Wirecard: The Biggest FinTech Success and Failure Story of All Time
Published 26 August 2020. Updated 05 September 2020
Wirecard will go down in global financial history, as one of the most significant success and failure stories in FinTech of all time - the worst part being the learnings and dimensions of this story don't seem to end!
With the Brazilian and UK subsidiaries being the first sell-offs since Wirecard filed for insolvency, impacting over 5,800 employees globally, this is a story with dire human repercussions.
This is also true where German businessman Christopher Bauer, owner of PayEasy Solutions, a Manila-based payments processor, was reported dead a month after Philippine authorities announced he was under investigation over the payments company's collapse. PayEasy Solutions was a key business partner for Wirecard, accounting for €291.4m of the German payment group's reported revenue of €2bn in 2018 and more than a fifth of its operating profit,
The Wirecard digital and software business model was on paper simple, and the corporate structure was at a layer view "transparent." Globally we had also learned many lessons from Enron in 2001 and even Lehman Brothers in 2008.
Where then did it go so wrong? Could any of this been avoided had red flags along the way been explored further?
1. The Prequel
Wirecard was founded in 1999 but went bust the next year with the dotcom crash. The company recapitalized, including with monies from Markus Braun, an Austrian tech investor, and digital entrepreneur. He joined as CTO and CEO in 2002, where he refocused the business on providing internet payment services. By the beginning of 2005, InfoGenie AG, a German listed information service company providing call centre f, had transferred its stock to Wirecard. Wirecard then was officially listed by way of a Reverse IPO onto the Neuer Markt stock market. Through this, Wirecard became a wholly-owned subsidiary of "ebs Holding AG" (Electronic Business Systems), another payment company founded in 1998.
This relationship between ebs and Infogenie dated back to 2002 when a "strategic commitment of ebs to integrate a subsidiary into InfoGenie helped stabilise the call centre operator struggling with losses and the departure of key staff at the UK subsidiary following "a critical due diligence audit," according to the annual report.
Wirecard's business model initially focused on client and market segments, which had become "persona non-gratis" due to their increased risk profiles with other financial institutions, such as porn and gambling websites. But it also included software products for identification of fraud.
Soon, however, due in particular to its pre-paid credit card model, Wirecard had expanded globally to approx. twenty-six locations around the world, over 5,800 employees, and by 2018 valued at over $27 billion and had joined the exclusive DAX 30 index.[1]
So how did it all go so wrong?
While accounting fraud played a significant role with USD 1.2 billion "ghost" monies having never existed,
There were many other red flags from as far back as 2005 until the second Financial Times exposé in 2019 made the shareholders sit up and ask for an independent verification on the issues raised, which led to the fall of a fintech empire.
2. Red Flags
So what were these red flags, and how did they go undetected for so long?
a. Multiple whistleblowers
The 2019 expose run by the Financial Times was not the first instance of whistleblowing against Wirecard. As early as 2015, a Financial Times blog questioned its business model and accounting practices. Then in 2017, the German magazine Manager Magazin reported that Wirecard was involved in misleading reporting practices.
b. Origins of Wirecard and Reverse IPO through a defunct company
While Reverse IPOs are not uncommon, they do allow the acquiring entity to avoid the full disclosure requirements and financial scrutiny of the organization's books, which would have been part of a normal IPO process. Further, to do a reverse listing through a failing entity that is operating as nothing more than a shell company should have raised some serious questions.
