The Board’s Role in Compliance

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content. Read more on Insight

Author’s note to the revised third edition

I wrote this in the second edition’s author’s note:

Rereading one’s work can either be a comforting affirmation of one’s competence or depressing proof of one’s limitations – or both, which is somewhat the case here. As for the chapter as a whole, I stand by its content but for one important qualification: despite discussing ‘tone at the top’, this chapter did not previously address a critical point to consider in this regard – culture – which has been rectified in this edition.

Another qualification this time around: I did not properly appreciate that the Wells Fargo matter, with which I opened my two previous editions, was the mother lode of board failures of culture and oversight, and, as such, a magnificent case study for a board in any country.

The blasé boardroom

As the old saying goes, ‘the fish stinks from the head down.’ Applying anatomy to an organisation, naturally it may be thought that the chief executive officer (CEO), or perhaps the C-suite, is the ‘head’. But that would be a grave and even dangerous assumption to make, anatomically and organisationally, and on the compliance and ethical levels.

Until recently, not much was expected of a board of directors in the compliance and risk assessment spheres of corporate activity and responsibility. The compliance function, if it existed in more than name, generally had a limited, rule-enforcing role and was likely to get little or no attention from the board. You would need to sniff about to find compliance in the organisation chart, probably lumped in with all the other revenue non-producers.

This board-level neglect of compliance with ethical and legal standards certainly contributed heavily to the upsurge in corruption in so many countries, both in Latin America and elsewhere. The aim in this chapter is to show what went wrong with some hair-raising examples, but also to argue that the traditional oversight approach is no longer sufficient to changed circumstances and expectations.

Looking back at enforcement resolutions, in various areas of bad behaviour, there has been a perturbing infrequence of board-level sanctions or even public criticism.

For example, in a corruption case involving Embraer, it was revealed that the board of directors failed to take disciplinary action against a very senior executive even after the investigation showed that this executive knew of various bribe payments in several countries, made by employees who reported to him. The board’s failure to discipline or dismiss the executive led to higher monetary penalties and other sanctions.[2] In another corruption case, a CEO was personally involved in bribe payments in Argentina, yet continued as CEO, which again led to more severe penalties being imposed on the company.[3] In neither case was the board sanctioned, and based on my review of the media coverage, even criticised, for failure to act in the face of these serious findings.

In early 2018, the Federal Reserve Board (the Fed) announced it would impose an asset cap on Wells Fargo, restricting its growth until it remedied failures that led to sales and other abuses. Further, the Fed announced that Wells Fargo would replace four directors, but did not name them.[4]

In April 2018, the Office of the Comptroller of the Currency (a principal US federal banking regulator, and hereafter OCC) announced the assessment of a US$500 million penalty against Wells Fargo for these abuses. Concurrently, the federal Bureau of Consumer Financial Protection levied a US$1 billion fine on Wells based on the same facts, offset by the OCC’s US$500 million penalty.[5]

A consequence of these frauds and the related penalties was a veritable horror show and other calamities, as you will see further on.

The lead independent director of Wells Fargo received a letter from the board of governors of the US Federal Reserve System, finding that ‘there were many pervasive and serious compliance and conduct failures during your tenure as lead independent director’. The Fed went on: ‘you did not appear to initiate any serious investigation or inquiry into the sales practices problems . . . Your performance . . . is an example of ineffective oversight inconsistent with the Federal Reserve’s expectations.’[6]

The Federal Reserve was also quite unhappy with the board as a whole: ‘Management’s reports generally lacked detail and were not accompanied by action plans and metrics to track plan performance.’[7] The Federal Reserve also roundly criticised the shoddy oversight of compensation incentives by the Wells Fargo board.[8] In sum, there was a lot of finger-wagging and head-shaking from various government agencies, but no board member was sanctioned.

Public reaction judged the Federal Reserve’s actions and words to be no more than a wrist-slapping. The former US Treasury Secretary and president of Harvard University, Lawrence Summers (who is hardly a radical opponent of big business), writing for The Washington Post, asked why, in light of the clear failure of board supervision at Wells Fargo, ‘regulators are so reluctant to foist public accountability on the individuals in responsible leadership positions’. Summers added: ‘Why shouldn’t avatars of responsible capitalism such as BlackRock insist on public resignations of board members when firms have established a track record of unethical behavior on their watch? Yes, my proposal will make it harder to recruit board members. This is a feature, not a bug. If board members worry about reputational risk, this will deter dilettantes interested in the networking and the paycheck.’[9]

Sorry, Mr Summers, but Wells Fargo and the ‘avatars of responsible capitalism’ were not listening, and Wells directors appeared unconcerned about their reputations. On 9 September 2021, the OCC announced the imposition of yet another fine, a US$250 million civil penalty on Wells Fargo, based, among other things, on its continued violation of the 2018 consent order, discussed above.[10]

In Marchand v. Barnhill,[11] a 2019 case, on a motion appealing lower court decisions holding that the pleadings were insufficient (i.e., the facts asserted did not on their face support a finding of culpability), the Delaware Supreme Court reversed. The basic facts were as follows:

Blue Bell Creameries USA, Inc, one of the country’s largest ice cream manufacturers, suffered a listeria outbreak in early 2015, causing the company to recall all its products, shut down production at all its plants and lay off over a third of its workforce. Three people died as a result of the listeria outbreak . . . [S]tockholders also suffered losses.[12]

An aggrieved shareholder brought a derivative suit against various executives and the board of Blue Bell for breach of fiduciary duty.

The Delaware Supreme Court found that the plaintiff’s alleged facts supported the necessary inferences that the board failed to implement any system to monitor food safety issues and that this ‘utter failure’ by the board was in breach of its duty of loyalty.

The following is a partial list of board-related shortcomings noted by the Court.

  • Blue Bell manufactures only ice cream, thus making food safety a central compliance issue, yet the board did not have a food safety committee, no board-level process to address safety issues and no protocol for food safety issues to be raised to the board’s attention. See the Boeing and Vale discussions below.
  • For years before the 2015 listeria outbreak, safety inspectors had found troubling compliance failures. The Court mentioned six reports, most of them detailing multiple problems.
  • Tests, ordered by Blue Bell in 2013 and 2014, reported positive for listeria.
  • The board never received any of this information.
  • More negative news came to light in 2014 but board minutes reflect no discussion of these concerns.
  • On 13 February 2015, the Texas health authorities notified Blue Bell of positive listeria tests. The company itself, on 19 and 21 February, found listeria in the Texas facility. When the board met on 19 February 2015, there was no discussion of the listeria problem.
  • Only four days after the February board meeting, Blue Bell initiated a product recall. Only then did the board discuss the listeria issue, for the first time.
  • Instead of going into full disaster repair mode, the board did not meet more frequently or receive constant updates, leaving the company’s response to management.

On 1 May 2020, Blue Bell pleaded guilty to two counts of distributing contaminated goods. It was fined over US$17 million and agreed to pay more than US$2 million to settle federal false claims violations. This was the second-largest sum ever paid in a food safety case. The former president of Blue Bell was also charged by a federal grand jury with six counts of wire fraud and conspiracy for allegedly trying to cover up the listeria outbreak. [13] His trial is set for August 2022.[14]

There have been several cases coming out of Delaware in the wake of the Blue Bell case.

The Inter-Marketing Group case involved responsibility for a pipeline company’s disastrous oil spill. It was alleged that, as in the Blue Bell case, there was no oversight of the company’s ‘intrinsically critical’ business operation. Evidence showed that pipeline integrity issues were not discussed at the board level. Nor was a board subcommittee created to discuss these matters. Further, in response to the defendant’s argument that the audit committee’s charter required the committee to ‘advise the Board with respect to policies and procedures’, the court agreed with the plaintiff’s assertion that there was no evidence at all that the audit committee had ever complied with this requirement.[15]

In Clovis, the alleged oversight failures concerned the company’s only product, an oncological treatment for which it was seeking regulatory approval. Company officers overstated the drug’s efficacy, misapplied testing protocol standards, and misled regulators and investors. In assessing the board’s responsibility, the court stated that, ‘when a company operates in an environment where externally imposed regulations govern its “mission critical” operations, the board’s oversight function must be more rigorously exercised’.[16]

Boeing has an important role in the evolution of Delaware cases involving ‘mission critical’ oversight failures. More on that later on. One can add to these examples scandals at Volkswagen, Uber, Boeing (see below), CBS, Airbus, WeWork and Chipotle, and in Latin America at companies such as JBS, Biomet (later Zimmer Biomet), Biomet Argentina and Biomet 3i Mexico, Vale (more on this one later), Tyson de México, Petrobras, Odebrecht and Braskem, and SQM (Chile), to name only a few.[17]

However, the head-choppings so far have often followed a disquieting pattern:

  • the bad thing happens, whether allegations of corruption, cheating on emission standards tests, a dam bursts, publicity about a company’s pervasive culture of sexual harassment, etc.;
  • the board expresses resolute confidence in management but will ‘thoroughly and independently investigate’ said bad thing;
  • awkward facts come to the fore and various C-suite members ‘resign’;
  • there are more awkward revelations and the CEO walks out with his head under his arm (and often a fat cheque in his hand); and
  • finally, the board expresses its shock and dismay and appoints a new CEO, often (and with no evident sense of the asburd) a member of the board of directors who was on the scene during the whole sad affair.

