When Synapse Financial Technologies declared bankruptcy in April, the financial industry was still reeling from the Silicon Valley Bank failure the year before and the subsequent run on some banks.
Synapse’s failure highlighted some of the key risks inherent in fintech programs that rely on a “for the benefit of” account. These are a type of custodial deposit account where a third party (which can be the bank itself) opens and maintains the account at a bank for the benefit of another party.
Fintech platforms offering deposit accounts often open FBO accounts at partner banks to hold their end customer funds, which are reflected as a single account on the bank’s records but hold a pool of funds for many end users. Typically, a third party maintains detailed customer and transaction records in its systems.
When a bank fails, access to deposit accounts is usually frozen until the Federal Deposit Insurance Corp. can assess the insurance requirements. The agency needs quick access to detailed and accurate end-customer account information from the third party’s systems.
However, the Synapse turmoil brought the other side of the coin to the forefront – what happens when the third party managing an FBO account fails and its records become irreconcilable or unavailable? This scenario has created significant challenges at Synapse’s partner banks, leaving some end customers without access to their funds even months later.
On April 22, Synapse filed for Chapter 11. By May 11, its four partner banks had lost access to the middleware provider’s records and were unable to identify end-users for fund withdrawals. According to the Sept. 12 Trustee report, of the $219 million in custodial FBO accounts, $165 million, or 75%, has been distributed to end-users, with $54 million, or 25%, remaining. A recent report from law firm Troutman Pepper identified a $65-$95 million shortfall between bank-held funds and amounts owed to fintech end-users, with unclear responsibility for making customers whole.
“FBO accounts are not inherently the problem. They have been used for years to support critical banking services and should remain a feature of our banking landscape,” Patrick Haggerty, senior director at financial services advisory firm Klaros Group, said in an email. “That said, as use cases have proliferated, so have risks. Banks offering FBO accounts should expect to face enhanced regulatory scrutiny. Expectations are rising, particularly with respect to contingency planning and financial controls.”
Amid the Synapse ordeal, the FDIC proposed a recordkeeping rule last month to bolster recordkeeping for bank deposits received from third-party or non-bank entities that accept those deposits on behalf of consumers and businesses. The proposal aims to address the risks related to these third-party arrangements, like faulty account ledgering, and protect depositors.
Troutman Pepper’s report analyzed the root causes of Synapse’s collapse and the lessons learned that can be kept in mind to avoid future failures.
Multiple entities, account types
Synapse operated from multiple entities and accounts, including Synapse Brokerage, after acquiring a small broker-dealer firm. The new modular banking product opened cash brokerage accounts for its over 100 fintech partners at four banks. Synapse encouraged fintechs to use the product as it facilitated funds to move freely between the different banks.
The middleware provider gave assurances that it knew where the money was and that its strategy to segment and distribute services across multiple banks was to keep each partner bank oblivious to what fraction of the whole deposit base the bank held, according to the report. Synapse pushed modular banking even on existing fintechs that had signed up for the direct model, and reportedly moved some fintechs’ end-users’ funds into its brokerage unit without authorization.
“The money is in the bank,” Matthew Bornfreund, partner at Troutman Pepper, told Banking Dive, adding that banks are responsible for keeping track of who owns that money.
“Banks have long been allowed to outsource responsibilities and hire vendors,” Bornfreund said. “But the bank is also the party that's insured by the [Federal Deposit Insurance Corporation], and so if the FDIC is wanting to make sure that they know whose deposits are connected, it makes sense that the party that's the assured party is the one that's responsible for keeping those records.”
When a bank and fintech team up, it is essential that both adhere to the third-party risk management guidance issued last month, understand the account agreements governing the partnership, comply with the FDIC’s false advertising rule, and seek ways to evaluate and improve account ledgering practices consistent with the final FDIC recordkeeping rule.
Since partnership agreements are foundational, they should clearly delineate respective roles and responsibilities. Banks should ensure that the agreements detail their robust oversight mechanisms to monitor the fintech partner’s activities, and specify the frequency and scope of reporting to the bank, periodic audits, the criteria for evaluating the partner’s performance, and the process to be followed in case of discrepancies or violations, the report recommended.
