China’s concern over data security, geopolitical tensions, and regulatory changes pose challenges for businesses dealing with competing compliance demands.
As Chinese president Xi Jinping said a decade ago: “Whoever controls big data technologies will control the resources for development and have the upper hand.”
To tighten the reins on who has access to Chinese companies’ data, China has taken aim at one of the global pillars of international finance and commerce, the world’s biggest auditing and consulting firms..
When Beijing asked state-owned enterprises and domestically listed companies in May to increase security checks on their auditors, it was part of a larger, global, power play on control of data. Particularly about how they handle sensitive information.
Currently, the ‘Big Four’ — Deloitte & Touche, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC) — control the lion’s share of auditing work for Chinese companies.
There are plenty of reasons why the Chinese government would want local firms to ditch these mostly US-based firms and appoint homegrown companies instead, as was reported in February.
Beijing is worried about the vast amounts of Chinese data that foreign-linked firms have access to through their auditing and consultancy services. As a show of force, local offices of several foreign-linked consultancy firms were raided recently as part of anti-espionage investigations by Chinese enforcement agencies.
The trend to tighten oversight on Chinese firms took off in 2020 when the government scuttled the initial public offering of Alibaba’s fintech company, Ant Group, in Shanghai and Hong Kong.
Since then, the Chinese government has tightened regulation of various sectors in the economy, rectifying what it regards as commercial malpractices that undermine national interests.
So far, those that have been subject to tightened scrutiny include Big Tech platform companies, private tutoring and online insurance businesses. Companies were fined, forced to withdraw overseas IPO and demanded to restructure.
This state scrutiny of commercial activities eventually spread to accounting firms this year.
In May, the Ministry of Finance, the State-owned Assets Supervision and Administration Commission, and the China Securities Regulatory Commission issued a joint directive, requesting state-owned enterprises and domestically listed companies increase security checks on their auditors.
According to the directive, Chinese businesses should include specific clauses in their contracts with auditors, specifying the responsibilities and requirements for information security protection on the part of the auditors.
In February a media report suggested that the Chinese government had urged state-owned enterprises to appoint local auditors after their current contracts expire.
Although Chinese regulators have not issued official guidelines on this, it would not be a surprise that Chinese policymakers want strategic firms to decouple from US interests.
Ongoing technological rivalries between the US and China, coupled with new regulations on both sides which give governments greater power to inspect foreign companies, have aggravated trade and investment relations between the two superpowers.
Since being permitted to operate in China from the 1990s, the Big Four accounting firms with headquarters in the US have expanded and dominated the Chinese market.
According to rankings compiled by the Chinese Institute of Certified Public Accountants, the Big Four occupied the top places in the Chinese market in 2021, reaping a combined revenue of 20.6 billion Chinese yuan (USD$2.87 billion) from their clients in China, who were mainly Hong Kong-listed and US-listed companies.
Two reasons are behind Chinese leaders’ preference for homegrown auditors.
First, auditors have full access to their clients’ business information and financial status.
Some of the information, such as those relating to company strategies, customer data, state support and personal details of senior management, are not only commercial secrets, but also content that is regarded by Chinese leaders as strategic and sensitive.
Chinese policymakers also want to keep data of firms engaging in advanced technology out of the reach of foreign entities, for reasons of maintaining industrial and technological competitiveness.
Second, foreign auditors or local accounting firms linked to a foreign parent company have to comply with laws in the jurisdiction of their parent firm.
This may result in situations in which China’s interests will be undermined. For example, auditors linked to a US parent firm may be requested by US law enforcement agencies to hand over certain data of their Chinese clients.
To secure confidence from their Chinese clients, the Big Four in China have been stressing their operational independence from their US parent firms, as far as auditing and consulting services are concerned.
In the event of a standoff, auditors have little room to manoeuvre but to leave such conflicts to be resolved by government and regulators between the two countries.