A vivid example is Boeing. In the case of Boeing, the ‘bad thing’ was the tragic crash of two planes, both of them its newest model, the 737 MAX.

On 22 October 2019, Boeing fired the head of its commercial aviation division.[18] Director David Calhoun said in November 2019 that the CEO had ‘done everything right’ and should not resign.[19] The CEO was sacked on 24 December 2019, one month after the endorsement from Calhoun.

Calhoun then became CEO. In an interview with The New York Times, he said: ‘We had a backup plan. I am the backup plan.’[20] Calhoun was a director for nine years and had already been chair of the board for a few months by this point. We’ll get more into this below, not to worry.

So, where do we go from here?

Confidence in corporate governance has been shaken. Media attention has been relentless and scathing, and activist shareholders and even stay-on-the-sidelines shareholders have made their unhappiness very clear. Many boards have sat bolt upright and taken notice; many, astonishingly, have not.

They have spurred management into action, who in turn have ordered the formation or bolstering of compliance departments, assertively demanded the preparation and dissemination of codes, manuals and policies, and of videos with production values Netflix would be proud of, assuring the viewer that no one takes this issue more seriously than senior management and the board. For it is they who must set the ‘tone at the top’. And they will – you can count on it.

I worry that the focus on ‘tone at the top’ takes attention away from all else that must come from the board and the C-suite, and lulls into mistaken contentment those who believe that setting ‘the tone at the top’ is sufficient. (We shall forgive whoever fell into the amatory arms of alliteration and coined the phrase.)

For tone is quite a superficial characteristic: ‘manner’, ‘mode’, ‘cast’, ‘colour’, ‘tint’, ‘complexion’ are only a few of the explanations or synonyms for ‘tone’, and these are such ephemeral and slight qualities.[21] Words, words, words.

For some time now, CEOs and board members have placed misguided faith in the manner in which they deliver their message being their only required contribution to a culture of compliance, and so have not participated from the outset in the setting up of structures and procedures that will create the conditions for a compliance mindset to emerge and prosper. This remains the case in 2022; all that has changed is now many CEOs executives pontificate about ESG (environmental, social and governance) instead of compliance. But boards and top executives can no longer do all the talking and leave to others all the doing.

The generally accepted major duties of a board of directors are to think strategically and to keep an eye on management. This second obligation, influenced over time by practices in many countries and by jurisprudence, notably in the state of Delaware (especially with its development of the ‘business judgement’ rule to protect boards from undue second-guessing), has become defined largely by what the board ought not to do: directors should not be executives and should not interfere in the operations and other aspects of the daily life of the company, leaving to boards a somewhat removed obligation to hear reports, ask questions and decide matters in a reasonable, prudent manner. A preoccupying outgrowth of the business judgement rule protection is that boards ought to maintain a healthy distance from operations, lest board members be judged by a more rigorous standard because they left their safe supervisory perch and mucked about in day-to-day affairs.

This separation of executive and oversight responsibility is generally salutary and sensible. However, the definition of what is reasonable and prudent is protean. The repeated failures of board supervision show either that boards are not doing even the minimum that was expected of them (which is sometimes the case) or that boards, more often, have not realised more is expected of them.

My advice is that the board immerse itself substantively in risk assessment and compliance, rather than act in only the conventional supervisory capacity. This may, at first glance, seem radical and a departure from the notion that boards should not meddle in operational matters. My answer is this: not only is this not radical but, in light of repeated scandals, it is necessary as part of the prudence and care that boards owe to shareholders. As for interference in operations, my proposal is to deepen board knowledge of, involvement in and contribution to, enterprise risk management, but not to supplant management functions. As you read the sad tales of risk management and compliance failures, ask yourself whether things might have turned out differently if my suggested approach had been taken.

Here is a recent example of a recognition, if belated, of these perceived higher requirements. After the crashes of the two 737 MAX airplanes, Boeing commissioned an examination of safety issues that resulted, among other steps, in the formation of a board-level safety committee. (You will see that even this did not work as it should have.) Why was this step not taken long ago? It appears that it was taken for granted that Boeing management was totally in control of product safety. As The New York Times reported, ‘[T]he board believed that [the ex-CEO], an engineer who had been with Boeing for his entire career, was so deeply informed about the business that he was a good judge of the risks involved in ramping up production’ of the MAX, which turned out to be a significant contributing factor to the accidents.[22] This is a mistake boards must avoid.

A note on ‘compliance’

I use ‘compliance’ to include anti-corruption and anti-fraud. Discrimination, harassment, conflicts of interest and related-party transactions also are the responsibility of the compliance function. But it clearly needs to be understood more broadly to include all significant business-related risks. You read of ice cream, pipelines and drugs, and you will read about dam and airplane safety, and the cheating of customers, all of which fit into this category.

I do not advocate that the assessment of all risks and the processes to address them should be the responsibility of the compliance department, but there must at least be in place very similar structures in conception, range of activity, and autonomy and independence, to monitor these areas of concern. The board cannot assume that these issues are being handled properly because they are an integral part of the ‘business’ of the company and are therefore for executives to deal with, as opposed to corruption or discrimination incidents, which are not ‘business’ events.

Nevertheless, this is where I stamp my authorial foot down is on the abuse of the word ‘compliance’. Conveniently tagging every corporate headache that is not directly operational as compliance-related will inevitably lead to the wrong people looking at problems the wrong way.

A few recently published examples of promiscuous labelling as compliance issues:

‘Post-Covid workplace’, ‘Employee Mental Health and Well-Being’, ‘work from home’, ‘Brexit’ (Brexit?), ‘environmental impact’, ‘social responsibility’, ‘Libor transition’, and, of course, ‘ESG’.[23]

This last may be the most tempting for senior management and the board to fob off on the compliance function. This would be unfair to the compliance department and a disservice to the goals of ESG. What ESG requires is a high-level, that is, C-suite and board development and supervisory process, because ESG initiative requires policy decisions and choices.

And a thought on ‘Board compliance oversight’. This is generally a delegated duty of the audit committee. While I share the increasing worry that audit committees may be overworked, an audit committee nevertheless seems to be the right oversight body. A separate governance or compliance committee might make sense in some circumstances, but these committees could suffer from not having all the information an audit committee receives. So I will refer to the audit committee as the board organ responsible for compliance supervision, which will at appropriate intervals fully brief the board. In turn, the board will engage actively and contribute to the compliance efforts of the committee and management. An exception to this rule would be for a business activity that is high risk and very technical, which should have board members with in-depth knowledge of the area, and perhaps even expert non-board members in an advisory capacity.[24] What Boeing needed and did not do.

Here I touch on the principal compliance characteristics and structures with which the board must thoughtfully and vigorously involve itself, to ensure the healthy creation and successful maturation of an effective programme and to avoid the disasters of the past.


To quickly and demonstrably mount or invigorate a compliance function, with new or additional codes, rules, prohibitions, remedies and punishments, companies are often tempted to skip the vital step of conducting a careful risk assessment. This is like prescribing drugs before examining the patient.

This results from various attitudes: overconfidence (‘we know our business, we know what needs watching’), the time required, the cost and, in some instances, the worry that mapping of relevant risks will make management risk-averse (like disconnecting the speedometer to avoid frightening yourself with your speed).

An EY survey of 500 CEOs and board members found that fewer than 25 per cent of directors reported being ‘very satisfied’ with the effectiveness of their risk assessment processes and only 20 per cent of directors were confident in risk reporting from management.[25]

Risk assessment is absolutely crucial. As the 2019 US Department of Justice Guidelines puts it:[26]

The starting point for a prosecutor’s evaluation of . . . a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.
. . . Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.

A good risk assessment exercise should:

  • freshly analyse the risks of the company in its significant areas of activity;
  • have the collection of information thoroughly informed by what front-line managers think their risks are and with what priority. These should be validated by interviews with senior executives;
  • include transaction-testing and walk-throughs to ascertain whether what should be working is, in fact, working;
  • from time to time, or for certain issues, hire external consultants;
  • have as its analytical centre for the dimensioning of risks and assigning of priorities a committee that, beyond compliance, includes senior accounting, legal, controls, internal audit (IA) and information technology representatives, at least. This diverse group is not likely to miss anything important; and
  • most of all, this work should be closely followed by at least one audit committee member. Hands-on, daily participation by this member is not necessary, but his or her frequent involvement in the data analysis and priority-setting discussions is highly desirable.

