On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) rulemaking board proposed new recordkeeping rules intended to bolster the FDIC’s ability to make deposit insurance determinations for accounts that are the product of a partnership between an FDIC-insured depository institution (IDI) and a financial technology company (fintech). However, despite the proposed rule’s focus on fintechs, the proposed rule will likely apply broadly and create an increased burden on many IDIs, not just IDIs that partner with fintechs. According to FDIC Vice Chair Travis Hill, 600 to 1,100 banks could be subject to requirements imposed by the rule.

The FDIC is proposing new recordkeeping requirements for IDIs to “promote the FDIC’s ability to promptly make deposit insurance determination and, if necessary, pay deposit insurance claims ‘as soon as possible’ in the event of failure of an IDI” and to create “consumer protections benefits, such as promoting timely access by consumers to their funds, even in the absence of the failure of an IDI.” The FDIC is seemingly concerned that accounts opened through a bank-fintech partnership are not afforded the same protections as traditional bank accounts. In support of the proposed rule, Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra, also a member of the FDIC Board of Directors, stated that “Over the past decade, we have seen a significant incursion into consumer deposit taking and payments activities by companies that aren’t banks or credit unions. These firms want the public benefits of being a bank or credit union, without the public obligations.”

Synapse Bankruptcy

In the commentary to the proposed rule, the FDIC cites the bankruptcy of Synapse Financial Technologies, Inc., (Synapse) a middleware provider that bridged the technological gap between fintech companies and IDIs, as a significant prompt for the proposed rule. Synapse’s software allowed fintech companies to offer banking services through application programming interfaces (APIs) integrated with IDIs.

However, when Synapse filed for bankruptcy in April 2024, consumers who had deposited funds through these fintech companies suddenly found themselves unable to access their money, because, in many cases, the ledgers were maintained by the now-defunct entity.

The Synapse bankruptcy highlighted several key issues for the FDIC. First, it exposed IDIs’ challenges in obtaining accurate and reliable records from third parties. Second, the incident revealed gaps in recordkeeping practices and raised concerns about the integrity of custodial deposit account data.

The delays and complications experienced during the Synapse bankruptcy prompted the FDIC to propose this new rule aimed at strengthening recordkeeping for custodial deposit accounts. The proposed rule “is an important step to ensure that banks know the actual owner of deposits placed in a bank by a third party… and that the banks are able to provide the depositor their funds even if the third party fails,” said FDIC Chairman Martin J. Gruenberg.

FBOs

The proposed rule targets accounts known as “fbo” (for the benefit of) accounts in the bank-fintech partnership space. In the typical arrangement, fintech end-user funds are comingled into one or more accounts held at (and owned by) the partner bank. The funds are then tracked (or “sub-ledgered”) using data supplied to the bank by the fintech. Fintech end-users can “deposit” and “withdraw” from the fbo account by making ACH debit and credit entries via the fintech’s platform.

This configuration permits millions of dollars to transfer into and out of fbo accounts in a day, creating AML risk, terrorist financing risk, and (most commonly) ACH kiting risk for the bank partners. The Synapse bankruptcy exposed an additional risk: loss of information about who the “beneficiaries” are of funds held in the fbo accounts.

FDIC’s Proposed Rule

The proposed rule would apply to accounts identified as “custodial deposit accounts with transactional features.” These accounts are defined as accounts that (1) are established for the benefit of beneficial owners, (2) hold commingled deposits from multiple beneficial owners, and (3) allow beneficial owners to authorize or direct transfers through the account holder to third parties. A “beneficial owner” is the person or entity that owns the funds in a custodial deposit account, which would include fintech end-users. (Note: The proposed rule specifically exempts certain accounts that are customarily used in other business arrangements, including accounts “maintained by a mortgage servicer in a custodial or other fiduciary capacity” and accounts “only holding trust deposits,” largely because existing rules address the risks that the proposed rule is intended to mitigate.) Other banks, however, may find the new requirements unduly burdensome.

If enacted, the proposed rule would require IDIs with qualifying custodial deposit accounts to maintain records related to each account individually. These records must identify the beneficial owners, the balance attributable to each owner, and the ownership category in which the deposited funds are held. Additionally, the rule specifies that records must be maintained in a designated electronic file format, regardless of whether the IDI manages the records internally or through a third party. IDIs would also be required to maintain appropriate internal controls, including (1) maintaining accurate deposit account balances and associated beneficial ownership interests, and (2) conducting daily reconciliations against the beneficial ownership records. Importantly, the proposed rule does not supersede or alter any existing statutory or regulatory requirements.

A qualifying IDI would also be required to establish and maintain written policies and procedures to ensure compliance. Further, the chief executive officer, chief operating officer, or highest-ranking official of the IDI would be required to certify annually that the institution has implemented and tested its recordkeeping procedures within the preceding 12 months. In addition to the annual compliance certification, the IDI would be required to submit an annual report, which must include:

• A description of any material changes to the IDI’s information technology systems;
• A list of the account holders that maintain custodial deposit accounts with transactional features subject to the rule, the total balance of those accounts, and the total number of beneficial owners;
• Results from the IDI’s testing of its recordkeeping implementation; and
• Results of any independent validation of records maintained by third parties.

Final Takeaways

Most banks that deliver banking services by partnering with fintechs are likely going to take the proposed rulemaking in stride: 20-year-old third-party risk management guidance established the principle that the use of technology does “does not transfer the risks of the product, service, or activity from the bank to the outsource provider.” And updated guidance issued in June of 2023 highlighted the activities of bank-fintech partnerships, and reiterated the principle that “the use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner.”

Under the proposed rule, if a bank has one deposit account covered by the proposal, the bank will need to fully comply with all aspects of the rule. IDIs will have to revamp their policies and procedures to ensure their recordkeeping, internal compliance, and information technology processes can satisfy the requirements in the proposed rule.

The proposal estimates that between 600 and 1,100 banks could be affected, even though only a few dozen are heavily engaged in the type of activity targeted by the rule. As a result, FDIC Vice Chairman Hill encouraged stakeholders to provide comments as to whether the FDIC should impose certain thresholds for when the proposed rule would apply to a particular IDI. In that vein, IDIs, fintechs, and other impacted parties should be sure to review the proposed rule and consider how it might impact their business. The FDIC is accepting comments from stakeholders for 60 days following the September 17, 2024, publication date of the proposed rule.

Moving forward, we will likely see more proposed regulations in this space. Director Chopra insists that “this proposal must not be the end of [their] work on this issue.” He indicates that the FDIC’s focus will now turn to (1) disclosure requirements for pass-through deposit insurance, (2) enforcement actions against non-banks that make misrepresentations about deposit insurance or misuse the FDIC name or logo, and (3) requirements for non-banks like Venmo, PayPal, and Cash App, which offer deposit-style products directly, to promptly sweep people’s balances to their linked insured account.