FRB Consent Order Implementation Report
12/23/11
Section 2 – Summary of Board Governance & Oversight Structure

The Board of Directors for Wells Fargo & Company (“Wells Fargo”) directs and oversees risk
management across the company. Board responsibilities with regard to operational risk are
assigned to the Audit and Examination (“A&E”) Committee of the Board. Among its other
functions, the A&E Committee reviews the quality of Wells Fargo’s operational risk
management practices, examines trends affecting operational risk exposures, supervises
the effectiveness and administration of operational risk policies, oversees the Wells Fargo
audit function, and reports to the full Board on these matters. For highly material
operational risks (as well as large credit and market risks), additional oversight is provided
by the Risk Committee of the Board, which consists of the chairs of each of the Board
committees.
The Board and A&E Committee’s oversight of operational risk management (inclusive of
compliance risk) is exercised through the Operational Risk group (OR), led by the Chief
Operational Risk Officer (CORO) who reports to Wells Fargo’s Chief Risk Officer. Reporting
to the CORO is Wells Fargo’s Chief Compliance Officer, who leads Wells Fargo’s Compliance
Risk Management (“CRM”) group, as well as the managers of other corporate risk
management programs, including Vendor Management. These oversight functions are
entirely independent of Wells Fargo lines of business (“LOBs”).
The CORO regularly provides reports to the A&E Committee regarding the state of
operational risk, including the “state of compliance” by all Wells Fargo LOBs regarding
applicable legal and regulatory requirements, including regulatory guidances. The CORO’s
reporting also includes the state of other corporate risk management programs, such as
Vendor Management.
The reporting by the CORO to the A&E Committee consists primarily of content produced by
Wells Fargo’s risk management programs. These programs require regular formal
reporting, as well as real-time communication and escalation of any emerging issues. The
programs also require the use of systematic risk management tools that capture a wide
variety of risk-related data from across the entire company.
Wells Fargo employs a risk management structure that corresponds closely to the “three
lines of defense” articulated in the Basel “Principles for the Sound Management of
Operational Risk,” although for certain risk programs, Wells Fargo’s implementation
predates Basel guidelines by many years. In this model, business management is the “first
line of defense” directly managing risk. Business managers are required to create business-level programs, which, as described above, require reporting and escalation to the central
OR function up to the Board. The reporting is made by risk professionals embedded in the
businesses, and directed simultaneously to business management and to OR (the “second
line of defense”). OR “owns” the risk-related policies, oversees business implementation of
risk programs, and aggregates enterprise-wide risk information for the CORO to present to
the Board. Independent assessment by Wells Fargo Audit and Security is the third line of
defense under the Basel guidelines.
Additionally, the CORO has dotted line oversight with respect to Group Risk Officers who
represent each of the four overall business groups within Wells Fargo (Consumer Lending,
Community Banking, Wholesale Banking, and Wealth, Brokerage and Retirement Services),
and the corporate staff groups. Although part of the business, Group Risk Officers also
exercise functionally independent oversight over operational and other risks of the business
groups and the LOBs that are within them, and are a significant point of coordination and
escalation.
Reporting to the A&E Committee for regulatory compliance follows this model. In the case
of regulatory compliance, reporting includes a further step of formal independent
assessments of business-level compliance programs by CRM oversight directors as to
whether the compliance programs of each Wells Fargo LOB have followed the requirements
of Wells Fargo’s Corporate Regulatory Compliance Policy. Among the requirements of that
Policy are that each LOB cover in its compliance program the requirements of laws,
regulations and regulatory guidances that apply to the business. CRM independently
assesses, with the assistance of the Wells Fargo Law Department, whether each LOB has
properly included applicable requirements within its program. CRM also evaluates whether
the LOB compliance function is adequately staffed. Similarly, for other operational risk
programs (including Vendor Management), the CORO provides periodic reports to the A&E
Committee about the state of the company’s compliance with the corporate policies
overseen by those programs. Thus, for example, the CORO would report significant
deficiencies in a particular business’ compliance with vendor management requirements
which he or she would learn about from either the Group Risk Officer for that business,
and/or the head of the corporate vendor management risk program.
Summaries of significant regulatory changes and information about Wells Fargo’s response
to them are also regularly reported by the CORO to the A&E Committee. This reporting is
based on an enterprise-wide process for monitoring changes in laws, regulations and
regulatory guidances managed by the Wells Fargo Law Department, a process that is
closely linked to the CRM regulatory compliance oversight function. Through this monitoring
process, together with the CRM evaluation of LOB compliance programs and regular
communication with the Group Risk Officers, the CORO and, thus, the A&E Committee
exercise oversight over LOB compliance with legal requirements.
Wells Fargo believes that this existing structure for Board oversight of operational risk
management is the right structure for Wells Fargo, and we are not proposing changes to
the underlying structure as a result of the Order. Rather, what we propose is essentially a
strengthening of particular components of our current approach to operational risk
management within the business group responsible for the activities covered by the Order.
Specifically, residential mortgage servicing and default management activities will be
treated as distinct lines of business within Wells Fargo Home Mortgage in all operational
risk processes and reporting.

FRB Consent Order Implementation Report
12/23/11
Section 2 – Board Oversight
Consent Order Requirement – 2a
The plan shall, at a minimum, address, consider and include: Policies to be adopted by the
board of directors that are designed to ensure that the ERM program provides proper risk
management oversight with respect to the Bank’s residential mortgage loan servicing, Loss
Mitigation, and foreclosure activities, particularly with respect to compliance with the Legal
Requirements, and supervisory standards and guidance of the Board of Governors as they
develop;

Status: Planned actions complete – further actions on track for 12/31 completion
Requirements Summary
Summary: Wells Fargo’s current policies establish a comprehensive risk management
structure and set of risk management activities, including reporting to the A&E Committee of
the Board.
Wells Fargo has made changes in how it applies these
requirements and activities to these businesses. The changes will require risk management
activities and disciplines at a more granular level of business and risk, and thereby create an
enhanced level of transparency and focus. Therefore no change to Board-level policies
themselves is needed.
Current Wells Fargo Board policies - and operating policies that implement processes to fulfill those
policies - require oversight with respect to compliance with all legal requirements and supervisory
standards and guidance, including those of the Federal Reserve Board of Governors. These policies do
not call out or specifically cite mortgage loan servicing, loss mitigation and foreclosure, or, indeed, any
particular business area of Wells Fargo; rather, the policies and reporting requirements apply to all
business areas of Wells Fargo.
Among the applicable Board policies is a corporate level risk appetite statement that was created and
was initially approved by the Board Risk Committee in January 2011. Development of line of
business/group risk appetite statements began in September 2011 and the final versions, including the
Consumer Lending Team which is inclusive of Mortgage, are on schedule for completion December 31,
2011. We anticipate the business/group risk appetite statements will undergo iterative revisions over
the coming quarters as we begin reporting the metrics. The process for reporting the emerging Risk
Appetite metrics is an ongoing business process and will continue after the consent order is lifted.
Our analysis of the Consent Orders and our existing enterprise risk management and enterprise
compliance programs (further detailed in paragraphs 3 and 4) determined that the tools, programmatic
requirements, and processes are sufficiently robust in themselves, and create operating limits that
capture risk tolerance.

To accomplish this, we are treating the mortgage servicing portions of our mortgage-related businesses
as if they are specific, separate businesses. Previously, the risk management program addressed
mortgage at the level of the “whole business.”

Accordingly, each business engaged in consumer residential mortgages has disaggregated risk
management to treat these servicing areas as if they are independent businesses. This change will result
in the required activities of risk assessment, control identification, reviews and testing, and Board
reporting being applied at the level of the specific business areas of Mortgage Servicing and Default
Management (mortgage loss mitigation/foreclosure). Ongoing oversight of these activities is the
defined responsibility of the corporate compliance function (Compliance Risk Management, or “CRM”).
The reporting change has been implemented, and is tracked as our response to Section 2(d), Board
Reporting.
In addition, the risks identified in the Consent Orders have been incorporated into our enterprise risk
management and compliance tools as explicit requirements.
. For
each of these instances, a new “Major Requirement” was designed, written, reviewed, and placed into
production on the CRAS+ system (our risk management tool that catalogs regulatory and other
requirements, assigns them to businesses, requires risk assessment at the level of the individual
business, and helps manage the testing and reporting processes). The new requirements were
implemented on 9/1/11. Each Major Requirement describes the risk, specifies standard controls, and
provides guidelines for the monitoring or review of the risks. By incorporating these risks in our tools
and systems, the standard program disciplines of assessment, testing/monitoring, reporting, risk
escalation, and (if necessary) corrective action, will be applied in the normal course of operating the
compliance program.
This plan was presented to the Compliance Committee, formed under the OCC’s servicing consent order,
which accepted it, and will retain ongoing oversight of implementation for the duration of the consent
order. When the consent orders are removed and the Compliance Committee dissolved, oversight will
return to the A&E Committee (although we have already begun reporting on the split-out servicing
businesses to the A&E Committee).
Although they are not Board policies, but rather corporate management policies, we note that Wells
Fargo has created a new Corporate Affiant and Notary Policy effective 11/17/11, and is significantly
revising the corporate Vendor Management Policy. These two corporate-level management policies
apply to all Wells Fargo businesses, and address significant issues identified in the Consent Orders.

