FDIC’s Proposed Changes to Custodial Deposit Accounts: Practical Implications for Fintechs and Their Banks

The Federal Deposit Insurance Corporation (FDIC) issued a Notice of Proposed Rulemaking (the Proposal) on September 17, 2024, that seeks to strengthen recordkeeping for bank deposits held by nonbank companies on behalf of their customers in certain “custodial deposit accounts,” also known as “omnibus accounts” or “FBO accounts.” 

The FDIC’s Proposal is the latest action in the federal banking agencies’ ongoing regulatory push to tighten oversight of the relationships between banks and nonbanks.

Although the Proposal is targeted at FDIC-insured depository institutions (banks), its effects may be felt most acutely by nonbank companies that rely on custodial deposit accounts to offer innovative payments products, such as certain payment card accounts, digital wallets and mobile payments, and fiat currency on- and off-ramps for digital assets. The Proposal would require investment in new recordkeeping and reconciliation systems, enhancements to compliance and risk management programs, and (perhaps most significantly) consent to substantially increased oversight by their bank partners. 

This Update provides a breakdown of the Proposal and its practical implications for fintechs and their bank partners. 

The Big Picture: Increasing Regulatory Scrutiny of Bank-Nonbank Relationships

U.S. federal banking agencies have been significantly tightening their regulatory oversight of relationships between banks and nonbanks for deposit products and services. As recently explained in the federal banking agencies’ Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services, “the agencies have observed an evolution and expansion of [bank-third party arrangements] to include more complex arrangements that involve the reliance on third parties to deliver deposit products and services.”[1] 

The tightening of regulatory oversight stems from the agencies’ general concern over the growing involvement of fintechs and other nonbank financial institutions that are not subject to consolidated supervision by federal banking agencies in the provision of deposit-related services to end users (both consumers and businesses), sometimes through multiple layers of nonbank intermediaries. The changes have been made through many different regulatory tools, including new interagency third-party risk management guidance,[2] revisions to the FDIC’s rules regarding misrepresentation of deposit insurance coverage[3] and subsequent cease-and-desist orders to nonbanks allegedly violating these rules,[4] proposed revisions to the anti-money laundering (AML) program rules to require consideration of banks’ “intermediaries” and “distribution channels” in their risk assessments,[5] and over a dozen public enforcement actions by the agencies against banks partnering with nonbank fintechs.[6]

The Synapse Bankruptcy 

As is clear from the extended and thoughtful discussion it received in the Proposal, key points of which are reproduced below, the April 2024 bankruptcy of Synapse Financial Technologies, Inc. (Synapse) impressed upon the FDIC the need for the Proposal to address some of the issues with custodial deposit accounts that arose with Synapse. 

Synapse was a so-called “middleware provider” for numerous fintech companies, meaning that its software bridged the information technology systems of fintech companies and banks. More specifically, Synapse provided application programming interfaces (APIs) and technological infrastructure that allowed businesses to integrate banking services into their own applications. This also included opening and managing deposit accounts, issuing debit and credit cards, and facilitating payments for customers. 

Synapse enabled fintech companies to quickly develop products and services that used deposit accounts at banks to hold customers’ funds. In these arrangements, fintech companies developed user interfaces and application logic and, importantly, maintained the ledgers of their customers, including the deposit amounts attributed to each individual customer.

Synapse also developed a cash management program through its subsidiary, Synapse Brokerage LLC, a licensed broker-dealer, which opened cash management accounts on behalf of its fintech partners and their end users. Although at the time of Synapse’s bankruptcy, Synapse Brokerage LLC had not yet established the cash management accounts, it had deployed a sweep network to hold deposits and earn interest on the sweep network deposits.[7]

In early May 2024, shortly after Synapse filed for bankruptcy protection, one of the banks that partnered with Synapse froze deposits that had been placed at the bank through relationships with Synapse and the fintech companies that Synapse serviced. The bank stated at the time that it froze the accounts because Synapse denied the bank access to an essential system through which the bank accessed information on end users, deposits, and transactions. As a result, end users who had deposited funds through these fintech companies that partnered with Synapse were unable to access their funds held at the bank. 

