United States Court of Appeals
FOR THE DISTRICT OF COLUMBIA CIRCUIT
Argued November 8, 2007 Decided February 8, 2008
No. 07-1003
GRANT THORNTON, LLP,
PETITIONER
v.
OFFICE OF THE COMPTROLLER OF THE CURRENCY,
RESPONDENT
On Petition for Review of a Final Decision and Orders of the
Office of the Comptroller of the Currency
Stanley J. Parzen argued the cause for petitioner. With
him on the briefs were Mark W. Ryan, Andrew J. Morris, and
Miriam R. Nemetz.
Jerome A. Madden, Counsel, U.S. Department of
Treasury, argued the cause for respondent. With him on the
brief was Horace G. Sneed, Director of Litigation.
Before: HENDERSON and TATEL, Circuit Judges, and
WILLIAMS, Senior Circuit Judge.
Opinion for the Court filed by Senior Circuit Judge
WILLIAMS.
2
Opinion concurring in the judgment filed by Circuit
Judge HENDERSON.
WILLIAMS, Senior Circuit Judge: Grant Thornton, LLP,
an accounting firm, appeals a final decision and order of the
Comptroller of the Currency that requires the firm to pay
$300,000 in civil penalties for recklessly failing to meet
Generally Accepted Auditing Standards (“GAAS”) in its audit
of the First National Bank of Keystone. Grant Thornton also
appeals the Comptroller’s cease and desist order mandating
that the firm comply with a host of conditions whenever it
audits depository institutions. We vacate the final decision
and both orders, finding that when an accounting firm merely
performs an external audit aimed solely at verifying the
accuracy of a bank’s books, it is not “participat[ing]” or
“engaging” in “an unsafe or unsound practice in conducting
the business” or “the affairs” of the bank, as those terms are
used in 12 U.S.C. §§ 1813(u)(4)(C), 1818(b)(1), and
1818(i)(2)(B)(i)(II).
* * *
In 1992 the First National Bank of Keystone, then a small
rural bank in West Virginia, sought to increase its revenues,
launching an ambitious loan securitization program. The bank
bought subprime or high loan-to-value loans from large
originators throughout the country. It then pooled these loans
with loans it had originated itself. The bank bundled the loans
into securities and sold them to institutional investors.
Keystone hired asset servicers to collect the principal, interest,
and penalties on the loans and to issue monthly checks of
interest income to Keystone. By 1999 the bank’s assets of
approximately $100 million had apparently skyrocketed to
about $1 billion.
3
Examiners from the Office of the Comptroller of
Currency (“OCC”) scrutinized the bank’s records periodically
from 1992 through 1999. In a 1997 report, the examiners
criticized the accuracy of the bank’s statements and the
effectiveness of the securitization program’s management.
Using a standard rating system, the OCC gave the bank very
low marks for its overall condition and management quality.
Because of Keystone’s failure to address these concerns,
the OCC initiated an enforcement action against the bank in
May 1998. As a result, Keystone and the OCC formally
agreed that the bank would retain a nationally recognized
independent accounting firm to audit the bank’s mortgage
operations, assess the accuracy of its financial statements, and
determine the validity of the bank’s accounting for loans it
purchased and bundled into securities. In July 1998 the bank
hired Grant Thornton to conduct the agreed-upon external
audit. In April 1999 Grant Thornton issued its audit opinion.
The opinion acknowledged the firm’s duty to “obtain
reasonable assurance about whether [Keystone’s] financial
statements [for 1997 and 1998] are free of material
misstatement,” and in effect stated that it had found such
assurance.
In August 1999 OCC examiners uncovered Keystone’s
fraud. The bank had inflated its interest income by nearly $98
million and its assets by about $450 million. These $450
million in assets supposedly belonging to Keystone were in
reality those of another bank. The scheme masked the fact
that Keystone had been insolvent since 1996. Several
members of Keystone management were convicted of felonies
for falsifying bank financial records, loan servicer reports, and
remittances, as well as lying to auditors and regulators. After
the OCC determined that Keystone was insolvent, it closed
the bank.
4
On March 5, 2004 the OCC invoked the Financial
Institutions Reform, Recovery, and Enforcement Act
(“FIRREA”) of 1989, Pub. L. No. 101-73, 103 Stat. 183, and
initiated an administrative proceeding claiming that Grant
Thornton, in auditing Keystone’s financial statements, had
“recklessly engag[ed] in an unsafe or unsound practice in
conducting [Keystone’s] affairs.” 12 U.S.C. § 1818(b)(1); see
also §§ 1813(u)(4), 1818(i)(2)(B). The government’s
evidence showed, among other things, that Grant Thornton
had relied on oral representations as to Keystone’s ownership
of approximately $236 million of the $450 million at issue,
even in the face of written communications suggesting the
opposite. At the end of the hearing, however, the
administrative law judge recommended that all charges be
dismissed because she found that Grant Thornton had not
acted recklessly.
