Wirecard and Greensill: Emerging Risk Blindness in the 2020s

In April 2019, Financial Times journalists travelled to Manila to visit the registered offices of two companies that Wirecard claimed were processing hundreds of millions of euros in payments across Asia. At one address they found a retired seaman’s home. At the other, a bus company. These were supposed to be the operational hubs of a DAX 30 corporation valued at EUR 24 billion.[1]

Fourteen months later, Wirecard admitted that EUR 1.9 billion in cash on its balance sheet did not exist. The CEO was arrested. The COO fled. Fifteen banks that had extended a EUR 1.75 billion credit facility discovered they had been lending against fabricated revenue.[2]

Less than a year after that, Greensill Capital collapsed, freezing $10 billion in Credit Suisse supply chain finance funds and exposing a business model that had quietly mutated trade finance into unsecured corporate lending.

These were not traditional bank failures. They were something newer and more dangerous: failures of risk identification itself. The institutions that were exposed — as lenders, investors, auditors, and regulators — possessed sophisticated risk frameworks. Those frameworks were structurally incapable of identifying what was in front of them.

Wirecard: The Fraud That Regulators Protected

Wirecard’s fraud was not subtle. It was a fabrication of revenue through fictitious third-party acquiring (TPA) partners across Asia and the Middle East. The company claimed these partners processed payments on its behalf in jurisdictions where it lacked acquiring licences. The partners were largely non-existent. The revenue was fabricated. The EUR 1.9 billion in escrow accounts that supposedly held the TPA cash had never contained anything.[3]

What makes Wirecard essential to understanding emerging risk blindness is not the fraud itself — it is the comprehensive failure of every identification mechanism that should have caught it.

The auditor

EY served as Wirecard’s statutory auditor for over a decade, issuing unqualified opinions every year. EY accepted management representations without independent corroboration, relied on electronic copies rather than original documents, and did not independently verify the existence of the offshore escrow accounts. When KPMG was finally commissioned to conduct a special audit in 2020, it reported that it could not verify the existence of the TPA sub-merchants and could not obtain independent bank confirmations for the EUR 1 billion in cash supposedly held in Asian trust accounts.[3]

The regulator

BaFin’s response to the mounting evidence against Wirecard is the most damaging case of regulatory capture in recent European financial history. Rather than investigating the fraud allegations raised by the Financial Times from 2015 onwards, BaFin investigated the journalists. In 2016, the regulator opened a market manipulation case against anonymous short-sellers who had alleged money laundering at Wirecard. In February 2019, following the FT’s Singapore exposé, BaFin took the extraordinary step of imposing a two-month ban on short selling Wirecard stock. It then filed criminal complaints against the FT reporters.[4]

The subsequent German Parliamentary inquiry found that BaFin was structurally incapable of supervising Wirecard. A fragmented two-tier enforcement system split responsibilities between BaFin and the Financial Reporting Enforcement Panel (FREP). Regional authorities classified Wirecard’s parent as a technology company, exempting it from banking supervision entirely.[4]

The banks

A syndicate of fifteen major banks had extended a EUR 1.75 billion revolving credit facility to Wirecard, which was 90% drawn at insolvency. The lending banks — including Commerzbank (EUR 175 million loss), ING (EUR 175 million), Crédit Agricole (EUR 110 million), ABN Amro, and LBBW — had relied on Wirecard’s DAX 30 membership, EY’s clean audit opinions, and the existence of a regulated subsidiary (Wirecard Bank) as proxies for actual counterparty due diligence.[2]

None of them independently verified the TPA business model. None demanded direct confirmation of the escrow accounts. None asked the question that the FT had been asking publicly for four years: do these third-party partners actually exist?

Total investor and creditor losses were catastrophic. Wirecard’s market capitalisation collapsed from a peak of approximately EUR 24 billion. SoftBank lost EUR 900 million through a convertible bond investment made in April 2019 — after the FT’s reporting was well advanced.[2]

Greensill: When Trade Finance Becomes Unsecured Lending

Greensill Capital’s collapse in March 2021 demonstrated a different but equally dangerous form of emerging risk blindness: the inability of institutional risk frameworks to identify when a familiar product category has been fundamentally redefined.