In late May, the bankruptcy court appointed an independent bankruptcy trustee for Synapse, former FDIC Chairman Jelena McWilliams. The trustee sought to facilitate the release of the fintech customers’ funds held at the banks as quickly as possible but had difficulty obtaining access to Synapse’s data due in part to Synapse’s termination of its employees, including employees who held credentials necessary to access systems and databases where the relevant records were stored. The latest trustee report noted that “Synapse had a contractual obligation to maintain, and to provide to [the bank], a complete and accurate ledger. However, the [b]ank has identified significant irregularities in Synapse’s ledgers that indicate the account balances set forth therein are materially inaccurate and cannot be used as the basis for distributing funds to end users.”[8] Even after obtaining access to Synapse’s data, the trustee and banks experienced difficulties obtaining, reviewing, and reconciling the data against the banks’ data. In addition, the trustee indicated that the deposits at the banks appear to be insufficient to cover the amounts owed by the fintech companies to their customers to the tune of tens of millions of dollars. 

In the FDIC’s view, the events that occurred following Synapse’s bankruptcy demonstrate the importance of strong recordkeeping practices in certain custodial account relationships to protect consumers, banks, and the deposit insurance fund. The situation exposed potential risks for end users holding deposits through nonbank arrangements, even in the absence of the failure of the bank holding the funds.[9] In addition, the difficulties encountered by the trustee in obtaining, reviewing, and reconciling Synapse’s records against the banks’ records would likely also have hindered the FDIC’s ability to make a prompt and accurate deposit insurance determination in the event one of the banks had failed. 

The Proposal

The Proposal would require banks holding “custodial deposit accounts with transactional features” to comply with new recordkeeping and related obligations. Although the Proposal is addressed to banks, many of the requirements will indirectly impose new obligations on the fintechs and other nonbanks that use the bank’s “custodial deposit account” services to provide deposit-related products to end users. 

Below, we summarize the scope of the Proposal, the key requirements for banks that maintain account records themselves, and the additional requirements that apply if the bank engages a third party (e.g., a nonbank fintech who is the accountholder of the custodial deposit account) to maintain the records. We also provide our take on the Proposal, including our belief that stakeholders that take advantage of the opportunity to provide comment letters should consider providing input on whether the requirements are feasible and at what cost.

Scope of Proposal

The Proposal would establish new recordkeeping requirements for banks with “custodial deposit accounts with transactional features,” defined as a deposit account that meets three requirements: 

1. The account is established for the benefit of beneficial owner(s).[10]
2. The account holds commingled deposits of multiple beneficial owners.
3. A beneficial owner may authorize or direct a transfer through the account holder from the account to a party other than the account holder or beneficial owner; this prong is intended to limit the rule to custodial deposit accounts that are established and used in a manner that allows beneficial owners to direct a transfer of funds from the account to another party.

The Proposal’s scope is limited to custodial deposit accounts with transactional features that hold “deposits,” meaning that other types of custodial accounts, such as those holding non-deposit securities, would be excluded.[11]

The Proposal would also expressly exempt 10 types of custodial deposit accounts, such as accounts that hold only trust deposits, accounts established by broker-dealers and investment advisors,[12] and accounts maintained pursuant to deposit placement networks, from the requirements even if they have transaction features.

Compliance Obligations for Banks Holding Covered Accounts

The Proposal would impose several new compliance obligations on the banks that hold covered custodial deposit accounts, even if they maintain the deposit records themselves. 

The level of burden this would place on each bank would depend largely on how many covered accounts it has and the maturity of its compliance, risk management, and internal control frameworks. 

Recordkeeping Requirements

In general, the Proposal would require banks that hold any custodial deposit accounts with transactional features subject to the rule to maintain records establishing the beneficial owners of those deposit accounts.[13] These records would establish, for each custodial deposit account, the beneficial owners of the custodial deposit account, the balance attributable to each beneficial owner, and the ownership category in which the beneficial owner holds the deposited funds. This requirement effectively means that banks will be required to assume the responsibilities for recordkeeping that are performed by third parties, rather than the bank, under the current regime. 

Data Formatting

The Proposal provides a specific electronic file format for maintenance of records on beneficial owners and their interests in the deposited funds. The specified data file format would be required regardless of whether the bank maintains the necessary records itself or maintains those records through an arrangement with a third party. This effectively means that a third party maintaining records must build out a recordkeeping and reconciliation system that meets the standard to which banks are held. 