From conception to operation

Even recognising that companies have different culture and compliance concerns, some fundamental principles should govern the construction of every good compliance programme. While adhesion to best practices from top to bottom may be ideal, this is not realistic. But the principles of independence, autonomy, structure and cultural compatibility are key, as they serve as the foundation to build on how sturdy the compliance edifice is and how well it will successfully meld into the corporate landscape. The first two qualities ensure reliability; the correct structure separates the operational from support functions and compatibility ensures that the programme fits the culture and language of the company. These principles being of the first order, the audit committee must be fully engaged preserving them. Choices between ‘best’, ‘good enough’ and ‘will have to do for now’ must be made by the audit committee and management together. Not unlike other strategic business decisions, which routinely involve suboptimal elements and uncomfortable compromises, the building and oversight of the compliance function cannot be left only to executives. Based on personal experience, this is rarely done, but boards will have no choice.


I cannot overstate the importance of independence. Together with autonomy, discussed below, these attributes must be self-evident and unassailable from the board down. It is not sufficient that audit committee members be considered ‘independent’ under relevant market regulations. May a member who meets applicable requirements but who is a close, long-time friend of the CEO and other high-up executives (close friendship not being a disqualifying factor under, at least, US or Brazilian regulations) be on the audit committee? Technically, yes. But if that audit committee needs to launch an investigation possibly involving one of these close friends, how will that appear to regulators, shareholders and the media? If the structure is not as immune to attack as is possible, the reliability of its findings and conclusions may, and likely will, be questioned from the outset.

This same care should extend to professionals hired for compliance-related work, especially investigations. I would be uncomfortable hiring a law or consulting firm for an investigation that is doing, or has recently done, considerable other work for the organisation. The justification for hiring a close professional partner (‘they know us, they won’t go crazy’) is precisely why hiring that firm is inadvisable: it may appear as an attempt to gain an advantage.

The importance of ‘appearances’ varies widely between cultures. Generally, Anglo-Saxon cultures have paid more attention to the appearance of impropriety. For instance, most large, respected law firms in the United States put in place anti-nepotism rules several decades ago, while similarly respected firms in Latin America have been less prone to do so. The same is true with management of family-controlled public companies. This is only to note the difference, with no substantive criticism implied. But in compliance, looking bad is almost as bad as being bad.


Here, compliance-related functions refers to IA and internal controls. Where these are placed organisationally and to whom they report are as important to these functions as to compliance. The compliance literature is very clear[27] on the concept of the three lines of defence, so the following is a summary:

  • First line: the operational functions of the organisation, as the public-facing elements, are the front line in compliance. This is no trivial matter. A strong first line, made so by a corporate culture that persists in the incessant inculcation of ethical values, in the implacable rejection of ethically dubious conduct and in the continuous transmission by the board and senior management of the company’s values, is the clearest indication of a highly effective culture of compliance. And here is where ‘tone at the top’, constant and consistent, has its greatest value. But this is an unending effort, so strong second and third lines are indispensable.
  • Second line: compliance and internal controls support the first line. Their role is not to prohibit and punish, it is to construct processes that help the business functions do their jobs well and properly, and to monitor and improve these processes to make sure they work but do not constrain the business functions.
  • Third line: IA is the last line of defence and exists to ensure that anything that passed the other lines does not go any further. It is also axiomatic that IA should be kept distinct and have the highest degree of autonomy from management, inasmuch as it is not an operational function.


Here we deal with the oversight of compliance-related functions. A perfectly independent audit committee relying on departments that have compromising or conflicting vectors acting upon them is an empty vessel. It is in this area that the board must be most firm, because it is likely to need to make structural changes, which most companies almost instinctively resist.

Compliance and internal controls should be grouped together and its head should report directly to the CEO. Often the reporting is to the general counsel, but this confuses an operational function that is intended for the detection and avoidance of irregularities with the management function of the legal department to protect and defend the company from legal risks. As second-line components, these functions report to the CEO because they are, as mentioned above, supporting the business operations. The department head should also have regular and open access to the audit committee in executive sessions. Ideally, the audit committee chair should have a direct, informal relationship with the CCO. In a number of companies, the CCO reports directly to the audit committee. While I sympathise with the push for greater independence, I am persuaded that having compliance as part of the operations of the company and not an enforcement arm of the board is the better approach. This is also clearly the prevailing wisdom. Compliance should be seen by the company’s employees as a support function and not a policing one.

It is also important to protect the CCO from financial pressures; cost-cutting, downsizing and similar metrics ought not to be used for the compliance functions and any significant deviation in compensation of the CCO compared with peers should be discussed with and approved by the audit committee. Likewise, the CCO’s dismissal or demotion should only happen with the audit committee’s concurrence.

IA should report directly to the audit committee, which should set compensation for the IA head in consultation with human resources. I have not heard any convincing arguments against this structure but I will give the argument for it anyway. IA, the last line of defence, catches what the first line thought it could live with, or get away with, and that the second line missed. To have a group with this charge subordinate to those who looked away, allowed, or worse, participated in the transgression, makes no sense.

Compatibility with company ways

Pity the poor CCO. Likely to be a new arrival to the company, he or she has to very quickly put together a team and build a compliance function from scratch (or from some ramshackle structure left by the predecessor). The natural reaction of the harried newcomer is to get to work at once. There is a strong temptation to go for ‘easy wins’: announce an ambitious training schedule, get the sincere CEO video on air, put a code of ethics up on the website, probably closely modelling it on that of another company (after all, ethics are ethics, regardless of the company, are they not?). Pity next the poor company that put the CCO in such an impossible position. A compliance programme that does not organically fit the mores and traditions of the organisation, that does not reflect and absorb its cultural and even linguistic individualities, will fail. It will be rejected by the organisation, not with anger but with disdain.

To avoid this, the CCO will need to understand the organisation deeply, viscerally and how to best inject compliance into its core rather than grafting it on awkwardly.

What has shown to work well is to form a committee. This committee, comprising senior members of internal audit, information technology, accounting, internal controls, legal and, ideally, some line managers, perhaps from procurement or sales, would be instrumental in helping the CCO to develop a programme that, in the language of the company, addresses those of the company’s risk and compliance issues that most need attention. In the structuring, or restructuring, of the compliance functions, the participation of an audit committee member is vital. This member can usefully contribute reflection on the views and concerns of senior executives and board members, and can give political and other support to the CCO. This effort, along with the comprehensive risk assessment that is solidly based on first-line worries, will result in a programme that is introduced to the organisation with the support of a broad array of respected managers. With this inclusive approach, greater and more rapid adhesion to the compliance programme should be assured.

Saving the worst for last

Let us assume that senior management (including the board of directors) accepts its responsibility for compliance and ethics. But what if there are other signals, behaviours, expectations, of the board transmitted to executives and employees, that fly in the face of this responsibility?

Case study: Wells Fargo

Founded in 1852 as a California stagecoach service, Wells Fargo (sometimes, ‘Wells’) grew over time into a major regional bank, then embarked on a 25-year acquisition spree to become the third-largest bank in the United States and 15th in the world, by total assets.[28] ‘For 60 years, Wells Fargo was a feel-good brand name . . . [I]t’s rare for a company with a story as long and as august as Well Fargo’s to suffer so quick and thorough a fall.’[29]

For Wells to get so low, so fast, it had to do everything the wrong way – and Wells succeeded flawlessly: a jaw-droppingly sloppy board of directors, leading to or allowing to subsist patently insufficient tone (and substance) at the top, horribly ineffective risk management, a shocking lack of independence of critical oversight functions, a tragically flawed corporate structure and a culture that effectively required unethical behaviour.

Much of the problem came from Wells Fargo’s acquisition of Norwest Bank in 1998.

Dick Kovacevich, then CEO of Norwest and later of Wells Fargo, saw banking products – accounts, cards, loans – as consumer items. So, bank branches were ‘stores’, bankers ‘salespeople’ and clients ‘customers’.[30]

Recognising that the greater the number of products a customer bought from the stores, the ‘stickier’ the relationship, Kovacevich, while still at Norwest, launched a sales programme called ‘Going for Gr-Eight’: the goal was getting to eight products per bank customer.

This approach and the slogan was adopted by Wells Fargo.[31] But getting to eight products (the industry average is around three per client) required, in view of management, an aggressive programme combining relentless pressure on the salesmen, clear financial incentives for doing well, and nasty consequences for falling short. According to OCC findings, abusive sales practices began in the early years of this century, and intensified enormously in 2007 and beyond.[32]

The Los Angeles Times article of December 2013 that blew the lid off this scandal relates the hell that branch manager Rita Murillo was put through:

Regional bosses required hourly conferences on her Florida branch’s progress toward daily quotas for opening accounts and selling customers extras such as overdraft protection. Employees who lagged behind had to stay late and work weekends to meet goals, Murillo said.
Then came the threats: Anyone falling short after two months would be fired.
‘We were constantly told we would end up working for McDonald’s.’

The article continues: ‘One former branch manager . . . described her dismay at discovering that employees had talked a homeless woman into opening six checking and savings accounts with fees totalling $39 a month. “It’s all manipulation. We are taught exactly how to sell multiple accounts,” she said.’[33]

The OCC’s 2020 Notice of Charges cites some astonishing ‘flogging’ techniques, such as running the ‘gauntlet’, where managers were required to wear theme costumes and run between rows of other managers and announce their sales performances, with the aim of provoking criticism and ridicule for poor results; and threatening employees who did not meet sales expectations that they would be ‘transferred to a store where someone had been shot and killed’.[34]

The Board Report prepared by Shearman & Sterling at the request of the board after the 2016 settlements referred to below describes other disturbing behaviour.