On December 7, 2006 the Comptroller rejected the ALJ’s
recommendation and fined Grant Thornton. Relying or
purporting to rely on the evidence introduced by Harry Potter,
the OCC’s audit wizard, the Comptroller found that Grant
Thornton participated in an unsafe or unsound practice by
recklessly failing to comply with GAAS in planning and
conducting the Keystone audit. In a cease and desist order,
the Comptroller limited Grant Thornton’s freedom to accept
and conduct audits independently, hire accountants, and
handle working papers.
Grant Thornton attacks the Comptroller’s decision and
orders on multiple grounds. We need address only one. We
find that the Comptroller exceeded his statutory authority in
characterizing Grant Thornton’s external auditing activity as
“participat[ing] in . . . [an] unsafe or unsound [banking]
practice,” see § 1813(u)(4), and as “engaging . . . in an unsafe
or unsound practice in conducting [Keystone’s] business,” see
5
§ 1818(b)(1), and in “conducting [Keystone’s] affairs,” see
§ 1818(i)(2)(B)(i)(II). Those conclusions end the case.
* * *
We review the OCC’s interpretation of FIRREA and
related statutory provisions de novo because multiple agencies
besides the Comptroller administer the act, including the
Board of Governors of the Federal Reserve Board, the Federal
Deposit Insurance Corporation, and the Office of Thrift
Supervision in the Treasury Department. See Proffitt v.
FDIC, 200 F.3d 855, 863 n.7 (D.C. Cir. 2000); Rapaport v.
Department of Treasury, 59 F.3d 212, 215-17 (D.C. Cir.
1995); Wachtel v. Office of Thrift Supervision, 982 F.2d 581,
585 (D.C. Cir. 1993) (“[§ 1818(b)] is … also administered by
the Federal Reserve Board, the Comptroller of the Currency,
and the FDIC, and thus deference under Chevron … is
inappropriate.”); see also Collins v. NTSB, 351 F.3d 1246,
1253 (D.C. Cir. 2003) (noting Congress’s observation that
“more than one agency may be an appropriate Federal
banking agency with respect to any given [type of banking]
institution,” citing § 1813(q)).
The relevant statutory structure is unusual to say the least.
It is a bit as if provisions penalizing theft started by defining a
“thief” as “a person who commits theft, to wit, one who
intentionally takes away the property of another,” etc., and
then imposed penalties on any “thief who intentionally takes
away the property of another,” etc. The upshot obviously
involves a good deal of linguistic duplication; and imposition
of a penalty requires that the accused be shown both to fit the
statutory definition and to have committed the acts actually
triggering punishment.
6
Here the crucial definition is that of an “institution-
affiliated party” (“IAP”), which includes
(4) any independent contractor (including any attorney,
appraiser, or accountant) who knowingly or recklessly
participates in –
…
(C) any unsafe or unsound practice, which caused or
is likely to cause more than a minimal financial loss
to or a significant adverse effect on, the insured
depository institution.
12 U.S.C. § 1813(u)(4). We assume without deciding that an
accounting firm like Grant Thornton can qualify as an
independent contractor.
The relevant substantive provisions of FIRREA echo the
definition. Under 12 U.S.C. § 1818(b)(1), the Comptroller of
the Currency may issue a cease-and-desist order if a bank or
IAP “is engaging or has engaged . . . in an unsafe or unsound
practice in conducting the business of [an] insured depository
institution”; and under § 1818(i)(2)(B)(i)(II) the Comptroller
may impose civil monetary penalties when a depository
institution or IAP “recklessly engages in an unsafe or unsound
practice in conducting the affairs of [an] insured depository
institution” which causes a more than minimal loss to the
bank or meets other aggravating circumstances.
While the definitional section doesn’t specify that the
accused must have engaged in the “unsafe or unsound
practice” in “conducting the business of” the bank,
§ 1818(b)(1), or in “conducting the affairs of” the bank,
§ 1818(i)(2)(B)(i)(II), the OCC doesn’t dispute that, to prevail
under the substantive provisions, it must show that Grant
7
Thornton’s audit activity amounted to such “conducting.” See
OCC Br. at 4.
Nor does the Comptroller contest that the phrase “unsafe
or unsound practices,” in all its appearances here, means
“unsafe or unsound banking practices.” The latter is, indeed,
the formulation that the Comptroller uses in his Notice of
Assessment of a Civil Monetary Penalty, at 17-18 and his
Final Decision and Order, at 17. That reading (besides being
undisputed and according with conventional banking
terminology) harmonizes the definitional section,
§ 1813(u)(4), with the two substantive sections penalizing one
who recklessly participates or engages in “an unsafe or
unsound practice in conducting the business” or “the affairs”
of a depository institution. § 1818(b)(1), (i)(2)(B)(i)(II).
