PwC faces its Enron moment: Confidentiality breaches, possible conspiracy to defraud

When then-prime minister Malcolm Turnbull called for heads to roll after the 2016 census was pulled offline – amid fears IBM’s data servers hosting the survey had been infiltrated – the American enterprise technology giant made an important decision.

IBM ran most of the big mainframe systems that had powered core government functions for several decades, earning it billions of dollars a year in fees and making the Australian government one of its top global clients.

No census data was leaked, but IBM faced years of legal sword-fighting with the government as authorities pressed for accountability and compensation for the cost of the disruption.

IBM made the smart call that you rarely win against the government. Even if it could prove it was others who dropped the ball (IBM and its communications provider, Vocus, settled their dispute), IBM accepted it would inevitably be put in the Canberra doghouse by agency CIOs – all of whom have a fine sense of where the political winds are blowing.

Fast-forward seven years and global accounting and consulting giant PwC faces a similar big strategic decision about how it resolves alleged breaches of Australian Tax Office confidentiality – and the apparent profiteering from those breaches – as exposed by The Australian Financial Review’s reporting and a Senate probe into the affair.

The alleged confidentiality breaches gave PwC clients – including, it seems, some big tech players – a crucial heads-up on multinational tax avoidance legislation that then-treasurer Joe Hockey had cooked up to extract tax from the global tech platforms that had made an art form of confounding treasuries around the world.

On the facts as they are known, corporate lawyers say PwC could face charges of contractual and equitable confidentiality breaches, most likely exposing the London-based big four partnership to a string of damages payments.

Corporate regulation expert Brent Fisse says the main potential criminal offences raised by the alleged misuse of confidential ATO information are general dishonesty and conspiracy to defraud, which, if found, would also expose the firm’s partners to possible proceeds of crime liabilities.

The Boeing example

Partnerships are of course jointly and severally liable for any compensation, and the big one would be if the ATO, on behalf of the Commonwealth Treasury, sued for lost tax revenues.

That could be hundreds of millions, if not billions, of dollars. And as Fisse has observed, PwC faces an Enron moment as it weighs up its options. Enron was the US energy giant that spectacularly collapsed in the early 2000s amid an accounting scandal that also took out Arthur Anderson, at the time considered one of the big five global accounting firms.

In the United States and Britain, economic regulators have not been shy to use deferred prosecution agreements to pin misbehaving corporates to the sinners’ wall, extracting remediation, compensation and future operating obligations.

Two years ago, the US Justice Department extracted a $US2.5 billion deferred prosecution agreement from Boeing, after two of its 737 MAX planes crashed, killing 346 people. The payment came after Boeing was charged with defrauding aviation regulators about new software that affected the flight system, and is an example of authorities taking a front-footed approach to enforcement and public interest.

In PwC’s case, it is also about sovereign revenue protection, and the enforcement ball sits with the ATO and its portfolio agency, Treasury.

The ATO has long had a comfortable working relationship with the big four, but now has an aggressive Senate committee pressing for action. Greens and Labor senators are sparring for public attention amid calls for government-wide bans of PwC, an investigation by the new anti-corruption agency and the names of all the PwC operatives who were in the know and turned a blind eye.

PwC has quickly engaged Labor-friendly lobbyists to calm the political waters. But it all comes as big consulting is on the nose, not just in Australia but across the globe, with governments increasingly wary of the sector’s conflicts of interests amid claims of key policy skills being outsourced.

Labor’s promised internal consulting hub has been given the go-ahead. However, the whole affair has yet again exposed how underdone Australian federal regulators are when it comes to dealing with globalised real-time payment systems that enable firms to easily shift dollars to wherever is most tax effective.

Real-time problems

Real-time payment apps and systems are also scaring prudential regulators, who have long relied on paper-based, face-to-face banking to make deposits “sticky” and slow potential bank runs – yet another example of how governments are hopelessly behind digital capitalism.

It is the surging area of digital scams and investment frauds where real-time payment systems are causing most strife, as scammers hoodwink millions into sending money direct from their banking apps.

If there is one principle that is uniting the gaggle of federal regulators that oversee the digital economy it is that, just like car manufacturers, digital firms must ensure the safety of their services and products. Just like Boeing, a key area of regulator focus is algorithmic transparency.

This seemingly uncontroversial principle is being heavily contested in the cyber, privacy, data management and consumer spaces as banks, telcos, media firms and social media platforms push back on proposed consumer protections – as they have for more than a decade.

Australia has come late to the digital privacy party, and policymakers have been able to observe what works and what doesn’t. Rather than following the highly flawed European consent-based route that has led to a pantomime of faux agreements, data expert and UNSW professor Peter Leonard says regulators are heavily supporting proposals by the Attorney-General’s Department to impose “concrete legal requirements of responsibility and accountability” for digital firms.

National security threat

Consumers’ rights and control over their own data has become the lobbying battlefront in Canberra, with data firms arguing that plans to let consumers opt out of being tracked will destroy personalised services, including media and advertising.

The same was said about bans on junk mail in letter boxes, spam prohibitions and do not call restrictions. Research has consistently shown citizen control is the fundamental design principle that firmly holds up the digital trust tent. Again, big tech, media, social media and marketing players will need to make a call if the tidal wave of data protections and controls that authorities across the world are inexorably imposing on the wild west data world are going to fade away.

No prizes for guessing the answer, and this week Financial Services Minister Stephen Jones committed to a new cross-industry code to impose enforceable obligations on banks, telcos and the social platforms to protect consumers from scams and investor fraud.

Jones had been heavily lobbied by Australian banks to not follow Britain, where the big banks have 48 hours to refund money lost to invoicing fraud. Britain is also banning unsolicited marketing calls for financial services and mass texting technologies.

British banks are reporting up to 80 per cent of their biggest fraud categories are coming from the three Meta giants, Facebook, Instagram and WhatsApp, suggesting scammers have already moved on from the telco world.

In Britain, fraud and scams represent a staggering 40 per cent of all crime, prompting (conservative) ministers to declare the online contagion a threat to national security. Meanwhile, Australia is embracing a camel-like regime of standards and obligations to be overseen by the ACCC’s new national anti-scam centre, in which victims face having to navigate around the various players to get their money back.

Good luck with that. It may be old-fashioned, but people put money with banks to ensure it is not stolen. Short of reckless negligence by customers, consumer groups persuasively argue that it is at the bank where the buck should stop and that without an economic incentive to lock down their systems, the banks will continue to be a honey pot for fraudsters.

Unlike the slow-moving policy agencies, regulators daily see the real world as it actually works. ACCC chief Gina Cass-Gottlieb is no cowboy, and has been particularly vociferous about needing refreshed powers, including take down and verification powers to remove the obvious scam sites, adverts and enticements.

The ACCC’s seminal work on digital platforms pushing for new code-making powers is still being considered, with Treasury curiously reluctant to embrace the customer centricity paradigm now underpinning modern government.