Standard supply chain finance — reverse factoring — is straightforward. A financial intermediary pays a buyer’s supplier early at a discount, then collects the full amount from the buyer at maturity. The risk is low because the receivable is backed by a confirmed invoice for goods already delivered from a creditworthy buyer.

Greensill distorted this model beyond recognition. The firm financed “prospective receivables” — extending capital to companies based on anticipated future business rather than confirmed invoices. The UK Treasury Committee subsequently described this practice as more akin to straightforward unsecured lending, with the supply chain finance label serving as window dressing.[5]

Credit Suisse: outsourcing the first line of defence

Greensill’s growth depended entirely on its ability to securitise these loans and distribute them to investors. Its primary channel was Credit Suisse Asset Management, which created four supply chain finance funds holding $10 billion in assets. Credit Suisse marketed these funds to its wealth management clients as low-risk, liquid alternatives to money market funds.[6]

The FINMA enforcement findings and the Paul, Weiss investigation revealed that Credit Suisse had effectively outsourced its first line of defence to Greensill. The bank’s asset management division had little independent knowledge of or control over the underlying claims. Greensill originated the loans, structured the notes, and procured the credit insurance — without rigorous verification by Credit Suisse risk officers.[6]

The single point of failure

The entire $10 billion architecture rested on trade credit insurance provided primarily by a single underwriter: Greg Brereton at Tokio Marine’s Sydney office. When Tokio Marine discovered the extent of the concentration risk and the unconventional nature of the prospective receivables, it terminated Brereton and refused to renew coverage. The insurance expiration in early March 2021 stripped the notes of their protective wrapper, triggering the fund freeze and Greensill’s bankruptcy within days.[7]

A $10 billion fund structure dependent on the underwriting decisions of a single individual in a single office in a single city. That is not a risk that appears in any standard counterparty risk framework. It is a concentration risk that only becomes visible if you look through the product structure to the operational dependencies underneath.

Concentration and political capture

Greensill’s exposure was further distorted by extreme concentration in the GFG Alliance, an opaque network of steel, mining, and industrial companies controlled by Sanjeev Gupta. The Bank of England had flagged concerns about GFG-related entities as early as December 2019, but information silos prevented action before government COVID lending guarantees were extended to Greensill.[5]

To access additional government funding, Greensill employed former Prime Minister David Cameron, who held stock options in the firm and engaged in extensive informal lobbying of Chancellor Rishi Sunak and senior Treasury officials. The Treasury Committee condemned this as demonstrating a significant lack of judgement and described Greensill’s positioning as a technology firm helping small businesses as a deceptive sales pitch designed to obscure a fundamental solvency problem.[5]

Of the $10 billion frozen in Credit Suisse’s funds, approximately $7 billion was recovered through liquidation of standard receivables. The remaining $2.7 billion became mired in cross-border litigation and disputed insurance claims. The reputational damage from Greensill and the concurrent Archegos loss of $5.5 billion triggered the fatal loss of market confidence that led to Credit Suisse’s forced acquisition by UBS in March 2023.[8]

The Pattern: Why Traditional Frameworks Miss Emerging Risks

Wirecard and Greensill are different frauds with different mechanics. But they share a common structural cause: the institutions that were exposed were running risk identification processes designed for a financial landscape that no longer exists.

Three specific failures recur across both cases.

Velocity mismatch. Traditional bank risk identification operates on quarterly or annual cycles. Risk models are backward-looking, calibrated to historical default data. Fintechs scale exponentially. By the time a bank’s risk committee categorises a new exposure type — an API-driven aggregator model, a dynamically priced supply chain instrument — the fintech has already mutated its risk profile or scaled the exposure beyond safe parameters. The IIF/EY Global Bank Risk Management Survey found that 57% of financial institutions expressed deep concern about their ability to keep pace with emerging technology developments.[9]

Regulatory perimeter evasion. Financial regulation is categorical: an entity is a bank, an insurer, or an asset manager. Both Wirecard and Greensill designed hybrid structures that fell between these categories. Wirecard separated its regulated banking subsidiary from its unregulated holding company, neutralising holistic supervision. Greensill used the UK’s Appointed Representatives regime — designed in 1986 for self-employed insurance salespeople — to originate billions in corporate debt without direct FCA authorisation. New product types consistently fall between existing risk categories, and the institutions exposed to them apply the wrong underwriting standards.

