Here we go again. The compliance world has been given another stark reminder that personal liability isn't just some abstract concept — it's very real and, depending on who you are and what you’ve done (or not done, as the case may be), it can hit hard. The latest chapter in the seemingly endless 2016 Wells Fargo saga has just been published, and it's quite the page-turner.

Since there are multiple Wells Fargo scandals, let me refresh your memory: back in the day, Wells Fargo maintained an incentive compensation plan with unrealistic targets for new accounts, credit cards, and other products in its retail operations. Failing to meet those targets resulted in the termination of many lower-level, bank employees. As you can predict, employees facing real pressure to keep their jobs opened many, many accounts in customers’ names without their authorization. In some cases, those customers were even assessed fees and charges associated with products they didn’t authorize or know about! 

In the face of these illegal and unethical practices, many employees reported the misconduct internally. Unfathomably, not only did Wells Fargo fail to appropriately address those reports, but the company also terminated many of the people who raised their concerns. There was also a fundamental lack of oversight by the financial institution’s Board of Directors, and the list goes on and on.

The Wells Fargo story is the nightmare that just keeps on giving — which brings us to now. [Just last month – OR – Earlier this month], the U.S. Office of the Comptroller of the Currency dropped the hammer on three more individuals — this time, in risk management and internal audit. And these weren't small-time penalties.

Let's break down the damage: the former Group Risk Officer at Wells Fargo got hit with an order prohibiting her from working in the banking industry, plus a whopping $10 million penalty — double her original penalty set forth in the 2020 Notice of Charges. The bank’s Chief Auditor is looking at a cease-and-desist order (an order to stop the improper activity, which likely won’t look too good on a resume) and $7 million in penalties (up from $2 million). Finally, an Executive Audit Director also got slapped with a cease-and-desist order and a $1.5 million penalty, triple the $500K he originally faced in the Notice of Charges.

Here's where it gets interesting. Compare these outcomes to some of the former executives who decided to play ball and negotiate. The head of Wells Fargo Bank, NA, settled in 2021 for $17.5 million (down from $25 million in the Notice of Charges), and the bank’s General Counsel agreed to pay $2.7 million (almost half of his original $5 million penalty). In comparison, the risk management and audit professionals seem to be penalized for putting up a defense.

Now, there are several legal theories to challenge the outcome on appeal, including the constitutionality of an Administrative Law Judge determining the penalties. Given the U.S. Supreme Court's recent skepticism regarding the powers of Federal agencies, these orders may well be overturned on appeal. But here's the million-dollar question (pun intended): even if they win, was it worth it, after years of litigation, astronomical legal fees, and careers in limbo?? 

The Wells Fargo fiasco is a stark reminder that being a compliance, risk management, or audit professional isn't for the faint of heart. You're not just pushing papers and checking boxes; you're potentially putting your entire career and your financial future on the line. The takeaway? When you're in a second- or third-line role, you've got to be ready to stand your ground and do what's right, even if it means risking your job. Because, as these cases show, the alternative could be much, much worse. Sure, it might be easier to look the other way or keep your head down. But, if there's one lesson we can learn from this ongoing saga, it's that compliance, risk management, and audit professionals need backbone — and lots of it. The price of integrity might be high, but the cost of failing to maintain it is worse.

Remember, in our field, your reputation and potential personal liability are always on the line. So next time you're faced with a tough compliance call, ask yourself: am I ready to stand behind this decision if the regulators come knocking?  

We’ll be watching this case to see whether there are appeals and how they play out. But one thing's crystal clear — compliance isn't just a job, it's a responsibility that comes with real consequences. Choose your battles wisely, but never forget that sometimes, those battles choose you.

What are your thoughts on personal liability for compliance professionals? Have you faced similar tough decisions in your role? We’d love to hear from you.

***Full disclosure: I am an attorney by training, and my writing style reflects it. I used my research and conclusions and then penned this post with the assistance of AI to help make it a more interesting read for everyone.