Task Summary and Status
1. Assess current policies for oversight with respect to compliance with all legal requirements and
supervisory standards and guidance, including those of the Federal Reserve Board of Governors and
evaluate need for new policies. Complete 11/30/11.

2. Disaggregate the consumer residential mortgage businesses to provide visibility to the mortgage
loan servicing, loss mitigation, and foreclosure activities and incorporate the risks identified in the
Consent Orders into our tools as explicit requirements. Complete for 3rd quarter 2011 risk reporting.
Results were reviewed 12/5/11, and at the direction of Operational Risk, revised reporting was
completed by the businesses 12/13/11.

3. Add new Major Requirements to the CRAS+ system. Complete 9/1/11.

4. Consumer Lending business / group level appetite statement (following the establishment of the
corporate risk appetite statement). Due 12/31/2011.

FRB Consent Order Implementation Report
12/23/11
Section 2 – Board Oversight
Consent Order Requirement – 2b
The plan shall, at a minimum, address, consider and include: policies and procedures to
ensure that the ERM program provides proper risk management of independent contractors,
consulting firms, law firms, or other third parties who are engaged to support residential
mortgage loan servicing, Loss Mitigation, or foreclosure activities or operations, including
their compliance with the Legal Requirements and WFC’s internal policies and procedures,
consistent with supervisory guidance of the Board of Governors.

Status: Green on track for 1/31/12 tasks

Requirements Summary
Summary: Wells Fargo approached this requirement in parallel with the Article V OCC
requirement efforts. At the business level, the consumer lending businesses significantly
expanded their risk management and controls associated with third party management, as
summarized below. At the enterprise level, the Enterprise Risk Management team
collaborated on new policies and procedures for the third parties supporting mortgage
servicing, loss mitigation or foreclosure and is working to strengthen oversight of those third
parties and business areas. Those policies and procedures are complete, and will be
implemented by 12/31/11. Enhanced oversight will be in place by 1/31/12.
Completion of the work to comply with Section 2 b depends in part upon the completion of work at the
line of business level under Article V of the OCC Consent Order.

Residential mortgage loan servicing, loss mitigation or foreclosure activities are all conducted within our
newly formed Consumer Lending Group. Under Article V of the OCC Consent Order and in collaboration
with the Vendor ERM Program, the Consumer Lending team has implemented a Residential Foreclosure
Attorney Management Program (RFAMP) and governance model that will enhance the evaluation and
management of legal, compliance and reputation risks posed by attorney firms providing residential
foreclosure, bankruptcy and eviction services to Wells Fargo. They have also analyzed all non-attorney /
third party providers (vendors) to ensure that all of the required risk assessments and supporting
documentation validates that appropriate controls are in place and that the relationships are being
managed and monitored in accordance with Consent Order requirements and Wells Fargo Vendor
Management policy standards. This includes developing a Vendor Performance Risk Assessment and
Scorecard process for third party vendors and associated dependent service providers; managing
affiliate and non-affiliate Custodians; and assessing Property Maintenance Vendors to better understand
staffing levels and workload balance to ensure all vendors are able to meet Service Level Agreements.
They have also enhanced their Real Estate Agent scorecards to benchmark performance in the same
geographic market.

Reporting on the execution of these activities has been made to the Compliance Committee of the
Board, and will continue through the duration of the Consent Order. Once the Consent Order is lifted,
reporting will be made through the Vendor Management Program to the Audit & Examination
Committee, as described below.
The issues identified in the Consent Orders were consistent with certain self-identified issues that had
already triggered work within the enterprise vendor management program. Accordingly, Wells Fargo
adopted the following strategy:
• Immediately beginning the work of strengthening 3rd party management in the businesses that
  service mortgages (scheduled for full implementation by 12/31/11).
• Provide oversight of this work by the corporate Vendor Management Office, via participation with
  the business risk team implementing enhancements in mortgage servicing and via normal
  quarterly corporate risk program reporting.
• Implement more detailed monitoring and oversight of the third party management activities
  within mortgage servicing, loss mitigation and foreclosure areas. (by 1/31/12)
The January 31, 2012 deadline will see the following:
• Mortgage Servicing, loss mitigation and foreclosure businesses with strengthened programs at
  the business level, including both policies and procedures
• Improved enterprise oversight of the mortgage servicing, loss mitigation and foreclosure
  businesses with respect to third party providers and their management
Ongoing reporting to the Board of Directors will be made via regular reporting by the Chief Operational
Risk Officer to the A & E Committee. This reporting is a product of the ongoing oversight of business
performance against the requirements and standards of the Program, which includes both assessments
of the quality of business-level implementation of the requirements, as well as escalation of any
significant individual issues that may arise.

Task Summary by Status
Complete
1. Perform Gap Analysis of the Vendor Program against the consent order. Complete 9/29/11, with an
update 12/6/11.
In Process / Not Started
2. Strengthen 3rd party oversight in the businesses that service mortgages with oversight of this work
by the corporate Vendor Management Office. In Process: due 12/31/11
3. Oversight by Operational Risk of LOB implementation of strengthened controls. Established and
ongoing.
4. Revise the Vendor Program to specifically include the following: (1) Broaden the definition of a
‘vendor’ to a ‘third party provider’, defined as any person or entity performing service for Wells Fargo
or on behalf of Wells Fargo. (2) Strengthen requirements and clarify roles for the performance
monitoring of third party providers within mortgage servicing, loss mitigation and foreclosure
activities and operations. In Process: Policy due 1/31/2012.

FRB Consent Order Implementation Report
12/31/11
Section 2 – Board Oversight
Consent Order Requirement – 2c
The plan shall, at a minimum, address, consider and include: steps to ensure that WFC’s ERM,
audit, and compliance programs have adequate levels and types of officers and staff
dedicated to overseeing the Bank’s residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities, and that these programs have officers and staff with the requisite
qualifications, skills, and ability to comply with the requirements of this Order;

Status: Planned actions complete - further actions underway
Requirements Summary
Summary: Wells Fargo’s plan was to perform a staffing analysis for the ERM, audit, and
compliance programs, and communicate the results to the Compliance Committee of the
Board, by November 25th. These actions have been completed. The analysis has in turn
generated further actions, some taken, and some yet to be taken. Board supervision is
currently the responsibility of the Compliance Committee, and will be the responsibility of the
A & E Committee on an ongoing basis. The structure and processes for the ongoing oversight
are in place and operating.
This document primarily will focus on Wells Fargo’s actions with regard to staffing of corporate-level ERM
and compliance programs. However, first we summarize the actions taken by Audit Services, and actions
at the embedded business level.
Wells Fargo Audit Services
Wells Fargo’s Audit Services activities with regard to staffing are detailed in Consent Order paragraph 5.
However, at a summary level, Audit Services performed an evaluation of their audit coverage of the
mortgage business, and mortgage servicing in particular, which included an analysis of staffing. This
staffing analysis included review and confirmation of several actions to enhance resources assigned to
real estate lending: staffing for mortgage auditing was increased by approximately two times; new
positions were created at the senior audit manager level; the lead audit director for the mortgage
business will become a direct report of the Chief Auditor, beginning January 1, 2012. Audit will conduct
bi-annual staffing reviews of the mortgage audit team. These steps were communicated to the Compliance
Committee of the Board. On an ongoing basis, the Audit Services quarterly report to the Audit &
Examination (A&E) Committee of the Board has long included a section of staffing, which will continue,
affording Board oversight.
Line of business Operational Risk and Compliance
Risk management and compliance programs and personnel within the lines of business were evaluated
under the OCC’s Consent Order for mortgage servicing: this is detailed in Wells Fargo’s response to the
OCC.
This work is overseen at the Board level by the
Compliance Committee of the Board. Overall, Wells Fargo did a major restructuring of the consumer
lending businesses, resulting in a new business group, with a new senior executive and other
management changes. The risk and compliance functions within this new Consumer Lending Group also
were significantly changed, both in organizational structure as well as new leadership. Ongoing, within
the businesses, personnel are evaluated using Wells Fargo’s robust performance management process,
which includes a personal performance plan, annual evaluation and the formulation of training and
development plans.
In addition, there is corporate oversight. Wells Fargo’s Operational Risk group oversees the work under
the OCC Consent Order, and will continue to oversee these business-level programs in the future, and
report to the Compliance and A & E Committees of the Board as part of its regular duties. On an ongoing
basis, the Chief Operational Risk Officer (CORO) has input and oversight for the performance review and
any significant job actions for the lead risk manager for Consumer Lending. The CORO also reviews
operational risk management budgets for all business units, and any change in operational risk
management budget exceeding 10% (+/-) year over year requires a written rationale and approval by
the CORO. The staffing and structure for the compliance program at the line of business level is
evaluated twice annually by the corporate compliance function, and those results reported to the A&E
Committee of the Board. In addition, there is an annual talent review for operational risk, led by the
CORO, that reaches into the senior levels of LOB risk personnel, which includes both compliance and
vendor management personnel.

