KPMG’s Audits of Three Failed Banks: What the 2025 Minority Senate Report Reveals About Whistleblower Protections
How the collapse of Silicon Valley Bank, Signature Bank and First Republic exposed gaps in auditor accountability — and why external whistleblower mechanisms are needed
A guest post by Abdelhamid Taha, member of the Secretariat of the All-Party Parliamentary Group on Investment Fraud & Fairer Financial Services (writing in a personal capacity).
Key Takeaways:
The report highlights major audit failures, including ignored going concern warnings at SVB, inadequate investigation of whistleblower allegations at Signature Bank, and failure to escalate internal concerns to the board at First Republic Bank.
Longstanding auditor-client relationships and the movement of former KPMG partners into senior roles at the banks raised significant independence concerns.
The current U.S. whistleblower framework does not adequately address allegations against auditors themselves, leaving a structural gap when the gatekeeper is the subject of concern.
Meaningful reform requires external whistleblower mechanisms for auditors, independent investigations, and stronger personal accountability for audit partners — areas where self-regulation has repeatedly fallen short.
Abdelhamid Taha is a financial regulation specialist and victim advocate with deep operational experience in anti-money laundering (AML) and compliance. He spent over 11 years at HSBC Egypt, including three years as AML and US Deferred Prosecution Agreement Compliance Champion. He currently serves as a Member of the Secretariat Committee for the UK’s All-Party Parliamentary Group on Investment Fraud and Fairer Financial Services. Taha writes on structural failures in financial regulation, audit governance, and corporate accountability. Full bio at the end of the article.
This is Part Two of a two-part series.
Part One of this series examined the internal failure pattern across four cases in Australia and the UK, the structural problem of independence within a partnership-owned investigation process, and the Enron-era origins of the US whistleblower protection framework.
Part Two examines a 2025 US Senate Minority Staff Report — which argues that framework still falls short when the auditor itself is the subject of concern — and the specific legislative architecture that Australia, the UK, and the US may now need to consider.
Act Five: Contemporary Evidence — What the 2025 Senate Minority Staff Report Actually Found
On September 17, 2025, Senator Richard Blumenthal, the ranking member of the US Senate Permanent Subcommittee on Investigations, released a Minority Staff Report following a 28-month inquiry into KPMG’s audits of Silicon Valley Bank, Signature Bank, and First Republic Bank.
The inquiry reviewed more than 400,000 pages of documents and involved nearly 100 hours of briefings and transcribed interviews with auditors and regulators. The report reflects the views of Senator Blumenthal and minority staff, rather than a bipartisan committee position.
KPMG has disputed the report’s conclusions. In public responses reported after the report’s release, the firm called the report misguided and erroneous, argued that it appeared to expect auditors to go beyond the role required by US audit rules, and noted that banking regulators had attributed the failures primarily to management and business-strategy issues at the banks.
The report itself says it does not take a position on whether KPMG violated auditing standards. That response does not eliminate the report’s findings, but it matters: what follows should be read as an analysis of the Minority Staff Report and the reform questions it raises.
With that framing in place, the title of the report — drawn from an internal KPMG communication the Subcommittee obtained — is worth pausing over:
“This Industry Is a Joke.”
Those are not the words of a regulator or a critic. They are the words of a KPMG auditor, recorded in an internal communication, describing their own client — Signature Bank — in the final weeks before it collapsed.
The Headline Finding
According to the Minority Staff Report, KPMG issued an unqualified audit opinion for Silicon Valley Bank 14 days before it collapsed, for Signature Bank 11 days before it collapsed, and for First Republic Bank 62 days before it collapsed — representing, in each case, KPMG’s assessment that the bank’s financial statements presented fairly, in all material respects, the financial position of the institution. The report argues that depositors and investors were left with the impression that each bank was financially sound.
The three banks that failed in early 2023 collectively held more assets than the 25 banks that collapsed in 2008 during the mortgage crisis. According to the report, the collapses wiped out $54 billion in stocks and bonds, with one pension fund losing nearly $700 million following First Republic Bank’s failure. The federal response also involved hundreds of billions of dollars in support to stabilise the banking system.
What matters most for this series is not the scale of the losses, but what the report says KPMG knew — and what it did with that knowledge.