Although the OCC’s Notice of Charges for Issuance of an
Order to Cease and Desist might be read as claiming that the
“unsafe or unsound practice” in which Grant Thornton
allegedly engaged was Keystone’s own fraud, see id. at 20, its
final decision identified the practice as Grant Thornton’s
conduct of the audit: “Clearly, Grant Thornton itself
‘participated’ in an unsafe or unsound practice when it
violated GAAS in carrying out its audit.” Final Decision and
Order, at 17; see also id. at 20. Thus, the Comptroller’s orders
rest on the idea that recklessly conducting a non-GAAS audit
of a bank constitutes participation in an unsafe or unsound
practice in conducting the business or affairs of the bank. But
however incompetently or recklessly the audit may have been
performed, conduct of the audit cannot be shoehorned into the
controlling statutory language.
First, Grant Thornton didn’t participate in an “unsafe or
unsound [banking] practice” because an audit of the sort
conducted here is not a banking practice. Grant Thornton was
fulfilling the classic reporting function of external auditors—
8
examining the company’s books from the outside and
verifying the accuracy of its records and the adequacy of its
internal controls. This sort of outside look into a bank’s
activity is not a “practice” of a depository institution or bank.
FIRREA defines a “depository institution” as “any bank or
savings association.” § 1813(c)(1). It defines a “bank” as
“any national bank and State bank, and any Federal branch
and insured branch.” § 1813 (a)(1)(A). As this definition is
in part circular, itself depending on the meaning of the word
“bank,” Congress evidently relied on common understanding
to fill the gap. The language of Webster’s Third New
International Dictionary (1981), identifying a bank as “an
establishment for the custody, loan, exchange, or issue of
money, for the extension of credit, and for facilitating the
transmission of funds by drafts or bills of exchange,” id. at
172, seems apt. A review of a bank’s books is quite distinct
from the “custody, loan, exchange, or issue … of money” or
“facilitating the transmission of funds.” Id. We do not
attempt to define the full universe of activities that encompass
“banking practices.” Yet we are certain that an external
auditor whose sole role is to verify a bank’s books cannot be
said to be engaging in a “banking practice.” We do not
answer the question of whether an internal auditor with an
equally limited role (if there be any such) is conducting the
bank’s business.
In oral argument, Comptroller’s counsel advanced the
idea that because § 1831m(f)(1) requires that banks, in order
to stay in business, undergo GAAS-compliant audits on an
annual basis, it follows that such audits are necessarily part of
a bank’s business. See Oral Argument, 45:24-45:38; see also
§ 1831m(a)-(f). This seems to us a complete non-sequitur.
That a bank must engage outsiders to perform services does
not necessarily turn such providers into bankers. In the case
of auditors, of course, the need to enlist their services comes
in part from the law, in part from the practicalities of raising
9
the bank’s own capital, but it is hard to see why the element of
legal compulsion should change the matter. It makes as much
sense to say that Grant Thornton was conducting Keystone’s
business as it is to say that an Underwriters Laboratories
representative who inspects a toaster is “engaged in
conducting the manufacture of toasters,” or that a Department
of Agriculture representative checking a smokehouse for
compliance with meat safety laws is “engaged in conducting
the operation of a smokehouse.”
Second, we have some assistance from the Supreme
Court on the meaning of a phrase closely parallel to those in
question here. In Reves v. Ernst & Young, 507 U.S. 170
(1993), the Court construed the following language from
RICO: “to conduct or participate, directly or indirectly, in the
conduct of [an enterprise’s] affairs.” Id. at 177-79 (discussing
18 U.S.C. § 1962(c)). Reasoning that Congress meant
something broader than “conduct [the enterprise’s] affairs,”
but narrower than merely “participate in [its] affairs,” the
Court concluded that a covered party “must have some part in
directing [the enterprise’s] affairs.” Id. at 179. Grant
Thornton played no such directive role in Keystone’s affairs.
A directing role can, of course, be a minor one. In
Cavallari v. Office of Comptroller of the Currency, 57 F.3d
137, 140-41 (2d Cir. 1995), the court affirmed the
Comptroller’s classification of an attorney as an IAP because
he provided oral and written advice to a bank that exchanging
loan guaranties, resulting in the bank’s gaining an interest in a
financially unsound company, was in the bank’s best interest.
The court’s holding also rested on the fact that the lawyer
drafted the paperwork needed to complete the transaction.
Thus he advised the bank, in a forward-looking capacity, on
how to conduct the bank’s own business—lending. By
actively encouraging a dubious transaction, he played a part in
conducting the bank’s business in a way that was “contrary to
10
accepted standards for banking operations.” Id. at 143. In
contrast, while Grant Thornton’s audit may have been
“strikingly incompetent,” as described at length by the
concurring opinion, it neither proffered advice on nor assumed
any directive role in Keystone’s conduct of its affairs. The
Comptroller nowhere suggests that Grant Thornton was in
cahoots with Keystone’s fraudulent managers.
Judge Henderson’s concurrence describes our opinion as
a “rejection” of accountant liability as an IAP under
§ 1818(b)(1) and § 1818(i)(2)(B)(i)(II). Op. of Henderson, J.,
at 2. Insofar as she may suggest a categorical rejection, the
description is wide of the mark. Our discussion above makes
clear that an accountant who plays an active role in directing a
bank’s unsafe or unsound practices, or its wrongful
transactions, as the lawyer in Cavallari did, can be sanctioned
as an IAP; he would then have actually participated in an
unsafe or unsound practice in conducting the business or
affairs of a bank.