The Community Bank produced daily and monthly ‘Motivator’ reports ‘as a source of pressure’, showing sales rankings down to the district level. Those reports ‘ramped up’ pressure on managers, some of whom ‘lived and died’ by them. The Jump into January sales campaign, started in 2003, aimed to get salespeople to ‘start the New Year strong’ by raising daily targets even higher and rewarding more generously higher activity levels achieved.[35]

This duplicitous activity was known, at least in part, by the Wells board for years but dismissed as a small problem,[36] except that it brought to Wells Fargo more than unauthorised 1.5 million accounts and more than a half a million unauthorised credit cards. This included 193,000 non-employee accounts opened between 2011 and 2015 where the only email address for the ‘depositors’ was[37]

In spite of this, revenues were paltry, estimated at around US$6 million.[38]

In May 2015, the Los Angeles City Attorney filed suit against Wells.[39] The federal Consumer Financial Protection Bureau (CFPB) and the OCC also opened investigations. In September 2016, a settlement of US$185 million with the three authorities was announced.[40]

Sadly, but predictably, Wells completely misunderstood the significance of these practices and the settlement, and aimed low, by blaming the employees involved. CEO John Stumpf in an interview made clear what he thought the problem was:

If employees are not going to do the thing we ask them to do – put customers first, honor our vision and values – I don’t want them here. I really don’t. … The 1 percent that did it wrong, who were terminated, in no way reflects our culture nor reflects the great work the vast majority of the people do. That’s a false narrative.[41]

In fact, the false narrative is Stumpf’s.

Congressional hearings were held in September 2016. In her closing remarks, Senator Elizabeth Warren delivered this devasting evaluation:

You know, here’s what really gets me about this, Mr. Stumpf. If one of your tellers took a handful of $20 bills out of the cash drawer, they’d probably be looking at criminal charges for theft. They could end up in prison. But you squeezed your employees to the breaking point so they would cheat customers and you could drive up the value of your stock and put hundreds of millions of dollars in your own pocket. And when it all blew up, you kept your job, you kept your multimillion dollar bonuses, and you went on television to blame thousands of $12-an-hour employees who were just trying to meet cross-sell quotas that made you rich. This is about accountability. You should resign. You should give back the money that you took while this scam was going on, and you should be criminally investigated by both the Department of Justice and the Securities and Exchange Commission.[42]

Shortly after the hearing, Stumpf resigned without explanation. The board in November 2016 chose Tim Sloan, the president and chief operating officer who joined Wells in 1987, to be the CEO of Wells Fargo.[43] That the board would choose a 29-year veteran of the Bank is astonishing, given the decades-old cultural problems that caused the scandal.

Before and after Sloan’s appointment, the federal banking authorities were continuing to express clearly their concern that Wells Fargo was unable or unwilling to implement an effective risk management programme. This should have been Sloan’s main goal, but there is no evidence that would suggest that was the case.

To the contrary, notes from a 24 January 2019 meeting with Wells senior executives reflected Fed staff concerns that ‘leadership seems to remain focused on lifting the asset cap by the end of the year as the primary goal and is [shaping] remediation plans around that . . . affect the way management is thinking (or being asked to think) about how remediation should be shaped and accomplished.’ This is an example, only one, of regulator unhappiness.

Even the Wells board, which was almost completely out of touch with what was happening in the bank, began to take notice. The House Report notes that ‘From at least mid-2018 through Sloan’s resignation in March 2019, concern about Sloan’s performance were raised by and to Wells Fargo’s board members’, citing an email board member Ted Craver sent to the chair of the board in May 2018, after the Fed rejected the bank’s risk management submission as ‘materially incomplete’: ‘Speaking frankly, this was a big miss that doesn’t reflect well on Tim [Sloan].’

Another year went by, with the authorities yet more concerned with the lack of progress on the various weaknesses to be remediated.

In March 2019, Tim Sloan testified before the House Financial Services Committee. He was questioned by the chair of the Committee: ‘I am simply asking whether or not the bank is in compliance [with the required remediation plans], based on reviews that are done by the OCC and the Consumer Bureau.’ Sloan replied, ‘We are in compliance with those plans.’

The next day, senior OCC officials conferred, one asking: ‘Have we told them they are in compliance?’ To which another senior official replied that Wells Fargo was not in compliance with those plans. This was made known to the Committee.[44]

Sloan got a US$2 million bonus for his performance in 2018. The chair proposed to say to the public that Sloan got a bonus ‘as recognition of the substantial progress in changing the culture and business practices of Wells’.[45] Less than two weeks later, Sloan ‘retired’ from Wells of his own accord, according to the bank.[46]

An interim CEO was appointed and, in September 2019, the board chose as Well Fargo’s CEO and president Charles Scharf, formerly chair and CEO of Bank of New York Mellon.[47] A year after Scharf took over, the OCC acted again. On 9 September 2021, it assessed another US$250 million fine against Wells.[48]

In September 2021, Federal Board Chairman Jerome Powell said that the asset cap would ‘stay in place until [Wells] has comprehensively fixed its problems’, suggesting the bank had a way to go before it would be allowed to expand in size.[49] It is still in place.

Root causes of the scandal

Performance incentives, as discussed in detail.

  • Corporate structure. Already under Kovacevich, the bank was very decentralised, ‘so much so that he’d refer to himself as a ‘CEO of CEOs’.’ Incredibly, legal, risk management and human resources reported to the heads of the business units and not to corporate. Human resources presented the same problem. ‘Almost all sales integrity cases and issues touched upon some fact of the HR function . . . Despite this, there was no coordinated effort by HR . . . to track, analyse or report on sales practice issues.’
  • Risk management. In addition to the inherent structural flaw, the Wells Board Report found that certain of the control functions often adopted a narrow ‘transactional’ approach: ‘They focused on the specific [issue] before them, missing opportunities to put them together in a way that might have revealed sales practice problems to be more significant and systemic.’ And the Audit Department ‘did not view its role to include analysing more broadly the root cause of improper conduct’.[50]
  • Senior executives. The board oversaw the hiring and overcompensation of senior executives, 10 of whom were fined over US$58 million; three of them were banned for life from working in the banking industry. The 10 included Stumpf, Carrie Tolstedt, the head of the Community Bank, the Corporate and Community Bank Chief Risk Officers, and the General Counsel. And the board replaced Stumpf with Sloan, who was fired two years later.

Everyone of these items should have, and could have, been addressed and corrected by the board. They had years and years to do so.

The Wells Board: Oh Boy![51]

I cannot point to a single thing the board did competently, much less well. The board allowed management, for years and years, to drag its feet on matters as important as risk management and compliance.

Moreover, the board itself was complicit, actively, in this failure to act. In a November 2016 meeting with the CFPB, only a few months after the settlement with Los Angeles, the CFPB and OCC, board member Quigley complained that ‘the Board was spending too much time on Sales Practices and that he was looking to reduce the level of detail with a “Less is More [approach] to Board materials on Sales Practices”.’[52] Interviewed by the House Committee Staff, OCC officials ‘expressed concerns about Quigley’s leadership’ and that ‘Quigley did not pose “hard questions” to management.’

Betsy Duke (then the vice-chair of the board) asked the CFPB ‘why are you sending [letters requesting actions by the Bank] to me, the board, rather than the department manager?’

Quigley ‘exhibited a similar lack of urgency . . . and a reluctance to oversee the Bank’s efforts to meet its obligations under the 2016 [consent orders]’.[53]

In November 2017 the Fed downgraded the Bank’s management – an unusual action to take. The OCC specifically pointed to the corporate chief risk officer ‘as directly responsible for the failure to address adequately the risk management issues’ being a major factor in the downgrade. The OCC had first criticised Loughlin’s efforts in June 2017, but Loughlin was not replaced until June 2018, a year later.[54]

Sloan wrote to Duke and Quigley that he had asked the Fed for a deadline extension supposedly to do more work on compliance and risk management remediation; in fact; Sloan wrote, the extension was not needed. Rather, it was a way to induce the Fed into thinking that the asset cap removal was not the only thing Wells was worried about. Duke (a former Fed Board of Governors member) and Quigley responded with approval, and said that this ‘logic is sound’.

One day after Sloan’s testimony before the House Committee – the day Wells announced Sloan’s US$2 million bonus – OCC staff members met in executive session with Wells directors. According to the House Report, notes kept by the OCC of the meeting include this: ‘[W]e are also concerned that the Board has not held management appropriately accountable.’ Sloan resigned on 26 March 2019.

Let us bring this compliance and governance nightmare to a close (for us at least; Wells is not close to waking up from it).