Account ledgering irregularities
Another important lesson learned: fintech relationships involve a wide range of account types and structures and access to FBO account ledgers is necessary, but FBO account ledgers are not adequate to identify and correct ledgering irregularities.
In response to the ledgering issues, the FDIC has proposed new reconciliation requirements for “custodial deposit accounts with transactional features.” The proposed recordkeeping rule mandates that the bank maintain “direct, continuous, and unrestricted access to the records” of any third party maintaining ledgers for CDAWTFs.
However, the Troutman Pepper report argues that “third-party ledger accounts” is a better term because it captures more accurately the risks involved when the bank does not directly maintain its ledgers and can be applied to any type of account, not limiting it to custodial accounts.
Banks also need to focus on “ledgering hygiene,” requiring fintechs to have separate accounts that more clearly define funds for customers, operations, payment fees to third parties, contingency reserves, and network settlement.
Banks should distinguish individually identified sub-accounts from general pooled accounts, especially when middleware companies like Synapse are involved, the report recommended. However, the report found that the FDIC’s recordkeeping rule does not consider sub-accounts, a common feature of fintech partnerships. Middleware providers help bridge the gap between legacy banks and fintechs using the latest technology.
Partner bank lapses
Banks and fintechs should have a contingency plan in case the partnerships fail. Those plans should anticipate the operational risk related to an account ledger outage, identify ways to mitigate risk, and deploy reserves to make end-users whole in such an emergency.
After Synapse failed, Evolve Bank & Trust was issued a cease-and-desist order by the Federal Reserve, around two months after Synapse declared bankruptcy; the order stemmed from a review conducted in early 2023. Another partner bank, Lineage Bank, was issued a consent order by the FDIC at the end of January this year. Though the timing of the earlier exam was not specified in either case, it was apparent that the partner banks knew about the compliance issues related to their middleware provider, Synapse.
The consent orders against two of Synapse’s partner banks related to their board governance and BSA/AML issues without detailing the underlying issues, which might cloud those partner banks’ relationships with other parties apart from Synapse.
A different ledgering solution is needed to track the flow of funds throughout any multi-party bank-fintech partnership ecosystem, the report said.
Regulatory lapses
Regulators must prioritize the most critical risks when handing over a consent order to a bank, move away from a “check-the-box” supervision model, and lean toward a “risk-based” supervision model, the report said.
Regulators have highlighted the complexity of banking-as-a-service arrangements and disclaimed supervisory responsibility for regulating the nonbanks involved. To address this issue, supervisory processes could be updated to more directly engage with the banks' fintech partners, enabling earlier identification of risks using technology and allowing the bank and fintech to take corrective action, the report indicated.
Another question the report raised, pointing to over 300 days’ delay between an actual reported exam and issuance of a consent order, was whether supervisors need additional resources to work more efficiently.
“How do the [Financial Industry Regulatory Authority] and the banking regulator teams work together?” Alexandra Steinberg Barrage, partner at Troutman Pepper, noted. In the case of Synapse, there was a broker, “but was there coordination about what the broker was actually doing, or what their modular banking business model really was?” she said, adding that it’s hard to know since there’s not much information available.
Gross mismanagement
Qualified staff are crucial to effective bank-fintech partnerships, and fintechs’ priority of speed to market might conflict with compliance requirements, the report found. In bank-fintech partnerships, fintechs need leadership with deep risk management and bank supervision expertise and a strong compliance focus, regular and adequate training programs, and interdisciplinary teams, the report said.
Interagency guidance, too, requires banks to assess fintech partners' staffing depth and expertise, ensure their own staff has the necessary knowledge for risk management, and evaluate the qualifications of key personnel.
“Right now, the industry is already taking really important steps to create standards that would bind them, because right now they don't get supervised or examined by the banking regulators; yet, they're so integral to the bank's functioning of these programs,” Steinberg Barrage said.
“So as the next step … we are working with people on the bank side and the tech side that are very focused on best practices, developing this ultimately with a view towards keeping the industry accountable,” she said, “and I think it is absolutely the right time for it to be happening.”