The concurring opinion also invokes legislative history to
cast doubt either on our interpretation of the relevant
provisions, or possibly on our opinion’s non-existent
categorical rejection of accountant liability. In any event, the
proposed use of legislative history doesn’t work. First, the
text of the statute is clear enough that resort to legislative
history is unnecessary. See Claybrook v. Slater, 111 F.3d
904, 907 (D.C. Cir. 1997) (“If statutory language is clear … it
is both unnecessary and inappropriate to track legislative
history.”). Second, even if mining legislative history were
necessary to interpret the provisions, the section of the House
Report commenting directly on § 1813’s IAP definition
unsurprisingly tracks the statute’s actual language. It notes
that “[a]ppraisers, accountants, and attorneys have
participated in some of the serious misconduct in banks and
thrift institutions.” H.R. Rep. No. 101-54(I), at 466 (1989),
11
reprinted in 1989 U.S.C.C.A.N. 86, 262 (emphasis added);
see also id. (stating that independent contractors are liable
under the provisions “only if they participate in the conduct of
the affairs of . . . insured financial institutions”). Then it
distinguishes between an attorney who provides a bank advice
or services in good faith and an attorney who also “knowingly
participates in other activities which result in serious
misconduct,” saying that the former is not a target for
enforcement action, whereas the latter is. Id. at 467.
Third, the legislative history cited in the concurring
opinion, highlighting the role of “poor quality audit work” in
the banking scandals of the late 1980s, appears in the
preliminary, narrative sections of the House Report; it doesn’t
specifically comment on particular provisions of FIRREA, let
alone any part of §§ 1813 or 1818. Id. at 300-01. Nothing
links Congress’s apparent concern that poor auditing “delayed
regulatory action” and thus “raised the . . . cost of resolving
thrift failures” to the sections at issue here. Id. at 301.
Certainly other provisions of FIRREA seem responsive to this
general concern. Some, for example, imposed stricter
auditing requirements on banks and required banks to give the
Comptroller access to “books, records, accounts, reports, files,
and property . . . used by . . . an independent certified public
accountant retained to audit” banks or their funds. 12 U.S.C.
§ 1827(d)(2); see also 12 U.S.C. § 1441a(k)(1)(B) (1989) (a
FIRREA provision that contained language identical to that of
§ 1827(d)(2), though the language was removed in a 1991
amendment); FIRREA, §§ 220, 501. And Congress’s
commissioning of a feasibility report on means of enhancing
transparency between audits and the bank regulatory agencies,
id. § 1001, 12 U.S.C § 1811 note, also appears aimed in part
at reducing the risk of defective audits. In short, assigning the
provisions in dispute their ordinary-language meanings
creates no inconsistency with the House Report.
12
Finally, we note that Congress has given the Comptroller
wide latitude to punish accountants who transgress GAAS in
their audits of depository institutions:
In addition to any authority contained in [12 U.S.C.
§ 1818], the Corporation or an appropriate Federal
banking agency may remove, suspend, or bar an
independent public accountant, upon showing of good
cause, from performing audit services required by this
section.
12 U.S.C. § 1831m(g)(4)(A). While Congress added this
provision after adoption of FIRREA (as part of the Federal
Deposit Insurance Corporation Improvement Act, Pub. L. No.
102-242, § 36, 105 Stat. 2236, 2244 (1991)), its presence
makes clear that giving the words of FIRREA their ordinary
meaning leaves the banking authorities ample power to
sanction delinquent auditors. Here, of course, we need not
address the application of § 1831m(g)(4)(A) to Grant
Thornton, as the Comptroller has not tried to rest its case on
that section.
* * *
We vacate the Comptroller’s final decision and orders
for the reasons stated.
So ordered.
KAREN LECRAFT HENDERSON, Circuit Judge, concurring in
the judgment:
I agree with my colleagues that we should vacate the civil
monetary penalty and cease and desist order the Office of the
Comptroller of the Currency (OCC) imposed on Grant
Thornton; however, I am not persuaded by their reasoning and
therefore concur in the judgment only. The Congress enacted
the Financial Institution Reform, Recovery and Enforcement Act
of 1989 (FIRREA), Pub. L. 101-73, 103 Stat. 183 (1989), as a
direct response to the savings and loan crisis of the late 1980s.
See H.R. Rep. No 101-54, at 291–92 (1989), as reprinted in
1989 U.S.C.C.A.N. 87. The House Banking, Finance and Urban
Affairs Committee Report (House Report) accompanying the
legislation discusses the causes of that crisis. Among them, the
Report highlights “poor quality audit work” as one of the
primary ones. The House Report explains:
The public accounting industry and certified public
accountants (CPAs) played a major role in masking the
insolvency of many failed thrifts, and often did not
report fraud and insider abuse by thrift managements to
thrift regulators. In a study of failed S & L’s [sic] under
the supervision of the Federal Home Loan Bank of
Dallas, the GAO reported,
For six of the eleven failed S & L’s [sic] we
reviewed, CPA’s [sic] did not adequately audit
or report the S & L’s financial condition or
internal control problems in accordance with
professional standards.
