There's much that is strange about this story of PricewaterhouseCoopers's consulting work for Bank of Tokyo-Mitsubishi UFJ, starting with the fact that PwC "is accused of lacking the objectivity and integrity expected of consultants but not actually breaking the law." There are some pretty big assumptions in that sentence! What objectivity and integrity do you expect from consultants?
Bank of Tokyo-Mitsubishi had done some illegal transactions with Iran and Sudan and so forth, and it hired PwC to do a historical transaction review of all those illegal transactions. The idea was that PwC would write a report, and the bank would submit it to the New York Department of Financial Services as part of its plea for leniency for, you know, doing all those illegal transactions. PwC wrote the report, and the bank sent some edits to basically make it sound less bad. Here is the Department of Financial Services:
At BTMU's request, PwC removed from a draft of the HTR Report a statement that, had it known from the outset of the HTR about BTMU's written instructions to strip wire messages, PwC would have recommended that BTMU undertake a forensic review of its wire transfers. PwC should have included such an express statement of its views in the HTR Report to ensure complete disclosure to the Department of potentially serious limitations on the HTR process in light of the written instructions. Futhermore, PwC repeatedly acceded to the Bank's demands and redrafted the HTR Report in ways that omitted or downplayed issues of material regulatory concern.
This is ... some pretty dull stuff? PwC omitted "an express statement of its views" about how it should have done more (and presumably more expensive!) consulting work, and it changed wording in ways that "omitted or downplayed" the bank's badness. The DFS settlement agreement, and the New York Times story, both have appendices with the changed language. There are a couple of real omissions, but a lot is about tone and word choice, things like "'Special Instructions' had also been changed to the more innocuous 'Written Operational Instructions,'" ehhh, OK. Anyway, this cost PwC an astounding $25 million, and a two-year ban on doing this sort of work in New York.
Here is a rough chronology:
- Bank of Tokyo-Mitsubishi did bad stuff from 2002 to 2007.
- PwC investigated that bad stuff from June 2007 through June 2008 and wrote a report.
- In June 2008, the bank submitted PwC's report to the Department of Financial Services.
- In June 2013 -- five years later -- the DFS and the bank reached a consent order about the bad stuff, fining Bank of Tokyo-Mitsubishi $250 million (and requiring it to hire yet another consultant!).
- That 2013 consent order relied extensively on PwC's 2008 report:
The HTR provided the cornerstone for the Consent Order. In 2013, after a year-long investigation into BTMU's past U.S. dollar clearing activities, the Department and the Bank agreed to use the HTR's findings as a basis to extrapolate the approximate number of improper transactions processed by BTMU NY from 2002 through 2007. DFS required that information in order to accurately assess the scope of the Bank's misconduct and thereby fix an appropriate penalty.
- Here's what the consent order said about that extrapolation:
BTMU estimates that it cleared approximately 28,000 U.S. dollar payments through New York worth close to $100 billion involving Iran, and additional payments involving Sudan and Myanmar.
- But the DFS wasn't done:
After entering into the Consent Order, the Department continued its investigation, focusing its inquiry on the Bank's dealings with PwC. To that end, DFS reviewed voluminous documents and took sworn testimony from eight current and former PwC professionals who worked on the HTR.
- And now, in August 2014, the DFS is fining PwC another $25 million for deficiencies in that report.
So: The PwC report "provided the cornerstone" for the bank's $250 million fine, since it was the basis for DFS's estimate of how many bad transactions it did. And now DFS is mad about that report. So you might sensibly assume that the report's numbers were wrong: that PwC lowballed the amount of improper transactions that the bank did, minimizing its legal liability. Maybe there were actually, I don't know, 56,000 transactions worth close to $200 billion, and the fine should have been much more.
There are hints of that in today's settlement agreement: Early drafts of PwC's report raised questions about the completeness of its data, and the scope of its investigation, and those questions vanished in the final draft. It's natural to conclude from that its data was incomplete and that its investigation should have dug up more bad stuff.
But those are just hints. Bank of Tokyo-Mitsubishi confessed its wrongdoing six years ago. The DFS agreed to the consent order "after a year-long investigation into BTMU's past U.S. dollar clearing activities." DFS launched its investigation of PwC, full of "voluminous documents," at least a year ago. And there's not a whisper, in today's settlement agreement, that PwC actually got the numbers wrong. The tone was wrong, and the language was revised to be too friendly to the client. But the consent order wasn't based on tone. It was based on numbers. And today's settlement doesn't question the numbers.
This means either that PwC's numbers were right -- in which case, who cares about the tone? -- or that DFS hasn't bothered to check.
People want this story to be about conflicts of interest, and I suppose it is. But be careful: It isn't at all a story of a conflict of interest between consultant and client.
It's much simpler. If you committed a crime, and are caught, often the best strategy is to throw yourself on the mercy of the authorities.
But that in itself creates a conflict. On the one hand, you want to express maximum contrition. You want to confess freely to all your crimes, self-criticize relentlessly, weep and wail and rend your garments and flagellate yourself so much that the authorities find it unnecessary to add any flagellation of their own.
