Silicon Valley Bank: The Oversight Debacle
Today I want to return to the collapse of Silicon Valley Bank. Everyone has been wondering how the bank met its sudden demise, and whose poor oversight allowed that to happen. Now we have more details to help answer those questions — and, ideally, avoid a repeat performance elsewhere.
People first trained their fire on SVB’s audit firm, KPMG. How could the auditors let this happen, they asked? Now comes word that examiners at the Federal Reserve spotted trouble at the bank in 2022, and even SVB itself hired consultants who warned that the bank’s risk controls were “substantially below” its peers. Yet the bank still suffered catastrophe? How?
Those are important questions to raise. They drive to issues of transparency, investor protection, and the whole purpose of audits and risk oversight.
Let’s begin with the financial asset that caused all this trouble in the first place: the low-interest rate loans that SVB issued in the late 2010s. As interest rates rose in 2022, the value of those loans fell. After all, why would anyone buy the income stream from a loan carrying a 2 percent rate, when you can buy the income stream from a loan at 4.5 percent today? So SVB listed all those underwhelming loans on the balance sheet as securities “held to maturity”(HTM) rather than as “available for sale.”
Except, here in the real world, everyone knows those HTM securities aren’t worth their face value. So a bank carrying HTM securities faces an accumulating pile of unrealized losses on those instruments. That’s essentially what skewered SVB. The bank reported HTM securities worth $91.3 billion at the end of 2022, when the actual fair value was roughly $76 billion.
That’s an unrealized loss of $15.1 billion. Investors got skittish that SVB didn’t have enough capital to cover it, which led to a groupthink panic among depositors, who pulled out their savings all at once. Collapse.
The issue here is how rapidly those HTM securities piled up on Silicon Valley Bank’s balance sheet. Figure 1, below, shows how those assets suddenly spiked in 2021, until they equaled nearly half of the bank’s total assets.
Figure 2 is an even more alarming way to look at things.
That’s quite the ascent. So why didn’t alarm bells start ringing far, far earlier?
First Up: The Auditors
KPMG gave Silicon Valley Bank a clean audit opinion for 2022 and many years prior to that, even while those HTM securities and their unrealized losses piled up like cow manure. What’s up with that?
One could argue (and KPMG does argue) that the audits aren’t to blame because an audit only assesses the risk of material misstatement — and as far as we know, there was no such risk for SVB’s financial statement. That $15.1 billion in unrealized losses was reported on Page 125 of the bank’s 2022 annual report. Astute analysts could have researched that the same line-item one year earlier was only $1.34 billion, and virtually zero the year before that. The explosion of unrealized losses was no secret, and more than a few skeptics had been raising alarms about SVB’s risk posture for several months.
Except, raising alarms about a company’s liquidity risks and auditing its financial statements are not the same thing.
Critics will then ask: what about KPMG’s duty to assess SVB’s ability to continue as a going concern? That’s a fair question, but the answer is complicated. The auditor is supposed to make the going concern assessment (according to standards from the Public Company Accounting Oversight Board) based on “the auditor’s knowledge of relevant conditions and events that exist at or have occurred prior to the date of the auditor’s report.”
Well, KPMG knew the HTM securities had piled up unrealized losses thanks to the Fed’s interest rate hikes. But KPMG couldn’t know that depositors would then engage in a collective freakout amplified by social media, that would devastate the bank. It’s entirely possible that absent social media, the panic would not have happened, and SVB might have found some other way to survive.
Indeed, it’s worth quoting the PCAOB’s standard for going concern warnings (emphasis added by me):
The auditor is not responsible for predicting future conditions or events. The fact that the entity may cease to exist as a going concern subsequent to receiving a report from the auditor that does not refer to substantial doubt, even within one year following the date of the financial statements, does not, in itself, indicate inadequate performance by the auditor. Accordingly, the absence of reference to substantial doubt in an auditor’s report should not be viewed as providing assurance as to an entity’s ability to continue as a going concern.
My point here is not to let KPMG off the hook. It’s to point out that the whole purpose of financial audits may have drifted away from what matters most to investors: a sense of what risks lay in the future, and whether management is acting wisely enough to avoid stepping on those landmines.
Which brings us to a few other groups.
Where Was SVB Management?
One way to avoid the financial risks of those low-interest loans would be to hedge against them via other financial instruments. That’s not always cheap or easy, nor will hedges solve all your financial risk problems — but they can solve a bunch, which is why many banks do try to protect themselves with hedging. It’s not rocket science.
So why didn’t that happen at SVB? Did anyone with responsibility for oversight of SVB — management, the board, bank regulators, auditors — point out that the interest rate environment was volatile, so that even if the bank’s financial reporting was sound, its overall investment strategy was high risk?
Because let’s remember, that misjudgment about appropriate risk management is what screwed investors and depositors. So who let that misjudgment go forward?
First we can look at the board of directors. It’s their job to assure that appropriate risk management systems are in place, and interest rate risk is one of the most fundamental concerns for a bank. Did they raise concerns about SVB’s investment strategies in the late 2010s? Did they question the wisdom of working with mostly business customers, whose deposits would exceed the FDIC’s deposit insurance limits? Did they press bank management over why the chief risk officer job was left vacant for most of 2022? Why did the board’s risk committee go from seven meetings in 2021 to 18 meetings in 2022?
Second, we can look at management — which certainly should have known the bank’s risk management needs, and very well might have. According to the Financial Times, Silicon Valley Bank hired the consulting arm of BlackRock in October 2020 to review SVB’s risk management practices. In a report that landed on management’s desk in January, those BlackRock advisers flagged SVB as “substantially below” the bank’s peers on 11 different factors.
For example, the consultants found that SVB couldn’t generate real-time or weekly reports about its securities portfolio. “SVB listened to the criticism but rebuffed offers from BlackRock to do follow up work,” according to the FT.
Gathering prompt, accurate information about your company’s risks is a prime duty of management. Even if we excuse SVB management from misreading the interest rate environment (which we shouldn’t), how did it tolerate such a poor internal reporting environment for so long?
Honestly, that report from BlackRock (the contents of which have not yet been made public) is the sort of analysis investors want; not the anodyne auditor boilerplate from KPMG.
Where Were the Regulators?
This is another valid question. It is the job of the Federal Reserve to assure that banks are on sound financial footing and don’t endanger the banking system as a whole. So how did they let things reach this point?
It does seem that examiners at the San Francisco Fed did warn SVB about faulty risk management practices. According to the New York Times, the SF Fed issued six citations to the bank in 2021. Those citations warned that the bank wasn’t doing enough to assure easy access to cash. By July 2022, SVB was in a “full supervisory review” and rated deficient in corporate governance. (That probably explains why the bank’s risk committee was meeting so much more often.)
So in other words, everyone who knew Silicon Valley Bank was in serious trouble wasn’t communicating that to investors; and the only group who did communicate with investors (the auditors) were working under standards that let them not talk about the one issue that would matter most.
No wonder people are so cynical.