Also, the history of Infogenie should have been a possible red flag in that this was an entity which due to "a critical due diligence audit," had earlier had to be restructured and resulted in not just losses but multiple staff departures. Who exactly was Wirecard associating with through ebs, and where the business practices "reputable"?
c. Reputation of clients
Several reputable entities jumped into bed with Wirecard, a company that, in its early days, built its business on its offering to porn and gambling websites. The question is, what was the assessment by these entities on:
The Wirecard website states, "As a Wirecard partner, you can impress your customers…"; well, unfortunately, that's not the case anymore.
d. STRs related to Wirecard payments withheld by FIU
The German FIU has publicly acknowledged that it was not processing/focused on high-risk STRs related to Wirecard, which is now being reviewed by German authorities. Anticipate seeing more to come in this area, or not, depending on how deep this goes and the level of additional reputational damage that the German authorities are willing to acknowledge for this failure.
e. Fines by Visa and Mastercard
Since 2010 it is reported that Visa and Mastercard, who partnered with Wirecard on pre-paid Credit cards, had concerns about Wirecard's business network, even going as far as to cut off specific merchants, with some clients changing names to avoid being identified. Their view was that too much of its business was originating from risky areas such as gambling, pornography, and unregulated health-care products known as nutraceuticals.
Such high-risk clients were highly lucrative to Wirecard. Pornjapan, a pornography purveyor, paid 10% fees for transactions handled by Wirecard in 2017, according to internal Wirecard documents viewed by The Wall Street Journal. Mainstream merchants tend to pay 2% to 3% for US credit-card purchases.
Both Visa and Mastercard successfully fined Wirecard for miscoded gambling transactions and a high level of stolen card purchases and reversed transactions, imposing fines exceeding $10 million, but they didn't stop the relationship
f. Qualified opinions in audit reports
Again, as with reverse IPOs, qualified opinions whilst not encouraged, are not uncommon in audit reports where the original documentation to verify and collaborate the financial information provided to the auditor cannot at that moment be provided. A qualified opinion:
On at least two occasions, E&Y auditors gave a qualified opinion on the audited financial statements of a Wirecard subsidiary in Singapore. The first qualified opinion was regarding the subsidiary's high level of uncollected cash based on its reported license fee income and license fee receivables. The second qualified opinion was due to problems verifying the validity of its gateway fees from another subsidiary, Infotop Singapore. This is the same subsidiary where the USD 1.8 billion "ghost" monies were sitting.
What should have been put in place was a time-dependent systematic process of follow up actions to obtain the information and remove the subjective assessment. It is concerning that an organisation as sophisticated as E&Y did not, as far as we are aware, have their own internal controls in place to assure this. But the regulator and shareholders should have demanded it.
In was only after the 2019 Financial Times report came out that the shareholders engaged KPMG to conduct a special independent investigation and then the accounting malpractice came to light.
g. Lack of transparency and accountability in governance and decision making
How was it that an organization, seen as the golden child of the European fintech world, able to operate and make decisions at board level, without minutes being taken or any records to support decision making? The KPMG independent investigation included that the company had failed to record minutes at its executive meetings and was unable to provide comprehensive documentation. Fundamental governance principles require that discussions and actions of executive meetings be minuted for various reasons. Minutes not only promote accountability and transparency; they also facilitate effective audit and regulatory reviews.
h. Auditors lack of understanding of business model and operations
The 2019 Financial Times report stated that a Wirecard senior finance executive was suspected of falsification of accounts, money laundering, and round-tripping in its Asia-Pacific operations. The question is whilst we have already addressed the qualified opinion issue above, we need to understand how an auditor could miss that USD 1.7 billion didn't exist? How is this possible and draws a question on whether the auditors fully understood the business model and accounting practices at play within Wirecard? Was the accounting and business model just too sophisticated or did the auditors just plainly not understand it? Can we also be sure that no other Conflicts of Interest between the auditor and Wirecard?
i. Employee names and passports
With the issuance of the arrest warrants for the CEO Markus Braun and COO Jan Marsalek by German authorities on charges of fraud and embezzlement, including an investigation underway by the Singapore authorities, the later went on the run, telling colleagues he was off to the Philippines to chase the missing billions. It was then however, found that the travel itinerary, including airline bookings and immigration date, has been falsified, and the trip had never been made. He was last pinpointed to be in Belarus. It was then discovered that the COO had and was traveling on multiple country passports, including one issued with diplomatic status, country of origin, yet undetermined. So, who is Jan Marsalek?