The board of Wells Fargo, over almost 20 years, delivered this to its shareholders:

  • a market capitalisation loss of at least US$220 billion from the imposition of the asset cap in 2018 through May 2020;[55]
  • a US$4 billion loss of profits up to only July 2020, according to a Bloomberg estimate[56] (it is probably fair to speculate that this number has at least doubled in the following two or so years);
  • by my calculations, fines aggregating over US$5.5 billion since 2016; and
  • a stupendous fall in reputation. In 2017, Wells was ranked last in overall reputation, an almost 19 point drop from 2016 and almost a full 10 points below the next worse bank (Bank of America). It was the only bank to score below 50.[57] In 2021, it was still in last place.[58]

The board of Wells overlooked sign after sign of trouble, adopting the three-monkey ‘see, hear and say nothing’ approach to corporate governance.

A well-selected board gives a company a number of persons (in Wells’ case, 16 directors in 2015) of varied experiences, professional and personal, thereby materially increasing the probability that, if management loses its way, gets unmoored, is in denial – in short, is making a mess – one or more of the directors will see the dangers and jump in to clean things up.

Not this board. Excluding two directors, who were in their first year of service, in 2016 the 14 other members averaged over 14 years on the board, 144 years total.[59] They had a century-and-a-half of exposure to Wells Fargo, yet collectively missed what had been going on for almost two decades. And when journalists, regulators and lawsuits made them ever so slightly open their eyes, they completely misperceived the situation and compounded their appalling failure to discharge their fiduciary obligations.

The Wells Fargo board was clueless and hapless, truculent and in denial.


Vale, a Brazilian company, is, and for many years has been, one of the world’s leading producers of iron ore.[60] Iron ore extraction is an environmentally hazardous business. The particular hazard we need to know about are iron ore tailings, the fine-particled slurry waste by-product of the process. This mud-like, heavy liquid is collected in tailing ponds, and contained, usually, by an earthen dam.

In 2015, a dam for one of these ‘ponds’ near Mariana in the state of Minas Gerais, Brazil, owned by Samarco, a 50:50 joint-venture of Vale and BHP, gave way, causing 19 deaths, the greatest environmental disaster in Brazil’s history to date.[61]

On 25 January 2019, a Vale tailing dam, up a hill from the small town of Brumadinho, in the same state, collapsed, losing 13 million cubic meters of tailings, obliterating the town, killing 252 and leaving another 18 unaccounted for. In its wake, numerous investigations were launched, resulting in the CEO of Vale and a number of other executives facing homicide charges and fines in the billions of reais being levied or negotiated.[62]

Vale itself commissioned an independent investigation, led by a former member of Brazilian’s Supreme Court. In its report, the investigative team deliberately ranged broadly in its search for answers, and ‘included aspects related to governance, risk management, corporate culture, [and] compensation policy and incentives’.[63]

As to these issues, after the Mariana dam failure of 2015, ‘dam safety became a frequent subject at meetings of the Board [and its committees.]’[64] The investigation devotes pages to the dam safety reports made to the board and its committees. Though it carefully avoids any specific criticism, one is gently led to two conclusions:

  • The management reports were general and vague, focused on the fact that regulatory approvals were obtained, rather than on low safety levels at Brumadinho and other dams. ‘[I]t was noted that presentations on the . . . dams made to the board of directors and their [sic] Advisory Committees signalled the safety of the dams.’ In other words, the board was getting sanitised information.[65]
  • ‘The review identified no evidence of discussions regarding the decision to cease disposal of tailings at [the Brumadinho facility] or its low factor of safety at the Board of Directors, [or] its Advisory Committees.’[66] It is fair to infer that management chose what data to convey, and the board chose to do what many boards are accustomed to: receive the reports, make sure that their substance is recorded in the minutes, and no more.

The report points out at Vale ‘a strong hierarchical structure that is resistant to the exposure of problems to higher levels . . . Furthermore, there was no incentive for questioning decisions made at higher hierarchical levels.’[67]

It also points to a ‘siloed environment’, with business units reluctant to share information with the corporate level:

[There] was a work environment that lacked transparency and that did not encourage personnel to raise concerns and/or question leadership decisions[68] . . . This cloistered and closed structure led to relevant information that was understood to be unfavorable to generally remain restricted to . . . the Iron Ore Division.[69]

Vale was, to be kind, solipsistic. Discussions of dam ruptures were framed by monetary considerations only, without taking into account the loss of life. They focused mostly on workplace safety, with little attention paid to risks to neighboring communities, that is, ‘without the necessary focus on process safety (e.g., minimization of large-scale risk . . . inherent to operation in a hazardous industry.)[70] . . . [M]ere regulatory compliance is rarely sufficient to generate the safety of highly complex structures.’[71]

The investigation also highlights a phenomenon prevalent at Vale, the ‘normalisation of deviance’, where repeated exposure to departures from norm over time inures those responsible from the need to deal with these variations.[72]

The report registers ‘a major emphasis on financial aspects’ of dam safety, finding little or no focus on safety measures. The report states that there were no safety goals for compensation purposes in 2018, and in 2016 and 2017, the only such goals were the completion of external audits and the obtention of favourable inspection certificates.[73]


Another company to look at is Boeing and its troubles arising out of the crashes of two of its recently introduced MAX aircraft, in October 2018 and March 2019, resulting in the death of 346 persons.

The media coverage, a US congressional investigation, and a settlement with the US Department of Justice reveal a troubling story.

Boeing, after decades of near-total commercial aircraft dominance, began in the mid 2000s to lose a significant market share to Airbus. In 2010, it found itself in a battle with Airbus for significant orders from American Airlines, until then a loyal Boeing customer. The then-CEO was under ‘explicit pressure from the Board to . . . bolster profit’.[74]

To satisfy American Airlines and others, the roll-out of the MAX needed to be at supersonic levels. So breakneck speed in design and production was a must. And Boeing did all it could to push these along. This might seem like the expected maximisation of profit the markets require, but Boeing is not a book publisher or a department store chain. So why did it act as such? Why did it not sufficiently recognise the ‘mission critical’ nature of its commercial aviation business?

Boeing arguably began to lose its way over 20 years ago. In 1997, it bought the failing McDonnell-Douglas aircraft manufacturer. It soon became apparent that the McDonnell-Douglas culture completely overwhelmed Boeing’s. The joke in Seattle was that ‘McDonnell Douglas bought Boeing with Boeing’s money’.[75] Harry Stonecipher, the McDonnell-Douglas CEO that took over leadership of the combined entity could not have been clearer: ‘When people say I changed the culture of Boeing, that was the intent, so it’s run like a business rather than a great engineering firm.’[76]

In the US House of Representatives Report on the 737 MAX crashes, Boeing employees are cited about the company before the merger: ‘Multiple current and former Boeing employees viewed Boeing as an engineer’s paradise . . . where safety was always at the forefront.’ The Boeing House Report continues: ‘The prowess of the engineers . . . [was] replaced by the accounting acumen and financial decisions of business executives.’[77]

A veteran business journalist, Jerry Useem, points to the move of Boeing headquarters from Seattle to Chicago in 2001, 1,700 miles from the nearest Boeing commercial airplane assembly plant. ‘The isolation was deliberate.’ The then-CEO said that when headquarters are close to principal facilities, ‘the corporate center is inevitably drawn into day-to-day business operations.’ That statement, Useem observes, ‘captures a cardinal truth about [Boeing]: The . . . MAX disaster can be traced back . . . to the moment Boeing leadership decided to divorce itself from the firm’s own culture.’[78]

With this background, the following revelations of the House Report and from the media are not surprising.

A Los Angeles Times journalist points to the decision in 2011 to ‘tweak’ the existing 737 model rather than design a new one, as Airbus was doing. The then-CEO, under ‘explicit pressure’ from the board to ‘bolster profit’, chose to limit cost and speed up the development of the MAX, which led to software solutions, including the MCAS stability software that has been identified as the major factor in the MAX crashes.[79]

A Fox Business article quotes Nell Minow, of Value Edge Advisors, the ‘queen of good corporate governance’: ‘The move from a manufacturing mindset based on quality and safety, to a finance mindset’ led her to hold the board of Boeing as ‘completely responsible for the failures at the company’.[80]

Boeing strove to ensure that regulators not require simulator training for the MAX, as, among other issues, it had a contractual obligation to Southwest that would have meant up to US$400 million in penalties should simulator training be mandated.[81]

The head of the MAX development team had installed ‘countdown clocks’ in meeting rooms to reinforce the importance of any hour or day wasted. He described these clocks as ‘excitement generators’.[82]

A Boeing test pilot, after undergoing the MCAS stability exercise on a simulator, described the result as ‘catastrophic’. The FAA, the US aeronautics administrator, defines catastrophic as: ‘Failure conditions that are expected to result in multiple fatalities of the occupants or . . . fatal injury to a flight crewmember normally with the loss of the airplane.’[83]

Edward Pierson, a graduate of the US Naval Academy, a 30-year Navy officer, joined Boeing upon retirement from the US Navy. He was a ‘senior leader’ of the MAX final assembly facility. Pierson, troubled by what he saw as safety concerns, raised them with the general manager of the MAX project, Scott Campbell. Pierson and his superior finally had a meeting where Pierson said that, in the military, faced with these issues, ‘we would stop’. Campbell, channelling Stonecipher, responded: ‘The military is not a profit-making organization.’ Pierson then went up the corporate structure, writing several letters to the CEO and even to the entire board of directors. Pierson never heard from the CEO or any board member, and chose to retire early.[84]