Silicon Valley Bank: The Ignored Warnings
According to the report, the Federal Reserve alerted KPMG to foundational weaknesses in Silicon Valley Bank’s internal audit department in April 2022. KPMG was already aware the department was struggling to produce sufficient, timely information — in fact, by the time the Federal Reserve raised concerns again in January 2023, KPMG told the regulator it had not relied on information the department produced in over three years.
According to the report, despite this documented awareness, KPMG completed its going concern checklist — a workpaper designed to assess 64 conditions that could signal risk to the bank’s continued operation — and answered “no” to every single one.
The Minority Staff Report found that at least six of those conditions demonstrably existed at the time KPMG signed off. Among the most striking: SVB had deleted a key interest rate risk metric — its Economic Value of Equity analysis, which showed a $4.7 billion loss to equity — from successive drafts of its annual 10-K filing.
KPMG reviewed those drafts. KPMG reviewed the redlined deletion. The going concern checklist was signed off by the lead audit partner the day before the unqualified opinion was issued. Fourteen days later, SVB collapsed.
Signature Bank: The Whistleblower Allegation KPMG Did Not Independently Investigate
This is the finding that speaks most directly to the argument of this series.
Early in the 2022 audit, KPMG learned of whistleblower allegations of widespread mortgage fraud that implicated portions of the bank’s financial statements pertaining to credit risk. According to the Minority Staff Report, KPMG did not conduct an independent review of those allegations. Instead, it relied on an oral summary provided by Signature Bank’s external counsel. The report says the law firm did not produce a written report, and that KPMG nevertheless concluded the allegations were unfounded. KPMG told the Subcommittee that it had complied with auditing standards by “shadowing” the outside-counsel investigation and assessing whether that process was reasonable.
The report’s criticism is sharper because the concerns did not come only from the whistleblower. According to the report, the FDIC had separately raised related concerns about Signature Bank’s documentation and support for valuations used in collateral-dependent loans.
Yet when KPMG met with the FDIC the day after Signature informed it of the whistleblower complaint, the report says KPMG did not ask the regulator about the substance of those allegations. KPMG ultimately issued an unqualified audit opinion after relying on the oral summary from Signature’s external counsel rather than conducting its own independent investigation.
This is the self-investigation paradox operating inside a statutory audit engagement rather than inside a Big Four firm’s HR process. The mechanism is closely analogous to what Part One documented in the cases reviewed there: the allegation is received, control of the assessment is left largely with the implicated institution, and the outcome is heavily shaped by the party with the most to lose from a finding of substance.
The internal KPMG communications obtained by the Subcommittee reinforce this picture. One KPMG auditor wrote to a colleague that Signature Bank had significant deficiencies — and that the bank did not appear to care.
The report also says the bank’s CFO, a former colleague of KPMG’s lead audit partner, persuaded the audit team that it did not need to seek certain additional information about deficiencies in the bank’s ability to properly value its assets. The report presents this as an example of how professional familiarity may have affected audit scepticism at a critical moment.
First Republic Bank: Concerns Documented, Board Not Told
According to the Minority Staff Report, ten days before First Republic Bank failed, KPMG met with the bank’s board of directors. KPMG had internal concerns about the assumptions the bank was using to justify its ability to continue as a going concern. The report says KPMG did not raise those concerns at the board meeting.
On the report’s account, KPMG had concerns. KPMG documented those concerns internally. KPMG attended the board meeting. And, according to the report, KPMG did not raise those concerns with the board. The information that might have triggered board action, regulatory escalation, or at minimum public disclosure existed inside KPMG’s own files — and, according to the report, the board it was supposed to serve did not receive it.
The Independence Finding: Institutional Marriage, Not Professional Distance
KPMG had audited Silicon Valley Bank since 1994, Signature Bank since its founding in 2001, and First Republic Bank since 1989, with only a three-year gap from 2007 to 2010. That is 28, 21, and 31 years respectively.
The Minority Staff Report found at least 11 instances in which KPMG auditors interacted professionally with former KPMG colleagues who had moved to work at the banks being audited.
Signature Bank’s Chief Risk Officer had been the KPMG lead audit partner who signed the bank’s 2021 audit opinion, joining the bank as Chief Risk Officer three months later while maintaining a financial relationship with KPMG for 17 months after his appointment.
