The Big Four – Disproportionate Concentration Risk

It is sobering and deeply unappealing to conclude that despite any crime committed within the Big Four audit fraternity – irrespective of the impact or severity of the crime – it is, as argued above, systemically impossible to shut down the firm involved. But this needs to be properly put into perspective by analysing the manner in which systemic risk has been addressed in the banking world.

Significant effort, post crisis, went into the definition and subsequent regulation of so-called SIFIs (Systemically Important Financial Institutions). This term was subsequently replaced with two versions of the concept, namely G-SIBs (Global Systemically Important Banks) and D-SIBs (Domestically Systemically Important Banks). Following the 2008 financial crisis, regulators – specifically U.S. regulators and the BCBS (Basel Committee for Banking Supervision) – decided to ensure that institutions such as Citibank or JP Morgan, which are so large and so intertwined in trades and transactions with so many multifarious institutions worldwide, and which serve so many customers, should have a lower probability of failure than other, smaller, regional banks.

The logic is simple: if Scotiabank (previously the Bank of Nova Scotia) were to fail, the regulator would step in, larger banks would buy up the assets for pennies in the dollar, trades would be unwound, and equity-holders would lose their money. Bondholders and other debt obligations would probably be met in the pricing of the assets. At worst, the government would take a stake in the bad assets. In South Africa, the failure of African Bank was an example of a variation on this theme.

However, were JP Morgan to fail, there would be apocalyptic consequences: all trades – often of enormous magnitude – with counterparty banks, would be in grave danger, possibly pushing these counterparty banks over the edge in a kind of domino effect. Confidence in banking would plummet; there would be a run on the bank, as well as on counterparty banks, further exacerbating the crisis.

Consider, for example, that Lehman Brothers, when it failed, was only one of the five large U.S. investment banks, and these investment banks were far smaller in size than the large diversified global banks. Lehman held assets of USD 639 billion in 2007, and JP Morgan held nearly USD 2 trillion in assets at the time.

Thus, in assessing the extraordinary impact of Lehman’s failure, regulators insisted that SIFIs should be defined, named, and that they should hold an additional buffer of high-quality equity. It is fairly straightforward, however, to poke conceptual holes in these additional SIFI measures. For example, if Citibank is required to hold an extra 2 percent of equity on their Risk-Weighted Assets (RWA), then by definition they will need to have lower leverage than their competitors. This will drive down their Return-on-Equity (ROE) which will make them less attractive investments. This in turn will drive up their cost of equity, which will once again further erode their ROE.

Also, the more equity a bank is required to hold from a regulatory perspective, counterintuitively, the riskier the bank becomes. Here’s the logic: if Citibank’s equity were to dip below the regulatory threshold – which is now more likely because the regulatory requirement has increased the nominal threshold – the news would cause an immediate liquidity crisis and a run on Citibank. No trader at any other bank would wish to be a counterparty in a trade with Citibank were it to breach its equity threshold – the bank would be unable to meet short-term liabilities long before it had time to use its extra SIFI equity buffer.

Nevertheless, despite these misgivings – long-debated in conferences and regulatory circles – one can see the importance of defining, at the very least, and especially vigilantly regulating, SIFI entities.

There are two kinds of SIFIs. The first are global SIFIs and the second are what are called D-SIBs (Domestic Systemically Important Banks). At the time of writing, there are three Japanese G-SIBs (Global Systemically Important Banks), four Chinese G-SIBs, one Belgian G-SIB, four French G-SIBs, two German G-SIBs, five U.K. G-SIBs, as examples, and there are eight U.S. G-SIBs. Eight is significant, but makes perfect sense given the size of the U.S. economy as a proportion of the world economy.

In fact, there are thirty-four G-SIBs globally. Zions Bancorp, for example, operating out of Salt Lake City, Utah, is the 42nd largest bank in the U.S. by total assets. It is neither a G-SIB, nor a D-SIB. In fact, it is a pretty small bank, with only USD 63 billion in assets. That’s only 2.5 percent of JP Morgan’s total assets – in fact, JP Morgan is forty times bigger than Zions Bancorp. Yet, just like JP Morgan, Zions Bancorp is required by U.S. regulators to comply with the very same banking rules that any other bank in the U.S. is required to comply with. It is astonishing to note that 98 out of the top 100 banks in the U.S. are audited by only four audit firms, namely the Big Four.