Corporate Enterprise Risk Management and Compliance
Prior to the Consent Order, Wells Fargo had already begun a re-examination of its Vendor Management
Program generally, and of certain aspects of its Compliance and Fair and Responsible Lending Programs
(all three Programs are part of the Operational Risk group) because of the changing environment,
including heightened attention on the management of third-party service providers. The staffing and
skills review undertaken in response to the Consent Order provided additional information and supported
the need to enhance leadership and resources.
In response to the Consent Order, corporate Operational Risk and Compliance partnered with Corporate
Risk Human Resources to design and conduct management reviews and to prepare compliance
committee reporting that evaluated the adequacy of enterprise risk & compliance management staff to
comply with consent order requirements.
Based on our analysis of the Consent Order, Wells Fargo determined that the programs within the risk
management function that were affected by the Consent Order were: Compliance, Fair and Responsible
Lending (both of which report to the Chief Compliance Officer within Operational Risk), and Vendor
Management. A staffing and skills review of these three programs was conducted.
The review, led by Corporate Risk Human Resources, began with a review of the applicable job position
descriptions, to ensure the requirements for the positions included qualifications necessary to meet the
requirements of the consent order, as well as described the duties adequately. In Wells Fargo practice,
during search and hiring, the corporate job descriptions are supplemented by position-specific
descriptions that add topical knowledge and experience requirements for the position being hired. It was
determined that this practice was adequate, and that the existing corporate job descriptions did not
require emendation.
Next, Human Resources compiled information about the identified positions and team members filling
them, including experience, performance evaluation information, and available resumes. This HR-led
review was conducted with first line and senior managers, and included: competencies, mortgage
servicing experience and related certifications, job structures, activities, and amount of time allocated to
oversight of the mortgage servicing, loss mitigation, and foreclosure businesses. The review to this point
was completed on September 29, 2011.
The information was then presented to the CORO on October 7, 2011, who then worked with HR to
perform a final review and form conclusions and recommendations. These were discussed in detail with
the Chief Risk Officer of Wells Fargo, and with the Board Compliance Committee in executive session, on
November 16, 2011.
Further actions based on the analysis
Based on this work, changes will be made to the programs. The CORO has verbally communicated the
results to the Federal Reserve’s resident supervisory staff, and will prepare a summary memo by
12/31/11.
Vendor Management

The program, as detailed in our response to Consent Order paragraph 2b, will be re-engineered to include a
more centralized model, a closer relationship with Wells Fargo’s Supply Chain Management department,
and the creation of a central unit to manage certain aspects of third party oversight and risk
management. This work has begun, and important aspects are targeted for completion in the first
quarter of 2012, including the development of a new corporate Vendor Management Policy by January
31, 2012, and planning for the piloting of certain operational aspects of the new structure.

Program changes are anticipated to affect line of business vendor risk team staffing models. The
corporate program will include a process to assess periodically whether adequate and knowledgeable
resources are dedicated to business-level oversight of vendor.

Compliance and Fair & Responsible Lending
Both the corporate Compliance Risk Management and the Fair & Responsible Lending programs report to
the Chief Compliance Officer.

To help manage changes in the overall regulatory environment, Wells Fargo has created additional program
capacity by evolving its Dodd-Frank office into a permanent Regulatory Change Management Office. This
will provide enhanced ability to manage and monitor changes to policies, procedures, and processes
brought about by new or changed requirements or supervisory guidance (see Consent Order paragraph
4c). This Office has a manager, 7 program/project managers, and access to a pool of project managers.
Although the nominal effective date for the office is 1/1/2012, personnel in this Office are currently
performing project and program management roles for our Dodd-Frank effort overall, individual Dodd-Frank initiatives such as the Volcker rule, and the consent orders.
Ongoing monitoring of corporate operational risk staffing & skill adequacy
The corporate personnel in the Vendor Management, Compliance, and Fair and Responsible Lending
programs, as well as the personnel in the Regulatory Change Management Office, are subject to Wells
Fargo’s personnel evaluation processes, including personal performance plan, annual evaluation and the
formulation of training and development plans, as well as the annual operational risk talent review
previously referenced, which is led by the CORO.
For the duration of the Consent Order, progress will be overseen by the Compliance Committee of the
Board, with summary reporting to the A&E Committee. Thereafter, Board oversight responsibility will be
with the A&E Committee. The CORO, to whom the central program offices report, reports quarterly to
the A&E Committee of the Board.

Task Summary and Status (all tasks are complete)
1. Partner with Corporate Risk Human Resources to design management reviews. Completed August,
2011.
2. Determine the programs and positions within the risk management function that are affected by the
Consent Order. Completed August, 2011.
3. Review of the applicable job position descriptions to ensure the requirements for the positions
included qualifications necessary to meet the requirements of the consent order, as well as described
the duties adequately. Completed 9/29/11.
4. Evaluate the adequacy of the Wells Fargo hiring practice to supplement the corporate job
descriptions by position-specific descriptions that add topical knowledge and experience
requirements for the position being hired. Completed 9/29/11.
5. Compile information about the relevant positions and the team members filling them, including:
experience, performance evaluation information, professional work experience and certifications,
time allocated to mortgage servicing, and default management oversight, and structure of the
positions overall. Completed 9/29/11.
6. Conduct reviews with first line and senior managers. Completed 9/29/11.
7. Provide documentation of review results to the Chief Operational Risk Officer for her further analysis,
conclusions, and recommendations. Completed 10/7/11.
8. Discuss the conclusions and recommendations with the Chief Risk Officer. Completed 11/15/11.
9. Discuss the results in an Executive Session of the Board Compliance Committee. Completed
11/16/11.

Further Task Summary and Status
1. The Chief Operational Risk Officer will provide a summary memo of the results of the ERM and
Compliance staff review to the Federal Reserve’s resident supervisory staff. Due 12/31/11

2. Completion of enhanced Vendor Risk Management Policy. Due: 1/31/12
3. Fill senior manager position over Vendor Risk Management. Due: 2/28/12
4. Further staffing analysis for Vendor Management central program office. Due: 6/30/12
5. Hire new Chief Compliance Officer. Due: tbd
6. Further staffing analysis for compliance oversight: 120 days following hire of new Chief Compliance
Officer.

FRB Consent Order Implementation Report
12/23/11
Section 2 – Board Oversight
Consent Order Requirement – 2d
The plan shall, at a minimum, address, consider and include: steps to improve the information
and reports that will be regularly reviewed by the board of directors or authorized committee
of the board of directors regarding residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities and operations, including compliance risk assessments and the status
and results of measures taken, or to be taken, to remediate deficiencies in residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities, and to comply with this
Order.

