Synapse Failure Spurs FDIC To Specify Record Keeping for Bank Sponsored Fintechs

The Federal Deposit Insurance Corporation (“FDIC”) has proposed that insured depository institutions ("IDIs") be required to keep records of individual accounts that are typically held in pooled custodial accounts that support prepaid card programs, wallets and other depository and payment services provided to customers through fintechs.^[1]While many, perhaps most, relationships between fintechs and their depository IDIs specify that records be kept by the fintech at the subaccount level, this recordkeeping stemmed from FDIC regulations governing pass-through FDIC insurance. Compliance with those regulations was optional and required if the IDI and fintech wanted so-called “pass-through” coverage in which the FDIC insurance coverage limit of $250,000 would apply to each individual subaccount held in the custodial pooled account instead of to the total funds held in the pool.^[2]Those regulations currently require only identification of the parties to the subaccounts and their interests in the account. Many but not all prepaid card and other fintech products offer FDIC insurance at the subaccount level. This proposed rule would make such accounting mandatory for IDIs offering pooled custodial accounts with “transactional features” to qualify for pass-through insurance coverage.^[3]The list of exceptions to the proposed rule’s coverage makes it clear that the rule is aimed squarely at prepaid cards and other fintech depository services. The proposed rule goes far beyond the current requirements for pass-through insurance and may impose substantial systems development, operational, procedural and training burdens even on IDIs currently offering “custodial accounts with transactional features.”

What Would Be Required?

The proposal specifies:

1. certain data elements;
2. specific electronic formatting of records;
3. daily reconciliation of accounts at the subaccount level;
4. documented internal controls;
5. written policies and procedures;
6. contractual provisions that must be included in agreements with third parties in connection with covered accounts, including such contracts with processors, software vendors and program managers;
7. systems providing the IDI “direct, continuous and unrestricted” access to electronic records maintained by a third party, including access during business interruption events;
8. annual independent validation by the IDI or a third party of recordkeeping by third party service providers;
9. annual certification of compliance by the IDI’s CEO, COO or most senior officer stating that the IDI has implemented and tested the recordkeeping requirements; and
10. annual reporting to the FDIC and the IDIs’ federal functional regulators, including
    1. material changes to the supporting IT systems;
    2. lists of account holders that maintain custodial depository accounts and the total number of beneficial owners;
    3. results of the IDI’s testing of recordkeeping requirements; and
    4. results of independent validation of records maintained by third parties.^[4]

The rule would be enforced through the supervisory process applicable to each IDI, including cease and desist and civil penalties pursuant to 12 U.S.C. §1818. The rule would not impact other recordkeeping requirements.

Why?

As the immediate reason for the rules proposal, the FDIC cites its difficulties in providing FDIC-insured accountholders prompt access to their funds that resulted from the recent bankruptcy of Synapse Financial Technologies, Inc., as follows:

“[T]he bankruptcy of Synapse Financial Technologies, Inc. (Synapse), a technology company that worked with several IDIs [insured depository institutions] and numerous financial technology (fintech) companies, has affected the ability of consumers to access funds placed at IDIs for a number of months, resulting in significant and ongoing harm to those consumers. In many cases, it was advertised that the funds were FDIC-insured, and consumers may have believed that their funds would remain safe and accessible due to representations made regarding placement of those funds in IDIs. Consumers have been unable to access their funds at IDIs for an extended period of time while the IDIs attempt to determine ownership of the funds deposited by fintechs. Since May 2024, the FDIC National Center for Consumer and Depositor Assistance has received more than a thousand inquiries, complaints, and concerns from consumers regarding the Synapse bankruptcy. Published reports further suggest that some of those consumers affected by the Synapse bankruptcy had placed the funds in accounts through a fintech that they used for day-today living expenses thereby intensifying the effect of their loss of access.”^[5]

The FDIC estimates that this particular bit of fallout from the Synapse bankruptcy, i.e., compliance with the proposed rule, will cost the U.S. banking system as a whole $250 million in the first year and $120 million in each subsequent year.^[6]

Which IDIs Are Covered?

