounts without customer consent bypasses the CDD process entirely. The FATF Rec 10 (FATF) framework for customer due diligence assumes a real customer is opening a real account for a real purpose. When that assumption is false, the entire risk assessment built on top of it is also false. Accounts opened without consent can't be meaningfully assessed for AML risk because there's no customer intent to assess.

Incentive-driven misconduct as a structural vulnerability. Accounts with no legitimate owner, opened without consent, sitting dormant or generating fee complaints, are a baseline-contamination problem. If those accounts had been accessed or used by bad actors after the fact, detection would have been far harder. The standard monitoring logic for "normal" accounts doesn't apply when the accounts weren't normal to begin with.

Aftermath and remediation

The September 2016 fine started a sequence of consequences that ran for years and ultimately cost the bank far more than $185 million.

CEO John Stumpf testified before the Senate Banking Committee on September 20, 2016, and before the House Financial Services Committee shortly afterward. The Senate Banking Committee hearing record is public. Both hearings were combative. Stumpf resigned on October 12, 2016. Carrie Tolstedt, who had led the Community Banking division, also departed; she and Stumpf both faced subsequent proceedings to claw back compensation.

Wells Fargo announced in September 2016 that it was eliminating product sales goals for retail banking employees entirely and committed to contacting affected customers and refunding fees charged on unauthorized accounts.

In February 2018, the Federal Reserve took the unusual step of capping Wells Fargo's total assets at the level at which they stood at the end of 2017. The action was explicitly tied to the bank's governance failures. It was an exceptional sanction and it remained in place for years.

In February 2020, Wells Fargo reached a $3 billion settlement with the DOJ and SEC to resolve criminal and civil investigations into the cross-selling conduct. The DOJ entered into a deferred prosecution agreement acknowledging the bank's responsibility for the conduct while deferring criminal charges.

Total financial exposure across fines, settlements, and consumer redress programs ran well into the billions, making the original $185 million a fraction of the eventual cost.

Lessons for other institutions

The Wells Fargo case is the clearest available example of how a broken incentive structure can overwhelm every compliance control layered on top of it.

Build account origination monitoring alongside transaction monitoring. Most monitoring systems watch what happens inside existing accounts. The Wells Fargo problem was visible in origination data: creation rate spikes by branch, dormancy rates in new accounts, fee complaints on accounts customers hadn't requested. Build detection logic at the point of account creation, before transactions ever occur.
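The origination signals named above and under "What controls failed?" (creation volume by branch, dormancy in new accounts, fee complaints on new accounts) can be compared across peer branches, as in this added example, which is not from the enforcement record or any vendor. The branch IDs, the 60-day dormancy window, the median/MAD outlier score and the 3.5 threshold are assumptions chosen for illustration, and all data is constructed.

```python
from collections import defaultdict
from statistics import median

def make_sample():
    """Constructed data: per branch (accounts opened, dormant, fee complaints)."""
    profile = {"B01": (40, 4, 1), "B02": (45, 5, 0), "B03": (38, 3, 1),
               "B04": (42, 6, 1), "B05": (41, 4, 0), "B06": (120, 78, 19)}
    rows = []
    for branch, (opened, dormant, complaints) in profile.items():
        for i in range(opened):
            rows.append({"branch": branch,
                         # customer-initiated transactions in the first 60 days
                         "customer_txns_60d": 0 if i < dormant else 3,
                         "fee_complaint": i < complaints})
    return rows

def branch_metrics(rows):
    """Aggregate origination signals per branch for one reporting period."""
    agg = defaultdict(lambda: {"opened": 0, "dormant": 0, "complaints": 0})
    for r in rows:
        a = agg[r["branch"]]
        a["opened"] += 1
        a["dormant"] += r["customer_txns_60d"] == 0
        a["complaints"] += bool(r["fee_complaint"])
    return {b: {"opened": a["opened"],
                "dormancy_rate": a["dormant"] / a["opened"],
                "complaint_rate": a["complaints"] / a["opened"]}
            for b, a in agg.items()}

def robust_z(values):
    """Median/MAD z-scores, so one extreme branch cannot mask itself."""
    med = median(values)
    mad = median([abs(v - med) for v in values]) or 1e-9  # avoid divide-by-zero
    return [0.6745 * (v - med) / mad for v in values]

def flag_branches(rows, threshold=3.5):
    """Return {branch: [signals that are high outliers versus peer branches]}."""
    metrics = branch_metrics(rows)
    branches = sorted(metrics)
    flags = defaultdict(list)
    for signal in ("opened", "dormancy_rate", "complaint_rate"):
        scores = robust_z([metrics[b][signal] for b in branches])
        for branch, z in zip(branches, scores):
            if z > threshold:  # only unusually high values are of interest
                flags[branch].append(signal)
    return dict(flags)

if __name__ == "__main__":
    print(flag_branches(make_sample()))
```

In production the raw opening count would be normalized by staff headcount or customer base before branches are compared, and the flags would feed a case queue rather than a print statement.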

Conduct risk review must be part of compensation design. Before any incentive program goes live, compliance should run a scenario analysis asking: "What does this reward employees to do to customers when it's gamed?" If the answer creates a path to customer harm, the design needs to change before launch. This is a board-level governance responsibility, not something compliance teams can fix after the fact.

Test your whistleblower channel; don't simply have one. Multiple Wells Fargo employees later stated they raised concerns and faced retaliation. If your reporting system's outcomes show that employees who file internal reports are separated at higher rates than those who don't, the channel is broken. Run annual audits of who reports, what happens to them, and how cases are resolved. Ensure legal and HR can't close reports unilaterally without compliance sign-off.

Internal fraud is a SAR trigger, not only an HR matter. Compliance teams should have written procedures specifying when employee misconduct becomes a SAR Filing (US-FinCEN) event under the BSA. Systematic fraud affecting a material number of accounts belongs in the AML framework. Document the decision either way.

How FluxForce helps prevent similar failures

FluxForce's behavioral analytics agents monitor account-opening patterns in real time and flag anomalies like dormancy spikes or unusual fee waivers that match internal fraud profiles. Nova Sentinel tracks employee activity against peer benchmarks and escalates outliers before patterns become systemic. Every decision comes with a complete, auditor-ready evidence trail. For cases where SAR filing is required, FluxForce drafts the SAR automatically with full provenance attached. These controls don't replace governance, but they surface what incentive-driven misconduct is designed to hide. Request a demo to see how they map to your institution's risk profile.

Sources and official documents

https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-fines-wells-fargo-100-million-widespread-illegal-practice-secretly-opening-unauthorized-accounts/