Independent audits are an integral part of the system of
controls designed to identify and report problems in
thrift’s [sic] when they arise. A lack of professionalism
and poor quality audit work by CPA’s [sic] helped mask
the presence of fraud at a number of failed thrifts. In
many instances auditors did not notify regulators about
poor management practices at failing thrifts, which
2
ultimately delayed regulatory action against many
unscrupulous thrift managements. This delay has
significantly raised the . . . cost of resolving thrift
failures.
Id. at 301. In light of the Congress’s express conclusion that
“poor quality audit work” played a large role in causing the
savings and loan crisis, which crisis produced FIRREA, I cannot
join in the majority’s holding that “when an accounting firm
merely performs an external audit aimed solely at verifying the
accuracy of a bank’s books, it is not ‘participat[ing]’ or
‘engaging’ in ‘an unsafe or unsound practice in conducting the
business’ or ‘the affairs’ of the bank as those terms are used in
12 U.S.C. §§ 1813(u)(4)(C), 1818(b)(1), and
1818(i)(2)(B)(i)(II).” Maj. Op. at 2. As the majority itself
notes, the statutory interplay among these subsections is
“unusual to say the least” and “obviously involves a good deal
of linguistic duplication.” Maj. Op. at 5. But 12 U.S.C.
§ 1818(b)(1) and 12 U.S.C. § 1818(i)(2)(B)(i)(II) expressly
include an Institution Affiliated Party (IAP) within their
respective sanctions so that there must be some way in which an
IAP accountant “participates” or “engage[s]” in “an unsafe or
unsound practice in [the] conduct[]” of the “business”/“affairs”
of a bank. The Second Circuit has decided as much with regard
to an IAP attorney. Cavallari v. OCC, 57 F.3d 137, 142–43 (2d
Cir. 1995). Because an IAP accountant can be sanctioned under
section 1818(b)(1) and section 1818(i)(2)(B)(i)(II), I believe that
the majority’s rejection of such a result here is wrong.
The OCC’s sanctions levied against Grant Thornton should
nonetheless be vacated. The same House Report makes clear
that the Congress did not intend FIRREA to be used to levy a
firm-wide penalty against an IAP unless “most or many of the
managing partners or senior officers of the entity have
participated in some way in the egregious misconduct.” H.R.
3
Rep. No. 101-54, at 467. During the hearings before the House
Banking, Finance and Urban Affairs Committee (Committee),
several organizations, including the American Institute of
Certified Public Accountants and the American Bar
Association’s Business Law Section, expressed
[c]oncern . . . that [the OCC] could obtain enforcement
orders against a corporation, firm, or partnership, such as
a large accounting, appraisal, or law firm, since the term
“person” includes entities as well as individuals, and that
therefore enforcement orders would not be limited to
those individuals who may have been responsible for the
wrongful action.
Id. at 466–67. In response, the Committee explained:
[T]he Committee expects the [OCC] to limit
enforcement actions in the usual case to individuals who
have participated in the wrongful action, to prevent
unintended consequences or economic harm to innocent
third parties.
However the Committee strongly believes that [OCC]
should have the power to proceed against such entities if
most or many of the managing partners or senior
officers of the entity have participated in some way in
the egregious misconduct. For example, a removal and
prohibition order might be justified against the local
office of a national accounting firm if it could be shown
that a majority of the managing partners or senior
supervisory staff participated directly or indirectly in the
serious misconduct to an extent sufficient to give rise to
an order. Such an order might well be inappropriate if
it was taken against the entire national firm or other
geographic units of the firm, unless the headquarters or
4
these units were shown to have also participated, even if
only in a reviewing capacity.
Id. at 467 (emphases added).1 At the time of the Keystone audit,
Grant Thornton had approximately 300 partners and 3,500 other
employees in 40 offices throughout the United States. Hr’g Tr.
2160, Nov. 23, 2004. The failure of Grant Thornton’s Keystone
audit, however, was caused by the actions of only two
individuals. The OCC made no finding that the flaws in the
Keystone audit resulted from any systemic problem within Grant
Thornton. Nor is there any evidence in the record that “most or
many of the managing partners or senior officers of [Grant
Thornton] . . . participated . . . in the egregious misconduct”
which produced the deficient audit. See H.R. Rep. No. 101-54,
at 467. Therefore, I agree that the sanctions against Grant
Thornton should be vacated.
I also firmly disagree with the majority’s vacillating
assessment of the audit Grant Thornton conducted. See Maj.