Using local or Hong Kong-based auditors may reduce complications and prevent details of Chinese businesses being surrendered to foreign entities because of legal requirements.
There are questions on whether Beijing’s concerns are valid or another form of discreet protectionism to favour domestic auditors in a market dominated by the Big Four.
At the heart of Beijing’s concern is the link between the local offices of Big Four accounting firms and their US-based parent companies which could undermine the interests of Chinese companies and the Chinese Communist Party.
Despite carrying a global brand, local operations of the major audit firms are legal entities owned by local equity partners. In other words, they are not owned or controlled by their parent firm.
Belonging to a global network of firms, these member firms adhere to auditing and management standards that are adopted across the network. They pay the head office a fee in return for marketing, IT, and other logistical support. The headquarters also provides direction on overall business strategies.
Chinese firms, especially those listed or intend to list overseas, see value in these firms because of their global networks and expertise. As these firms adopt auditing and management practices that are approved by major developed economies, they are more able to gain investors’ confidence.
Operating in China, the China practices of the Big Four are subject to Chinese laws. In the wake of stringent data security measures introduced by the Chinese Communist Party in recent years, these accounting firms have also adopted additional measures to comply with rules governing the protection, localisation, and cross-border transfer of data.
Many multinationals in China have revamped their IT systems, or created new ones only to serve the Chinese market. An integrated global IT infrastructure no longer meets regulatory requirements in China. Ernst & Young in China has been in a dispute with its global headquarters about payments for group IT services that cannot be used in China.
To ensure Chinese data is stored locally, the China offices of global auditing firms operate on a server separate from other offices, including Hong Kong. Staff at other offices are restricted from accessing data of clients on the mainland.
Since Hong Kong does not have similar data laws, no reciprocal arrangements are put in place.
Companies and employees are doing more than is required by laws to protect themselves. Some firms have restricted staff from travelling out of the country with their work phones and laptops.
Decoupling the China operations from other businesses may be a way to reconcile conflicting data-related requirements faced by a multinational. However, this also means additional costs to operate in China.
What has made data security top of the policy agenda has a lot to do with what’s happening inside China.
It’s no secret Chinese leaders want to turn China into a leading power in digital technology and artificial intelligence (AI).
Importantly, taking a lead in data and AI offers China the opportunity to leapfrog development and potentially overtake leading Western technology powers.
Therefore, Chinese leaders see data as critical assets for the country’s development. Managing and securing this data requires a governance regime.
Over the past few years, Beijing has passed new laws to strengthen the protection of domestic data — which it regards as vital to national security — and restrict its cross-border transfer.
Three new laws now form the framework of the data governance landscape in China — the Cybersecurity Law (2017), the Data Security Law (2021) and the Personal Information Protection Law (2021).
For businesses, more and more content now sits within the scope of national security and is subject to layers of regulatory scrutiny.
Among various provisions of these data security laws, the areas that create complications for businesses are related to data localisation and data transfer.
Chinese data security laws require all data generated in China to be kept within the country; any transfer of such data overseas requires the approval from Chinese regulators. Businesses are not allowed to pass on any data stored in China to foreign government agencies without approval from the Chinese government.
Data has also become a battlefield among major powers. Contests over ideology, market share, and the control of critical assets have led to a changing regulatory environment. New rules governing disclosures in foreign jurisdictions have further heightened China’s fears of being compelled to surrender sensitive data.
Take the Holding Foreign Companies Accountable Act. Passed in the US in 2020, it stipulates that companies trading on American exchanges would face delisting if US regulators are denied access to their audit papers for investigation for three consecutive years.
After lengthy negotiations, China finally agreed to allow US regulators to inspect audit working papers of Chinese companies listed on American exchanges. The law and its enforcement have triggered the voluntary exit of seven Chinese state-owned enterprises from US stock exchanges.
The withdrawal indicates the Chinese Communist Party’s prioritisation of data protection over capital investment by state-owned enterprises in foreign markets.