Status: Green – on track for implementation 12/31/11

Requirements Summary
Summary: Wells Fargo has taken steps to improve the information and reports reviewed by
Board Committees regarding residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities and operations. The Compliance Committee of the Board was formed to
oversee the status and results of measures taken to remediate the deficiencies noted in the
Consent Order. The Compliance Committee meets monthly, and provides direct Board
oversight of management’s actions at both the business level and the corporate program
level. Enhancements have been made to risk management and compliance programs that will
result in improved reporting to the A&E Committee of the Board, which will have ongoing
oversight responsibilities at the completion of the Consent Order.
Board oversight & governance structure
For the duration of the Consent Order, the Compliance Committee of the Board (formed in response to
requirements in the OCC Consent Order for mortgage servicing) will supervise Wells Fargo’s response
and progress against the identified issues from both the OCC and Federal Reserve Consent Orders. This
Committee meets monthly to review progress against remediation plans for both the OCC and FRB
Consent Orders. It also reviews and approves the required Quarterly Progress Reports to the OCC and
FRB. These activities directly provide Board oversight of remediation actions taken by management at
the business and corporate levels of the company to comply with the Consent Orders.
Reporting to the Compliance Committee is done by the Chief Operational Risk Officer (CORO). Over the
life of the consent orders, a large amount of information regarding progress against the requirements of
the consent order, the condition of the specific risks as revealed by self-testing and Audit work, and
other related material is generated, and used to develop Compliance Committee reports.
The Audit and Examination Committee of the Board (“A & E Committee”) generally has responsibility for
operational risk. When the Consent Orders are lifted, the A & E Committee will have ongoing
responsibilities for oversight and direction. Reporting to the A & E Committee for operational risk is also
done by the CORO, with the reports being developed out of normal activities of the risk management
programs in the area of operational risk.
In normal state reporting to the A & E Committee, there will not be standing agenda items regarding
mortgage servicing, loss mitigation, and foreclosure, but any exception conditions, or issues warranting
the attention of the Board will be escalated. Oversight processes have been modified as described
below to ensure that issues or conditions will be identified and escalated.
In the case of both the Compliance and A & E Committees, each committee meeting is reported to the
full Board by the committee chair, with full Board discussion as necessary.
The Credit Committee of the Board also receives reporting about loss and foreclosure experience in the
mortgage-related businesses as necessary. Again, there is not a standing agenda item, but rather
reporting occurs as necessary. The most recent report to the Credit Committee on these topics was in
November 2011.
Consent Order driven changes to ERM and Compliance program risk reporting
The enterprise risk and compliance programs place requirements on businesses to perform certain risk
management activities, and to perform extensive reporting on the results to central risk management
functions.
The programs were previously applied at the level of the “whole business”. Going forward, the
mortgage-related businesses will be treated as if they are (each) three separate businesses, so that
Mortgage Servicing and Default Management (loss mitigation and foreclosure) will each, separately from
the rest of the business areas, be required to meet the risk assessment, testing, and reporting
standards. The reporting will be at a more granular level than previously employed, and thereby
provide improved transparency regarding these businesses. This reporting regimen has begun in the 4th
quarter of 2011 for 3rd quarter reporting activities. The reporting on the condition of compliance
programs, most recently made to the A & E Committee of the Board in November, treats these two
areas as individual businesses.
The central risk function has also specified that the regular quarterly reporting for operational risk in the
case of mortgage-related businesses include metrics regarding mortgage servicing, loss mitigation and
foreclosure information. This additional reporting will begin in the 1st quarter of 2012.
We are treating the two primary businesses - Home Mortgage and Home Equity - as if they were each
three businesses, splitting out Mortgage Servicing and Default Management (Loss Mitigation and
Foreclosure) from the main business. This means the programmatic requirements, including reporting
on the state of compliance and the state of the compliance program, as well as the escalation of any
issues, will apply separately to Mortgage Servicing, Default Management, and other business activities,
thereby providing the necessary transparency for the oversight function.

In addition, the specific risks identified in the Consent Orders for mortgage loan servicing, Loss
Mitigation, and foreclosure activities, which formerly were not included in Wells Fargo’s risk
management tools and processes, have now been included, ensuring that these risks will be part of Wells
Fargo’s ongoing risk assessment, monitoring/testing, and reporting regimen. Six new “Major
Compliance Requirements” were added to CRAS+ on 9/1/11. CRAS+ is Wells Fargo’s system that
catalogs and assigns risks to businesses. Businesses use the system to assess the risks, record and
assess controls, administer the testing/monitoring activities, and record the results. These risks will
therefore be subject to existing risk management disciplines on an ongoing basis.

Plan Task Summary and Status (all tasks are complete)
1. Provide for supervision of the response and monitoring of progress against the identified issues by
establishing the Compliance Committee of the Board for the duration of the Consent Order.
Complete 6/12/2011.
2. Reconfigure reporting and corporate risk program hierarchy to allow for more granular level
reporting with Servicing and Default Management viewed as separate Businesses. Complete for 3rd
quarter 2011 risk reporting. Results were reviewed 12/5/11, and ongoing process refinements are
being applied for 4th quarter 2011 reporting.
3. Begin reporting at central risk function level and line of business level. Complete for 3rd quarter
2011 risk reporting. Results were reviewed 12/5/11, and ongoing process refinements are being
applied for 4th quarter 2011 reporting.

Further Task Summary and Status
1. Implement changes to the Line of Business RABU structure. In process. Due: 1Q 2012. Please
note that this is an enhancement to create an efficient method of generating the information needed
for reporting. This is not needed to accomplish the changes, but makes them more efficient and
effective.

FRB Consent Order Implementation Report
12/5/11
Section 3 – Enterprise Risk Management
Consent Order Requirement – 3a
The plan shall, at a minimum, be designed to: Ensure that the fundamental elements of the
risk management program and any enhancements or revisions thereto, including a
comprehensive annual risk assessment, encompass residential mortgage loan servicing, Loss
Mitigation, and foreclosure activities.

Status: Complete
Requirements Summary
Wells Fargo has an enterprise-wide Operational Risk program, which consists of a framework that
includes roles and responsibilities, required processes including risk assessment, required tools, and
governance structures. It also incorporates a number of Corporate Risk Management Programs (“CRMP”)
for specific types of operational risk. Initial analysis indicated that the issues identified in the OCC and
Federal Reserve Consent Orders resulted from three fundamental reasons:
1) Risks that fall within the scope of an existing CRMP, but which were not adequately
distinguished by the CRMP
2) Risks that were not within the scope of any Wells Fargo CRMP, which therefore had not been
adequately assessed and managed, and for which inadequate information existed in order for
proper oversight to be performed
3) Business risk management structures that did not permit adequate visibility into the business
activities of mortgage loan servicing, loss mitigation, and foreclosure.
1) Risks that fall within the scope of an existing CRMP:
An initial analysis indicated CRMPs needing extension were Vendor Management, Fair and Responsible
Lending, and Regulatory Compliance. The three CRMPs performed a formal gap analysis against the
Consent Order. Each of the CRMPs beyond these three was directed to review the Consent Order, in
order to confirm the results of the initial analysis. Documentation of the analysis is attached.
Vendor Management had already begun a thorough re-engineering of the program as a result of prior
internal analysis of the program. That re-engineering was augmented by the results of the gap analysis
(attached) against the consent order. The overall result is a new framework for Wells Fargo’s evaluation
and management of risks that attend 3rd party service providers. The results of this will be documented
in Wells Fargo’s response to article 2(b). In the meantime, Operational Risk has performed oversight of
the business-level response to the pertinent sections of the OCC Consent Order.
Fair and Responsible Lending developed new controls and reviewed guidance for existing major
compliance requirements, which have been designed, written, reviewed, and placed into production on
the CRAS+ system, the basic tool for the evaluation and performance tracking of operational risks at
Wells Fargo. These requirements are assigned to businesses that engage in lending, under the standard
activities of “Manage collections & defaults” and “Monitor & service accounts.” Two documents are
attached, detailing the risk description, standard controls, and guidelines for when the activities are
monitored or reviewed.
2) Risks that were not within the scope of any Wells Fargo CRMP:
A number of the issues detailed by the OCC or the Federal Reserve Consent Orders had not previously
been included in a CRMP, nor identified at the needed level of specificity in the tools.
Accordingly, the Consent Order was thoroughly analyzed, and in each instance of a risk not previously
tracked, a new Major Requirement was designed, written, reviewed, and placed into production on the
CRAS+ system. Each MR describes the risk, specifies standard controls, and provides guidelines for the
monitoring or review of the risks. A document containing these six new MRs is attached. Because of the
importance of these issues, they have been incorporated as compliance program requirements, and
therefore fall under the requirements of the compliance program, including annual assessment, review
and reporting requirements.
3) Business risk management structures that did not permit adequate visibility into the business
activities of mortgage loan servicing, loss mitigation, and foreclosure:
The businesses had designed their risk management program at the level of their “whole business.”
Although each included the risks involved in mortgage servicing, loss mitigation, and foreclosure
activities, this structure did not permit sufficient identification of risk, nor transparency on the condition
of risk and the risk management functions. Accordingly, each business engaged in the business of
consumer residential mortgages has been disaggregated to treat these areas as if they
are independent businesses. This change requires risk assessment, control identification, reviews and
testing, and reporting at a more detailed level than previously. In practical terms, there will be two
additional “businesses” rather than three: Servicing; and Loss Mitigation and Foreclosure. The use of
two businesses is a result of operational practicalities. There is a work stream dealing with
mortgages that are performing to expectations and a work stream for non-performing mortgages, which
encompasses both loss mitigation and foreclosure. The reporting change has been implemented, and is
tracked as our response to Section 2(d), Board Reporting. Sec 2(d) has a 12/31/11 response due date,
to allow the completion of the first quarterly reporting cycle (reporting as of September 30, completed in
the fourth quarter).

