FDIC Bank-Fintech Recordkeeping Regulations Leave Unanswered Questions

WASHINGTON — Experts are warning that post-Synapse bankruptcy rules that hold banks accountable for the money fintechs place with them may keep consumers’ funds safe, but they could also create huge problems for banks.

If banks are held accountable for tracking the deposit accounts they hold for their financial technology partners, they could avoid much of the customer disappointment that came with last year’s bankruptcy of middleware provider Synapse. But new Federal Deposit Insurance Corp. rules could also make it harder for banks and financial technology companies to work together, banking lawyers and trade groups say.

The recently unveiled FDIC proposal requires banks to keep detailed records of the beneficial owners of deposit accounts. If a bank fails, the provision can ensure that deposit insurance can be accurately allocated. Banks must enter into agreements with partners, including fintechs, to provide them with the necessary data to track the ownership of funds, especially for high-activity accounts used for frequent transactions.

Regulators are increasingly concerned about bank-fintech partnerships, which often blur the lines between traditional deposit-taking institutions and nonbanks. In such arrangements, fintechs often handle sensitive activities such as payments, lending and deposit management on behalf of banks. In July, three federal banking agencies issued guidelines advising banks on risk management in fintech partnerships. This week, the comment period was extended after groups representing the banking and fintech sectors asked for more time to provide feedback.

The proposed rules aim to take the next step by requiring banks and their partners to keep more accurate records and ensure the traceability of funds.

In April, the middleware provider Financial Synapse came under public scrutiny after filing for bankruptcy. The legal proceedings led to accusations that it did not keep accurate records of which clients were owed money from trust accounts and that it did not properly reconcile transactions with client data.

Synapse partnered with several banks to offer banking products, such as accounts and cards, using these trust accounts to manage funds. However, Synapse’s banking partners failed to verify that Synapse kept the necessary records. When the fintech filed for bankruptcy and closed its systems, the banks were unable to access the information needed to determine how much each customer was owed from the trust accounts.

Why this rule can cause problems

Ian P. Moloney, senior vice president and head of policy and regulation at the American Fintech Council, said that while the FDIC initiative is well-intentioned, the proposed trust account rules could end up being an overcorrection.

“Rather than creating additional regulatory burdens to combat specific problems identified by the agency, we need a new set of standards based on interdisciplinary dialogue and lessons learned from past successes and challenges,” he said. “We are optimistic that existing industry approaches, in close collaboration with regulators, are the most effective way to restore trust in these partnerships.”

The solution might be better control of banks, not more regulation.

One of the main problems with Synapse’s collapse was that partner banks had transferred full management and control of the product or service to Synapse, said Ryan Richardson, a partner at Davis Wright Tremaine. When bank balances suddenly stopped being recorded, it highlighted the risks of fintech-bank partnerships that allow fintechs to operate without full oversight, ultimately causing both the bank and the third party to suffer the consequences.

“Intermediary firms like Synapse don’t sell a bank partner’s products directly to the businesses or consumers who will use that bank partner’s products; instead, they sell them to other fintech firms and merchants, who in turn sell the bank partner’s products and services to their business or consumer customers,” he said. “This web of relationships introduces significant complexity and risk into the ecosystem, and banks that want to support these complex arrangements need controls that are commensurate with the complexity of the arrangements they support.”

The regulations increase the ability to track deposit accounts while creating new hurdles for regulated entities, said Kelly A. Brown, president and CEO of brokerage firm Ampersand.

“Requiring banks to identify and maintain detailed beneficial ownership information can reduce the risk of misallocated or uninsured deposits, particularly in complex third-party arrangements such as those with fintech firms or non-banks,” she said. “However, the increased compliance burden could also create operational challenges for banks, potentially discouraging partnerships with fintech firms, and there is concern that rapid implementation could lead to unintended consequences.”