Daily Reconciliation

Banks would be required to conduct reconciliations against the beneficial ownership records no less frequently than at the close of business daily. This and related internal control requirements are intended to enable the FDIC to make a prompt deposit insurance determination in the event of the bank’s failure. 

Written Policies and Procedures

Banks that hold custodial deposit accounts with transactional features would be required to establish and maintain written policies and procedures to achieve compliance with the rule’s requirements. Because the Proposal touches on matters as varied as customer account recordkeeping, third-party risk management, contingency planning, and recovery and resolution planning, this is likely to require updates to a wide range of policies and procedures and the creation of several new processes. 

Annual Certification of Compliance

Banks would be required to complete an annual certification of compliance, signed by the chief executive officer, chief operating officer, or the highest-ranking official of the institution, stating that the bank has implemented and tested the recordkeeping requirements. The compliance certification would be submitted to the FDIC and the bank’s primary federal regulator.

Annual Report

Banks would further be required to complete a report annually for submission to the FDIC and the bank’s primary federal regulator that (1) describes any material changes to their information technology systems relevant to compliance with the rule; (2) lists the account holders that maintain custodial deposit accounts with transactional features, the total balance of those custodial deposit accounts, and the total number of beneficial owners; (3) sets forth the results of the institution’s testing of its recordkeeping requirements; and (4) provides the results of the required independent validation of any records maintained by third parties. 

Additional Compliance Obligations if Third Parties Maintain Records

While the Proposal generally would require that banks maintain records of beneficial ownership for custodial deposit accounts, it would permit those records to be maintained by the bank through a third party (e.g., accountholders, vendors, software providers, or service providers) if certain requirements are satisfied. However, the Proposal makes clear that this option would not allow a bank to shift its responsibility for ensuring that the requirements of the rule are satisfied to the third party. 

Even though the third party would be the one maintaining the records in this scenario, the bank would still have significant responsibilities relating to oversight of the third party and would still be required to conduct daily reconciliations. As a practical matter, this means that the bank would likely still need to implement many of the policies, procedures, and controls that it would need if it were maintaining the records itself, plus additional ones to ensure it complies with its oversight responsibilities. 

In addition, because the third party would be taking on responsibility for maintaining the records, this scenario would also require the third party to implement new policies, procedures, and controls to ensure the records are accurate and reconciled with the bank at least daily. The third party would also have to provide their bank partners with substantially more access to, and oversight of, their business operations than they have under the current regulatory regime. Nonbanks that are unable or unwilling to comply with these requirements may face significant challenges, if not outright prohibitions, on the provision of deposit-related products and services to their end user customers. 

Direct, Continuous, and Unrestricted Access to Records

The bank would be required to have direct, continuous, and unrestricted access to records maintained by the third party in the standardized file format, including access in the event of a business interruption, insolvency, or bankruptcy of the third party. 

This could be accomplished, for example, by the bank and the third-party implementing capabilities to enable secure real-time exchange of data, where authorized bank personnel can access the records at any time. Although there will be a significant technology build-out required for many institutions and nonbank third parties, the requirement for access in the event of interruptions, insolvencies, or bankruptcies adds legal and operational hurdles. 

This requirement can be viewed as a direct reaction to the difficulties that banks holding funds of Synapse Financial Technology faced during its bankruptcy process. 

Continuity Plans

The bank also would be required to have continuity plans in place, including backup recordkeeping for the required beneficial ownership records and technical capabilities to ensure compliance with the Proposal’s requirements. The Proposal suggests the following elements be considered: 

• Storing copies of prior daily or weekly account balances and beneficial ownership balances internally at the bank or at another location independent of the third party. 
• Establishing legal authority and technological capability for the bank to access daily transaction records associated with the custodial deposit account directly from payment networks, processors, or service providers used by the third party. 
• Maintaining at the bank sufficient trained staff, technical systems, and other resources to process transaction records necessary for the bank to reconcile and establish accurate records for ownership interests in the custodial deposit account in the event the third party is disrupted.

Although these concepts will likely be familiar to banks from existing third-party risk management expectations, their application to a third party who may also be an accountholder and customer of the bank may introduce new dynamics.