Third-party risk treated as vendor risk. Banks treated Wirecard and Greensill as standard counterparties or vendors, applying procurement-grade due diligence rather than evaluating them as systemic risk nodes. The IIF and McKinsey found that third-party risk management is the single greatest capability weakness in financial services, cited by 65% of Chief Risk Officers. The lending syndicate behind Wirecard’s EUR 1.75 billion facility relied on the DAX 30 label and EY’s audit opinion as substitutes for independent verification. Credit Suisse relied on Greensill’s own representations about the quality of its origination. In both cases, the bank was flying blind on the risk it had actually taken on.

What Good Looks Like: Horizon Scanning and the Delphi Method

The risks that destroyed Wirecard and Greensill were not unforeseeable. They were unforeseen — by the institutions directly exposed — because those institutions lacked the processes to look for them.

Macro-prudential bodies had identified the threats. The Bank of England’s July 2019 Financial Stability Report warned explicitly about the liquidity mismatch in open-ended investment funds — the exact structural flaw that triggered the freezing of Credit Suisse’s Greensill funds.[9] The WEF Global Risks Reports from 2017 and 2018 flagged technological dependence, cyber fraud, and interconnected risk blindness as top global threats. The IIF/EY CRO surveys consistently identified third-party risk management as the greatest capability gap in banking.

The macro-level identification worked. The translation into micro-prudential action at individual institutions did not. This is the gap that emerging risk processes are designed to close.

The EON methodology addresses emerging risk blindness through three reinforcing mechanisms:

Horizon scanning with PESTLE analysis. Systematic monitoring of political, economic, social, technological, legal, and environmental signals for weak indicators of emerging threats. Greensill’s lobbying of government ministers, the sudden proliferation of supply chain finance as a product category, and the rapid growth of unregulated fintech intermediaries were all observable signals. Horizon scanning does not predict the specific failure. It identifies the conditions under which new risk types emerge — and triggers deeper investigation before the exposure materialises.

The Delphi method for emerging risk workshops. Structured, anonymous, iterative expert elicitation designed to surface risks where historical data does not exist. Experts across risk, technology, legal, and operations are asked to independently assess emerging threats. Anonymity eliminates hierarchical deference and groupthink. Multiple rounds with feedback force convergence on genuine risks rather than consensus around comfortable assumptions. If a bank had run a Delphi process in 2018 asking its risk, operations, and technology experts to assess the systemic vulnerabilities of fintech counterparties, the structural opacity of Wirecard’s TPA model and the insurance concentration in Greensill’s structure would have surfaced as identifiable risks.

Event-driven triggers from peer institution failures. When Wirecard collapsed in June 2020, every bank with fintech counterparty exposure should have conducted an immediate re-identification exercise. The specific question: which of our fintech exposures share the structural characteristics that enabled this fraud? When Greensill collapsed in March 2021, every institution holding supply chain finance assets should have asked: does our risk framework distinguish between genuine trade receivables and prospective receivables? Are we relying on a single insurance provider? The EON methodology mandates this as a formal trigger category. Material events at peer institutions are not news items. They are identification inputs.

The Regulatory Response

The regulatory overhaul following these failures has been substantial. Germany enacted the Financial Market Integrity Strengthening Act (FISG) in 2021, abolishing the flawed two-tier enforcement system and granting BaFin direct investigatory powers over financial reporting. Auditor rotation was mandated and non-audit services restricted.[10]

The EU’s Digital Operational Resilience Act (DORA), which entered application in January 2025, mandates that financial institutions map their entire ICT supply chain, conduct pre-contract due diligence on third-party providers, and bring critical technology providers under direct regulatory oversight for the first time.[10] In the UK, the FCA and PRA tightened the Appointed Representatives regime following the Treasury Committee’s finding that firms were exploiting the framework far beyond its intended scope.

These reforms address the structural gaps. But regulation is inherently reactive. The next emerging risk will not fit the categories that the current framework was designed to capture. The only durable defence is an identification process that does not wait for the regulatory perimeter to catch up.