This has become a critical employee onboarding question – how well are we recording the various name and travel documents of our employees? Are we dependent on individual disclosure? It's quite common for people with dual nationalities to have multiple passports, and also given people can also have various names depending on which language they are using, how are we ensuring we have completed "Know your Employee" at the onboarding stage? This is something that Wirecard missed and we should expect to see the regulators tightening their grips on this.
j. Employee travel itineraries
In addition to the COO Jan Marsalek passport issue, multiple questions have been raised about this travel itinerary and whether this was known to Wirecard executives. He frequently visited Russia, with over 60 trips in 10 years. In 2014 alone he traveled to Moscow 10 times, usually flying in and out within a day. In 2015 7 times, again often staying less than 24 hours, and traveling in many instances on a practice jet. Many organisations have in place pre-approval requirements for employee business travel, including an assessment of the need and nature of the trip, in particular, to ensure there are no breaches of cross border regulatory restrictions on service and product offering. But is this control translating to up and coming Fintech organisations? Was it in place? Also given present challenges, although traveling is restricted, are organisations surveilling/monitoring staff travel and client interactions properly amid the pandemic when they are working remotely?
k. Independence of the regulator and Conflicts of Interest
There have been discussions on whether the Bafin overstepped in its protection of Wirecard against adverse news reporting by the Financial Times in response to its expose on Wirecard (discussed in more detail below). What has also come to light, however, is that Bafin officials bought and sold Wirecard shares in higher volumes as the payments company edged towards collapse.
The German finance ministry said one-fifth of Bafin staff had engaged in some kind of investment activity in 2019 and 2020, with an increasing interest in Wirecard in the months ahead of its collapse. In the six months to the end of June, 2.4% of investment activity by Bafin staff related to buying and selling Wirecard stock or derivatives.
One quote made by Florian Toncar, a lawmaker in the German parliament, stated, "The trading in Wirecard by Bafin staff is surprising and raises questions, such as the size of the trades and whether officials who traded had insider knowledge."
This raises two questions: 1. Was the regulator going to save Wirecard at all costs until the scale of the fraud emerged? or 2. Did the regulator really have no idea on the real scale and complexity of the issues, and had so much confidence that even its employees saw its shares as a stable financial investment?
3. Treatment of Whistleblowers
One of the biggest takeaways from Wirecard will again be around Whistleblowers being victimized. It's not the first time and it won't be the last. Whistleblowers - Are they protected or is it career suicide? That's a whole other discussion.
In the case of Wirecard, the Bafin targeted two Financial Times journalists and several short-sellers accusing them of potential market manipulation over reports about suspected accounting irregularities and filed a criminal complaint against them. In response, the German Financial Supervisory Authority banned short selling on Wirecard stocks between February to April 2019.
Other cases we have seen are:
Coming forward and speaking up can destroy careers, and it comes with a personal cost-benefit analysis. It's not that the person lacks morals, integrity, or ethics - instead, there is the bigger picture of a family to feed, a career not to end in tatters, and the mental and physical impact of speaking up.
4. The Future
Wirecard is for sure going to be a compliance and audit training reference point for years to come.
Considering all the above revelations and the subsequent arrest of its CEO and COO, the big questions are now:
It is evident that the speed of growth, together with incomplete due diligence, and a lack of governance, has led here to significant pitfalls. We cannot afford to get this wrong again, for in China and other Asian countries, e-commerce is not a luxury but a necessity.
Let's now learn the lessons and try to get this right!
With the Brazilian and UK subsidiaries being the first sell-offs since Wirecard filed for insolvency, impacting over 5,800 employees globally, this is a story with dire human repercussions.
This is also true where German businessman Christopher Bauer, owner of PayEasy Solutions, a Manila-based payments processor, was reported dead a month after Philippine authorities announced he was under investigation over the payments company's collapse. PayEasy Solutions was a key business partner for Wirecard, accounting for €291.4m of the German payment group's reported revenue of €2bn in 2018 and more than a fifth of its operating profit,
The Wirecard digital and software business model was on paper simple, and the corporate structure was at a layer view "transparent." Globally we had also learned many lessons from Enron in 2001 and even Lehman Brothers in 2008.
