McKinsey warned Wirecard more than a year before the payment group's collapse that it should take "immediate action" to deal with an absence of controls at its largest business.
The consultancy told the company in June 2019 that "risks related to business partnerships or third parties" were one of itsmain vulnerabilities, according to two people briefed on the details and a document seen by the Financial Times.
The third-party business, later exposed as a sham, was said to carry out payments processing on Wirecard's behalf in countries where it lacked licences to do the work itself. It accounted for half of the group's reported revenues and all of its operating profit.
Last month Wirecard filed for insolvency after disclosing that the outsourced operations had been misrepresented to shareholders and that €1.9 billion ($3.3b) in cash linked to the operations probably did "not exist".
The McKinsey assessment, which was jointly commissioned by the management and supervisory boards at Wirecard, shows that compliance shortcomings were highlighted internally more than a year before the company acknowledged that a vast fraud had taken place.
Later, in August 2019, McKinsey gave a full presentation to the two boards at an off-site meeting in Austria, where it warned that "non-existent" controls over the third-party business had created a "significant risk".
McKinsey was hired after the Financial Times reported in April 2019 that Wirecard relied heavily on three opaque partner companies in Asia to carry out payments processing on its behalf.
The compliance audit by McKinsey was one of the first initiatives of Wirecard's risk and compliance committee, which was founded in March last year and chaired by Anastassia Lauterbach, a McKinsey alumna.
Lauterbach was appointed to Wirecard's supervisory board in mid-2018 alongside Susana Quintana-Plaza, then a partner at Siemens' venture capital arm Next47. They joined a board dominated by men who had supervised the company for a decade.
The McKinsey review was finished by the end of June 2019 — four months after Wirecard's then chief executive Markus Braun told analysts on a conference call that the company's compliance was "perfect".
Wirecard's chief financial officer Alexander von Knoop said on the same call that Wirecard was "very well structured in the field of compliance and legal". Von Knoop was responsible for compliance at the time.
Thomas Poppensieker, senior partner of McKinsey's global risk practice, presented the final results in August 2019. The findings were devastating for a company that had joined Germany's prestigious Dax index the previous September and that had faced repeated allegations of financial misconduct over the previous decade.
The consultancy reported that Wirecard's third-party business lacked compliance policies and internal oversight. It warned that such shortcomings in control functions could lead to managers "cutting corners illicitly" who want to meet internal targets.
As a consequence, this could expose Wirecard to financial risks from a falling share price and the loss of clients, McKinsey warned.
McKinsey described a multitude of other risk and compliance shortcomings. For instance, Wirecard lacked any formal process for acquisitions and post-merger integration, while controls over the enforcement of state sanctions and embargoes were also found to be "non-existent".
All of these shortcomings had a "high probability of reputational, economic and legal risks to the organisation and its statutory bodies", according to the document seen by the FT.
McKinsey concluded that Wirecard's risk and compliance culture was in need of "substantial change" and suggested hiring up to 50 additional staff, including a group compliance officer.
The findings triggered a heated discussion within Wirecard, people familiar with the matter told the Financial Times. Talks were held with McKinsey about a follow-up project to implement the proposed changes. However, Wirecard's management board instead pushed for PwC to be given the job of setting up a new compliance organisation.
This project — code-named "Merlion" after the national symbol of Singapore, where whistleblowers in early 2019 raised flags over accounting fraud at Wirecard — was launched later in 2019 despite creating a potential conflict of interest: PwC is also the auditor of Wirecard Bank.
Moreover, while PwC's remit included nine different "workstreams", it did not address Wirecard's third-party business, people briefed on the details told the Financial Times. Another controversy arose over the precise remit and powers for the newly created role of group compliance officer. The idea to give this person a management board seat was initially rejected and only revisited and implemented later as questions over Wirecard continued to mount.
James Freis eventually joined Wirecard as group compliance officer on June 18 this year from Deutsche Börse. He ended up being promoted to interim chief executive the following day, as Braun resigned.