The Rationale for The Regulatory Audit in Banking

It is essential – in contemplating how it was possible for the KPMG SARS report to be written, accepted and proliferated in an apparently highly regulated industry – to fully understand the extent to which KPMG’s banking industry clients are regulated. The question is often raised by banks as to whether there will ever come an end to the seemingly endless droves of new regulation that continue to afflict the industry.

Most bank CEOs rank regulation as one of the most significant reasons for depressed returns on equity (ROEs). In understanding the new regime of regulation first, and bank returns second, it is imperative to acknowledge the rationale for the requirement within banking for the secondary audit – the regulatory auditor. The local regulator in South Africa, the SARB, gets its guidance primarily from the BCBS banking rules that are contained within the Basel III regulations that were first conceived post the 2008 financial crisis, and represent a comprehensive set of reform measures, to be implemented by banks in a phased approach.

The first phase was finalised in 2011, and mainly focused on new rules for capital, its definition, and its threshold requirements. The second and third phases focused respectively on the Liquidity Coverage Ratio (LCR), introduced in 2013, and the Net Stable Funding Ratio (NSFR), introduced in late 2014. Each of these ratios also has phase-in recommendations, allowing banks to gradually alter their balance sheets to meet the requirements. There are many further rules, for example, BCBS 239, titled Principles for Effective Risk Data Aggregation and Risk Reporting, that address other secondary or ancillary requirements. These requirements are contained in a numbered collection of BCBS rules, in this case BCBS regulation number 239, and are sometimes meant for clarification purposes and sometimes usher in new rules altogether.

In recent years, there has been a range of new regulations proposed in respect of the treatment of market risk, for example. The Fundamental Review of the Trading Book (FRTB) rules go live in 2019 and banks are expected to report under these new rules by 2020. FRTB represents a significant move away from the internal model methodology currently adopted by most banks in respect of their calculation of market risk, which was originally based on JP Morgan’s RiskMetrics Value-at-Risk (VaR) approach.

The new methodologies on offer for market risk treatment will require – according to most industry experts – substantial revamping of the systems, wiring and capabilities within banks for the processing of market risk numbers, from data origination, all the way through to comprehensive reporting. The SARB, along with all local in-country regulators, decides at each juncture whether they wish to adopt the new rules recommended by the BCBS into law.

It would be naïve, however, to imagine that in-country regulators have a great deal of choice in the matter. The SARB, barring a few concessions made under pressure from industry, has adopted virtually all of the Basel rules thus far. Regulators in countries such as Australia, Austria, Germany, Netherlands, Denmark, Finland, and many others, have done precisely the same. This was the intended effect: to standardise the rules for banking worldwide in order to reduce geographical arbitrage (think here of offshore tax havens) and to reduce global systemic risk.

In the words of the BCBS itself, the reforms at a bank-level aim to “raise the resilience of individual banking institutions to periods of stress”; and at a macroprudential-level, to target the “system wide risks that can build up across the banking sector as well as the procyclical amplification of these risks over time”.

These are exceptionally rational reasons to usher in new rules such as the liquidity risk and market risk rules that banks are busy implementing. As such, and in order to remain part of the banking fraternity globally, individual countries tend to adopt these rules into local national law far more easily, and with far less fuss, than countries have adopted proposed environmental rules that have been on the international agenda since before even the failure of the Kyoto Protocol, which was first signed in December of 1997.

It is not too cynical an observation to point out that the world’s heads of state have been far more successful in coming to consensus on how banks should be treated, than in coming to consensus on how to protect the ozone layer from the irreversible effects of carbon pollution on the future of mankind and on the environment. The reason is simple: there is an immediate and extreme penalty – never absolutely explicitly stated, but very much implied – to being delinquent in one’s adoption or implementation of the rules. Should a country, or its banks, not comply with BCBS rules, they will, often by law in other countries, be excluded as counterparties in cross-border transactions.

This means, for example, that any and all import and export transactions will be impacted, all cross-currency transactions will be impacted, and the inflow and outflow of capital and liquidity will cease. It would be the equivalent – from an individual country’s perspective – of receiving notice of an imminent and complete economic meltdown, since without being able to trade cross-border, a large proportion of any country’s economy would be put on hold.

The only countries that have demonstrated significant deviation from the BCBS rules are the U.S., the U.K. and China. The U.S., prior to the 2008 financial crisis, first indicated that they wished to adopt the Basel rules, then rejected them, then adopted them in part under the Office of the Comptroller of the Currency. Post crisis, the U.S. regulators – far more complex in structure given the nature of the Federal system than other countries’ regulators – rapidly brought in a set of completely new rules known as the Dodd-Frank laws. Dodd-Frank reads at over two thousand pages and addresses a far broader range of topics than the BCBS rules, including thorny topics such as how to regulate the rating agencies that were found to be derelict during the lead-up to the 2008 financial crisis.

The Dodd-Frank rules, as an aside, need to be complied with by any bank with a banking licence in the U.S., irrespective of where its headquarters are domiciled. This means that Deutsche Bank in the U.S. needs to comply with both Dodd-Frank and Basel III and all its adjuncts. The U.K. has also been slightly out of step with the BCBS rules, but not to the same extent. The Prudential Regulation Authority (PRA) was created in 2012 as part of the Bank of England under the Financial Services Act. This was a result of the U.K.’s adoption of what is known as the Twin Peaks framework, and South Africa is already in the process of adopting a similar structure in the division of duties between the South African Reserve Bank and the Financial Services Board.

