How Wirecard skirted regulatory scrutiny by jurisdiction-shopping and canny intra-group structuring.
It would have been the quintessential business success story. Founded in Munich in 1999, this small payment processor for online gambling and pornography sites grew so massive that, by 2018, it had displaced Commerzbank from Germany’s prestigious Dax 30 index.
At its peak, the juggernaut was valued at more than €24 billion (S$38.6 billion). It issues credit and debit cards, supplies contactless payment tech, and processes payments for a purported 250,000 merchants worldwide, including almost 100 airlines.
Instead, Wirecard practically wrote the script for a blockbuster crime film. Signs of malfeasance began early on. Six-year-old Wirecard joined the Frankfurt stock exchange through a reverse takeover, avoiding the scrutiny of an initial public offering. Three years later, it fought off what would become the first in a series of balance sheet irregularity claims. Over the years, various authorities, including German regulator Federal Financial Supervisory Authority (BaFin) would side with Wirecard, charging accusers with market manipulation.
The Financial Times, which had homed its journalistic sights on Wirecard since 2015, published a flurry of exposes, revealing that almost all of Wirecard’s recent reported profits had come from only three opaque partner companies; that profits at two units were fraudulently inflated; and that customers the payments giant claimed to have did not exist.
Under intense investor pressure, Wirecard appointed KPMG last October to conduct a special audit to prove that its dealings were above board. Instead, the report published in April said that the accounting firm cannot confirm that arrangements responsible for “the lion’s share” of Wirecard profits reported from 2016 to 2018 were genuine, citing several “obstacles” to its work.
By June, Munich prosecutors had launched a criminal investigation against chief executive Markus Braun and three board members. A €1.9 billion-hole was found in Wirecard’s balances, forcing it to finally acknowledge the multiyear accounting fraud, saying that it will file for insolvency.
Braun and two others were arrested. Jan Marsalek, Wirecard’s chief operating officer and Braun’s right-hand man, went missing. Reports say that Marsalek has ties to Russian intelligence and once tried to fund and field a militia in Libya.
Now the definition of a penny stock, Wirecard is “beyond salvageable”, analysts say.
Regulatory structuring and forum shopping
Before the scandal went public, few consumers in Singapore – where the group had established its regional headquarters – had even heard of Wirecard, let alone any inkling that it enables a significant part of their shopping. Most would have assumed that it was Visa, Mastercard or a local bank that controls credit card payments.
Wirecard may only be one company – albeit a one-time fintech darling – but its significance is much greater. The scandal exposes vulnerabilities in the expanding universe of fintech, electronic payments and virtual businesses that allow unscrupulous managements to take advantage of regulatory arbitrage. Companies can, for example, pick and choose which jurisdictions their lines of businesses are sited – and thus regulated – in, through the clever use of subsidiaries, location of accounts and intra-group payment arrangements. Thus, a major financial service provider can operate in many jurisdictions with minimal supervision.
As a group, Wirecard operates several entities in Germany, including a bank, several payments service providers, a payment app named boon., and other “neo banking” services. However, the top-level company Wirecard AG is not regulated as a financial institution because it had categorised itself under German law as a “technology company” that provides group services. Wirecard is regulated in certain jurisdictions for payments services or payments schemes; in yet others, it did not come under government supervision. This allowed the group to lawfully provide essential payments services without coming completely within regulatory radar.
Payments – growing numbers in a shrinking world
According to a McKinsey report published last year, global payments revenue was US$1.9 trillion (S$2.6 trillion) in 2018. More than one-third of this was in Asia. And, while margins are traditionally smaller for Asian transactions, it is expected that this market will continue to be the largest in the industry.
Traditional banks make up a significant 37 per cent of this revenue stream, but they face competition from an increasing number of alternative payments providers. From stored value to credit, from payments portals to aggregators that let businesses accept card payments without setting up a merchant account through a bank, the ecosystem is evolving into payments as a service.
At the same time, the industry is consolidating as players compete for new markets and strive to achieve scale through global mergers and acquisitions. While we have bigger numbers, it is a “smaller universe”. Wirecard was right in the middle of this, operating point-of-sale (PoS) machines at your local deli, and supporting banking and other card services in major hubs, such as Singapore.
One of the key risk mitigants in any regulatory oversight programme is whether another company in the group is already regulated in an equivalent (and robust) regime of another country. It is impracticable to require a company that has operations in multiple jurisdictions to comply with the specific (and sometimes varied) requirements of each one. Regulators will consider where else a group is regulated when determining the risk level present in the local operations.
But BaFin had challenges in regulating Wirecard AG (classed as a tech company) as national laws did not promote the examination of the group – notwithstanding its size and systemic importance – as a whole.
The unwinding of the mess will now have to play out in each country in which Wirecard operated. BaFin’s lack of jurisdictional oversight has forced regulators of Wirecard subsidiaries to move on their own to ensure that financial reserves are held in country. Singapore’s authorities moved quickly to investigate the local subsidiaries and to ringfence its onshore assets.
But given the group’s size and operational significance in payment systems, it may not be possible to simply shut down its operations as the businesses relying on Wirecard’s services will be affected. You cannot just turn off the millions of PoS terminals and online payments portals without providing time for transition.
Clearly, a fresh look at the network of regulations is called for. Bundesbank’s president has said that Germany must toughen its rules for auditing and accounting to prevent another billion-euro scam like Wirecard-gate.
In Singapore, the authorities are actively updating the law to cater for innovations in fintech – from the Payment Services Act (PS Act) that was introduced into law earlier this year to regulate payment service providers, to the recent consultation paper for an Omnibus Act that seeks to consolidate and expand regulatory oversight of different classes of financial institutions, both onshore and (in certain cases) off. The PS Act and, if implemented, the Omnibus Act, would allow the Monetary Authority of Singapore to regulate companies incorporated abroad and/or their offshore activities with a clear Singapore nexus. This means that activities conducted by companies not present here can be brought under its supervisory eagle eye.
But the biggest problem facing financial authorities remains the global regulatory gaps. While securities laws are generally uniform and well established, and financial institutions that participate in those markets are well regulated, a similar regulatory framework for payment services has not had time to mature.
So while we continue to vaunt the rise of startup disruptors, bringing innovative ways to conduct business and lower the costs associated with traditional models, with some providers perceived as growing “too big to fail”, regulatory agencies the world over are having to play catch-up. Hopefully before another large failure hits the newsstands, even if the next one doesn’t involve a COO-cum-spy who is now allegedly under Russian protection.
A version of this article ran in the Business Times on 3 August 2020.