Where then did it go so wrong? Could any of this been avoided had red flags along the way been explored further?
1. The Prequel
Wirecard was founded in 1999 but went bust the next year with the dotcom crash. The company recapitalized, including with monies from Markus Braun, an Austrian tech investor, and digital entrepreneur. He joined as CTO and CEO in 2002, where he refocused the business on providing internet payment services. By the beginning of 2005, InfoGenie AG, a German listed information service company providing call centre f, had transferred its stock to Wirecard. Wirecard then was officially listed by way of a Reverse IPO onto the Neuer Markt stock market. Through this, Wirecard became a wholly-owned subsidiary of "ebs Holding AG" (Electronic Business Systems), another payment company founded in 1998.
This relationship between ebs and Infogenie dated back to 2002 when a "strategic commitment of ebs to integrate a subsidiary into InfoGenie helped stabilise the call centre operator struggling with losses and the departure of key staff at the UK subsidiary following "a critical due diligence audit," according to the annual report.
Wirecard's business model initially focused on client and market segments, which had become "persona non-gratis" due to their increased risk profiles with other financial institutions, such as porn and gambling websites. But it also included software products for identification of fraud.
Soon, however, due in particular to its pre-paid credit card model, Wirecard had expanded globally to approx. twenty-six locations around the world, over 5,800 employees, and by 2018 valued at over $27 billion and had joined the exclusive DAX 30 index.[1]
So how did it all go so wrong?
While accounting fraud played a significant role with USD 1.2 billion "ghost" monies having never existed,
There were many other red flags from as far back as 2005 until the second Financial Times exposé in 2019 made the shareholders sit up and ask for an independent verification on the issues raised, which led to the fall of a fintech empire.
2. Red Flags
So what were these red flags, and how did they go undetected for so long?
a. Multiple whistleblowers
The 2019 expose run by the Financial Times was not the first instance of whistleblowing against Wirecard. As early as 2015, a Financial Times blog questioned its business model and accounting practices. Then in 2017, the German magazine Manager Magazin reported that Wirecard was involved in misleading reporting practices.
b. Origins of Wirecard and Reverse IPO through a defunct company
While Reverse IPOs are not uncommon, they do allow the acquiring entity to avoid the full disclosure requirements and financial scrutiny of the organization's books, which would have been part of a normal IPO process. Further, to do a reverse listing through a failing entity that is operating as nothing more than a shell company should have raised some serious questions.
Also, the history of Infogenie should have been a possible red flag in that this was an entity which due to "a critical due diligence audit," had earlier had to be restructured and resulted in not just losses but multiple staff departures. Who exactly was Wirecard associating with through ebs, and where the business practices "reputable"?
c. Reputation of clients
Several reputable entities jumped into bed with Wirecard, a company that, in its early days, built its business on its offering to porn and gambling websites. The question is, what was the assessment by these entities on:
- Reputational risk through association,
- The business model of Wirecard
- The senior management team of Wirecard; and
- The sophistication of the internal controls and compliance team maturity and skillsets to identify illegitimate behaviour?
The Wirecard website states, "As a Wirecard partner, you can impress your customers…"; well, unfortunately, that's not the case anymore.
d. STRs related to Wirecard payments withheld by FIU
The German FIU has publicly acknowledged that it was not processing/focused on high-risk STRs related to Wirecard, which is now being reviewed by German authorities. Anticipate seeing more to come in this area, or not, depending on how deep this goes and the level of additional reputational damage that the German authorities are willing to acknowledge for this failure.
e. Fines by Visa and Mastercard
Since 2010 it is reported that Visa and Mastercard, who partnered with Wirecard on pre-paid Credit cards, had concerns about Wirecard's business network, even going as far as to cut off specific merchants, with some clients changing names to avoid being identified. Their view was that too much of its business was originating from risky areas such as gambling, pornography, and unregulated health-care products known as nutraceuticals.