An industry analyst points to the distancing, both culturally and physically, at Boeing as a prime reason for its troubles: ‘[What was lost] was the ability to consistently interact with an engineer who in turn feels comfortable telling you their reservations . . . As a recipe for disempowering engineers in particular, you couldn’t come up with a better format.’[85]

As early as 2000, the renowned business scholar Jim Collins warned that Boeing ‘always understood it was an engineering driven company, not a financially driven company’. If Boeing was not ‘honoring that as their central mission, then over time they become just another company’.[86]

On 7 January 2021, the US Department of Justice announced that Boeing had entered into a deferred prosecution agreement in which the company is charged with one count of conspiracy to defraud the United States through misleading statements to regulators by Boeing employees. Boeing agreed to pay over US$2.5 billion, consisting of a criminal penalty of US$243.6 million, compensation of US$1.77 million to MAX airline customers, and US$500 million for a fund to compensate the families of the 346 passengers who died in the two crashes.[87]

Subsequently, pension funds filed suit in Delaware Chamber Court against Boeing’s officers and directors allegedly involved in the MAX tragedies, seeking damages against those individuals for the benefit of Boeing, as shareholders in the Blue Bell case did. To prevail, these shareholders had to show that the board could not be trusted to bring the action, because of the board members’ own culpability. ‘This is extremely difficult to do’, under Delaware law, said the court: plaintiffs had to show that a majority of Boeing’s board members faced a ‘substantial likelihood’ of liability for Boeing’s losses. This showing, under Delaware law, could be based either on the ‘complete failure’ of directors to establish a reporting system for safety issues, or on directors turning ‘a blind eye’ to red flags evidencing safety issues.[88] The court found that plaintiff stockholders met the pleading standards for both sources of liability.

In a 102-page opinion, the judge laid out a devastating story of carelessness, blindness, duplicity and even plain lying by Boeing.

The court picked up on the dramatic cultural shift after the McDonnell/Douglas Boeing merger where the MCD executives became the top dogs, which I described elsewhere.[89]

The court describes Boeing’s safety record as ‘spotty,’ citing the battery problems of the 787 Dreamliner, and a crash of a Boeing 777. Continuing, the court cites 13 different safety issues as Boeing went into 2015 that went uncorrected. As a consequence, the FAA (the US aviation authority) imposed ‘historic’ fines of US$12 million on Boeing.

The court further found, as regards board oversight of airplane safety:

None of Boeing’s Board committees were specifically tasked with overseeing airplane safety, and every committee charter was silent as to airplane safety differently from other aviation companies with board-level safety committees, such as Southwest, Delta, United, Jet Blue and Alaska.
The Audit Committee was responsible for risk management, but its yearly updates on risk management did not address flight safety. For instance, the opinion stated that the Audit Committee, from the inception of the MAX to its grounding never mentioned safety. “Rather, consistent with Boeing’s emphasis on rapid production and revenues, the Audit Committee primarily focused on financial risks.”

Airplane safety was not a regular set agenda item for board meetings. The board did not have a channel for receiving in-house complaints about safety.[90]

The Lion Air crash occurred on 29 October 2018. Management did not inform the board for over a week, and when it did, it asserted that the MAX was safe.[91] (I am on the board of Gol, which flies only Boeing planes and had signed on for delivery of a very large number of MAXes. Gol’s board members were told by Gol management of the crash the day after it happened.)

The court then related the underhanded manner in which Boeing tried to tamp down criticism, by denying and criticising media coverage. In a letter to the board on 18 November, the CEO ‘bemoaned a steady drumbeat of media coverage and continued speculation . . . and again falsely suggested that the 777 MAX was safe’. The board of Boeing was invited to meet more than a month after the Lion Air disaster, but participation by the board members was optional. No minutes exist, but management’s ‘talking points’ for the meeting expressed unhappiness with people ‘commenting freely, including customers, pilot unions, media and aerospace industry pundits’.[92] Imagine that: 189 persons driven into the ground at terminal velocity, and the board was upset that people were being critical.

The board formally addressed for the first time the Lion Air crash at its regularly scheduled meeting on 16 and 17 December. Its minutes, says the Opinion, reflected, not safety concerns, but a preoccupation with ‘restoring profitability and efficiency’. During its two-day meeting, the board allocated five minutes to a four-page legal memo that included Lion Air matters. And another 10 minutes to compliance and risk management.[93]

At its next meeting, on February 24 and 25, the board ‘decided to delay any investigation until the conclusion of the regulatory investigations’.[94]

A month after the board decided not to investigate the Lion Air crash, an Ethiopian Airline MAX crashed on 10 March 2019 crashed, killing another 157 persons. Boeing again blamed the pilots, but at that point, a third of the world-wide MAX fleet had already been grounded. (On 11 March, Gol held an emergency board meeting and quickly and unanimously agreed with management’s recommendation that Gol should ground its MAXes immediately.)

On the same day that the Ethiopian crash became news, Boeing’s CEO jumped into action. He got in touch with the board in writing and assured the members about ‘ongoing production operations’ (that was his big worry) and assured the board that management was ‘engaged in extensive outreach’ with customers and regulators, ‘to reinforce our confidence in the 737 MAX’.[95] Muilenberg spoke with Transportation Secretary Chao and Donald Trump in an attempt to keep the MAX flying. On 12 March the FAA confirmed that the MAX could keep flying. At least one director praised Muilenberg’s efforts on this score. The next day, the FAA grounded the MAX.[96]

Board members were not very exercised about the 157 deaths. Board member Giambastiani emailed the CEO to draw his attention to an article suggesting pilots were at fault in both the crashes.[97] This was very much the ground Boeing stood for some time on.

On 15 March 2019, a director, Arthur Collins, summoned (presumably) all his courage and suggested, a board meeting devoted to product safety. He was careful to explain, however, that: ‘I recognize that this type of approach needs to be communicated carefully so as not to give the impression that the board has lost confidence in management which we haven’t or that is a systemic problem with quality.’

Let us take a moment to digest this. A director diffidently suggests that safety might be discussed at a board meeting. But I leave it to you, Calhoun, new lead director, and to the soon-to-be-fired CEO. ‘Just a thought.’[98] Two crashes, almost 350 deaths, a confidence sinkhole of unmeasurable depth, and ‘just a thought’. No big deal.

Flaccid though it was, Collins’ suggestion had some effect and a subsequent board meeting devoted over two hours to safety and created a board-level safety reporting function by forming a committee on Airplane Policies and Processes. Unfortunately, this only looked good on paper. Its sessions were sparsely attended, with Giambastiani as the only board member at more than half of the Committee’s 18 sessions.[99]

The Airplane Committee in due course recommended that the board establish another Committee dedicated to safety, which the board did, the Aerospace Safety Committee. This Committee very quickly suggested that the board form another Committee, which it did, the Product and Services Safety Organization.[100]

This is absolutely typical of vacuous and myopic compliance-related responses. One committee is good, two are better. Three even more so. How can anyone criticise us, given the number of committees we have?

But . . . here is the court’s next sentence: ‘The Board publicly lied about if and how it monitored the 737 MAX’s safety.’ Not a common finding by judges in corporate cases, in my experience.

The court cites Calhoun, then-lead director, saying that upon the Lion Air crash the board had been notified immediately and met ‘very, very quickly’ thereafter; that the board participated in evaluating the MAX’s safety risks; that the board considered grounding that MAX fleet after the Lion Air crash; and that the board met within 24 hours of the Ethiopian crash and recommended that the MAX be grounded. ‘Each of Calhoun’s representation was false.’[101]

Here is another fact, reminiscent of Wells Fargo and its break from Stumpt and Toldstedt. On 19 November, Calhoun says that from the ‘board’s point of view, Dennis [Muilenberg] has done everything right’. After the regulators learned ‘the extent of Boeings deceit under Muilenberg’s leadership’, on 22 December the board terminated Muilenberg and replaced him with – yes – Calhoun, as CEO. In 33 days, Muilenberg went from doing ‘everything right’ to doing everything wrong.[102] Was anyone paying attention? The board replaced one insider with another insider, just as Wells did.

The Court proceeded to rule on the claim that plaintiffs made that defendants’ breached their fiduciary duty the shareholder, which is, ‘perhaps to redundance . . . possibly the most difficult theory in corporation upon which a plaintiff might hope to win a judgement’. To do so plaintiffs needed to either show that (1) directors ‘entirely failed to implement any reporting on information System or controls’ or (2) ‘having implemented such a system, the directors consciously failed to monitor or oversee its operations’. The court found that both tests were met, which is rare indeed.[103]

In November 2021, about two months after the opinion was handed down, Boeing entered into a settlement of the suit, subject to court approval, for US$237.5 million, which would be the largest monetary recovery in Delaware over allegations that directors failed to protect the company and its shareholders against the risk of harm. In addition, Boeing agreed that:

  • its board would always have at least three directors with safety-related experience;
  • Boeing would separate the chair and CEO functions;
  • it would for at least five years have an ombudsman programme to provide employees involved in certification work with a way to raise concerns;[104] and
  • according to Reuters, the crashes have cost Boeing US$20 billion, so a recovery of a little over 1 per cent of this less is not something to cheer about. But maybe it is a start.

