Missing the Red Flags
I have previously blogged about the collapse of SVB and the Signature Bank. In today's blog, I will update the information and probe more deeply the failings of regulators and KPMG to heed the warning signs that trouble lied ahead.
The collapse of Silicon Valley Bank (SVB) and Signature Bank, reminds me of the stream of bank failures since the 1970s that have created concerns about the ability of bank officials and regulators to oversee the liquidity and risk-taking activities of banks and other financial institutions.
SVB fell victim to a run-on deposit. Initially, customers tried to withdraw $42 billion—about a quarter of the bank’s total deposits. The flood of withdrawals destroyed the bank’s finances. It had poured large amounts of deposits into U.S. Treasury investments and other government-sponsored debt securities whose market value declined as the Federal Reserve raised interest rates over the past year.
State regulators closed New York-based Signature Bank, the third largest failure in the U.S. banking history, and two days after authorities shuttered SVB in a collapse that stranded billions in deposits. US prosecutors had been investigating Signature Bank’s work with crypto clients before regulators suddenly seized the lender.
Depositors’ confidence in the soundness of these institutions evaporated after it was reported that the banks could not meet depositor attempts to withdraw money from their accounts, generating a classic bank run that led federal regulators to step in.
Too Big to Fail?
In 1972, bank regulators bailed out the $1.2 billion Bank of the Commonwealth partly because they viewed it as “too big to fail.” My concern is that some of the same issues that motivated bailouts during this earlier period, particularly worries about banking concentration, are relevant today.
The too-big-to-fail problem in banking is the unwillingness of regulators to close a large, troubled bank because of a belief that the short-term costs of a bank failure are too high. The social costs of this policy are that it encourages banks to get inefficiently large and subsidizes risk taking.
One reason for concern over the too-big-to-fail problem is the existence of moral hazard. "Moral hazard" is a term used to describe situations in which a bank, financial institution, and insurance companies may be inclined to take bigger risks if they are insured than if they're not. It arises because banks are covered by Federal Deposit Insurance Corp. (FDIC) bailouts up to $250,000 in each depositor account, which limits the responsibility for the risks they take and the costs they create.
Savings & Loan Institutions: The 1980s-1990s
Risky mortgage behavior infected banking in the late 1980s and early 1990s when the savings and loan industry became the focus of Congressional hearings about failures at 1,043 failed thrift institutions during the 1986-1995 period that was reported to be $152.9 billion including $123.8 billion of U.S. taxpayer losses. There was a housing bubble during this time that caused a collapse in home values.
The most publicized failure was that of Lincoln Savings & Loan where thousands of California retirees lost their life savings after buying uninsured, worthless bonds. The period became known as the greatest collapse of U.S. financial institutions since the Great Depression.
Subprime Loans: The Early 2000s
The housing bubble that burst in the 2007-2008 period and related mortgage meltdown is another example of how risky bank behavior triggers unintended consequences, namely the failure of banks and financial institutions that played fast and loose with liquidity rules and made risky decisions. It has been estimated that home equity dropped by about $4.2 trillion through mid-2008. Total retirement assets lost $2.3 trillion during the same period. Savings and investment assets were down by $1.2 trillion and pension plan assets by $1.3 trillion.
The banks made subprime loans for homeowners who qualified for these mortgages because of lax or nonexistent underwriting policies. Loans were made with little or no verification of income, inflated appraised values, and the failure to assess borrowers’ credit worthiness.
The financial institutions that made the loans, including Citigroup, JP Morgan Chase, Bank of America, and Wells Fargo, were not too concerned about collectability since they had sold off their loans as asset-based mortgages to Fannie Mae and Freddie Mac, the two government-sponsored-entities that assumed the risk of default. It sounded good in theory until it was determined that they were fraudulent-based mortgages, which left them holding the bag because of record foreclosures and falling home prices. This was another case of moral hazard.
In response, a Democratic Congress passed the Dodd-Frank Act to protect consumers and to more closely regulate Wall Street. Republicans in Congress have moved to scale back Dodd-Frank regulations. In 2019 the Federal Reserve compounded the pullback by instituting new rules that eliminated liquidity requirements entirely for banks with assets under $250 billion and softened other regulations.
Ethics and the Financial Services Industry
A host of questions remain about ethics and the financial services industry. Is the industry behaving more ethically since the crisis? Can regulation compel ethical behavior? Should top executives be held personally responsible for their companies' mistakes? One skeptic put it succinctly: “Ethics and financial services—isn't that an oxymoron?”
Once again, moral hazard raises its ugly head as the U.S. government proclaimed it would cover deposits not only up to $250,000 but beyond. Even though accounts are uninsured beyond that amount, the government decided to cover all losses to stem the rising tide of another bout of contagion due to the failure of banks to cover their debts and repay depositors.
The two banks clearly had poor management and governance. As deposits soared, SVB’s executives had invested in long-term assets without hedging adequately against interest-rate risks, and the firm lacked a diversified portfolio of depositors, most of whom came from the venture-capital sector. As the sector came under increasing pressure, its members tried to withdraw their funds simultaneously, and the bank couldn’t meet its obligations.