Supporting Artifacts

Section 3a Completed Work Documents 12.06.11:

Consent Order Requirement – 3b
3 (b) The plan shall, at a minimum, be designed to: ensure that the risk management
program complies with supervisory guidance of the Board of Governors, including, but not
limited to, the guidance entitled, “Compliance Risk Management Programs and Oversight at
Large Banking Organizations with Complex Compliance Profiles,” dated October 16, 2008 (SR
08-08/CA 08-11);

Status: Complete
Requirements Summary
Wells Fargo’s risk management function includes a Compliance Risk Management program that is
primarily responsible for fulfilling the requirements of SR08-8. We have analyzed our compliance
program against SR08-8: that analysis is included as a supporting artifact for requirement 4(b) of this
Consent Order as well as here.
As detailed in our response to item 4(b) of the consent order, the program framework and processes are
sufficient to meet the requirements of the Consent Order, but the application of those needed to be
expanded to include the risks identified under the consent order, and to view the mortgage servicing
portions of our pertinent businesses as if they were independent businesses.
Wells Fargo’s risk management function includes a number of formal programs that are subject to Federal
Reserve supervisory guidance, such as the management of 3rd party service providers (“Vendor
Management Program”) and information security. We performed a preliminary analysis of the Consent
Order, which indicated that the programs that were affected were: Compliance, Vendor Management,
and Fair and Responsible Lending. For those programs we performed a formal analysis of the programs
against the requirements of the consent order. The determination was that the Compliance program
required expansion (as already noted – see item 4b), the Vendor Management Program required
changes, which are separately covered by item 2(b) of this Consent Order, and the Fair & Responsible
Lending program required minor changes, which are treated separately under 3(a). Please see the
response and supporting documentation for items 2(b), 3(a) and 4(b).
For the other programs in our enterprise risk management function (such as Information Security,
Privacy, and Business Continuity), we required the central program offices to analyze the consent order
for applicability, in order to confirm or modify the preliminary analysis. This effort confirmed the
preliminary analysis. These other programs in the risk management function are themselves subject to
various supervisory requirements and guidance, and are designed to meet this guidance, including that
of the Federal Reserve. They are regularly audited and examined against those requirements.
Accordingly, for the purpose of our response to the Consent Order, we confined our analysis of these
other programs to the Consent Orders.
Wells Fargo has a formal process to identify, review, and incorporate revised guidance from the Federal
Reserve (as well as other agencies). This will enable Wells Fargo to stay current with future Federal
Reserve regulations, requirements and guidance: see our response to item 4(c) of this Consent Order.

Supporting Artifacts

Wells Fargo’s Risk Management Framework

Analyses of the other CRMPs against the Consent Orders

SR08-8 analysis

CRMP CO Analysis Updated 09.30.11 v2

Consent Order Requirement – 3c
The plan shall, at a minimum, be designed to: establish limits for compliance, legal, and
reputational risks and provide for regular review of risk limits by appropriate senior
management and the board of directors or authorized committee of the board of directors.

Status: Complete
Requirements Summary
Wells Fargo has established a corporate risk appetite framework including metrics for operational risk.
These were developed under the direction of Wells Fargo’s Chief Risk Officer, reviewed with the Risk
Committee of the Board of Directors, revised based on the input of the Committee, and finalized at a
recent meeting of the Committee. A copy is attached.
These limits form an important part of the Operational Risk reporting requirements which were
introduced in the 3rd quarter for all Wells Fargo businesses, and which are required in the 4th quarter
(for reporting on 3rd quarter activities). A copy of the required reporting template is attached. In
addition, the businesses involved in residential mortgage lending will monitor performance against the
parameters in the Statement and report on and review performance as part of the existing senior
management risk committees established to govern residential mortgage lending businesses. The first
report and review will occur prior to the end of 1Q12 and quarterly thereafter.

Supporting Artifacts

Corporate level Statement of Risk Appetite & Governance Protocols

New Operational Risk Reporting Template – see page 4 (Risk limits)

OR-Profile-Report-Template.pdf

Risk Appetite – Q2 2011 Tolerance vs. Actual Levels 06302011 – Risk Book

FRB Consent Order Implementation Report
12/23/11
Section 4 – Compliance Risk Management
Consent Order Requirement – 4a
The plan shall, at a minimum, be designed to: Ensure that the fundamental elements of the
ECP and any enhancements or revisions thereto, including a comprehensive annual risk
assessment, encompass residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities;

Status: Complete
Requirements Summary
Summary. Wells Fargo has a compliance risk management program, which includes, among
many other features, a requirement for annual risk assessment. This program was analyzed
against SR08-8 in response to this Consent Order: the program’s processes and program
requirements per se are adequate based on this analysis,
First, not all the risks identified in the Consent Order
were part of the compliance program. Wells Fargo has incorporated these risks into its
formal compliance program. Second, the program formerly was applied to the real estate
secured consumer lending businesses at the level of the “whole business.” Wells Fargo
will apply its compliance risk management program to the areas of mortgage servicing, and
mortgage loss mitigation/foreclosure as if they were independent businesses. This will
ensure that the processes and disciplines will be applied in a focused manner in these
business areas, and the reporting will create transparency.
Line of Business Compliance program
Although this document will concern itself primarily with the corporate compliance risk management
program, we note that numerous and broad changes were made to the business-level compliance
programs in Wells Fargo’s mortgage businesses. These resulted from thorough assessment of all
program elements, including policies and procedures, roles and responsibilities, training, controls, and
the scope of the program. The changes are documented in Wells Fargo’s response to the OCC Consent
Order, Article IV, and were implemented 9/12/11, according to the required OCC Consent Order
timeline. They include:
• revised roles and responsibilities
• significantly strengthened and broadened employee training
• changes to policies and procedures where required, in many business areas
• a strengthened formal talent management program for compliance personnel
• the expansion of the program to areas not previously covered, such as employee workload in
servicing, loss mitigation, and foreclosure areas
• enhanced compliance processes, such as more detailed testing procedures.

Enterprise Compliance Program
Background:
Wells Fargo’s enterprise Compliance Program provides a framework for the implementation of
compliance risk management in all businesses at Wells Fargo. This framework has, among other
features, requirements for risk assessment, review of controls, monitoring/testing, reporting, corrective
action, training, and documentation. Each business-level program must reassess compliance risks
annually. These processes appear sufficient in design, as risk-management measures, based on a
detailed analysis of the program against SR08-8.
Each Wells Fargo business unit is required to create a business-level compliance program. In addition to
fulfilling the numerous other requirements for risk management actions, each program must report
quarterly on its business unit’s state of compliance and must reassess its business unit’s compliance
risks annually.
The corporate compliance function (“Compliance Risk Management” or CRM) provides oversight over the
business compliance programs to help ensure the Corporate Regulatory Compliance Policy requirements
are being met and issues are resolved promptly. In particular, the corporate oversight function reviews
to ensure all business programs include comprehensive risk assessment, ongoing monitoring and
risk-based testing of major compliance requirements and accurate reporting on the state of compliance.
Program oversight evaluations are conducted regularly to help ensure compliance with the corporate
Regulatory Compliance Policy, and the state of the program results are reported to the A & E Committee of
the Board on a regular basis.
The Compliance Risk Analysis System (CRAS+) supports corporate compliance management and is a
repository for recording critical compliance management information which provides an appropriate level
of transparency to the oversight function.
Adjustments made due to Consent Orders:
With this structure in place, why were the issues identified in the Consent Order not surfaced? Our
analysis determined that, in the case of the compliance program, there were two causes.
First, certain risks were not part of the formal compliance program. The compliance program had been
based primarily on federal and state financial services law and regulation. For some of the
compliance-related issues in the consent orders, there is no specific underlying federal or state financial services law
and regulation. In the Wells Fargo structure, by policy and practice, these risks were the responsibility
of management, to apply sound management principles, but had not been explicitly identified in the
compliance program. The particular risks, as a result, were not subject to the standard compliance
disciplines of formal risk assessment, control documentation and evaluation, ongoing testing, and
reporting. This issue has been addressed by adding the consent order requirements into our compliance
management tool (CRAS+) as of 9/1/11, making these requirements subject to our compliance
management processes including risk assessment, control documentation and evaluation, ongoing
testing, and reporting as well as oversight by the corporate compliance function.
The information included in CRAS+ includes not only the requirements (in this case the consent order
requirements), but also the internal controls to be implemented at the business level to help ensure
compliance, and the testing/monitoring procedures to be followed by the business-level compliance
programs to verify that controls are effective. These requirements, standard controls and review
procedures are assigned to all businesses that offer consumer real estate mortgages and perform
mortgage servicing, and loss mitigation and foreclosure activities. The applicable compliance programs
are responsible for documenting the specific business-level implementation of the controls for each
requirement, for reviewing those controls on a regular basis (following a standard risk based cycle) and
rating the effectiveness of the controls as well as whether the business is actually complying with the
consent order requirements.

