By Kevin Brenner | Friday, June 12, 2026
Not Good is not an indictment of the companies it covers. It is a study of the mistakes made inside them by people prone to making them.
Kevin R. Brenner is Special Counsel at Global Link Law, where he leads the firm’s Global Investigations & Risk Advisory and Regulatory & Compliance and Employment Risk & Workplace Investigations practices. A former federal prosecutor with more than two decades of courtroom, investigative, and advisory experience, Kevin helps healthcare and multinational organizations manage enforcement risk, respond to government scrutiny, and build compliance programs that operate effectively across borders.
______________________________________________________________________________________________________
In March 2026, the Federal Reserve finally terminated its 2018 enforcement action against Wells Fargo. The Fed said the bank had met the required conditions after remediation work that “spanned nearly a decade.” The asset cap had been removed in 2025, but the enforcement action itself lasted until this year.
Nearly a decade.
That is a long time for a bank to live with the consequences of a sales system.
The Wells Fargo fake accounts scandal is usually described as a story about employees opening accounts customers never asked for. That is true, but it is not the useful version.
The useful version is this: Wells Fargo built a system that rewarded harmful behavior at scale.
The system did not need a brilliant fraudster.
It needed a number.
For years, that number was cross-sell: how many products the average retail bank household had with Wells Fargo. Investors heard about it. Managers tracked it. Sales goals and incentives pushed employees to increase it.
Then the number became the job. Once the number became the job, people found ways to hit it.
The Cross-Sell Machine
Cross-selling is ordinary. If a customer has a checking account, the bank may try to sell a credit card, savings account, mortgage, debit card, or auto loan. Done properly, that is relationship banking.
Wells Fargo made it part of the company’s identity.
Inside the bank, cross-sell had a second life. Wells Fargo “sought to distinguish itself” as a leader in cross-selling, then “set sales goals and implemented sales incentives, including an incentive-compensation program.” The CFPB found that thousands of employees engaged in improper sales practices “to satisfy sales goals and earn financial rewards.”
The numbers made the problem harder to dismiss. Wells Fargo’s own analysis found employees opened 1,534,280 deposit accounts that may not have been authorized and may have been funded through “simulated funding,” meaning funds were transferred from customers’ existing accounts without their knowledge or consent. Roughly 85,000 of those accounts incurred about $2 million in fees.
The DOJ later said that from 2002 to 2016, Wells Fargo pressured employees to meet unrealistic sales goals, leading thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent, often by creating false records or misusing customer identities.
The metric stopped measuring customer demand. It started measuring employee pressure.
The Conduct Had a Name
Inside Wells Fargo, many of the practices were called “gaming.”
The DOJ said gaming included using existing customers’ identities without consent to open checking, savings, debit card, credit card, bill pay, and global remittance accounts. Some employees forged signatures, created PINs, moved money into unauthorized accounts, changed customer contact information, and opened products customers did not want or need.
The comfortable explanation was that these were bad employees.
That explanation works until someone counts.
A company can explain away one rogue employee. It cannot explain away thousands of employees doing versions of the same thing.
The Board Report
In 2017, Wells Fargo’s independent directors released a Sales Practices Investigation Report. The investigation included 100 interviews and a search across more than 35 million documents.
The report’s main finding was blunt: the root cause was the distortion of the Community Bank’s sales culture and performance management system, combined with aggressive sales management, which created pressure to sell unwanted or unneeded products and, in some cases, open unauthorized accounts.
The report also found that the Community Bank had too much autonomy, that senior leadership resisted changing the sales model, and that leadership minimized the scale and nature of the problem when forced to report it.
Bad metrics are dangerous. Bad metrics defended by powerful business leaders are worse.
The Board Did Not Get the Real Number
Sales practices were not identified to the Wells Fargo board as a noteworthy risk until 2014. By early 2015, management was reporting that corrective action was working. The board report found that management reports in 2015 and 2016 did not accurately convey the scope of the problem.
Only when Wells Fargo announced the September 2016 settlements did the board learn that approximately 5,300 employees had been terminated for sales practices violations.
That is the sentence every board should read twice.
If the board learns the real number from settlement papers, the reporting system has already failed.
The Bill
The first public bill was $185 million.
In September 2016, Wells Fargo paid fines totaling that amount to the CFPB, OCC, and the City and County of Los Angeles. The settlements covered about 1.5 million unauthorized deposit accounts and about 623,000 credit card accounts opened in customers’ names without their knowledge.
That was not the final bill.
In 2020, Wells Fargo agreed to pay $3 billion to resolve criminal and civil investigations into its sales practices. The DOJ described the resolution as including a deferred prosecution agreement, civil claims under the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA), and an SEC cease-and-desist proceeding.
The investor disclosure issue mattered too. The SEC found that Wells Fargo failed to disclose that the publicly reported cross-sell metric included significant numbers of unused or unauthorized accounts.
The fake accounts harmed customers. The inflated metric misled investors. The same metric sat at the center of both problems.
Then came the penalty that hurt in a different way.
In 2018, the Federal Reserve restricted Wells Fargo’s growth until the firm improved governance and controls, including board oversight and risk management processes.