To put things properly into perspective, Deloitte employs 264 thousand people worldwide, and is the 6th largest privately-owned organisation in the United States. PwC employs 236 thousand people worldwide and is headquartered in London. Ernst & Young is the third largest in terms of number of employees with 231 thousand staff, and KPMG is the smallest of the Big Four with only 189 thousand employees worldwide. Zions Bancorp, as at the end of 2016, employs just over 10 thousand people worldwide – but most of them work out of the Salt Lake City headquarters.

It seems somewhat ironic, and disproportionate, that whilst banks have been inundated with extraordinary and complex regulation over the past decade, specifically regarding the question of systemic risk to the world economy, there are only four audit firms tasked with ensuring the veracity and accountability of virtually all banks worldwide, both in terms of their financial statements, as well as in terms of their regulatory reporting. Investors and regulators depend on a very select group of firms to safeguard the world economy.

If the failure of Lehman could do so much damage, it was surely appropriate for regulators to address shortcomings in the rules. Their introduction of the LCR (Liquidity Coverage Ratio) and NSFR (Net Stable Funding Ratio) metrics, are examples of their efforts. It seems remarkably myopic, however, to fail to recognise the systemic risk in having only four audit firms covering the majority of the world’s banks. It is telling that, in the 16 years since the failure of Enron and subsequently Arthur Anderson, there has been no new entrant to the elite tier-one audit club. Consider the fact that no merger has taken place between tier-two firms that have been anywhere near consequential enough to enable a new firm to gain traction in the business of auditing banks. The market for bank audits would appear to be unusually difficult to enter.

In fact, the concentration risk is even higher than the audit risk only. The Big Four each have approximately half of their revenue generated out of audit, the other half being generated out of advisory activities. This ranges from tax consulting, forensic work, management consulting, innovation, systems implementation work, human resources consulting, and contracting activities. A substantial portion of the revenue generated out of the advisory side of these firms comes also from bank customers. Audit firm brands are the dominant advisory and consulting brands that service banks.

Whilst audit firms are restricted from providing advisory services to the banks that they audit, they can provide advisory services to those banks they don’t audit. With the future introduction of forced rotation of auditors, every five years – originally conceived as a method of enhancing independence in audit – there is the possibility of having a large team of consultants from a particular audit firm acting one year as advisors, and the following year as auditors. Of course, the teams may be made up of different personnel, but there is quite significant internal personnel movement between the audit and advisory sides of these businesses. And there is of course a natural positive bias towards the work of one’s own colleagues.

Audit, to be sure, is substantially regulated. This is not in question. And audit firms, in the main, are extremely ethical in their behaviour, given that their business is based on the inherent trust bolted onto the brand. But there are two inevitable problems that pervade. First, there is the obvious problem that KPMG, as a tier-one audit firm, is simply too big to fail. Secondly, a sizable proportion of their work – whilst benefiting from the certitude and faith that is embedded in the audit profession – is, more or less, like all consulting, completely unregulated.

These have been two of the key arguments made against knee-jerk reactions to have KPMG South Africa fired as auditors. Putting aside the Gupta-linked companies and KPMG’s audits of these companies, the far more severe transgression was the fake SARS report. Bear in mind that this report was not an audit report. It comes from an advisory perspective – yet it had plastered on it the veneer of assurance. This is the same reason that television shows in which contestants win prizes, the Oscars, motor racing, and a plethora of other sports and social events, will use an audit firm to check the data and to provide conclusive outcomes that can be trusted.

The SARS report in many ways does not cast a shadow over audit as a function, or even as a profession. Rather, it casts a shadow over the structure of the audit firm community worldwide, raising disturbing questions regarding competition laws. But mainly, the SARS report simply amplifies an existing, and much-ignored, risk that sits squarely at the heart of the economic system worldwide. And that is the concentration risk within the Big Four.