For purposes of our compliance program, we are treating the two primary businesses - Home Mortgage
and Home Equity - as if they were each three businesses, splitting out Mortgage
Servicing and Default Management (Loss Mitigation and Foreclosure) from the main business. This
means the programmatic requirements, including reporting on the state of compliance and the state of
the compliance program, as well as the escalation of any issues, will apply separately to Mortgage
Servicing, Default Management, and other business activities, thereby providing the necessary
transparency for the oversight function.
By incorporating the issues and requirements of the Consent Orders into the compliance program, we
ensure that the issues will be subject to the disciplines and processes required by the program. By
requiring our mortgage-related businesses to “break out” mortgage servicing and default management,
there will be transparency required for oversight and Board reporting.
We believe this to be the best way to ensure that the issues and requirements are subject to ongoing
attention, and the effort is sustainable over time.

Task Summary and Status (all tasks are complete)
1. Evaluate current Enterprise Compliance Program and processes against this requirement. Complete
8/19/11.
2. Incorporate identified issues and requirements into the CRAS+ tool. Complete 9/1/11.
3. Disaggregate the consumer residential mortgage businesses to provide visibility to the mortgage
loan servicing, loss mitigation, and foreclosure activities for transparency required for oversight and
Board reporting. Complete for 3rd quarter 2011 risk reporting. Results were reviewed 12/5/11, and
ongoing process refinements are being applied for 4th quarter 2011 reporting.

Consent Order Requirement – 4b
The plan shall, at a minimum, be designed to: ensure compliance with the Legal
Requirements and supervisory guidance of the Board of Governors;

Status: Complete
Requirements Summary
Summary. Wells Fargo has a long-standing corporate compliance program that is designed
to ensure compliance with laws, regulations, and supervisory guidance, including that of
the Board of Governors. This program contains a comprehensive set of requirements and
processes, and specifies roles and responsibilities, the primary goal of which is to ensure
compliance. This corporate compliance policy has always applied to mortgage servicing,
foreclosure and loss mitigation activities, but we have identified reasons why it did not
surface the issues contained in the Consent Orders, and have taken steps to remedy those.

An analysis of Wells Fargo’s compliance program against the Consent Order and SR08-8 was
performed. The program’s framework, processes and requirements, per se, appeared sufficient to
meet the programmatic requirements under the consent order: they require annual risk assessment,
including assessment of the control environment, monitoring/testing, reporting, escalation of issues,
and (if necessary) formal corrective actions.
Therefore, we analyzed why the issues identified in the consent orders occurred, but were not
surfaced and addressed by the compliance program. The analysis determined that, in the case of the
compliance program, there were two causes.
First, certain risks were not part of the formal compliance program. The compliance program had
been based primarily on federal and state financial services law and regulation. For some of the
compliance-related issues in the consent orders, there is no specific underlying federal or state
financial services law and regulation. In the Wells Fargo structure, by policy and practice, these risks
were the responsibility of management, to apply sound management principles, but had not been
explicitly identified in the compliance program. The particular risks, as a result, were not subject to
the standard compliance disciplines of formal risk assessment, control documentation and evaluation,
ongoing testing, and reporting. This issue has been addressed by adding the consent order
requirements into our compliance management tool (CRAS+) as of 9/1/11, making these
requirements subject to our compliance management processes including risk assessment, control
documentation and evaluation, ongoing testing, and reporting as well as oversight by the corporate
compliance function.

For purposes of our compliance program, we are treating the two primary businesses - Home Mortgage
and Home Equity - as if they were each three businesses, splitting out Mortgage
Servicing and Default Management (Loss Mitigation and Foreclosure) from the main business. This
means that the programmatic requirements, including reporting on condition, will apply separately,
thereby providing transparency.
With these measures, Wells Fargo’s response to the consent order is incorporated into the standard,
ongoing operations of compliance risk management, which has demonstrated itself as sustainable.

Task Summary and Status
Complete
1. Assess current policies for oversight with respect to compliance with all legal requirements and
supervisory standards and guidance, including those of the Federal Reserve Board of Governors
and evaluate need for new policies. Complete 11/30/11.
2. Analyze Compliance Risk Management program against SR08-8. Complete 9/19/11.
3. Analyze why the issues identified in the consent orders occurred, but were not surfaced and
addressed by the compliance program. Complete 6/10/11.
4. Disaggregate the consumer residential mortgage businesses to provide visibility to the mortgage
loan servicing, loss mitigation, and foreclosure activities and incorporate the risks identified in the
Consent Orders into our tools as explicit requirements. Complete for 3rd quarter 2011 risk
reporting. Results were reviewed 12/5/11, and ongoing process refinements are being applied for
4th quarter 2011 reporting.

Consent Order Requirement – 4c
The plan shall, at a minimum, be designed to: ensure that policies, procedures, and processes
are updated on an ongoing basis as necessary to incorporate new or changes to the Legal
Requirements and supervisory guidance of the Board of Governors.

Status: Complete
Requirements Summary
Summary. Wells Fargo has a robust process in place to ensure that policies, procedures and
processes are updated on an ongoing basis to incorporate new laws and regulations or
changes to legal requirements and supervisory guidance. We have reviewed this process and
believe it meets the requirements of the Consent Order. However, we have recently
augmented the resources available, given the pace and degree of regulatory change in the
wake of the financial crisis.
Background
Wells Fargo has a long-standing process (the “alerts process”) with the following features:
1) Members of the Legal Group monitor numerous sources of regulatory changes for financial
institutions, specifically including the Board of Governors of the Federal Reserve regulations and
supervisory guidance. In addition, other items such as interpretive letters, examination
procedures, and policy statements, are monitored;
2) New items identified through the monitoring process are entered into a database, generating a
specific record, and requiring the entering of multiple contextual data points for each change,
such as agency, citation, Legal Group contact, the Wells Fargo proponent for incorporating the
change into the Wells Fargo risk management tools, and significant dates associated with the
item (e.g., comment due date);
3) Bi-weekly meetings, including representatives from the Legal Group and from Compliance Risk
Management, review each item for significance and applicability, discuss the distribution of the
item, and make an initial risk determination. The risk determination designates whether the item
requires corporate-level project management (highest-risk, or most broadly applicable items),
corporate-level tracking (moderate-to-high risk, cross-group items), or is simply assigned to the
businesses for implementation (low risk, or narrow applicability items);
4) Distribution of each item as applicable to representatives for affected businesses, including staff
and support areas, Group Risk Officer offices, and other corporate risk management programs,
such as information security and vendor management. Always included in the distribution are:
the Major Requirement proponent for CRAS+ (Wells Fargo’s system that catalogs risks, assigns
them to businesses, and is used by the businesses to assess risk and controls, to administer
testing/monitoring, and to record risk condition), the pertinent attorney(s) in the Legal Group,
Audit, and Compliance Risk Management;
5) Ongoing reporting for the projects that are managed as corporate projects, and others
determined to require tracking, as established by the risk determination. This reporting goes in
summary form to the CORC, and in more detailed form to the Compliance Council.
Changes to policies, procedures and processes are made during execution of the projects that are
generated through the alerts process (see 3 above). Indeed, the projects exist in large measure
specifically to apply project management discipline to the changes necessary in business practices and
procedures, and the policies that govern the practices and procedures.
Corporate-wide projects are managed by the corporate Operational Risk function, and new policies,
procedures and processes are managed through the project, whether the need is for corporate-level
policies, procedures and processes, or at the business level. In the case of other projects that require
corporate-level tracking, progress on the business level is tracked by Operational Risk. In the case of
items assigned to the businesses, making changes is the responsibility of business
management. Oversight processes (Compliance Risk Management) or auditing (Wells Fargo Audit)
provide assurance.
Treatment of changes from the Consent Orders
For the changes required in the Consent Orders (for example, MERS requirements), an enhanced version
of the usual process is being used.
The entire consent order effort is being managed centrally, with the Chief Operational Risk Officer
(CORO) as the sponsoring executive, and specified senior executives from the businesses designated as
responsible for ensuring that the changes are implemented. Project teams were reviewed for adequacy
and expertise.
The project management process has included review and challenge of all aspects of planning, from the
project design stage (when an independent review committee was assembled for the purpose) through
planning (review by the CORO, senior management, and Audit), and execution (active oversight by
corporate risk functions and near real-time assurance work by Audit).
Additional resources allocated to the Alerts program
While we believe the current alerts process to be sufficient to meet the requirements as stated in
paragraph 4(c) of the Consent Order, the pace and degree of change in regulatory rulemaking in the
wake of the financial crisis is great. Therefore, we have expanded our Dodd-Frank Program Office, and
evolved its role to include laws, regulations, and supervisory guidance beyond Dodd-Frank, as they
emerge from the alerts process, described in step 3 above. The office is composed of project managers
who manage the alerts-related corporate-led projects, and administer the tracking and reporting.
Although the nominal date for this office to be operating is 1/1/2012, in fact personnel are in place and
managing efforts such as the consent order project, the Volcker Rule project, and ongoing coordination
of Wells Fargo’s other Dodd-Frank initiatives.