The asset growth restriction lasted until 2025. The enforcement action itself lasted until 2026.
Again: nearly a decade under a Federal Reserve enforcement action triggered by governance and control failures.
The bill eventually reached individual executives too.
The Congressional Research Service reported that former CEO John Stumpf surrendered $69 million through forfeiture and clawbacks, and Carrie Tolstedt, the former head of Wells Fargo’s retail banking division, surrendered $67 million.
Tolstedt later pleaded guilty to one count of obstruction of a bank examination. The DOJ said she failed to disclose statistics on employees terminated or resigned pending investigation for sales practices misconduct and failed to disclose that the Community Bank proactively investigated only a very small percentage of employees flagged for potential sales practices misconduct. She was sentenced to three years of probation, including six months of home confinement, and separately agreed to a banking-industry ban and a $17 million civil penalty.
That is a different lesson. The original problem was bad. Minimizing it to regulators created a separate offense.
My Read
Most companies do not have employees opening bank accounts without consent.
But most companies have metrics.
Sales quotas. Renewal targets. Utilization goals. Revenue forecasts. Customer success dashboards. Close rates. Call-time targets. Productivity scores. Market share goals. Conversion rates.
The question is not whether the number is useful. The question is what employees must do to survive it.
At Wells Fargo, the number became more important than the customer. Once that happened, the misconduct was predictable.
Wells Fargo’s stated values emphasized satisfying customers’ needs, helping them succeed financially, and acting with integrity. The compensation system, performance pressure, and management reaction said something else.
Employees followed the louder system.
Values are what the company says. Incentives are what the company pays for. Controls reveal which message employees treat as real.
How to Avoid Becoming the Next Cautionary Tale
1. Audit the metric, not just the result.
If a number is important enough to report to the board, investors, lenders, regulators, or the executive team, it is important enough to test.
Ask:
Who owns the metric?
Who benefits when it improves?
Can it improve without creating real customer value?
What conduct would artificially inflate it?
What complaints, refunds, terminations, exceptions, or overrides move with it?
What would this metric look like if questionable activity were removed?
That last question is the one Wells Fargo should have asked much earlier.
2. Treat incentive plans as legal documents.
A compensation plan tells employees what the company really wants. Legal and Compliance should read it that way.
Do not stop at whether the plan is clear. Pressure-test how a rational employee might hit it, what a weak manager might tolerate, what a top performer might hide, and what conduct could be described internally as hustle but externally as fraud.
If the plan rewards the number without testing the path to the number, the company is choosing to accept the risk.
3. Connect HR data to compliance risk.
Terminations, complaints, hotline reports, customer refunds, exception rates, and internal investigations should not live in separate systems forever.
If hundreds of employees are being disciplined for the same category of misconduct, that is not just an HR trend. It is a legal risk signal.
At some point, volume changes the question from “who did this?” to “what are we doing that keeps producing this?”
4. Give control functions authority over business metrics.
Legal, Compliance, Risk, Finance, Audit, and HR need authority to challenge the metric itself, not just clean up after the metric causes harm.
That means real access and real veto power: raw data, outlier testing, authority to change incentive compensation, power to pause campaigns, and a direct escalation path to the board.
If the people responsible for risk cannot change the metric, compensation plan, campaign, or process creating the risk, the company has assigned them accountability without authority.
5. Show the board the uncomfortable number.
Boards do not need every data point. They need the data points management would rather explain away.
How many employees were fired for conduct tied to this metric?
How many customer complaints mention pressure, confusion, unauthorized activity, or surprise fees?
How many accounts, claims, transactions, orders, or contracts are unused, reversed, refunded, canceled, or disputed?
How often does the business override the control?
The board needs the bad number, especially when the bad number explains the good number.
One More Thing
The dangerous number is rarely labeled dangerous.
It usually arrives as a dashboard. A growth goal. A board slide. A regional target. A bonus formula. A green arrow going up and to the right.
Everyone likes the number because the number is simple.
That is the trap.
A number can make a company look disciplined while hiding the conduct required to produce it. It can turn pressure into policy. It can turn customer harm into performance. It can turn thousands of small decisions into one very large enforcement file.
Wells Fargo spent years trying to prove its customers had more relationships with the bank than they really did.
The relationship that mattered most was the one between incentives and behavior.
That one worked perfectly.
Click Here to Schedule a 30 minute Consultation with Kevin Brenner
This blog post is for informational purposes only and does not constitute legal advice. The discussion of this matter, including the conduct of any individuals involved, is based solely on publicly available information and court filings. Nothing in this post should be interpreted as a statement of fact about any person’s character, intentions, or actions beyond what has been reported in official sources.
The analysis provided reflects general legal principles and commentary and may not apply to any specific situation. Reading this post does not create an attorney-client relationship with the author or their firm. If you have questions about how these issues may affect your organization, you should consult qualified legal counsel.
The information provided on this website is for general informational purposes only and should not be considered legal advice. No attorney-client relationship is created by accessing or using this website. Please consult with a qualified attorney before making any legal decisions. Global Link Law is not liable for any reliance on the information provided. Prior results do not guarantee a similar outcome.