Op. at 10 (“while Grant Thornton’s audit may have been
‘strikingly incompetent,’. . .” (emphasis added)). A fuller
exposition of the facts will prove my point: The First National
Bank of Keystone (Keystone) had operated for years as a small,
1
The OCC argues that this language limiting firm-wide liability
applies only to “12 U.S.C. § 1818(e)’s removal and prohibition
sanctions against professional firms . . . . There was no hint in the
House Report that professional firms were not subject to [other]
enforcement actions or that it would be inappropriate to impose non-
prohibition remedial actions and [civil monetary penalties] against
professional firms acting as IAPs.” OCC’s Br. 33. Not so. The
House Report makes clear that the discussion of removal and
prohibition sanctions is offered as simply one example of the “special”
circumstances under which firm-wide liability might be applied. See
H.R. Rep. No. 101-54(I), at 467.
5
community bank in Keystone, West Virginia. In the early
1990s, however, Keystone changed its business focus and
became heavily involved in the business of purchasing and
securitizing sub-prime mortgages. Its new business, so it
appeared, increased the value of its loan portfolio from $100
million in 1992 to over $1 billion by 1997. Reality was much
different—Keystone was losing money as it was being looted by
its management. To preserve the illusion of profitability,
Keystone’s management fraudulently misrepresented its
financial condition. At the center of the fraud was a business
arrangement Keystone entered into with United National Bank
(United) of Wheeling, West Virginia. Under the arrangement
Keystone was to act as a mortgage purchasing agent for United.
Keystone canvassed the market for available mortgages and
notified United on a daily basis of its findings. When suitable
mortgages were available, United provided Keystone with the
funds to purchase the mortgages on United’s behalf. Keystone
then arranged for two outside firms, Compu-Link and Advanta,
to service the mortgages for United while the mortgages were
prepared for securitization.2 After purchasing the mortgages
with funds provided by United and arranging for servicing and
securitization, Keystone included the mortgages on its books as
assets despite the fact that United owned them. See OCC Dec.
at 4–5.
During the 1990s, the OCC repeatedly investigated
Keystone. The investigations never uncovered the full extent of
the Keystone fraud; however, they did reveal irregularities in
Keystone’s management and accounting practices reflected in
the quarterly reports Keystone was required to file with the
2
In 1998 alone, Keystone purchased over $960 million in
mortgages for United.
6
OCC. On May 8, 1998 the OCC informed Keystone that it was
considering imposing a civil monetary penalty after Keystone
filed an inaccurate report for the third quarter of 1997; however,
Keystone forestalled the penalty by entering into a formal
Supervisory Agreement with the OCC which required Keystone
to strengthen internal accounting controls and retain a national
accounting firm to “audit the bank and correct the accounting
and internal control deficiencies” the OCC had noted during its
earlier examinations of Keystone. OCC Dec., Findings of Fact
(FF) 133.3
In July 1998, Keystone hired Grant Thornton to perform the
required audit. Before performing any work, Grant Thornton
representatives attended a meeting between the OCC and
Keystone to discuss the OCC’s earlier investigations of
Keystone. The OCC representatives explained that Keystone
had overstated its assets by about $90 million (almost 10% of its
reported assets) in three earlier quarterly reports. Grant
Thornton assigned one partner, Stanley Quay, and one associate,
Susan Buenger,—both from its Cincinnati office—to perform
3
The Supervisory Agreement required that Keystone retain a
national accounting firm to, inter alia,
(1) “perform an audit of the Bank’s mortgage banking
operations and determine the appropriateness of the Bank’s
accounting for purchased loans and all securitizations”;
(2) reconcile Keystone’s records and loan servicer records;
and
(3) assess the appropriateness of all carrying values of entries
on the balance sheet and income statement.
FF 133 (quoting OCC Ex. 353) (internal citations omitted).
7
the Keystone audit.4 During the pre-audit planning the two
became aware of several additional facts manifesting that the
Keystone audit required heightened scrutiny, to wit:
(1) in a short period of time Keystone had grown rapidly
in asset size and profitability (FF 82, 83); (2) Keystone
was heavily involved in significant and complex
securitizations (FF 82–114); Keystone faced significant
liquidity risk (FF 148, 149, 167); (4) Keystone was
troubled and undercapitalized (FF 135, 167); (5) Grant
Thornton had been retained by Keystone in order to
comply with the OCC Formal Agreement that required
the bank to retain an external auditor to resolve the
bank’s accounting inaccuracies and deficiencies and to
establish an internal control structure (FF 132–134); (6)
The OCC had just downgraded the bank to an
unacceptable composite “4” CAMELS rating, and
downgraded Keystone’s management to the lowest
rating of “5” (FF 150); (7) the FBI had investigated
[Keystone’s “senior vice president” and “controlling
officer”] Ms. Church with respect to illegal “kickbacks”
related to the bank’s residential lending (FF 171); (8)
Mr. Michael Graham, a vice president of KMC
[Keystone Management Company (a Keystone
subsidiary)], was cited by the OCC as being responsible
for an unexplained $31 million “input error” in the
bank’s accounting for residual assets (FF 139); (9)
Keystone recently had recorded ownership of $44
million in trust accounts even though they were not
4
At that time Quay had worked on over 600 financial institution
audits. Tr. 2159, Nov. 23, 2004. Buenger had over four years of
auditing experience with Grant Thornton. See Tr. 2590, Nov. 24,
2004.