Of course, there were many other countries that pushed back against certain of the proposed Basel rules – Germany, for example, in its concern over the treatment of small business loans – but, in the main, the BCBS rules can easily make the claim of being the most widely adopted set of international principles in history, other than perhaps the Geneva Convention principles that protect human rights. In the latter case, sadly, compliance has been far more wanting than in the case of bank regulation.

In order to regulate, there is an inherent requirement to ensure compliance. Regulation, after all, is not just a matter of getting rules passed as law through Parliament. Compliance needs to be governed and policed. Should a particular bank fail to adhere to the minimum standards set out in the rules, then there should also be some degree of sanction. The regulator therefore requires a set of reports on a regular basis, checked by an external party, that would act as submissions of information by every bank. These submissions would either ensure compliance with each and every one of the stipulated rules, or would highlight the particular perforation in the bank’s performance against the standards.

The Reserve Bank in South Africa, realising that it did not have the manpower to design and draft these reporting templates, formed an industry-led group – represented by each of the major banks in South Africa – whose responsibility it was to create these reporting templates. The Reserve Bank adopted a naming convention under which each of the BCBS-specific risk and other reporting requirements could be referred to, which was an already in-place legacy reporting methodology coming out of the Banks Act.

Thus, for example, the BA 100 (Banks Act series 100) report covers the reporting bank’s balance sheet, the BA 110 covers off-balance sheet activities, the BA 120 covers the income statement, the BA 125 covers information regarding shareholders, and the BA 130 covers investment, loans and advances made by the reporting bank. Up to this point, the BA series would seem to be no more than a pro forma representation of the financial statements that would anyway be audited by the reporting bank’s primary auditors.

However, from the BA 200 all the way through to the BA 900, there are thousands upon thousands of very specific fields in spreadsheet-based templates that need to be filled in – sometimes daily, sometimes monthly, sometimes quarterly, and sometimes annually – by the reporting bank. The BA 200, as one example, is particularly complex. It is the credit risk return, and is broken down by a number of dimensions, but in particular by the asset classification dimension as stipulated under the BCBS rules. Furthermore, assets need to be categorised according to whether there is collateral in place to mitigate risk, or whether there are perhaps guarantees in place.

Other parts of the BA series cover liquidity risk, operational risk, market risk, as well as risks specific to derivative positions such as repo positions as opposed to, for example, options positions. There are special sections within the BA series that focus on securitisation and what positions are held by the reporting bank in respect of these complex instruments. This is an example of a reporting requirement that is a direct result of the 2008 financial crisis, in which these instruments were created by banking financial engineers to get risky assets off their balance sheets as fast as possible.

In fact, the majority of the BA series – each of its spreadsheets, and each of its specific fields, of which there are thousands – can be traced back to one or other of the underlying reasons for the 2008 financial crisis in the first place. The necessity, for example, for a reporting bank to prove the make-up of its High-Quality Liquid Assets (HQLA), which is the numerator in the Liquidity Coverage Ratio (LCR), is not only a result of the Northern Rock bank run, nor is it a result only of the tremendous risk inherent in the funding structure of banks’ pre-crisis balance sheets; it is also a result of a near-complete erosion of trust between the regulator and the banks. Not only do the regulators insist that banks report these numbers in immense detail, and regularly – they also require every single one of these numbers to be audited.

It is not difficult to imagine the volume and complexity of work required to audit annually the entire BA series for a bank; nor the hordes of candidate auditors required; nor the sheer organisational and logistical challenges faced by the auditors themselves; nor the risks involved in signing off these audits. Imagine the sleepless nights that the audit partner for a major bank must experience given the extremely deleterious risk that something may have been missed. After all, Ernst & Young was sued almost immediately after Lehman’s failure. Of course, there is professional indemnity insurance, and this somewhat mitigates the risks involved, and there are the fees that should sufficiently compensate partners and the audit firms for the responsibility and accountability they assume; but nothing can protect a firm’s reputation once it has been tarnished to the degree that KPMG South Africa’s has.

Given the immense complexity of banking, and given the necessity for there to remain a sufficiently sophisticated talent pool that is not even more concentrated than it is at present, it is no wonder that the Reserve Bank in late September quietly got the South African bank executives together and asked for everyone to lower the temperature in the room.

It would be unthinkable to fire KPMG as auditors, since, as the Reserve Bank has pointed out, that would serve only to increase systemic risk, rather than decrease it. The conundrum remains: if the scripting and proliferation of the SARS report is not enough for a bank to fire KPMG, then unfortunately there is an inherent acceptance that these four firms are simply too important to fail. And that means that the door is left wide open to further abuse of the trust inherent in these brands.

It seems that it would be far easier, and far more helpful to the audit fraternity, as well as to the banking fraternity, to maintain the integrity of the KPMG brand, and of all the audit brands in general, by simply criminally convicting those individuals responsible rather than attacking the brand. And perhaps it would be wise also to reduce the systemic risk concentrated in these Big Four audit firms by finally, and completely, restricting them to what they do best, which is audit.