So now we have to change our whole culture?

If a culture has the kinds of problems here discussed, then the answer is yes, and before disaster strikes. Here are some suggestions:

  • Change your board as much as you require. The Wells Fargo board in 2021 had only three directors (of 11) that had been on the board before 2018 and none who had been on before 2015 (when the troubles became public).[105]
  • Pick as CEO someone from outside. Wells did not do that, and Sloan, the 29-year Wells veteran, turned out almost immediately to be a terrible choice. The jury is out on Calhoun, the CEO of Boeing, but he has not yet shown the willingness to make major changes and Calhoun was called a liar by a Delaware judge.[106] But Charles Scharf, who succeeded Sloan in 2019 at Wells from outside the culture, seems to be trying. Time will tell.
  • Have the CEO turn the company upside down. Just as a crisis the size of Wells’ was not brought on by relatively few branch employees, or in Boeing’s case by four foreign pilots, it is also evident that a culture is not created by one or two directors or executives. Scharf has made sweeping changes at Wells, hiring nearly 90 new executives, at least. Nine of the 17 executives on Wells Fargo’s leadership committee are new hires. These executives came from 22 different companies.[107] They can probably continue to shed the old culture, but let us recognise that to meld all these and many other experiences and world views together is very daunting and will take time. Wells will also need for Scharf to do more than change executives. The CEO ‘should roll up his sleeves, mingle with the masses . . . to see what life is like in the rest of the company. He must communicate early, honestly and often . . . The . . . CEO must set the tone by putting people first in every leadership action he takes.’[108]
  • Change behaviour. It is indispensable that management consistently and committedly do the right thing. In many cases, there will be no appetite for profound change because it requires from senior staff and managers qualities that are hard to come by: humility, openness, patience, a thick skin, fair mind and the ability to view oneself as a colleague. Amy Edmondson, a Harvard Business School professor, in referring to the MAX accidents and problems at the Boeing 787 Dreamliner plant in South Carolina, wrote: ‘This is a textbook case of how the absence of psychological safety – the assurance that one can speak up, offer ideas, point out problems, or deliver bad news without fear of retribution – can lead to disastrous results.’ The only way to change this, according to Edmonson, is by having ‘the behavior of managers up and down the line . . . vehemently and continuously supporting psychological safety’.[109]
  • Cast a constantly wary eye on your company or client, yourself and your colleagues. The arrogance and lack of reflection at Wells Fargo and at Boeing is evident through their handling of the affair. One of the two independent directors at Vale during the dam break crisis advises:
In the monitoring role, it’s having a chronic unease – exercising perpetual scepticism, assuming the worse [sic] may happen and that things may not be working . . . In the advice role, the board should be as committed and close to management as possible without interfering with management responsibilities.[110]

This is precisely the change in approach I am arguing boards need to make. The following is an observation about Wells from a veteran business reporter, Bethany McLean, who has followed Norwest and Wells Fargo for decades:

[Wells Fargo] couldn’t get over their self-righteous horror that this was happening to them. In their view, the rest of the world was wrong, because they were Wells Fargo and they were perfect, and of course they didn’t mean to do anything like this and this was all an accident, and why was the press after them? It literally could not understand why people were so upset. I think that sanctimoniousness just extended throughout the executive suite into the very blood and bones of the company.[111]

This could happen to my company or client, and it could to your company or client.


[1] Andrew Jánszky is an independent lawyer with more than 40 years’ experience in international capital markets, mergers and acquisitions, corporate governance and compliance.

[2] United States of America v. Embraer S.A., Deferred Prosecution Agreement, 24 October 2016, p. 4.

[3] United States of America v. Latam Airlines Group S.A., Deferred Prosecution Agreement, 25 July 2016, p. 4.

[4] Board of Governors of the Federal Reserve System, ‘Press Release’, 2 February 2018.

[5] Office of the Controller of the Currency, ‘Press Release’, 28 April 2018.

[6] Board of Governors of the Federal Reserve System, Board Letter re: Accountability as Lead Independent Director of Wells Fargo & Company Board of Directors. Washington, DC: The Federal Reserve, 2 February 2018.

[7] See the discussion on Vale, below.

[8] id.

[9] Summers, Lawrence, ‘Wells Fargo’s Board Members Are Getting off Too Easy’, The Washington Post, 6 February 2018.

[10] Office of the Controller of the Currency, ‘Press Release 2021-95’, 9 September 2021.

[11] Marchand v. Barnhill, 212 A.3d, 805 (Del. 2019) [Marchand].

[12] id., at 807.

[13] Department of Justice, ‘Blue Bell Creameries Agrees to Plead Guilty and Pay $19.35 million for Ice Cream Listeria Contamination – Former Company President Charged’, 1 May 2020.

[14] Flynn, Dan, ‘Former Blue Bell president’s trial delayed until summer’, Food Safety News, 11 January 2022.

[15] Inter-Marketing Group United States v. Gregory L. Armstrong, C.A. No. 2017-0030-TMR

[16] In Re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222-JRS

[17] Stewart, James B, ‘Problems at Volkswagen Start in the Boardroom’, The New York Times, 24 September 2015; Griswold, Alison, ‘Now That Uber Has a New CEO, Employees Say Its Board Needs to ‘Grow up’’, Quartz, 2 September 2017; Kitroeff, Natalie; Gelles, David, ‘Boeing Fires C.E.O. Dennis Muilenberg’, The New York Times, 23 December 2019; Gardner, Eriq, ‘CBS Faces Credibility Questions Over Leslie Moonves Investigation’, Hollywood Reporter, 8 August 2018; ‘Airbus Executives Get Swept Away by a Corruption Investigation’, The Economist, 8 February 2018; Tan, Gillian, et al., ‘WeWork Plows Ahead with IPO Plans after Reshaping Board to Counter Skepticism’, Los Angeles Times, 13 September 2019; Carr, Austin, ‘Chipotle Eats Itself’, Fast Company, 16 October 2016; Phillips, Dom, ‘The swashbucking meat tycoons who nearly brought down a government’, The Guardian, 2 July 2019; Cassin, Richard L, ‘Zimmer Biomet Holdings pays $30 million to resolve new FCPA changes’, The FCPA Blog, 12 January 2017; Watson, R T, ‘Vale’s Management Team Is on Thin Ice After Deadly Dam Break’, BNN Bloomberg, 28 January 2019; Neumann, William, ‘Tyson Settles U.S. Charges of Bribery’, The New York Times, 10 February 2011; Schipani, Andres, ‘Petrobras in $853 million settlement of bribery case that rocked Brazil’, The Financial Times, 27 September 2018; Presley, Linda, ‘The largest foreign bribery case in history’, BBC World Service, 21 April 2018; ‘Chile’s SQM paying $30 million to resolve U.S. corruption cases’, Reuters, 13 January 2017; Cassin, Richard L, ‘Former Chile mining executive to settle FCPA offenses’, The FCPA Blog, 25 September 2018.

[18] Gelles, David; Kitroeff, Natalie, ‘Boeing’ Boeing ousts Top Executive as 737 MAX Crisis Swells’, The New York Times, 22 October 2019.

[19] Koening, David and The Associated Press, ‘After Pressure From Congress, Boeing Chairman Says CEO Won’t Get Bonus Until MAX Flies’, Fortune, 6 November 2019.

[20] Kitroeff, Natalie; Gelles, David, ‘It’s More Than I Imagined’: Boeing’s New C.E.O. Confronts its Challenges’, The New York Times, 5 March 2020.

[21] Biskup, Robert, et al., ‘Board Oversight of Corporate Compliance: Is it Time for a Refresh?’, Harvard Law School Forum on Corporate Governance, Harvard Law School, 15 October 2019.

[22] Kitroeff and Gelles (footnote 19, above).

[23] Dodd, Vivek, ‘Top 10 Compliance Challenges in 2022’, Skillcast, 13 January 2021; Protiviti Insights, ‘Top-of-Mind Compliance Issues for 2021’, (undated).

[25] Kiemash, Stephen; Doyle, Rani, Report: ‘Eight priorities for boards in 2020’, EY Center for Board Matters, 19 November 2019, p. 9.

[26] US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’, April 2019, pp. 2 and 3.

[27] For example, ‘The Three Lines of Defence in Effective Risk Management and Control’, The Florida Institute of Internal Auditors, 2013.

[28] Peters, Justin, ‘How Wells Fargo Became Synonymous with Scandal’, Slate, 28 November 2020; Phaneuf, Alicia, ‘Top 10 Biggest Banks US Banks by Assets in 2022’, Insider Intelligence, 2 January 2022; Felba, David, Ahmad, Renan, ‘The world’s 100 largest banks, 2021’, S&P Global Market Intelligence, 23 April 2021.