Parts of the rule, such as data collection and daily reconciliations of customer balances, are designed to ensure accurate records, which is helpful, said Grant Butler, a partner at K&L Gates. But he believes the proposal may be an overreaction to an isolated incident, and he’s not convinced Synapse has exposed a broader regulatory problem.

“The question is whether these requirements are appropriately calibrated to the risk,” he said. “Custodial deposit agreements have operated for decades without the issues discussed in the proposed rule, including the types of custodial accounts excluded from the proposed rule, without specifically identifying the detailed requirements.”

Casey Jennings of Seward & Kissel says the proposal was expedited by regulators looking to respond to the ongoing Synapse disaster. He acknowledged that the proposal is relatively narrow in scope, excluding partnerships such as broker-dealer sweep deposits and deposits through bank networks, but he believes it creates unnecessary confusion.

New Rules vs. Old Rules

Jennings noted that the proposal does not explain how the new recordkeeping requirements interact with existing rules under Part 370 of the FDIC regulations, a section that allows banks to rely on custodian recordkeeping, while the proposal places the recordkeeping requirement on banks.

“The proposal does not reconcile this philosophical difference, nor does it reconcile the practical overlap,” he said. “It is (also) unclear whether, under the proposal, beneficial owners now become ‘customers’ of the bank under the Bank Secrecy Act, which could have significant practical implications.”

Part 370 applies to banks with a large number of deposit accounts. As the FDIC noted in its proposal, many institutions that do business with fintechs do not meet the compliance threshold. Butler says he doubts the FDIC would significantly change the existing Part 370 requirements beyond minor tweaks.

“For institutions that would have to comply with each rule, the differences in the requirements of each rule would result in compliance and operational burdens,” he said. “The FDIC anticipates and attempts to address these concerns by expressing the view that the proposed rule is complementary to the requirements of Part 370 and that it will consider whether amendments to Part 370 are warranted.”

Richardson said that while the two requirements do not conflict, the FDIC should focus on this imposition when developing the final recordkeeping rule.

“I agree that the final rule needs to be more explicit about its relationship to Part 370, which governs account recordkeeping for deposit insurance purposes and has some relationship to certain types of custodial accounts,” he said. “I don’t necessarily think the proposed rule and Part 370 are in direct conflict, but the industry needs to understand how the FDIC expects banks to comply with both provisions simultaneously if required.”

Too little, too late?

Dennis Merkley, banking general counsel at Howard & Howard, said recordkeeping security measures may not be enough to prevent another middleware disaster. He suggested that recordkeeping problems in the fintech industry may still be lurking, undetected, and could pose a future risk.

“If there are other middleware companies with data storage issues like Synapse, implementing the proposed rule will theoretically expose that, but it may be too late,” he said. “If the data isn’t in place or can’t be identified through a forensic audit, it’s only a matter of time before that middleware company goes under, too.”

Others, like Richardson, argued that the financial industry consensus was that much of the Synapse disaster could have been prevented and that the proposed regulations, if finalized, would be an important step toward preventing it from happening again.

“One thing he doesn’t address — and perhaps can’t address — is how banks should expect fintechs to provide ledgers and reconciliation data if the fintech simply no longer exists, employees have packed up and gone home, and systems are down or no longer being maintained,” he noted. “This has been, and continues to be, a difficult part of business continuity planning for banks and their relationships with third parties — whether it’s a fintech, a software or hardware provider, or a shipping service that moves cash between traditional branches… fintechs are the latest weakness in this saga, but the problem is the same.”

Leel Sinai, legal counsel in the finance department at Haynes Boone, emphasized that the decision to maintain records now lies with banks, as they can no longer outsource compliance matters to fintech companies.

“The compliance burden would be much higher for banks, and fintech firms would have to be prepared to make concessions to banks to ensure that FBO agreements meet applicable regulatory requirements,” he said. “The (role) agreement would need to ensure that third parties maintain accurate records, conduct daily reconciliations and implement internal controls.”