All FDIC insured IDIs that provide custodial accounts with transactional features that are not explicitly exempt from the rule.^[7]

Which Accounts Are Covered?

A “custodial deposit account” arrangement, for purposes of this proposal, is a relationship where one party is responsible for opening a deposit account at an IDI on behalf of others, who may own the funds but often lack a direct relationship with the IDI.

The term “custodial deposit accounts with transactional features” would be defined as a deposit account that meets three requirements: (1) the account is established for the benefit of beneficial owner(s); (2) the account holds commingled deposits of multiple beneficial owners; and (3) a beneficial owner may authorize or direct a transfer through the account holder from the account to a party other than the account holder or beneficial owner.^[8]

“Beneficial owner” is defined as “a person or entity that owns, under applicable law, the funds in a custodial deposit account.” The NPR clarifies that the definition of “beneficial owner” for purposes of the proposed rule is based on the definition used for deposit insurance coverage under 12 CFR part §330.5, which is not the same as definitions of “beneficial owner” under the Bank Secrecy Act, the Corporate Transparency Act or the Customer Due Diligence rule, which relate to the beneficial owners of entities rather than of accounts.^[9]

The proposed rule would apply to such accounts already in existence as well as newly opened accounts.^[10]

What Exemptions Would Apply?

The proposed rule would not apply to custodial accounts:

• that hold only trust accounts as defined in the FDIC deposit insurance regulations;
• established by government depositors;
• established by broker dealers under the SEC Act of 1934 and investment advisors under Investment Advisors Act of 1940;
• established by attorneys on behalf of clients (IOLTA accounts);
• maintained in connection with certain employee benefit plans;
• maintained by real estate brokers, agents, title companies and qualified intermediaries under the Internal Revenue Code;
• established by a mortgage service company in a custodial or other fiduciary capacity;
• where Federal or State law prohibits the disclosure of identities of the beneficial owners (which the FDIC expects to be rare);
• established pursuant to an agreement for a deposit placement network or reciprocal network, unless beneficial owners are afforded transactional features; and
• established to hold security deposits for home ownership, condominium or commercial or leasehold interests.^[11]

When Would the Requirements Take Effect?

The proposed rule would take effect upon adoption of the final rule, but the first certification of compliance by a covered IDI’s senior officer would be required one year after the effective date of the final rule.

When Is the Deadline for Comments?

Comments must be received by the date 60 days after publication of the Notice of Proposed Rulemaking in the Federal Register.  The FDIC requests comments on all aspects of the proposal and poses a substantial list of topics on which it particularly seeks comments.^[12]

What Else?

Misuse of FDIC logo and legends. As noted above in relation to the FDIC’s view of the Synapse bankruptcy, the FDIC is also concerned about misleading uses of the FDIC logo and other indicia of FDIC insurance coverage. The FDIC repeatedly cited misuse of the insurance indicia to state or imply that a consumer is protected from financial failure of a fintech company, such as Synapse, whereas FDIC insurance only covers failure of the insured financial institution. The FDIC also expressed concern about other misuses of its logos and legends to inaccurately indicate insurance coverage of fintech activities or accounts. The FDIC indicated that such misuses may be addressed through the supervisory powers and are also subject to enforcement by the FDIC pursuant to its authority under section 8 of the Federal Deposit Insurance Act, which may include cease-and-desist orders and civil money penalties.^[13]

Portability of Accounts. The FDIC points out that the standardization of account data elements and electronic file formats will “reduce the IDI’s costs of partnering with additional non-banks, and vice versa, since such a partnership would not require the development of a bespoke information management system for affected custodial deposit accounts.”^[14] Although not discussed by the FDIC in its NPR, such standardization of subaccount records might also increase competition among IDIs for program manager and other fintech relationships, since presumably, such accounts would be easier to move from one processing system to another, removing one costly barrier to switching sponsor banks.