Wirecard will be a compliance and audit training reference point for years to come, says compliance expert Oonagh van den Berg, recounting the warning signs in the years-long lead-up to its collapse.
Wirecard will go down in global financial history as one of the most significant success and failure stories in fintech of all time – the worst part being that the learnings and dimensions of this story don’t seem to end. With the Brazilian and UK subsidiaries being the first sell-offs since Wirecard filed for insolvency in June, impacting over 5,800 employees globally, this is a story with dire human repercussions.
The Wirecard digital and software business model was simple on paper, and the corporate structure was, at a layer view, “transparent.” So, after the lessons from Enron in 2001 and Lehman Brothers in 2008, where did it go so wrong? While accounting fraud played a significant role, with the USD 2.1 billion in “ghost” monies never having existed, could any of this have been avoided had red flags been explored further along the way?
As early as 2015, a Financial Times blog questioned Wirecard’s business model and accounting practices. Then in 2017, the German magazine Manager Magazin reported that the company was involved in misleading reporting practices. But it was not until the second Financial Times exposé in 2019 that shareholders sat up and asked for an independent verification of the issues raised, which led to the fall of a fintech empire.
Wirecard was founded in 1999 but went bust the next year with the dotcom crash. The company recapitalised, with the help of capital from Markus Braun, an Austrian tech investor and digital entrepreneur. Braun joined the company as CTO and CEO in 2002, where he refocused the business on providing internet payment services.
Wirecard became listed through a reverse IPO of call centre provider Infogenie in 2005. While reverse IPOs are not uncommon, they are often criticised for allowing the acquiring entity to avoid full disclosure requirements and scrutiny of its books, which would have been part of a normal IPO process. In Wirecard’s case, its reverse listing through a failing entity that was operating as nothing more than a shell company should have raised some questions.
Wirecard’s business model initially focused on client and market segments which were unwelcome at most financial institutions, due to their increased risk profiles. These segments included pornography and gambling websites.
Nevertheless, over time, several reputable entities jumped into bed with Wirecard, and the company expanded globally. By 2018, Wirecard was valued at over USD 27 billion and it had joined the exclusive DAX 30 index. The question is whether a reputational risk assessment was undertaken by these entities before entering their business relationships with Wirecard, given that its business was built on its offering to pornography and gambling websites.
The German Financial Intelligence Unit (FIU) has publicly acknowledged that it was not processing high-risk STRs in connection with Wirecard, one of the areas now under review by German authorities. Of more than 1,000 reports received by the FIU before the scandal broke in June, only two were passed on to state police. Anticipate seeing more to come in this area, or not, depending on how deep this goes and the level of additional reputational damage that the German authorities are willing to acknowledge for this failure.
It has also been reported that since 2010, Visa and Mastercard, who partnered with Wirecard on pre-paid credit cards, had concerns about the company’s business network, even going as far as to cut off specific merchants. Some of Wirecard’s clients are said to have changed their names to avoid being identified. In Visa and Mastercard’s view, too much of Wirecard’s business was originating from risky areas such as gambling, pornography, and unregulated health-care products known as nutraceuticals.
Such high-risk clients were highly lucrative to Wirecard. Pornjapan, a pornography purveyor, paid up to 10 percent in fees for transactions handled by Wirecard in 2017, according to the company’s internal documents reviewed by The Wall Street Journal. By comparison, mainstream merchants tend to pay 2 to 3 percent for US credit-card purchases.
Though Visa and Mastercard penalised Wirecard more than USD 10 million for miscoded gambling transactions and a high level of stolen card purchases and reversed transactions in 2010, this didn’t stop their relationship with the former payments giant.
On at least two occasions, EY auditors gave qualified opinions on the audited financial statements of a Wirecard subsidiary in Singapore, indicating that certain financial information could not be verified and corroborated. The first qualified opinion was in relation to a Wirecard subsidiary’s high level of uncollected cash based on its reported licence fee income and receivables. The second was due to problems verifying the validity of Wirecard’s gateway fees from another subsidiary, Infotop Singapore. This is the same subsidiary where the USD 2.1 billion “ghost” monies were initially said to be sitting.
What should have been put in place was a time-dependent, systematic process of follow-up actions to obtain the information and remove the subjective assessment. It is concerning that an organisation as sophisticated as EY did not, as far as we are aware, have its own internal controls in place to assure this. But the regulator and shareholders should have demanded it.
It was only after the 2019 Financial Times report alleged that a Wirecard senior finance executive was suspected of falsification of accounts, money laundering, and round-tripping in its Asia-Pacific operations that shareholders engaged KPMG to conduct a special independent investigation, which brought to light Wirecard’s accounting malpractice.
One of the findings of KPMG’s independent investigation was that Wirecard was unable to provide comprehensive records of executive board meetings. Fundamental governance principles require that discussions and actions of executive meetings be recorded for various reasons. Minutes not only promote accountability and transparency; they also facilitate effective audit and regulatory reviews.
How was it that an organisation seen as the golden child of the European fintech world was able to operate and make decisions at the board level without minutes being taken or any records to support decision making? The fact that this was never addressed by EY is almost as surprising as the auditor’s failure to verify the existence of USD 2.1 billion.
According to reports, EY did not independently confirm Wirecard cash balances in Singapore for three years, instead relying on documents and screenshots provided by a third-party trustee and Wirecard itself. The auditor now faces a class action lawsuit and criminal complaints from shareholders and bondholders.
Aftermath and lessons
Once the fraud came to light, German authorities issued arrest warrants for the CEO Markus Braun and COO Jan Marsalek, charging the two with fraud, embezzlement and insider trading. Investigations are also underway in Singapore and the Philippines.
Marsalek went on the run, telling colleagues he was off to the Philippines to chase the missing billions, but it was later discovered that his travel itinerary, airline bookings and immigration records had been falsified. The trip to the Philippines was never made. Marsalek was last said to have fled to Russia with a cache of bitcoins.
Meanwhile, there have been discussions on whether the German regulator Bafin overstepped in its protection of Wirecard against the adverse news reported by the Financial Times. It has also come to light that Bafin officials bought and sold Wirecard shares in higher volumes as the payments company edged towards collapse.
The German finance ministry said one-fifth of Bafin’s staff had engaged in some kind of investment activity in 2019 and 2020, with an increasing interest in Wirecard in the months ahead of its collapse. In the six months to the end of June, 2.4 percent of their investment activity related to buying and selling Wirecard stock or derivatives.
Florian Toncar, a lawmaker in the German parliament, stated, “The trading in Wirecard by Bafin staff is surprising and raises questions, such as the size of the trades and whether officials who traded had insider knowledge.”
The first DAX company to ever go out of business, Wirecard is going to be a compliance and audit training reference point for years to come. Considering all the above revelations and the string of subsequent arrests of Wirecard executives, the big questions are now:
- How did this manage to go undetected with so many red flags along the way?
- How were multiple regulatory licences granted for Wirecard on the back of fabricated capital?
- What now will regulators be doing to make sure this never happens again?
- Have we seen the end of the Wirecard saga?
- What will be the knock-on and legacy impact on other fintechs and the wider industry?
It is evident that the speed of growth, together with incomplete due diligence, and a lack of governance have contributed to Wirecard’s downfall. We cannot afford to get this wrong again, particularly in Asia, where e-commerce is not a luxury but a necessity.
Oonagh van den Berg is Founder and Managing Director of RAW Compliance, a global compliance community and training platform focused on compliance culture and behaviours, and Virtual Risk Solutions, a compliance consultancy. She is also the host of the global Podcast Series “The Compliance Word.”
This article was adapted from its original version, available here.