It could also be the case that the audits of these companies would be found not meeting US regulatory requirements.
In their first round of inspections of US-listed Chinese companies, US regulators reported deficiencies in the audits conducted by two Big Four offices in Hong Kong and China.
The battle over data access and protection between the big powers has put businesses in a difficult position, caught between conflicting demands of regulators in different jurisdictions. Any parties passing on any data stored in China to foreign government agencies without approval from the Chinese government constitutes a violation of the data security law.
This restriction conflicts with the Clarifying Lawful Overseas Use of Data Act of the US, which gives US enforcement agencies the right to access electronic data, regardless of where such data is stored.
Medium-sized auditing firms in China are expected to win some market share if the Big Four are gradually driven out of the contest.
That doesn’t mean homegrown auditors will become big winners.
In terms of scale and expertise, only one homegrown accounting firm — Pan China International — made it to the top 10 (fifth position) in the CICPA 2021 ranking; others — the Big Four, BDO, Moore Stephens Da Hua, Baker Tilly, RSM, were all member firms of a larger international network, though not necessarily US-linked.
There are signs that some state firms have begun considering switching to non-Big Four auditors.
The Board of Jiangxi Bank, a city-level commercial bank, recommended changing the company auditor from KPMG to BDO last year. BDO is also a global network of accounting firms headquartered in Belgium. It served 19 central state-owned enterprises clients in 2021.
Meanwhile, regulatory rules in China require Chinese companies to rotate their auditor every eight years. This would allow non-Big Four companies to capitalise on the changing regulatory climate and win new contracts.
For the time being, the new guidance on auditors is understood to be applied to companies on the mainland, but not their offshore operations. Hong Kong subsidiaries of Chinese state-owned enterprises and listed companies are not under the pressure to shift auditors, though their parent companies may be requested to do so.
The Big Four in Hong Kong are the preferred auditors of many Hong Kong subsidiaries of Chinese listed companies, such as tech companies which are looking to raise money and their profile in international markets. They also have a sizeable portfolio of state-owned clients, including the banks and insurance companies, oil conglomerates and telecom leaders.
For those Hong Kong subsidiaries with extensive overseas businesses, the recent top-down instruction on auditors is unlikely to trigger immediate withdrawals from the Big Four. To some businesses, the global network and expertise of the Big Four are valuable resources.
Particularly in the financial services, complex reporting and regulatory rules mean that not all auditing firms are capable of handling more sophisticated disclosures.
Sometimes, smaller auditors are susceptible to pressures from their clients, thus compromising their independence as external auditors. International investors also tend to have more confidence in financial disclosures prepared by globally recognised brands than local Chinese auditors.
Other firms with less sophisticated reporting needs may shift to non-Big Four firms due to the shifting regulatory environment. Close rivals to the Big Four, such as BDO Limited, Mazars Hong Kong, Baker Tilly Hong Kong, are expected to benefit if state-linked companies discard the Big Four. It was reported that smaller local auditors had won new contracts from the Big Four.
Although it is possible for a Chinese parent company to use a non-Big Four firm as its domestic auditor but a Big Four company as its international auditor, in practice companies will prefer using auditors from the same network across its business operations, in order to align accounting standards and reduce audit risk.
Therefore, any change of auditor at the Chinese parent firm, due to added pressure from the top, will affect the auditing contract of its subsidiaries in Hong Kong.
This suggests that companies may face the dilemma between meeting their business and auditing needs on one hand, and pleasing Chinese policymakers on the other.
Companies which deviate from government direction may find themselves under stricter scrutiny of regulators. Failure to meet data security requirements will also result in hefty penalties.
Yvette To is a postdoc at the Department of Public and International Affairs, City University of Hong Kong. She writes about the politics surrounding Chinese technology firms. The work described in this paper was fully supported by a fellowship award from the Research Grants Council of the Hong Kong Special Administrative Region, China (CityU PDFS2021-1H11).