[29] Peters (footnote 29, above).

[30] McLean, Bethany, ‘How Wells Fargo’s Cutthroat Culture Allegedly Drove Bankers To Fraud’, Vanity Fair, 31 May 2017.

[31] id.

[32] Office of the Comptroller of the Currency, ‘Notice of Changes for Orders of Prohibition And Orders to Cease and Desist and Notice of Assessments of Civil Money Penalty’, 23 Jan 2020, pp. 4–6;

[33] Reckard, E Scott, ‘Wells Fargo Pressure-cooker sales culture comes at cost’, Los Angeles Times, 21 December 2013.

[34] OCC, p. 20 (footnote 32 above).

[35] Independent Directors of the Board of Wells, Fargo & Company, ‘Sales Practice Investigation Report’, 10 April 2017 (‘Wells Board Report’), p. 6.

[36] id. pp. 97–103.

[37] McLean (footnote 30, above).

[38] Tayan, Brian, ‘The Wells Fargo Cross-Selling Scandal’, Stanford Closer Look Series, p. 6.

[39] Reckard, E Scott, ‘L.A. Sues Wells Fargo, Alleging ‘Unlawful and Fraudulent Conduct’, Los Angeles Times, 4 May 2015.

[40] Korey, James Rufus, ‘Wells Fargo to pay $185 million Settlement for ‘outrageous’ sales culture’, Los Angeles Times, 8 September 2016.

[41] Tayan (footnote 38, above), p. 3.

[42] Egan, Matt, ‘Elizabeth Warren’s Epic Takedown of Well Fargo CEO’, CNN Business, 21 September 2016.

[43] ‘Wells Fargo Chairman CEO John Stumpt Resigns; Board of Directors Elects Tim Sloan CEO, Director; Appoints Lead Director Stephan Sanger Chairman, Director Elizabeth Duke Vice Chair’, Business Wise, 12 October 2016; ‘Tim Sloan Named Wells Fargo’s President and Chief Operating Officer’,, 17 November 2015.

[44] The Majority Staff of the Committee on Financial Services, US House of Representatives, ‘The Real Wells Fargo: Board & Management Failures, Consumer Abuses and Ineffective Regulatory Oversight’, 1 March 2020 (‘Wells House Report’), pp. 39, 50-58.

[45] id. p. 58.

[46] Merte, Renae, ‘After years of apologies for customers abuses, Wells Fargo CEO Tim Sloan suddenly steps down’, The Washington Post, 28 March 2019.

[47] ‘Wells Fargo Names Charles W. Scharf Chief Executive Officer and President’,, 27 September 2019.

[48] Office of the Controller of the Currency (footnote 9 above).

[49] Schroeder, Pete, ‘Fed’s Powell says Wells Fargo cap to stay until problems fixed’, Reuters, 22 September 2021.

[50] Wells Board Report, p. 14.

[51] As mentioned, the Board Report was commissioned by the Independent Directors of the Wells Board but prepared by Shearman & Sterling. I was an associate and partner at Shearman & Sterling for 34 years, leaving for another firm some seven years before the Board Report was produced. I think it is a well-done report, with a notable exception: the board receives only three minor criticisms in the Board Report, pp. 16–17. In light of the House Report, further regulatory actions and law suits, I consider this a significant shortcoming. Others were harshly critical: the Los Angeles Times called it a ‘whitewash’ and Howell Jackson, a chaired professor at Harvard Law School, was merciless: he labelled parts describing the Board Report (which he insisted on calling the ‘Shearman & Sterling Report’) as ‘self-serving and silly’, containing at least two ‘false narratives’, and, ‘one great big whopper’ regarding when the board first had knowledge of abuses (Jackson believes it was in 2011, while the Board Report has it at 2014). See Michael Hiltzik, ‘Wells Fargo scandal report details board of directors’ dereliction of duty, gives them a pass’, Los Angeles Times, 10 April 2017; Howe E Jackson, ‘One Take on the Report of the Independent Directors of Wells Fargo: Throw the Bums Out’, Harvard Law School Forum on Corporate Governance, 22 April 2017.

[52] Wells House Report, p. 46.

[53] id. p. 445.

[54] id. pp. 55–56.

[55] Ennis, Dan, ‘2018 asset cap has cost Wells Fargo $220B in market value’, Banking Dive, 9 May 2020.

[56] Ennis, Dan, ‘Wells Fargo has missed out on $4B in profits since asset cap’, Banking Dive, 25 August 2020.

[57] Sposito, Sean, ‘2017 reputation survey: Banks avoid the Wells Fargo drag’, American Banker, 27 June 2017.

[58] Berg, Joel, ‘2021 bank reputation survey: Goodwill humming’, American Banker, 1 September 2021.

[59] Wells Fargo, 2016 Notice of Annual Meeting of Stockholders and Proxy Statement.

[60] NS Energy Staff Writer, ‘Top Five Iron Producing Company of the World from Rio Tinto to the National Mineral Development Corporation’, NS Energy, 1 Sept 2020.

[61] Relatório Final da CPI, Câmara dos Deputados, Comissão Parlamentar de Inquérito, ‘Rompimento da Barragem de Brumadinho’, outubro de 2019 (‘CPI Report’), p.27.

[62] id., pp. 27, 38–53.

[63] Extraordinary Independent Consulting Committee for Investigation – CIAEA, Executive Summary of the Independent Investigative Report – Failure of Dam 1 of the Córrego de Feijão Mine – Brumadinho, MG, 20 Feb 2020 (Vale Report), p.6.

[64] id., p. 27.

[65] id., p. 40.

[66] id., p. 27.

[67] id., p. 34.

[68] id., p. 40.

[69] id., p. 34.

[70] id., p. 34.

[71] id., p. 34.

[72] id., p. 35.

[73] id., p. 39.

[74] Hiltzik, Michael, ‘Boeing’s Board Shouldn’t Escape Blame in 737 MAX Scandal’, Los Angeles Times, 3 Jan 2020. For a thorough and well-written account of the MAX fiasco, see Robinson, Peter, Flying Blind: The 737 MAX Tragedy and the Fall of Boeing (Doubleday, 2021).

[75] Useem, Jerry, ‘The Long-Forgotten Flight That Sent Boeing Off Course’, The Atlantic, 20 Nov 2019.

[76] Callahan, Patricia, ‘So why does Harry Stonecipher think he can turn around Boeing’, Chicago Tribune, 29 Feb 2004.

[77] ‘The Design, Development & Certification of the Boeing 737 MAX’, Committee on Transportation and Infrastructure, US House of Representatives, 2020 September (‘Boeing House Report’), p. 37.

[78] Useem (footnote 75, above).

[79] Hiltzik (footnote 74, above).

[80] De Lea, Brittany, ‘Boeing’s all-star board bears blame for flawed corporate culture: Experts’, Fox Business, 9 Jan 2020.

[81] Hiltzik (footnote 74, above).

[82] Boeing House Report (footnote 44, above), p. 168.

[83] id., p. 113.

[84] id., pp. 165–6, 174–182.

[85] Useem (footnote 75, above).

[86] id.

[87] Boeing Deferred Prosecution Agreement, justice. gov., 7 Jan 2021.

[88] In re Boeing Co. Derivative Litig. No. 2019–0907–MTZ WL 4059934 (Del. Ch. 7 September 2021) (The Opinion).

[89] id. pp. 8–9.

[90] id. pp. 10–12.

[91] id. pp. 12–18.

[92] id. pp. 34.

[93] id. p. 40.

[94] id. p. 43.

[95] id. p. 46.

[96] id.

[97] id. p. 49.

[98] id. p. 50.

[99] id. p. 52.

[100] id. pp. 53–54.

[101] id. pp. 55–56.

[102] id. p. 56.

[103] id. pp. 92-94.

[104] Shepardson, David, ‘Boeing directors agree to $237.5 million settlement over 737 MAX Safety Oversight’, Reuters, 5 November 2021.

[105] Wells Fargo. 2021 ‘Notice of Annual Meeting and Proxy Statement’.

[106] See footnote 101.

[107] Ungarino, Rebecca; Johnson, Carter; Tyson Taylor, ‘Wells Fargo has added nearly 90 series hires from JPM, MNY, and other firms in what Charlie Scharf has called a dramatic change to leadership. Here’s our exclusive look at the stunning overhaul’, Business Insider, 14 January 2022.

[108] Kanter, Rosabeth Moss, ‘It’s time for Boeing’s new CEO to restore trust by putting people first’, CNN Business Perspectives, 15 Jan 2020.

[109] Edmondson, Amy C., ‘Boeing and the Importance of Encouraging Employees to Speak Up’, Harvard Business Review, 4 May 2019.

[110] Davis, Stephan; Guerra, Sandra, ‘Crisis – Resilient Boards: Lessons from Vale, Harvard Law School Forum on Corporate Governance’, 23 February 2021.

[111] Peters (footnote 29 above).

Unlock unlimited access to all Latin Lawyer content