The person whose professional function was to challenge the bank’s risk management from the outside became, almost immediately, the person responsible for managing that risk from the inside — while still financially connected to his former firm.
At no point, according to the report, did anyone in this chain identify a conflict. The report says it did not find a direct causal link between these longstanding relationships and the audit outcomes, but concluded that the apparent familiarity raised broader concerns for the auditing industry.
The Client-Retention Finding
In the final weeks of SVB’s existence, after KPMG learned the bank’s board was considering accepting bids for a new auditor in response to regulatory scrutiny, the firm’s leadership made contact with bank executives in what the report characterises as an attempt to retain the engagement.
This included a surprise appearance by a senior KPMG figure at a closed board meeting, and a review of a potential $3–4 million charity sponsorship at the request of the bank’s CEO. The report characterises this as client retention activity, conducted at the moment the independence of the audit relationship was most critical.
As of July 2026, no public enforcement penalty against KPMG in relation to these three audits has been announced.
The Regulatory Architecture Finding
The Minority Staff Report makes an observation that connects directly to the central argument of this series: in its view, the agency charged with regulating the auditing industry — the PCAOB — has been significantly constrained in its ability to impose the kind of enforcement that would change auditor behaviour.
The Big Four audit approximately 90% of all publicly traded companies in the United States and control 99.7% of the market share for S&P 500 audits. Regulators who are concerned that severe enforcement against one firm could destabilise the market face a structural incentive to calibrate their response accordingly. The firms, the report implies, may be aware of this. The phrase used is telling: they may feel confident they are too big to fail.
Act Six: The Model That Works Better
The SEC Whistleblower Program is built on principles that directly address several of the failure modes documented across this series.
External by design. Concerns are submitted directly to the SEC — not to the institution, not to its legal counsel, not to an internal ethics committee controlled by the institution’s leadership.
The allegation is outside the institution’s control from the moment it is made. There is no oral summary from the bank’s own law firm. There is no internal workpaper that concludes the matter has no audit implications. The receiving body is independent by structure, not merely by policy.
Financial incentive for disclosure. Whistleblowers who provide original information leading to a successful enforcement action receive between 10% and 30% of sanctions collected when those sanctions exceed $1 million.
By the end of FY2024, the SEC had awarded more than $2.2 billion to 444 individual whistleblowers since the programme’s inception in 2011; in FY2025, it awarded a further more than $60 million to 48 individual whistleblowers.
The financial reward for disclosure is designed to counteract the financial and career risks of speaking up — a structural counterweight, not a moral appeal.
Civil and in some circumstances criminal protection against retaliation. SOX Section 806 establishes civil remedies for retaliation against whistleblowers at publicly traded companies, including reinstatement, back pay, and litigation costs.
In certain circumstances, separate criminal anti-retaliation provisions may also apply. The individual who makes the decision to marginalise, transfer, or expel a whistleblower potentially faces consequences — not institutional censure alone.
Named individual accountability at the institutional level. SOX Section 304 allows the SEC to require CEOs and CFOs to reimburse incentive compensation received during periods when the company was in violation of securities laws. The accountability attaches to named individuals, not to the institution’s balance sheet.
And now — specifically in response to the audit failures examined in the Minority Staff Report — Senator Blumenthal has recommended that Congress create a dedicated Office of the Whistleblower to receive actionable information specifically regarding auditors. This is a targeted external channel for concerns about audit firms themselves, modelled on the SEC Whistleblower Program’s independence and incentive architecture, but applied to the gatekeepers rather than only to their clients.
This is the kind of targeted auditor-whistleblower mechanism that neither Australia nor the UK has yet adopted. It is the one the evidence most directly demands.
Act Seven: What the Legislation Needs to Contain
The Blumenthal report recommends an auditor whistleblower office. The broader legislative architecture, however, needs to go further if it is to address the failure modes described across this series.
Australia has recently resuscitated reform proposals for accounting, audit, and consulting firms — options that have sat largely unimplemented since the PwC tax scandal in 2023 — opening a new consultation process closing August 12, 2026.
The UK’s FRC investigation of PwC’s WHSmith audit is live.