What To Do Monday Morning

Audit your fintech and NBFI exposures. List every non-bank financial intermediary your institution has exposure to — as a lender, investor, fund distributor, payment processor, or technology provider. For each one, ask: do we understand the actual business model, or are we relying on the entity’s own description of what it does? Have we independently verified the revenue drivers? If the answer relies on audited accounts and public filings alone, your identification is incomplete.
Test your third-party look-through. For your top ten third-party financial exposures, map the operational dependencies underneath. Who provides the insurance? Who processes the actual transactions? Where is the data held? If a single provider, underwriter, or counterparty failure would cascade into a material loss, you have an unidentified concentration risk.
Run a Delphi round on emerging product categories. Assemble experts from risk, legal, technology, and operations. Ask them to independently identify the three fintech or NBFI product categories where your institution has growing exposure and where the risk framework has not been specifically adapted. Aggregate anonymously. Feed back with reasoning. Run a second round. The output will identify your blind spots faster than any backward-looking model.
Establish event-driven triggers for fintech failures. Formalise a process where material fintech or NBFI failures trigger immediate re-identification of analogous exposures. Wirecard should have triggered every bank to re-examine its fintech counterparty due diligence. Greensill should have triggered every institution holding supply chain finance assets to verify the underlying receivables. If your process does not mandate this, the lesson is being absorbed as a news story rather than as an identification input.
Challenge the product label. Supply chain finance is not always supply chain finance. Payment processing is not always payment processing. When a product category is growing rapidly and the margins seem implausibly attractive, the risk identification question is not whether the label is correct — it is what the product has actually become.

Sources & References

Financial Times, “Wirecard — the timeline,” 25 June 2020. FT journalists visited Manila addresses in April 2019; founding reports on FT Alphaville from 2015. Dan McCrum, Money Men (2022). gmtresearch.com
EUR 1.75 billion revolving credit facility, 90% drawn at insolvency; 15 banks in syndicate including Commerzbank (EUR 175M loss), ING (EUR 175M), Crédit Agricole (EUR 110M). SoftBank invested EUR 900 million via convertible bonds in April 2019. Total investor losses approximately EUR 23.8 billion. pymnts.com
KPMG, Report on the Independent Special Investigation — Wirecard AG, 27 April 2020. Could not verify TPA sub-merchants or obtain independent bank confirmations for escrow accounts. wirecard.com
European Parliament, What are the wider supervisory implications of the Wirecard case?, ECON Committee Study, 2020. BaFin short-selling ban February 2019; criminal complaints against FT; fragmented regulatory landscape. europarl.europa.eu
House of Commons Treasury Committee, Lessons from Greensill Capital, Sixth Report of Session 2021–22, HC 151. “Prospective receivables” practice; GFG Alliance concentration; David Cameron lobbying; Appointed Representatives regime. parliament.uk
FINMA enforcement finding, 28 February 2023: Credit Suisse “seriously breached” supervisory obligations on $10 billion supply chain finance funds. FINMA, Report — Lessons Learned from the CS Crisis, 19 December 2023: “serious deficiencies in risk management,” permissive commercial culture, weak tone from the top. finma.ch
Tokio Marine terminated underwriter Greg Brereton; coverage expiry triggered fund freeze in March 2021. Marsh sued for $143 million by White Oak for failing to disclose insurance lapses. insurtechinsights.com
Morningstar, “Credit Suisse’s Demise: A Timeline of Scandal and Failures,” 2023. Greensill recovery ~$7B of $10B; $2.7B in litigation. Archegos loss $5.5B. UBS emergency acquisition March 2023. morningstar.com
IIF/EY, An Endurance Course: Surviving and Thriving Through 10 Major Risks Over the Next Decade, Global Bank Risk Management Survey 2019. 57% of institutions cited concern over pace of emerging technology; 65% of CROs cited TPRM as greatest capability weakness. Bank of England, Financial Stability Report, July 2019: FPC warning on liquidity mismatch in open-ended investment funds. iif.com
Germany: Financial Market Integrity Strengthening Act (FISG), 2021 — auditor rotation, abolished two-tier enforcement, direct BaFin powers. EU: Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, application from 17 January 2025 — five pillars covering ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. forescout.com