On the other hand. I mean. If you're caught with a pile of meth in your living room, you want to be forthcoming and repentant about all the meth. You don't necessarily want to tell the cops about the bodies buried in the backyard. You want to confess freely and unreservedly to all the crimes they were going to catch anyway.
That conflict -- you want to play up your contrition, while playing down your culpability -- has nothing to do with whether you hire a consultant to do your begging and confessing for you. I mean, hiring (and paying for!) an outside firm to castigate you conveys a pleasing (to regulators) desire to be castigated, so it's a good idea. But you want the consultant to do what you'd do: make you look contrite, but not guiltier than necessary. Always in a way that is consistent with "the objectivity and integrity expected of consultants."
This is not a conflict that can be solved by yelling at -- or fining -- consultants. The consultants are a distraction; the conflict is between regulators and wrongdoers. Regulators want maximal investigations ("tell us every bad thing you ever did"), while wrongdoers want minimal investigations ("here is every bad thing we ever did [that you know about]"). It's hard to imagine how that conflict could ever go away.
On the other hand it's easy to imagine how to minimize its effect. Just have the regulators do the investigation. You want someone to scrutinize every transaction? Scrutinize every transaction! If you outsource your investigation to the company you're investigating, or its agents, you can't act surprised when their scrutiny is less than thorough.
I know, I know. Investigations are expensive, companies that do bad stuff are supposed to be contrite and forthcoming, and regulation will always rely in part on self-policing. But, I mean, the technology exists to deal with those problems. Regulators can, for instance, require targets to pay for consultants who work directly for the regulators, as the 2013 consent order did. Or they can demand "reimbursement to the Department for the costs of its investigation," as today's settlement agreement does. Sure investigations can be expensive, but they can also be profitable.
The lesson here might be that the big problem with outsourced investigations is not conflicts of interests. The problem here seems to be that:
- We don't know if PwC's accounting of Bank of Tokyo-Mitsubishi's wrongdoing -- the number and dollar amount of illegal transactions -- was correct;
- neither does DFS; and
- DFS isn't interested in finding out.
Here the supervisors are skimping on supervision in favor of meta-supervision. They're less worried about questions like "how much bad stuff did Bank of Tokyo-Mitsubishi do?" and more worried about questions like "How did PwC decide how to change the tone of its report about the bad stuff that Bank of Tokyo-Mitsubishi did?" That's a natural question if you do your supervision of banks via meta-supervision of consultants, but it's not exactly a confidence-inspiring one. Maybe if the Department of Financial Supervision spent more time examining the facts, it would have less reason to worry about the tone that PwC used to describe those facts.
To be fair, the "Written Operational Instructions" edit also omitted some colorful internal-manual language that made it clear how Bank of Tokyo-Mitsubishi kept secret the payments that it routed to Iran. But it was still clear enough in the final version: "The instructions were to use the cover payment method, to indicate our Bank as the ordering bank and not to include the name of other final receiving bank, so that the funds would not be frozen."
One really delightful omission is this language, in the original report but not in the final:
Another new case was identified resulting from the search term Sudan having a pound sign in front of the term (e.g., #SUDAN). Subsequent reviews of our project documentation indicated that ALT data was processed by the Bank into a more usable format by using code to convert UNIX linebreaks (carriage returns) into pound signs (#). As carriage returns were randomly dispersed throughout the data, in some instances # symbols appear embedded in terms that were split across two lines of text in the wire. The example #SUDAN is one of these cases and would have caused the Code search methodology not to work. As of the date of publishing this report, we did not further investigate the impact of carriage returns.
Nor is it a story about the conflict of interest between auditing and consulting, even though PwC is an audit firm as well as a consulting firm. PwC acted only as a consultant for Bank of Tokyo-Mitsubishi, whose auditor was Deloitte; PwC's work could just as well have been done by a law firm or a regulatory consultant outside of an accounting firm.
You laugh, but that's apparently a thing. The DFS settlement agreement notes that PwC's report "stated that it was the product of an objective and methodologically sound process," though what it actually said was that PwC's work was "performed in accordance with standards for consulting established by the American Institute of Certified Public Accountants." The agreement quotes those standards, and you can read them here; consultants are supposed to:
Client Interest - Serve the client interest by seeking to accomplish the objectives established by the understanding with the client while maintaining integrity and objectivity.
Understanding with Client - Establish with the client a written or oral understanding about the responsibilities of the parties and the nature, scope, and limitations of services to be performed, and modify the understanding if circumstances require a significant change during the engagement.
So, yes, PwC represented that it was "maintaining integrity and objectivity." It was also representing that it was serving its client, and establishing an understanding with that client about what its services would include. PwC let its client edit its report, and accepted some edits that made its client look better, because that was the assignment.
To contact the author on this story:
Matthew S Levine at firstname.lastname@example.org
To contact the editor on this story:
Zara Kessler at email@example.com