The Revolving Door
The proverbial red flag should have been raised once it was determined that former KPMG auditors held financial reporting oversight roles with its client, Signature Bank. The CEO, CFO, some board members, and a risk officer all worked for KPMG. Ties between Signature Bank and KPMG ran deep among the top leaders and board members of the failed bank.
Signature’s founder and top executive Joseph DePaolo was an audit manager at KPMG, and Stephen Wyremski, the institution’s chief financial officer, was a bank auditor for the firm. Another graduate of the firm, Keisha Hutchinson, signed off on the institution’s 2020 financial statements as a KPMG audit partner—just a month before the bank announced it was hiring her as its chief risk officer, a position she was still holding when the bank collapsed. Judith Huntington and Michael Pappagallo, members of the Signature examining committee that oversaw the work of the auditor, also previously were auditors for KPMG.
The appearance of a conflict of interest stands out because of the arrangement between Hutchinson and Signature as its future risk officer at the time of signing the audit report. The conflict should have been evaluated by asking: Would a reasonable third party examining the relationship conclude that Hutchinson lacked independence by signing off on Signature’s financial statements just one month before it was announced she would become the bank’s chief risk officer? The one year cooling off period discussed below makes it seem as though the conflict of interests would have tainted independence and created a barrier to objective decision-making during the audit.
Independence in appearance requires that auditors and the audit firm should avoid any relationship with the client or client management that might lead a reasonable person to believe there may be a conflict of interests between the firm and the client. The close relationship between former KPMG personnel who joined Signature Bank and the firm itself raises questions about the one-year cooling off period that is required between the time KPMG personnel left the firm and joining the client’s management team. It appears that the relationship between Hutchinson, the chief risk officer of the Bank, and her former employer, KPMG, created a threat to independence that could not be mitigated by any safeguards, which is a violation of the AICPA Code of Professional Conduct.
According to SEC regulations, a one-year cooling off period is required before a company can hire certain individuals formerly employed by its auditor in a financial reporting oversight role. The "cooling off" period is designed to put time and space between the auditors’ role and that of decision-making for the audit client. In other words, if an engagement team member who participated on the audit of the current (or immediately preceding) fiscal year goes to work for a client within one year, the firm’s independence would be impaired.
KPMG signed the audit report for SVB 14 days after a surge of withdrawals threatened to leave it short of cash. “Common sense tells you that an auditor issuing a clean report, a clean bill of health, on the 16th-largest bank in the United States that within two weeks fails without any warning, is trouble for the auditor,” said Lynn Turner, who was chief accountant of the Securities and Exchange Commission from 1998 to 2001.
In a footnote, SVB said the fair-market value of its held-to-maturity securities was $76.2 billion as of December 31, 2022, or $15.1 billion below their balance-sheet value. The fair-value gap was almost as large as SVB’s $16.3 billion of total equity—which, KPMG could have pointed out, is something anyone reading the financial statements could have seen. SVB stuck to its position that it intended—and had the ability—to hold those bonds to maturity. Two crucial facts for determining whether KPMG missed the banks problems are when the bank runs began in earnest and when the bank’s management and KPMG’s auditors became aware of the crisis.
What is known about SVB is that deposit outflows accelerated in February 2023. On March 8, 2023, SVB said that client cash burn has remained elevated and increased further in February. The bank said its deposits at the end of February were lower than it had predicted in January.
Both bank audits were for 2022, so auditors weren’t scrubbing the banks’ books for the time when they ran into trouble. But auditors are supposed to highlight risks faced by the companies they audit. They are also supposed to raise important issues that occur after companies close their books and before the audit is completed, or so-called post-balance-sheet events.
Most of the capital hole in SVB’s balance sheet was in government-sponsored mortgage bonds that the bank classified as “held to maturity.” That label allowed SVB to exclude unrealized losses on those holdings from its earnings, equity and regulatory capital.
In a footnote, SVB said the fair-market value of its held-to-maturity securities was $76.2 billion as of December 31, or $15.1 billion below their balance-sheet value. The fair-value gap was almost as large as Silicon Valley Bank’s $16.3 billion of total equity—which, KPMG could point out, is something anyone reading the financial statements could have seen.
SVB stuck to its position that it intended—and had the ability—to hold those bonds to maturity. KPMG allowed the accounting treatment. Now it will be up to the FDIC to sell the securities.
The real issue is whether KPMG followed the auditing standards in AU-C Section 560, Subsequent Events and Subsequently Discovered Facts. It requires that the firm “performed the necessary audit procedures designed to obtain sufficient appropriate audit evidence that all subsequent events that require adjustment of, or disclosure in, the financial statements have been identified.” The requirement includes inquiring of management and, when appropriate, those charged with governance about whether any subsequent events have occurred that might affect the financial statements. KPMG did not address the audit procedures it followed to identify subsequent events in the statements above.