Plan Task Summary and Status (complete)
1. Analyze the alerts process to ensure that it reliably incorporates new or changed Legal Requirements
and supervisory guidance of the Board of Governors. Completed 10/11/11.

Further Task Summary and Status
1. Augment the resources available for managing change, by establishing the Regulatory Change
Management Office (expanding and further evolving the original Dodd-Frank Office). Complete
(official transfer 12/31, but Office is in place, staffed, and functioning).


Wells Fargo Audit & Security – FRB Consent Order Response
Section 5: Audit (FRB Consent Order)

Leadership

Requirement
Section 2: Board Oversight, Section 5: Audit
Section 2: Board Oversight, Section 5: Audit
Section 2: Board Oversight, Section 5(a)–(f): Audit

FRB Consent Order – Section 2 (Board Oversight), 5 (Audit)

Requirements

2. Within 60 days of this Order, the board of directors of WFC shall submit to the Reserve
Bank a written plan to strengthen the board’s oversight of WFC’s enterprise-wide risk
management (“ERM”), internal audit, and compliance programs concerning the residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities conducted through the
Bank.

5. Within 60 days of this Order, WFC shall submit to the Reserve Bank an acceptable written
plan to enhance the internal audit program with respect to residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities and operations. The plan shall be
based on an evaluation of the effectiveness of WFC’s current internal audit program in the
areas of residential mortgage loan servicing, Loss Mitigation, and foreclosure activities and
operations, and shall include recommendations to strengthen the internal audit program
in these areas.


Milestones
Initial Draft Due: 5/13/11
Initial Review Complete: 5/18/11
Revised Draft Due: 5/25/11
Final Review Complete: 5/31/11
To Board Committee for Review: 6/6/11
Final Document Due: 6/7/11
60 Days Out: 6/12/11



Wells Fargo & Co. – Internal Use Only


Deb Anderson
Section 2: Board Oversight

2(c) The plan shall, at a minimum, address, consider, and include:
(c) Steps to ensure that WFC’s ERM, audit, and compliance programs have adequate levels and
types of officers and staff dedicated to overseeing the Bank’s residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities, and that these programs have officers
and staff with the requisite qualifications, skills, and ability to comply with the requirements
of this Order.



Deb Anderson
Section 5(a)–(f): Audit

5(a) The plan shall, at a minimum, be designed to:
(a) Ensure that the internal audit program encompasses residential mortgage loan servicing,
Loss Mitigation, and foreclosure activities;
5(b) The plan shall, at a minimum, be designed to:
(b) periodically review the effectiveness of ECP and ERM with respect to residential mortgage
loan servicing, Loss Mitigation, and foreclosure activities, and compliance with the Legal
Requirements and supervisory guidance of the Board of Governors;
5(c) The plan shall, at a minimum, be designed to:
(c) ensure that adequate qualified staffing of the audit function is provided for residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities;
5(d) The plan shall, at a minimum, be designed to:
(d) ensure timely resolution of audit findings and follow-up reviews to ensure completion and
effectiveness of corrective measures;
5(e) The plan shall, at a minimum, be designed to:
(e) ensure that comprehensive documentation, tracking, and reporting of the status and
resolution of audit findings are submitted to the audit committee; and
5(f) The plan shall, at a minimum, be designed to:
(f) establish escalation procedures for resolving any differences of opinion between audit staff
and management concerning audit exceptions and recommendations, with any disputes to
be resolved by the audit committee.


Business Approach Summary (Provide a few paragraphs as an executive overview of your approach):
Audit is committed to performing a thorough review and evaluation to strengthen our audit coverage of residential
mortgage loan servicing, loss mitigation, and foreclosure activities.

We performed an initial review to identify areas for immediate improvement. Specifically, we:

• Reorganized our mortgage audit team to create a group to focus specifically on mortgage loan servicing, loss
mitigation, and foreclosure activities;
• Chose a leader to head up this new team who has the expertise and passion to fulfill our role;
• Engaged with the business to monitor action plans related to supervisory letters and the consent orders;
• Enhanced our quarterly reporting to the Audit and Examination Committee of the Board that specifically
addresses our progress towards completion of action plans and informs the Board of any concerns we have in
the company’s progress towards meeting the requirements of the consent orders.

Additionally, we developed action plans to address gaps. These include:

• Conducting an assessment of the audit staff, specifically considering mortgage loan servicing, loss mitigation,
and foreclosure experience; and enhancing the team where deficiencies are noted. We are prepared to add to
staff and/or make changes to meet the consent order requirements.
• Enhancing or developing our current processes for the business monitoring program and continuous audit
process, respectively.
• Assessing our audit strategy including making improvements to our audit documentation, adding/changing
auditable units, and ensuring coverage of enterprise risk management and compliance programs include default
related risks. This assessment will incorporate coverage related to the current risk environment including (but
not limited to) fair treatment of and impacts to customers, compliance with investor and regulatory
requirements, oversight of third parties, MIS and quality assurance. Additionally, we will incorporate action plan
requirements into new or existing assurance audits or targeted reviews to ensure sustainability of processes and
controls.
• Documenting all enhancements to our coverage strategy and engaging an external consultant to provide
feedback on our coverage.
• Developing validation test programs for OCC and FRB consent orders. We are attending key meetings and
performing an assessment of action plans for accuracy and completeness. Objectives of audit’s involvement are
to assess the:
  • Adequacy, completeness, and timeliness of required activities and deliverables
  • Effectiveness of overall project management activities including leadership, communications, issues
  management, change management and monitoring of all key activities.
  • Design and implementation of the system of internal controls and governance processes.

While the conclusion of our work is contingent upon completion of the Line of Business Action Plans, we will continuously
share our progress with the regulators and management, providing transparency on our activities.




Action Plan Strategy (Milestones and Target Dates):
2(c) The plan shall, at a minimum, address, consider, and include steps to ensure that WFC’s ERM, audit, and compliance
programs have adequate levels and types of officers and staff dedicated to overseeing the Bank’s residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities, and that these programs have officers and staff with the requisite
qualifications, skills, and ability to comply with the requirements of this Order.

Action Plan Strategy and Milestones.

• In 2011, the Mortgage audit team was reorganized to create a group to focus specifically on residential mortgage loan
servicing, loss mitigation, and foreclosure activities. This team will be responsible for monitoring actions related to the
consent order/supervisory letters and managing the business monitoring program and leading audit coverage related to
these activities. We are also enhancing staff to incorporate business line knowledge. We will assess the current
qualifications and skills for the management and staff including education, certifications, and years of audit and mortgage
experience for each team member. Any gaps identified will be remediated through training, ongoing development, hiring
of staff, or augmenting reviews with industry experts. July 29, 2011.