Such high-risk clients were highly lucrative to Wirecard. Pornjapan, a pornography purveyor, paid 10% fees for transactions handled by Wirecard in 2017, according to internal Wirecard documents viewed by The Wall Street Journal. Mainstream merchants tend to pay 2% to 3% for US credit-card purchases.
Both Visa and Mastercard successfully fined Wirecard for miscoded gambling transactions and a high level of stolen card purchases and reversed transactions, imposing fines exceeding $10 million, but they didn't stop the relationship
f. Qualified opinions in audit reports
Again, as with reverse IPOs, qualified opinions whilst not encouraged, are not uncommon in audit reports where the original documentation to verify and collaborate the financial information provided to the auditor cannot at that moment be provided. A qualified opinion:
- indicates that there was either a scope limitation, an issue discovered in the audit of the financials that were not pervasive, or an inadequate footnote disclosure.
- A qualified opinion is an auditor's opinion that the financials are fairly presented, except for a specified area.
- Unlike an adverse or disclaimer of opinion, a qualified opinion is generally still acceptable to lenders, creditors, and investors.
On at least two occasions, E&Y auditors gave a qualified opinion on the audited financial statements of a Wirecard subsidiary in Singapore. The first qualified opinion was regarding the subsidiary's high level of uncollected cash based on its reported license fee income and license fee receivables. The second qualified opinion was due to problems verifying the validity of its gateway fees from another subsidiary, Infotop Singapore. This is the same subsidiary where the USD 1.8 billion "ghost" monies were sitting.
What should have been put in place was a time-dependent systematic process of follow up actions to obtain the information and remove the subjective assessment. It is concerning that an organisation as sophisticated as E&Y did not, as far as we are aware, have their own internal controls in place to assure this. But the regulator and shareholders should have demanded it.
In was only after the 2019 Financial Times report came out that the shareholders engaged KPMG to conduct a special independent investigation and then the accounting malpractice came to light.
g. Lack of transparency and accountability in governance and decision making
How was it that an organization, seen as the golden child of the European fintech world, able to operate and make decisions at board level, without minutes being taken or any records to support decision making? The KPMG independent investigation included that the company had failed to record minutes at its executive meetings and was unable to provide comprehensive documentation. Fundamental governance principles require that discussions and actions of executive meetings be minuted for various reasons. Minutes not only promote accountability and transparency; they also facilitate effective audit and regulatory reviews.
h. Auditors lack of understanding of business model and operations
The 2019 Financial Times report stated that a Wirecard senior finance executive was suspected of falsification of accounts, money laundering, and round-tripping in its Asia-Pacific operations. The question is whilst we have already addressed the qualified opinion issue above, we need to understand how an auditor could miss that USD 1.7 billion didn't exist? How is this possible and draws a question on whether the auditors fully understood the business model and accounting practices at play within Wirecard? Was the accounting and business model just too sophisticated or did the auditors just plainly not understand it? Can we also be sure that no other Conflicts of Interest between the auditor and Wirecard?
i. Employee names and passports
With the issuance of the arrest warrants for the CEO Markus Braun and COO Jan Marsalek by German authorities on charges of fraud and embezzlement, including an investigation underway by the Singapore authorities, the later went on the run, telling colleagues he was off to the Philippines to chase the missing billions. It was then however, found that the travel itinerary, including airline bookings and immigration date, has been falsified, and the trip had never been made. He was last pinpointed to be in Belarus. It was then discovered that the COO had and was traveling on multiple country passports, including one issued with diplomatic status, country of origin, yet undetermined. So, who is Jan Marsalek?