8
Keystone assets (FF 139); (10) Keystone also recently
had claimed ownership of $16 million in residual
interests in securitizations even though Keystone had
pledged those interests to other parties (FF 139); (11) the
bank had a history of filing inaccurate Call Reports, key
insiders had been assessed CMPs [civil monetary
penalties] in connection with those inaccuracies, and the
OCC was considering additional CMPs against these
same insiders (FF 151); and (12) the OCC examiners
had accused Ms. Church of manipulating Call Reports so
that the bank’s “well capitalized” status under FDICIA
[the Federal Deposit Insurance Corporation
Improvement Act] continued to be reported even though
inaccurate (FF 140).
OCC Dec. 10–11. Despite these obvious red flags, Quay and
Buenger began with what Grant Thornton’s audit manual termed
a “Basic” audit. FF 176–77, 182–83. Performing only a
“Basic” audit, Quay and Buenger were to (1) obtain written
confirmation from Compu-Link and Advanta that they were in
fact servicing the loans Keystone had reported on its balance
sheet and (2) verify Keystone’s claimed $98 million in interest
income for the year 1998.5 The original Keystone audit plan
called only for a “test of reasonableness.” OCC Dec. 38. At
5
Interest income can be verified in at least two different ways. See
OCC Dec. 27–28 (discussing tests). The first method, a “test of
reasonableness,” requires only that the auditor examine the bank’s
self-reported figures and evaluate their reasonableness based on
“expected relationships” with other information in the bank’s financial
statements. See FF 66–68, 180. The more searching method, a “test
of details,” requires the auditor to review the bank’s “primary financial
documents such as . . . remittances and cash receipts” and to “trace[]
those items into bank records.” FF 63–65.
9
some point after the audit plan was prepared, however, a Grant
Thornton supervisor in a different local office reviewed the plan
and determined that Keystone should be classified “maximum
risk.” See FF 184, 186, 188. According to Grant Thornton’s
audit manual, in auditing a maximum risk client, an auditor is
required to perform a “Comprehensive” audit, including a “test
of details” to verify the accuracy of the client’s interest income.
FF 185–89. Despite Keystone’s classification as “maximum
risk,” the original audit plan was not amended and Quay and
Buenger proceeded with the “Basic” audit.
At the commencement of the audit, Buenger attempted to
independently verify the size of Keystone’s mortgage portfolio.
Keystone’s records indicated that, as of December 31, 1998,
Compu-Link and Advanta had serviced Keystone-owned
accounts worth, according to Keystone, approximately $227.2
million and $242.6 million respectively. In reality, however,
Compu-Link had serviced approximately $14 million in
Keystone accounts and Advanta had serviced approximately
$6.3 million. Buenger asked Compu-Link and Advanta in
writing to verify the size of Keystone’s loan portfolios. Compu-
Link verified, without explanation, that it had serviced just over
$227 million “of Keystone loans.”6
After receiving no response from Advanta for several weeks,
Buenger followed up by telephone and fax. The Advanta
manager in charge of the Keystone accounts, Patricia Ramirez,
then sent Buenger a statement via FedEx indicating that Advanta
had serviced only approximately $6.3 million in Keystone
6
The Administrative Law Judge suggested that the reason for the
discrepancy was that Keystone management influenced Compu-Link
to pool the Keystone and United accounts when responding to Grant
Thornton’s request. See ALJ Dec. 9–10.
10
mortgages in 1998—a figure less than 1/38 of the $242 million
Keystone reported.7 Several weeks later Buenger again
telephoned Ramirez. Ramirez told Buenger that she had located
another pool of “Keystone” mortgages worth approximately
$236 million. Immediately after the call, however, Ramirez
emailed Buenger stating that the $236 million in mortgages were
owned by “Investor # 406,” identified in the email as “United
National Bank.” Notwithstanding the titanic discrepancy,
Buenger did not request a written clarification as required under
Generally Accepted Auditing Standards (GAAS).8 Instead,
relying on the earlier telephone call with Ramirez, Buenger
simply concluded that the $242 million figure was accurate.
7
Most of the mortgages were “high-loan-to value . . . second and
third mortgage loans.” FF 83.
8
The American Institute of Certified Public Accountants (AICPA)
adopted Generally Accepted Auditing Standards to govern the
performance of a financial audit. See Ferriso v. NLRB, 125 F.3d 865,
871 (D.C. Cir. 1997). Under 12 U.S.C. § 1831m(f)(1) an auditor
examining a federally insured depository institution is required to
comply with GAAS. GAAS requires, inter alia, that an auditor
exercise “due professional care” and “professional skepticism” in
conducting an audit. See GAAS § .02 (2007); AICPA, Codification
of Statements on Auditing Standards (AU) § 230.07 (2007). GAAS
also specifies that “[w]henever the auditor has concluded that there is
significant risk of material misstatement . . . of the financial statements
. . . more experienced personnel[,] more extensive supervision [or] . . .
expand[ed] . . . [auditing] procedures” may be required. See AU
§ 312A.17. GAAS also requires that all “significant” confirmations
of financial data be obtained in writing. See AU § 330.29. Buenger’s
reliance on her telephone conversation with Ramirez that Ramirez had
located an additional $236 million in “Keystone loans” flagrantly
violated the requirement that all “significant” confirmations of
financial data be in writing.
