The Wirecard Fraud: A Case Study in Failed Confirmation Processes 

In January 2026, the Singapore courts delivered the final verdict in one of the most significant failures of financial oversight in modern history: the Wirecard fraud case.

Singaporean businessman R. Shanmugaratnam received a sentence of 10 years in jail, while his British accomplice, James Henry O’Sullivan, was sentenced to 6.5 years. Their convictions centred on their roles in falsifying financial documents linked to Wirecard AG, underscoring the grave risks associated with internal fraud and the manipulation of the balance confirmation process. 

How the Fraud Was Perpetrated 

Shanmugaratnam, as a director at Citadelle Corporate Services, issued 13 fraudulent letters confirming that his firm held nearly €1.1 billion (S$1.65 billion) in escrow for Wirecard and its subsidiaries. In reality, these funds did not exist. Undetected flaws in the confirmation process—which was meant to ensure independence—enabled the fraud. The supposed “independent” letters were actually drafted by Wirecard executives—including fugitive COO Jan Marsalek and Oliver Bellenhaus—and sent to Shanmugaratnam, who reproduced them on Citadelle’s letterhead. 

This breakdown in the confirmation process demonstrated the devastating consequences of auditors’ misplaced trust in manual bank confirmations, fundamentally shaking the foundation of trust that underpins the audit process. 

The Illusion of Independence 

The collapse of Wirecard was not due solely to missing money, but rather to the false appearance of independent third-party oversight. Citadelle Corporate Services, intended to serve as a neutral custodian for escrow services essential to capital market transactions, instead became an instrument of the fraudsters. 

• Loss of Neutrality: Shanmugaratnam admitted to following instructions from Marsalek and Bellenhaus, copying their wording directly into the confirmation letters sent to auditors. 

• Legal Consequences: The lack of integrity in this process led to severe custodial sentences for those involved and irreparable damage to Citadelle’s reputation. 

Impacts on Auditors and Investors 

The primary victims of this fraud were the external auditors (EY) and the investors who relied on their reports. Auditors accepted confirmation letters via email, believing they were independent verifications. However, because the communication channel was neither secure nor automated, the auditors were unaware that the confirmations they received were actually written by the very company they were auditing. 

This failure to verify the existence of the cash ultimately led to Wirecard filing for insolvency in 2020, after admitting that €1.9 billion was missing. The result was catastrophic losses for investors and a significant blow to confidence in global fintech governance. 

Lessons Learned: What Is Needed to Prevent Recurrence? 

The core lesson from the conviction of Shanmugaratnam and O’Sullivan is clear: Manual, email-based confirmations are no longer sufficient proof of existence. True independence in confirmations requires eliminating human intervention from the verification chain and ensuring that information is exchanged authentically, objectively, and directly between intended recipients and senders. 

To prevent such incidents, it’s essential to have enforceable controls comprising: 

• Direct Digital Verification: Use independent electronic systems to request and receive data directly from banking custodians, bypassing intermediaries like Citadelle directors. 

• Segregation of Duties: Ensure that those establishing relationships (such as O’Sullivan) cannot influence those responsible for verifying accounts (such as Shanmugaratnam). 

• Automated Anomaly Detection: Implement systems that flag deviations in confirmation wording or formats from standard banking protocols in real time, preventing “copy-paste” fraud. 

A Trusted Independent Confirmation Platform Matters 

Thomson Reuters Confirmation offers technology and solutions that enable independent financial confirmations and prevent costly internal fraud, with the following key capabilities: 

• Automated Confirmation: Secure APIs reconcile third-party confirmations, eliminating the manual processes that enabled Shanmugaratnam’s letter falsification. 

• Immutable Audit Trails: Real-time logging and immutable records verify the source of confirmations and ensure that intermediaries have not altered the data. 

• Independent Reconciliation: Automated engines match independent confirmations directly against internal ledgers, removing reliance on self-reported balances or manual emails from “trusted” directors. 

Conclusion 

The sentencing of the Wirecard accomplices serves as a final warning. Without truly independent confirmation tools, there will always be a risk of document interception and manipulation. The Confirmation platform guarantees that an auditor has the most accurate information possible when completing an audit.