This has become a critical employee onboarding question – how well are we recording the various name and travel documents of our employees? Are we dependent on individual disclosure? It's quite common for people with dual nationalities to have multiple passports, and also given people can also have various names depending on which language they are using, how are we ensuring we have completed "Know your Employee" at the onboarding stage? This is something that Wirecard missed and we should expect to see the regulators tightening their grips on this.
j. Employee travel itineraries
In addition to the COO Jan Marsalek passport issue, multiple questions have been raised about this travel itinerary and whether this was known to Wirecard executives. He frequently visited Russia, with over 60 trips in 10 years. In 2014 alone he traveled to Moscow 10 times, usually flying in and out within a day. In 2015 7 times, again often staying less than 24 hours, and traveling in many instances on a practice jet. Many organisations have in place pre-approval requirements for employee business travel, including an assessment of the need and nature of the trip, in particular, to ensure there are no breaches of cross border regulatory restrictions on service and product offering. But is this control translating to up and coming Fintech organisations? Was it in place? Also given present challenges, although traveling is restricted, are organisations surveilling/monitoring staff travel and client interactions properly amid the pandemic when they are working remotely?
k. Independence of the regulator and Conflicts of Interest
There have been discussions on whether the Bafin overstepped in its protection of Wirecard against adverse news reporting by the Financial Times in response to its expose on Wirecard (discussed in more detail below). What has also come to light, however, is that Bafin officials bought and sold Wirecard shares in higher volumes as the payments company edged towards collapse.
The German finance ministry said one-fifth of Bafin staff had engaged in some kind of investment activity in 2019 and 2020, with an increasing interest in Wirecard in the months ahead of its collapse. In the six months to the end of June, 2.4% of investment activity by Bafin staff related to buying and selling Wirecard stock or derivatives.
One quote made by Florian Toncar, a lawmaker in the German parliament, stated, "The trading in Wirecard by Bafin staff is surprising and raises questions, such as the size of the trades and whether officials who traded had insider knowledge."
This raises two questions: 1. Was the regulator going to save Wirecard at all costs until the scale of the fraud emerged? or 2. Did the regulator really have no idea on the real scale and complexity of the issues, and had so much confidence that even its employees saw its shares as a stable financial investment?
3. Treatment of Whistleblowers
One of the biggest takeaways from Wirecard will again be around Whistleblowers being victimized. It's not the first time and it won't be the last. Whistleblowers - Are they protected or is it career suicide? That's a whole other discussion.
In the case of Wirecard, the Bafin targeted two Financial Times journalists and several short-sellers accusing them of potential market manipulation over reports about suspected accounting irregularities and filed a criminal complaint against them. In response, the German Financial Supervisory Authority banned short selling on Wirecard stocks between February to April 2019.
Other cases we have seen are:
- Kaloti - Anna Waterhouse rightfully reported serious money laundering suspicions about Kaloti and financial transactions. The DFSA instead launched an investigation into her and DB.
- Enron - Sherron Watkins sent an anonymous memo. Enron began an inquiry, but it failed to use independent investigators, and her claims were largely dismissed. Instead, her integrity was questioned on the selling of her Enron stocks after sending the memo.
- Lehmans - Matthew Lee lost his job barely a month after alerting the auditor Ernst & Young
Coming forward and speaking up can destroy careers, and it comes with a personal cost-benefit analysis. It's not that the person lacks morals, integrity, or ethics - instead, there is the bigger picture of a family to feed, a career not to end in tatters, and the mental and physical impact of speaking up.
4. The Future
Wirecard is for sure going to be a compliance and audit training reference point for years to come.
Considering all the above revelations and the subsequent arrest of its CEO and COO, the big questions are now:
- How did this manage to go undetected with so many red flags along the way?
- How were multiple regulatory licenses granted for Wirecard on the back of fabricated capital?
- What now will regulators be doing to make sure this never happens again?
- Have we seen the end of the Wirecard saga?
- What will be the knock-on and legacy impact on other FinTechs and the wider industry?
It is evident that the speed of growth, together with incomplete due diligence, and a lack of governance, has led here to significant pitfalls. We cannot afford to get this wrong again, for in China and other Asian countries, e-commerce is not a luxury but a necessity.
Let's now learn the lessons and try to get this right!
Written by Oonagh van den Berg, Founder and CEO of RAW Compliance, and Founder and Managing Director of Virtual Risk Solutions. She is a recognized industry SME, Educator, and Mentor.