5(a) The plan shall, at a minimum, be designed to ensure that the internal audit program encompasses residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities;

Action Plan Strategy and Milestones

Experienced leadership has been assigned responsibility for audit coverage of residential mortgage loan servicing, loss mitigation,
and foreclosure activities. The leadership along with dedicated staff will:

• Be accountable for audit validation work for the Supervisory Letter MRA corrective action plan and Consent Order Action
plans implementation. Through this work, audit will enhance and improve current and future audit coverage of residential
mortgage loan servicing, loss mitigation, and foreclosure activities (taking into consideration changes the business is making
in response to supervisory and consent order action plans). MERS and Document Custody have been identified to be added
as go-forward Auditable Units. We are also developing horizontal residential coverage of consumer default across all
consumer portfolios. Additional changes to the audit universe will be made by October 11, 2011.
• In coordination with the above, audit will review the current Auditable Unit documents for audit entities related to
residential mortgage loan servicing, loss mitigation, and foreclosure activities. This review will incorporate an assessment
of documentation related to the current risk environment including (but not limited to) fair treatment of and impacts to
consumers, compliance with investor and regulatory requirements, oversight of 3rd parties, MIS, and quality assurance.
October 11, 2011
• Continue to report Mortgage Servicing updates to Audit Management Committee and Audit and Examination Committee as
one of the top ten most relevant audit activities for 2011 and throughout the consent order period.
• Update the residential mortgage Business Monitoring Program (BMP) to provide for increased out-of-cycle monitoring by
audit of residential mortgage loan servicing, loss mitigation, and foreclosure activities. The program will include performing
continuous monitoring activities for the areas within residential mortgage loan servicing, loss mitigation, and foreclosure
activities. As part of our continuous monitoring we will develop key performance indicators to assist in identifying
emerging risks. The first version will be completed October 11, 2011, with continual enhancements as the business refines
and implements additional processes. This will include:
  o Meetings with business leaders, audit management, legal and risk partners; review of key management
  reports/trends; review of industry trends/news.
  o An assessment of the current risk environment to identify areas of emerging risk. We will enhance audit coverage
  as needed based on the assessment. The BMP is formally documented quarterly and submitted to senior audit
  management (including the Chief Auditor). Going forward, we will also share our report with business line
  management.
• We have developed and are making improvements to implement procedures that specifically define the minimum
requirements for scoping and subsequent testing for audits performed for residential mortgage loan servicing, loss
mitigation, and foreclosure activities. August 12, 2011
• Engage an external consultant to provide feedback on coverage strategy. October 11, 2011 (Note, we believe our coverage
strategy will continue to be enhanced as the business completes actions committed in the consent order response. As a
result, we will be engaging a consultant after we are able to incorporate both completed and anticipated process changes.)
• WFAS’ Quality Assurance group will increase their review of audits related to residential mortgage loan servicing, loss
mitigation, and foreclosure activities. The reviews will include an assessment of audit coverage, exception identification,
and reporting. October 11, 2011

5(b) The plan shall, at a minimum, be designed to periodically review the effectiveness of ECP and ERM with respect to residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities, and compliance with the Legal Requirements and supervisory
guidance of the Board of Governors;

Action Plan Strategy and Milestones

• Audit has developed and is implementing procedures to assess the effectiveness of Enterprise Risk Management for all of
Wells Fargo business lines. We will enhance the program to ensure coverage of residential mortgage loan servicing, loss
mitigation and foreclosure activities for 2011. WFAS performed a high-level assessment for Enterprise Risk Management
for Wells Fargo for the first time in 2010. The WFAS opinion is reported annually to the Board.
• Audit conducts annual reviews of the Group Compliance Operational Risk group that supports residential mortgage lending
business lines. We will enhance the program to ensure coverage of residential mortgage loan servicing, loss mitigation and
foreclosure. August 31, 2011


5(c) The plan shall, at a minimum, be designed to ensure that adequate qualified staffing of the audit function is provided for
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities;

Action Plan Strategy and Milestones

• In 2011, the Mortgage audit team was reorganized to create a group to focus specifically on residential mortgage loan
servicing, loss mitigation, and foreclosure activities. This team will be responsible for monitoring actions related to the
consent order/supervisory letters and managing the business monitoring program and leading audit coverage related to
these activities. We are also enhancing staff to incorporate business line knowledge. We will assess the current
qualifications and skills for the management and staff including education, certifications, and years of audit and mortgage
experience for each team member. Any gaps identified will be remediated through immediate training, ongoing
development, hiring of staff, or augmenting reviews with industry experts. July 29, 2011
• To supplement the skill sets of our mortgage team, we will establish development plans that may include internal and
external training, line of business training, and job rotations. October 11, 2011 (we should be able to start the rotation
program Jan. 1, 2012)

5(d) The plan shall, at a minimum, be designed to ensure timely resolution of audit findings and follow-up reviews to ensure
completion and effectiveness of corrective measures;

Action Plan Strategy and Milestones

• As required by WFAS Policy, we will perform validation of corrective action for all high and very high reportable issues
identified in our regularly cycled audits within 30 days of closure by business line management. We will ensure issues not
completed appropriately or timely are properly escalated to management and board reporting.
• We have implemented additional enhancements during the Consent Order that require all moderate reportable issues
identified in regularly cycled audits of WFHM and HE residential mortgage loan servicing, loss mitigation, and foreclosure
activities to be validated within 45 days of closure by business line management. This will be effective for all issues reported
on or after January 1, 2011.
• In addition to the validation work performed after issue closure, we will evaluate and retest the controls relating to these
issues during the next audit to ensure sustainability.
• All issues for which management chooses to assume the risk rather than taking corrective action require appropriate business
unit management approval (2 levels above the business unit manager). In addition, these issues require approval by the
Audit Director, in consultation with the Senior Audit Director and Deputy Chief Auditor, and are reported to the Audit and
Examination Committee quarterly.
• Quarterly, Audit meets with the Head of Home and Consumer Finance and the Co-Heads of Home Mortgage. During these
meetings, or more immediately if necessary, Audit will provide specific updates on resolution of audit findings and follow-up
reviews performed. We will also escalate concerns we have with the effectiveness of corrective measures taken by the
business. Effective Q2 11


5(e) The plan shall, at a minimum, be designed to ensure that comprehensive documentation, tracking, and reporting of the
status and resolution of audit findings are submitted to the audit committee;

Action Plan Strategy and Milestones

• Devote a specific section of the quarterly Audit and Examination Committee report to provide updates to the board on the
state of mortgage servicing specifically related to residential mortgage loan servicing, loss mitigation and foreclosure
activities and actions being taken to address regulatory concerns (including the supervisory letter and consent order) and to
provide an ongoing assessment of overall program management related to the consent order. Effective Q2 11 and quarterly
thereafter while under the Consent Order
• WFAS reports to the Audit and Examination Committee quarterly on the internal audit activity's purpose, authority,
responsibility, and performance relative to its plan. Described in the report are: key control issues and breakdowns and
management’s corrective actions, key risks and how they are mitigated, brief description of all audits rated less than
acceptable in the period, report on the distribution of audit ratings, principal projects completed and major results,
snapshot of regulatory compliance environment during the period, summary of investigation and security activities,
financial results and staffing data for the period reported, and any other items of interest to the audit committee.
Issues that are not closed within 30 days of the initial remediation date set by management are escalated to the Audit
and Examination Committee and included in the report.

5(f) The plan shall, at a minimum, be designed to establish escalation procedures for resolving any differences of opinion between
audit staff and management concerning audit exceptions and recommendations, with any disputes to be resolved by the audit
committee.

Action Plan Strategy and Milestones

• Weekly meetings with executive leaders in audit and the business have been established since January 2011. Monthly
reporting is being developed and will be presented to executive residential mortgage leaders which will include whether the
business is on track to complete the corrective action or action plans required by the Supervisory letter and Consent Order.
It will also include any issues raised by audit including disagreements with the business. If resolution cannot be
appropriately made, escalation to the Chief Auditor and Deputy Chief Auditor will happen in established weekly meetings.
Additionally, the Chief Auditor and Deputy Chief Auditor will also escalate issues to the Enterprise Risk Management
Committee, Operating Committee, Audit and Examination Committee, or CEO as necessary. Effective Q2 11
• Quarterly, Audit meets with the Head of Home and Consumer Finance and the Co-Heads of Mortgage. During these
meetings, or more immediately if necessary, Audit will discuss differences of opinion between audit staff and management
concerning audit exceptions and recommendations. We will also discuss specific updates on our audit coverage of
residential mortgage loan servicing, loss mitigation, and foreclosure activities. If differences of opinion cannot be resolved,
we will escalate to the Chief Auditor and Deputy Chief Auditor who will also escalate issues to the Enterprise Risk
Management Committee, Operating Committee, Audit and Examination Committee, or CEO as necessary. Effective Q2 11
• We will share our enhanced coverage strategy with regulators, audit management and business partners to demonstrate
audit’s commitment to supporting a strong control environment, our willingness and ability to escalate issues as needed
and provide transparency. October 11, 2011
