- Key insight: KPMG repeatedly certified the three banks as financially sound, even shortly before the banks failed.
- Supporting data: The firm earned nearly $20M in combined fees in 2022 from the three banks.
- Forward look: Lawmakers are recommending auditing industry reforms, including mandatory auditor competition, expanded Public Company Accounting Oversight Board disclosure and new whistleblower programs.
Accounting firm KPMG, which audited each of the three midsize regional banks that failed in 2023, signed audits that led the public to believe each bank was financially sound — in some cases just days before the bank collapsed, according to a new report from the minority staff of the Senate Permanent Subcommittee on Investigations.
The report, released by committee ranking member Sen. Richard Blumenthal, D-Conn., alleges that, among other things, KPMG ignored Silicon Valley Bank's liquidity risks and vulnerability to a bank run, dismissed fraud allegations at Signature Bank and withheld concerns about First Republic Bank's ability to survive from its board.
"PSI's investigation reveals the extent to which auditors can be aware of deep flaws within an institution long before they are disclosed, or otherwise made apparent, to the public," the report stated. "KPMG publicly certified that [each] bank's financial statements 'present fairly, in all material respects, the financial position of the [bank]' and that each bank 'maintained, in all material respects, effective internal control over financial reporting,' [leaving] many depositors and investors with the impression that each bank was financially sound."
According to the report, KPMG — one of the Big Four accounting firms — gave SVB, Signature and First Republic clean auditing opinions 14 days, 11 days and 62 days, respectively, before each bank's subsequent failure. While bank regulators have reviewed each bank's failure, regulators broadly blamed management rather than the banks' accountants for failing to appreciate the danger the banks were in before it was too late.
KPMG, when reached for comment, said the firm complied with auditing regulations and that the Wednesday report called for auditors to go further than required by law.
"The Minority staff report is a misguided and erroneous opinion that stands as an outlier from the multiple investigations that have been conducted on these banks, none of which point to an auditor role in the failures," a KPMG spokesperson wrote in an email. "Importantly, however, after two years, this Minority staff report expressly does not question the accuracy of KPMG audit opinions and concedes that 'no regulatory assessment suggested that KPMG played a role in the failures of the banks' or violated auditing standards."
Following the failure — which came at the same time as Signature Bank and preceded the failure of First Republic a month later — FDIC sold SVB's assets to First Citizens BancShares. With $209 billion in assets, SVB ranks among the largest U.S. banking failures in history.
PSI investigators discovered that KPMG continued to give SVB's books a clean diagnosis even though it knew about the bank's weak internal auditing as early as 2022, after the Federal Reserve alerted KPMG to "foundational weaknesses." The firm told the Federal Reserve after a second alert in January 2023 that it had not relied on information provided by SVB's internal auditors for three years. When given the chance to raise "going concern[s]" in a 2022 audit, KPMG failed to identify six risks that SVB faced. The risks included the deterioration of assets, abrupt personnel shifts, exposure to volatile markets, volatility in the banking industry, regulatory inquiries and significant share price deterioration.
The report also found that the risks of rising interest rates, causing losses on SVB's securities portfolio, were not raised in the audit plan KPMG presented to SVB in 2022 or 2023. The auditing firm also signed a "comfort letter" shortly before the failure, assuring the banks' financial soundness using "ten-day-old data" saying the bank would need to release additional stock shares to raise emergency capital.
Before the executives could sign off on the comfort letter's issuance, the bank failed.
At Signature bank, KPMG reportedly knew of sweeping mortgage fraud allegations that compromised the bank's credit risk statements, but did not adequately investigate those allegations, relying instead on the bank's law firm's oral summary of the issue. The auditors still issued an unqualified audit opinion.
Auditors also struggled to obtain documentation about a "significant deficiency" in the bank's securities portfolio. In internal messages, the firm's second-most senior auditor told a coworker that Signature "has like [significant deficiencies], and they don't [care]," but KPMG still told the bank's board the issues were fixed by year-end.
The report also alleges that Signature's CFO was a former colleague of one of KPMG's lead partners and the relationship swayed the audit team not to seek further information about asset valuation deficiencies, the same gaps that later drove regulators' loss of confidence in the bank.
The report found the auditor tasked with reviewing Signature's blockchain payment platform lacked cryptocurrency expertise. When questioned by investigators, he could not explain the basic principles of the technology, like the difference between distributed ledger technology and a traditional centralized ledger, despite the centrality of cryptocurrency to the bank's business.
Days before First Republic's collapse, the bank completed a required "going concern" analysis. Internally, KPMG questioned the assumptions supporting the bank's ability to survive but never raised those concerns with the board at its April 21, 2023, meeting, just ten days before the bank went under.
KPMG also reviewed the bank's April 24 earnings release, which lacked discussion of risks about First Republic's financial health. KPMG, while not required to vet the earnings release, did not challenge the omissions, even though the same figures would have required its sign-off on an interim financial statement later that year. The lack of challenge to the release left the risks unidentified, according to the subcommittee.
The report also raised what it saw as conflicts of interest between the auditor and bank personnel. KPMG had audited the three banks for decades, cultivating deep ties with leadership. At Signature, the 2021 lead audit partner became chief risk officer within months of signing an audit opinion, while retaining financial ties to KPMG. At SVB, KPMG partners pressed to retain business even as the bank faltered. KPMG earned nearly $20 million in combined fees for audits of the three banks in 2022.
The PSI said the findings raise broader concerns about the auditing industry and issued five recommendations to address those concerns. It said Congress should review the regulation of the auditing industry and consider reforms to reduce conflicts of interest and strengthen responsibility for auditors. Congress, the PSI argued, should also increase competition in auditing by requiring banks to occasionally rotate the firms they employ.
"The current concentration of auditing firms, coupled with regulatory loopholes, led to closeness between KPMG and its audit clients that may have compromised the auditor's independence," the report said. "While the Subcommittee's review did not find a direct causal link between the lucrative, longstanding relationships KPMG enjoyed with [SVB, Signature and First Republic], the apparent familiarity raises concerns relevant to the entire auditing industry."
The subcommittee said Congress should clarify that it is entitled to receive inspection information from the nonprofit corporation that oversees the audits of public companies, known as the Public Company Accounting Oversight Board. Under current law, much of the PCAOB's inspection data remains confidential, even from Congress, limiting its ability to evaluate audit industry oversight and craft effective reforms. Transparency should also be expanded by requiring that enforcement actions in the auditing industry be made public, the report recommended.
The PCAOB was created with the Sarbanes-Oxley Act of 2002 to oversee auditing in the private sector. A Republican-led
The report also recommended setting up a PCAOB whistleblower office, similar to those at the SEC and CFTC.
"The whistleblower programs at the SEC and CFTC have been successful primarily because they generate 'specific, timely and credible information' in a complex and technical field, which can be difficult to obtain otherwise," the report argued. "Expanding whistleblower incentives to generate actionable enforcement information would provide more accountability to the auditing industry, increase corporate transparency, and provide greater investor protection."
