Wrap your head around this: On Monday, giant accounting firm PriceWaterhouseCoopers was fined $25 million and accepted a two-year ban from some businesses to settle allegations by New York state regulator Benjamin Lawsky that PwC failed to get Bank of Tokyo-Misubishi to comply with regulators. Also, PwC will continue to do plenty of work helping banks comply with regulators. Got that?
The Bank of Tokyo-Misubishi case goes back to 2007. Regulators found that the Bank of Tokyo-Mitsubishi broke U.S. money laundering rules by processing payments that went to individuals and businesses in Iran and Sudan. The bank was mandated to hire a monitor. It bank hired PwC.
One of PwC's duties was to investigate how the bank had run afoul of the rules. They prepared a detailed report saying how Bank of Tokyo-Mitsubishi did things like insert hashtags when Sudan was mentioned (e.g., "Su#dan") to outsmart regulators' automated systems that were programmed only to look for correct spellings of blacklisted countries.
But PwC didn't submit that report to regulators. Instead, it submitted a sanitized version of the report that stripped much of the bad stuff out. Why? Well, according to internal PwC emails, senior executives didn't want to jeopardize its relationships with Bank of Tokyo-Mitsubishi and other banking clients. Regulators, however, got a hold of that earlier version of the report, and that's why PwC is in trouble.
See, a little over a decade ago, Congress passed Sarbanes-Oxley that was supposed to, among other things, limit the amount of non-auditing work that auditors could do for their clients. It was a reaction to Enron and other accounting scandals. The idea was that Arthur Andersen looked the other way when it came to Enron's faulty accounting because raising concerns might have jeopardized the lucrative consulting gigs it had with the energy giant.
Sarbox required all sorts of publicly traded firms to disclose payments they made to their accounting firms for non-audit work. Big banks and other firms put into place rules that required a committee of the board of directors to be notified when the firms' auditor was hired to perform any duties not related to auditing.
Initially that stopped banks from hiring PwC (and its competitors KPMG, Deloitte and Ernst and Young) for anything other than auditing and filing taxes. But then came the financial crisis. Post-crisis financial reforms like the Dodd-Frank financial reform law created all types of new requirements for banks. Accounting firms quickly responded by launching services that would help the banks comply with all the new rules. Since these services were considered "audit-related," firms could hire them without running afoul of Sarbox. What's more, in the wake of the financial crisis, regulators and the rest of us cared a little bit less about so-called auditor independence and more about keeping the banks in line.
Like its rivals, PwC has a built up a large regulatory compliance practice. For instance, Bank of America (bac) is audited by PwC. Last year, it paid PwC $104.2 million in fees. Just $100,000 of that was for non-audit work. But $7 million of that was for audit-related work. According to Bank of America audit related work includes "reporting and compliance matters and risk and control reviews." It was $13 million the year before that. There is nothing in the Lawsky settlement that prohibits PwC from doing work for the banks to help them comply with the Fed's stress tests or Dodd-Frank. That "audit-related" work is likely to grow.
In the Bank of Tokyo-Misubishi case, PwC seemed to be pretty concerned about how the bank, and others, would take their report. In this instance, it appears PwC didn't want its consulting work to jeopardize its accounting work. And although Bank of Tokyo-Misubishi wasn't an audit client of PwC, PwC does count three of the largest U.S. banks --Bank of America, Goldman Sachs and JPMorgan Chase -- as audit clients. And in one e-mail a director at PwC said that one of his concerns was that a thorough investigation of Bank of Tokyo-Mitsubishi might "finger" other banks as well. He didn't want his colleagues to be fingering anyone. And as long as you are in the process of marketing a business to banks to help them comply with regulations, you probably will try as hard as you can not to be the guy who points out to regulators when banks don't.