Senator Blumenthal’s Minority Staff Report has recommended Congressional action in the US. In each jurisdiction, there is a live process. In each jurisdiction, that process will produce something — the question is whether that something is specific enough to change the incentive structure, or general enough to leave it intact.
General principles already exist in all three jurisdictions, but the cases examined in this series suggest that they have not produced protection robust enough for the circumstances described here. What is required is a named mechanism for each identified failure mode.
Failure mode one — Internal control of the allegation. Mandatory external intake for any allegation implicating a partner or senior manager, routed directly to the relevant regulator and not through the firm under any circumstances.
According to the Minority Staff Report, the Signature Bank whistleblower allegation reached KPMG during a live audit and was assessed through an oral summary from Signature Bank’s external counsel rather than through KPMG’s own independent investigation.
A dedicated Office of the Auditor Whistleblower would have received that allegation directly, assessed it independently, and acted on it without a single KPMG partner involved in the determination of its significance.
Failure mode two — Investigation capture. A statutory requirement that any investigation into a partner-level allegation at a regulated professional services firm be conducted by an investigator appointed by the regulator, with terms of reference set by the regulator.
Not selected by firm leadership.
Not briefed by the people the allegation concerns.
Not concluded with a finding the alleging party never receives.
Failure mode three — Privilege obstruction. A presumptive disclosure rule: any document produced in connection with an internal investigation into a whistleblower allegation at a regulated professional services firm is disclosable to the relevant regulator upon request, with the firm bearing the burden of demonstrating genuine privilege — not the regulator bearing the burden of overcoming it.
The PwC Australia timeline, measured in years rather than months, was materially shaped by privilege claims. That inversion of burden could have changed the timeline.
Failure mode four — Absence of personal accountability. An SMCR-style personal accountability regime for audit partners — requiring named individuals to document the escalation decision and demonstrate they took reasonable steps when they became aware of a potential breach.
The SVB lead audit partner signed a going concern checklist showing no risks, 14 days before the bank’s collapse, despite the Minority Staff Report identifying at least six conditions that demonstrably existed. Whether that failure was negligence or something worse, the outcome is the same: a clean opinion days before collapse.
Under an SMCR-equivalent regime, the question would not be limited to whether he intended to mislead. It would be whether he took reasonable, documentable steps to ensure the checklist reflected reality. The documentation requirement alone changes the decision calculus. You cannot tick a box and walk away when your name is attached to the decision in a legally accountable way.
Failure mode five — No structural deterrent to shadow architecture enforcement. Civil remedies — primarily available to whistleblowers themselves, requiring them to fund their own litigation — are insufficient to deter institutional decisions to marginalise someone who has raised a protected concern.
Where the evidence establishes that a named individual made or ratified a decision to marginalise a person who raised a protected concern, meaningful personal consequences — civil and where appropriate criminal — must follow for the decision-maker, not merely for the institution.
Failure mode six — No financial incentive to disclose. A financial reward programme modelled on the SEC’s — calibrated to Australian and UK enforcement scales, but built on the same principle: that the financial benefit of disclosure must structurally exceed the financial cost of suppression from the perspective of the individual considering disclosure.
The Minority Staff Report estimates combined audit fees of nearly $20 million for the three failed banks. According to the report, KPMG has faced no disgorgement of those fees. Until revenue earned from audits criticised for missing or discounting serious warning signs can be disgorged and redirected toward rewarding those who surfaced what the audit missed, the economics of silence will continue to favour silence.
Epilogue: The Question the Profession Must Answer
America did not build the SEC Whistleblower Programme because it had good values. It built it because Enron, WorldCom, and Arthur Andersen demonstrated, at catastrophic cost, that good values were insufficient — that without an architecture designed to make disclosure the rational choice and suppression the personally costly one, institutions would consistently choose suppression.
The 2025 Senate Minority Staff Report demonstrates that the lesson was only partially learned. SOX reformed much of the corporate reporting architecture. But, as the Minority Staff Report argues, the auditor side remains insufficiently exposed to external whistleblower mechanisms.