11
This was only the most eye-popping deficiency in the
Keystone audit. Despite Keystone’s classification as “maximum
risk,” Quay and Buenger used only the “test of reasonableness”
to verify Keystone’s self-reported interest income figures. Their
test of “reasonableness” was based on fraudulent financial
information Buenger obtained directly from Keystone. They
made no effort to independently verify the accuracy of the
figures as they were required to do under GAAS and Grant
Thornton’s own internal audit manual.9 In reality almost the
entire $98 million that Keystone reported in interest income for
1998 did not exist—a fact that could have quickly been verified
by requesting the monthly remittances Keystone received from
its loan servicers.10 See FF 220–27. Nor does it appear that the
9
See, e.g., FF 225 (“Grant Thornton did not follow the
requirements of its audit manual to conduct a ‘Comprehensive’ audit
that called for primary reliance upon a ‘test of details’ in connection
with the audit of interest income from loans serviced by third-party
servicers.”); FF 230 (“Before an analytical test could be used for
substantive purposes in place of a ‘test of details,’ GAAS, as described
in Grant Thornton’s auditing manual, required Grant Thornton’s
auditors to identify and describe the internal controls pertinent to the
assertions to be audited, test the controls to be relied upon, and
re-evaluate such controls in light of the results to determine if reliance
would be warranted.”); FF 232 (“Where an entity’s internal controls
have not been tested for reliability, GAAS imposes a duty upon the
auditor to independently verify all financial data generated internally
or otherwise provided by the client’s management before that data
may be used for auditing purposes.”); see also FF 166, 179, 185–86,
233–36.
10
Had Quay and Buenger applied a “test of details” instead of a
“test of reasonableness,” they would have almost certainly detected the
Keystone fraud. When, some months after the Grant Thornton audit,
the OCC learned from Compu-Link and Advanta that Keystone’s
12
auditors confirmed that any of the reported interest income was
in fact deposited in Keystone’s account by reviewing Keystone’s
general ledger. Compare Tr. 2502–10, Nov. 24, 2004 with FF
257.
Having failed to detect the Keystone fraud, Grant Thornton
issued an unqualified audit opinion in April 1999 confirming
that “the audit had been conducted pursuant to GAAS and that
Grant Thornton had obtained reasonable assurance that the
bank’s financial statements were free from material
misstatements.” FF 253. Only four months later, however—in
August 1999—OCC examiners discovered that Keystone had
fraudulently reported over $98 million in interest income, FF
259, and over $450 million in assets (approximately 50% of the
total assets reported by Keystone), id., and was “hopelessly
insolvent,” OCC Dec. 1. In September 1999, OCC ordered
Keystone closed and appointed the Federal Deposit Insurance
Corporation (FDIC) as receiver. The Keystone collapse cost
the FDIC approximately $600 million to resolve.11 Tr. 351,
Nov. 12, 2004.
The conduct of the two Grant Thornton auditors can only be
described as strikingly incompetent. They failed to comply with
GAAS as required under 12 U.S.C. § 1831m(f)(1). They failed
to assess, in Grant Thornton’s own words, the “maximum risk”
mortgage portfolios were grossly overstated, the OCC contacted Grant
Thornton. Grant Thornton performed a “test of details” and uncovered
the fraud in under one hour. See OCC. Dec. 30 (citing FF 226).
11
Recent litigation in the District of West Virginia resulted in the
entry of a $25 million judgment against Grant Thornton for losses that
“ ‘but for’ Grant Thornton’s gross negligence, the FDIC would have
avoided.” Grant Thornton LLP v. FDIC, Nos. 1:00-0655 et al., 2007
U.S. Dist. LEXIS 19379, at *100 (D. W. Va. Mar. 14, 2007).
13
Keystone represented. They relied upon a telephone
conversation regarding the loan amount Advanta had serviced
despite the fact that Advanta advised them in writing at least
twice that Advanta had serviced only a fraction of the amount of
loans Keystone’s records showed. They failed to amend their
audit plan to require a “test of details”—in violation of Grant
Thornton’s own manual—after Keystone was classified a
“maximum risk” audit.
Accountants and auditors perform a critical role in insuring
the integrity of financial institutions. See H.R. Rep. No. 101-54,
at 301 (“Independent audits are an integral part of the system of
controls designed to identify and report problems in thrift’s [sic]
when they arise.”). Although I recognize that “[a]uditors do not
function as insurers and their reports do not constitute a
guarantee,” OCC Dec. 2, nonetheless “bank regulators, the
bank’s shareholders and the public,” id., expect to rely on an
auditor’s professional competence and deserve better than what
happened here.