WASHINGTON — The post-Synapse-bankruptcy rules holding banks accountable for the money fintechs place with them could keep consumers' funds safe, but might also lead to blinding headaches for banks, experts warned.
If banks are responsible for keeping track of the custodial deposit accounts they hold for fintech partners, they could avoid much of the customer heartache that accompanied last spring's bankruptcy of middleware provider Synapse — but the new Federal Deposit Insurance Corp. regulations could also make it difficult for banks and fintechs to work together, bank lawyers and trade groups said.
The recently unveiled
Regulators are increasingly concerned about bank-fintech partnerships, which often blur the line between traditional deposit-taking institutions and non-banks. In such arrangements fintechs often handle sensitive activities like payments, lending and deposit management on behalf of banks. In July, the three federal banking agencies
The proposed rule aims to take the next step, by compelling banks and their partners to step up recordkeeping and ensure traceability of funds.
In April, middleware provider
Synapse had partnered with several banks to offer banking products like accounts and cards, using these custodial accounts to manage funds. Synapse's banking partners, however, didn't verify that Synapse was keeping the necessary records. When the fintech filed for bankruptcy and shut down its systems, the banks were unable to access the information needed to determine how much was owed to each customer from the custodial accounts.
Why the rule could cause problems
While the FDIC's initiative is well-intentioned, the proposed rule on custodial accounts may be an overcorrection, said Ian P. Moloney, Senior Vice President and Head of Policy and Regulatory Affairs at the American Fintech Council.
"Rather than creating additional regulatory burdens to combat idiosyncratic issues identified by the agency, we need a fresh set of standards informed by interdisciplinary dialogue and the lessons we have learned from past successes and challenges," he said. "We are optimistic that existing industry-led approaches, in close collaboration with regulators, is the most effective way to restore confidence in these partnerships."
The solution could be better controls within banks, rather than more regulations.
One major issue with the Synapse collapse was that partner banks pushed full operation and management of a product or service over to Synapse, said Ryan Richardson, partner at Davis Wright Tremaine. When bank balances suddenly went unaccounted for, it underscored the risks of fintech-bank partnerships that allow fintechs to operate without full oversight, ultimately causing both the bank and the third party to face the consequences.
"Middleware firms like Synapse don't sell a bank partner's products directly to businesses or consumers that will use that bank partner's products; instead, they sell to other fintechs and merchants, who in turn sell the bank partner's products and services to their business or consumer customers," he said. "This daisy chain of relationships introduces considerable complexity and risk into the ecosystem, and banks that want to support these complex arrangements need controls in place that are commensurate with the complexity of the arrangements they support."
The rule enhances deposit account traceability while simultaneously imposing new hurdles for regulated entities, said Kelly A. Brown, chairman and CEO at deposit broker Ampersand.
"By requiring banks to identify and maintain detailed information on beneficial owners, it could reduce the risk of misallocated or uninsured deposits, particularly in complex third-party arrangements like those with fintechs or non-banks," she said. "However, the increased compliance burden might also cause operational challenges for banks, potentially discouraging fintech partnerships, and there is concern that the rapid implementation could lead to unintended consequences."
Certain parts of the rule, like data collection and daily reconciliation of customer balances, are designed to ensure accurate records, which is useful, said Grant Butler, partner at K&L Gates. However, he believes the proposal might be an overreaction to an isolated incident and isn't convinced that Synapse revealed a broader regulatory issue.
"The question is whether these requirements are appropriately calibrated to the risks," he said. "Custodial deposit arrangements have operated for decades without the types of issues discussed in the proposed rule, including the types of custodial accounts exempted from the proposed rule, without specifically-prescribed granular requirements."
Casey Jennings of Seward & Kissel argues that the proposal was rushed by regulators anxious to respond to the ongoing Synapse debacle. He acknowledged that the proposal is relatively narrow in scope, excluding partnerships like broker-dealer sweep deposits and deposits through bank networks, but believed it introduces unnecessary confusion.
New rule vs. old rules
Jennings pointed out that the proposal doesn't clarify how the new recordkeeping requirements interact with existing rules under Part 370 of FDIC regulations. That's the section that permits banks to rely on the custodian's recordkeeping, while the proposal puts the recordkeeping onus on banks.
"The proposal does not reconcile this philosophical difference, nor does it reconcile the practical overlap between the requirements," he said. ""It is [also] unclear under the proposal whether the beneficial owners now become 'customers' of the bank under the Bank Secrecy Act, which could have significant practical ramifications."
Part 370 applies to banks with large numbers of deposit accounts. As the FDIC noted in its proposal, many institutions that partner with fintechs fall below the threshold for compliance. Butler says he doubts the FDIC will substantially alter the existing Part 370 requirements aside from minor tweaks.
"For those institutions which would have to comply with each rule, the differences between the requirements of each rule would result in compliance and operational burdens," he said. "The FDIC anticipates and attempts to address these concerns by stating the view that the proposed rule complements the requirements of Part 370, and that it will consider whether amendments to Part 370 are warranted."
Although the two requirements wouldn't clash, Richardson said, the FDIC should focus on this overlap as it develops its final recordkeeping rule.
"I do agree that a final rule needs to more clearly address its intersection with Part 370, which governs account recordkeeping for deposit insurance purposes and has some cross-over to certain types of custodial accounts," he said. "I don't necessarily think the proposed rule and Part 370 sit in direct conflict, but the industry needs to understand how the FDIC expects banks to comply with both concurrently, where that may be required."
Too little, too late?
Recordkeeping measures may not be sufficient to prevent another middleware fiasco, said Dennis Merkley, a banking attorney at Howard & Howard He suggested that fintech recordkeeping issues may still be lurking, undetected, and could pose future risks.
"If there are other middleware firms with recordkeeping issues like Synapse, implementing the proposed rule will theoretically bring that to light, but it may be too late," he said. "If the records are not in place or cannot be identified through a forensic audit, then it is just a matter of time until that middleware firm also fails."
Others, like Richardson, argued that the financial industry uniformly agrees that much of the Synapse debacle was preventable, and the proposed rule, if made final, takes an important step toward preventing a repeat in the future.
"One thing it doesn't — and maybe can't — address is how banks should expect fintechs to make ledgers and reconciliation data available if the fintech flatly doesn't exist anymore, employees have packed up and gone home, and systems are shut down or are no longer being maintained," he noted. "This has been and continues to be a tricky part of business continuity planning for banks and their relationships with third parties – whether that's a fintech or a software or hardware provider or the truck service that moves cash around among traditional branches…fintechs are the latest foible in the saga, but the issue is the same."
Leel Sinai, of counsel in the Finance Practice Group at Hayne Boone, stressed that the ball on recordkeeping is now in the banks' court, since they can no longer outsource compliance to fintechs.
"The onus of compliance would be significantly higher for banks, and fintechs will need to be prepared to make concessions to banks so that FBO arrangements meet applicable regulatory requirements," he said. "The [role defining] contract would need to ensure third parties maintain accurate records, conduct daily reconciliations, and implement internal controls."