According to the report, KPMG received a whistleblower allegation of widespread fraud at Signature Bank during a live audit, assessed it through the bank’s own lawyers, received an oral summary, and issued a clean opinion. The report also says that ten days before First Republic collapsed, KPMG had internal concerns about the bank’s ability to survive as a going concern and did not raise them with the board. The lead auditor for Silicon Valley Bank signed a going concern checklist with no risks identified, 14 days before the bank’s collapse, and has since told the Subcommittee that assessing a “risky or even reckless business strategy” was not KPMG’s responsibility.
The profession’s response so far — independent governance boards, conflict registers, leadership resignations accepted with generous exit packages, remediation programmes, transparency reports — has addressed every failure mode except the one that determines all the others: the individual, personal, legal consequence for the named person who decides the allegation does not need to go further.
Until that decision-maker is identifiable — by name, by role, by documented decision, and by personal legal exposure — we are not reforming the system. We are redecorating it.
And somewhere inside each of the Big Four right now, there is a person who has seen something they cannot unsee. They have read the policy. They know what it says.
They also know what happened to the last person who believed it.
Senator Blumenthal has called for an Office of the Whistleblower for auditors. Australia’s consultation on firm reform closes August 12, 2026. The FRC’s WHSmith inquiry is live. In each jurisdiction, the window is open.
The evidence is in. The architecture is documented. The question is no longer whether the pattern is real. The question is whether we have the political will to replace an architecture that consistently fails with one that is structurally required to work.
Who is Abdelhamid Taha?
Abdelhamid Taha is an independent financial regulatory analyst, AML/compliance specialist, and public interest advocate. He spent over 11 years at HSBC Egypt (2005–2016), where he served as AML and Deferred Prosecution Agreement (DPA) Compliance Champion for three years during the bank’s high-profile US regulatory scrutiny period. In this role, he designed and delivered compliance training, identified suspicious transaction patterns, prepared Suspicious Activity Reports to elevated post-DPA standards, and contributed to rebuilding financial crime controls under intense regulatory pressure. He also held responsibilities as Business Information Risk Officer (BIRO), managing information security and incident reporting.
For the past decade, Taha has worked independently at the intersection of financial regulation, systemic risk analysis, and victim advocacy. He has formally engaged with regulators, ombudsmen, ministers, and parliamentary bodies across the UK, New Zealand, UAE, and US. His submissions and intelligence have been acknowledged by central bank governors, government ministers, and national ombudsmen, with several leading to or being confirmed by major FCA enforcement actions.
He currently serves as a Member of the Secretariat Committee for the UK’s All-Party Parliamentary Group on Investment Fraud and Fairer Financial Services (May 2026–present). In this role, he contributes to legislative engagement on the Financial Services and Markets Bill, including proposed FSMA amendments and evidence-based briefings for the House of Lords.
Taha’s focus is on supporting individuals harmed by institutional failures, providing analytical research, regulatory navigation support, and evidential rigour in cases involving the FCA, Financial Ombudsman Service (FOS), and Financial Regulators Complaints Commissioner (FRCC). His motivation is rooted in advancing financial system integrity and protecting victims of misconduct.
Sources & Key References
U.S. Senate Permanent Subcommittee on Investigations (September 17, 2025). “This Industry is a Joke”: How KPMG’s Unqualified Audits of Silicon Valley Bank, Signature Bank, and First Republic Bank Allowed Troubled Banks to Hide Their Failures in Plain Sight (Minority Staff Report). Full report (PDF)
U.S. Securities and Exchange Commission (2026). Annual Report to Congress on the Dodd-Frank Whistleblower Program – Fiscal Year 2025. Download PDF
Part One of this series: Big Four Whistleblowers and the Architecture of Silence – Analysis of internal whistleblower handling and structural failures at PwC and KPMG in Australia and the UK. Read Part One
Financial Reporting Council (UK) (June 2026). Investigation into PwC’s statutory audit of WH Smith plc. FRC Announcement
KPMG public responses to the U.S. Senate Minority Staff Report (September 2025), as reported in the media following the report’s release.
Australian Government (2026). Consultation on reforms to accounting, audit, and consulting firms (consultation closing August 12, 2026).
This article is part of Big4News’ Expert Voices Series
Expert Voices
This section features candid interviews with whistleblowers, legal experts, and financial professionals who have direct experience with the inner workings of Deloitte, PwC, EY, and KPMG.