In its defense, the bank’s troubles put KPMG between a rock and a hard place. If it had called attention to SVB’s falling deposits or issued a warning about SVB’s ability to continue as a going concern, it could have set off a run on the bank. By not raising these issues, it will face questions about how it missed the signs that the bank was headed for trouble.
Congress Should Investigate the Audit Industry
Although both SVB and Signature Bank failed within days of each other by customer bank runs that began after KPMG filed its audit reports, the timing is concerning given how short the period was between the auditor’s financial attestations and the disastrous disclosures about the liquidity in SVB and Signature Bank. Auditors are supposed to warn investors and creditors of any going concern issues. Even if the bank wasn’t struggling in the previous year, KPMG was required to evaluate developments that occurred after the balance sheet-date, so the company’s financials were presented fairly.
SVB’s deposits peaked at the end of the first quarter of 2022 and fell $25 billion, or 13%, during the final nine months of the year. That means deposits were declining during the period of KPMG’s audit. If the decline was affecting the bank’s liquidity when KPMG signed off on the audit report, that information likely should have been included. Since it wasn’t, the question becomes, did KPMG know or should it have known what was going on? In other words, what did they know and when did they know it?
Auditors use their reports to highlight “critical audit matters” that involve challenging, subjective or complex judgments. KPMG in that section of its report focused on the accounting for credit losses at SVB. But it didn’t address SVB’s ability to continue holding debt securities to maturity—which, in the end, the bank lacked.
Whatever KPMG knew about the two banks’ financial situation and what it missed will likely be the subject of regulatory scrutiny and lawsuits. The audit profession has been taken to task before for its negligent, and even fraudulent behavior, both in the savings and loan debacle and financial crisis of 2008-2009. Add to that the failure of companies like Enron and WorldCom in the early 2000s, and Congress should act now to investigate the profession’s failures in an industry whose health is essential to a stable financial system. Given the current mess with SVB, which is likely to spread in my opinion, will this lead to further harm to the public beyond that discussed above?
Douglas Carmichael, the Public Company Accounting Oversight Board’s chief auditor from 2003 to 2006, said it was unclear how the regulator could have determined the bank’s financial condition. “It seems like a premature analysis. How could they know without examining?” he said. Perhaps so, but isn’t that the job of the auditor to inform the bank regulators of trouble ahead?
The Justice Department and the Securities and Exchange Commission are investigating the collapse of SVB. The investigations are also examining stock sales that SVB’s financial officers made days before the bank failed. Did they trade on inside information about the bank’s pending financial problems? If so, they may have committed fraud and should be punished for their actions. They would have taken advantage of non-public information and left the depositors holding the proverbial bag.
Massachusetts regulators are also investigating the executives’ trading and what they knew or said about the bank’s business in the 90 days before its demise, according to Secretary of the Commonwealth William Galvin, who oversees the state’s securities division.
SVB CEO Greg Becker sold nearly $30 million of stock in 2021 and 2022. Becker sold $3.6 million worth of shares on February 27, 2023, just days before the bank disclosed a large loss that triggered its stock slide and collapse. Altogether, SVB executives and directors cashed out of $84 million worth of stock during the two years preceding the bank failure. The sales have sparked criticism of SVB's management leading to calls for a clawback of that money
Did SVB Do Enough to Warn Investors and the Public?
SVB cautioned in its latest annual report to investors that its business was heavily focused on lending to newer companies in the technology, life-science and healthcare industries. “Our loan concentrations are derived from our borrowers engaging in similar activities that could cause those borrowers to be similarly impacted by economic or other conditions,” it said.
This is a tepid warning that problems could lie ahead but does the disclosure go far enough? For example, what is management doing about assessing the risk of economic conditions? What controls are in place to ferret out problems before they get out of hand? Clearly, the answer is little or none.
From the 3Q21 through the 3Q22, the certifications of financial statements required by the Sarbanes-Oxley Act and attached to the annual reports signed by Greg W. Becker, the SVB chief executive officer, and Daniel Beck, its chief financial officer, attested to the accuracy of financial reporting, the disclosure of any material changes to the Bank’s internal control over financial reporting, and the disclosure of all fraud. The 3Q22 Report stated “[t]here are no material changes to the risk factors set forth in our 2021 Annual Report on Form 10-K.”
An important question is why did the CEO and CFO certify the financial statements? How could they given the failure to detect inherent risks in their banking business? We must ask what the purpose of the certification process is other than to set specific standards to hold management responsible for missing (or ignoring) material misstatements in the financial statements and fraud?
The failure of SVB and the Signature Bank is a cautionary tale that bank regulation needs to be tightened and auditors need to be held liable for missing the red flags that indicate fraud may exist.
Blog posted by Dr. Steven Mintz, The Ethics Sage, on April 13, 2023. You can sign up for Steve’s newsletter and learn more about his activities on his website (https://www.stevenmintzethics.com/) and by following him on Facebook at: https://www.facebook.com/StevenMintzEthics and on Twitter at: https://twitter.com/ethicssage. Check out professional recommendations on LinkedIn: https://www.linkedin.com/in/steven-mintz-aka-ethics-sage-98268126/.