Internal Controls for Daily Reconciliation Against Third-Party Records

Records of beneficial ownership maintained by a third party could only be used to satisfy the Proposal’s requirements if the bank implements appropriate internal controls to accurately determine the respective beneficial ownership interests associated with the custodial deposit account with transactional features and conduct reconciliations against the beneficial ownership records no less frequently than as of the close of business daily.

Contractual Requirements

Where records are maintained by a third party, the bank would be required to have a direct contractual relationship with the third party that includes certain risk mitigation measures, including contractual agreement to several of the provisions listed above: 

• Roles and responsibilities. The contract would need to clearly define roles and responsibilities for recordkeeping, including assigning to the bank rights of the third party that are necessary to access data held by other parties. 
• Express provision requiring internal controls and daily reconciliation. The contract would need to include an express provision requiring the third party to implement appropriate internal controls to be able to accurately determine the beneficial ownership interests represented in the custodial deposit account. The contract must also require the third party to conduct reconciliations against the beneficial ownership records no less frequently than as of the close of business daily.
• Periodic, independent validations of records and recordkeeping. The contract would need to provide for periodic validations by a person independent of the third party to verify that the third party is maintaining accurate and complete records and that reconciliations are being performed consistently with the recordkeeping requirement for beneficial ownership interests. If the validation is performed by a party other than the bank, the results must be provided to the bank.

Our Take

A majority of the FDIC’s commissioners, including commissioners from both parties, have already declared that they intend to support the Proposal when it is ready for finalization. In other words, it is not a question of whether the Proposal will be finalized, but what requirements will be included in the final version.[14] Given the bipartisan support and taking into consideration both the timing of the Proposal vis-à-vis the general election cycle and the momentum the agencies have built up in their push to reshape the regulatory environment for bank-nonbank relationships, we believe that the period from the end of the comment period to the vote on a final rule could be relatively short. 

In addition to registering their views on whether they do or do not support the Proposal as a whole, we believe that stakeholders that take advantage of the opportunity to provide comment letters should consider providing input on whether the requirements are feasible and at what cost. From our preliminary conversations with stakeholders, we understand that there could be sizable implementation costs incurred by banks and nonbanks alike due to the need for investments in new recordkeeping and reconciliation technology and increased compliance spend. In addition to providing input on these direct costs, we believe it is equally worthwhile for stakeholders to provide input on any indirect costs or tradeoffs, such as whether the Proposal would inadvertently reshape nonbanks’ products and services in a way that is detrimental to end users, undermine their efforts to promote financial inclusion, or introduce new risks. 

The comment period for the Proposal ends 60 days after its publication in the Federal Register, which we anticipate will occur in the coming days, placing the deadline on or shortly after November 18, 2024. In addition to being able to provide comments on the Proposal itself, interested parties may also consider providing comments on the agencies’ closely related request for information on bank-fintech arrangements and associated risk management practices and implications.[15]

If you have any questions or would like to comment on the Proposal, please reach out to the authors of this Update. 

Endnotes:

[1] See FDIC FIL-45-2024 (July 25, 2024).

[2] See Interagency Guidance on Third-Party Relationships: Risk Management, 88 Fed. Reg. 37920 (June 9, 2023). Although this refers to “third-party relationships,” it also applies to parties in multilayer relationships without a direct relationship to the bank. These indirect sources of risk are sometimes referred to as “nth party risk.”

[3] See FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo 89 Fed. Reg. 3504, (Jan. 18, 2024).

[4] See, e.g., FDIC Press Release, ”FDIC Demands Five Entities Cease Making False or Misleading Representations About Deposit Insurance” (Jan. 19, 2024). 

[5] See OCC, Federal Reserve, FDIC, and NCUA, Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements (Proposed Rule), 89 Fed. Reg. 65242 (August 9, 2024); FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs (Proposed Rule), 89 Fed. Reg. 55428 (July 3, 2024). 

[6] As just one example of a recent enforcement action, on June 14, 2024, the Federal Reserve Board issued an enforcement action against Evolve Bancorp, Inc. and Evolve Bank & Trust. Examinations conducted in 2023 found that Evolve “engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework” for its partnerships with various financial technology companies that, in turn, provide access to banking products and services to their end customers. See Federal Reserve Press Release, “Federal Reserve Board issues an enforcement action against Evolve Bancorp, Inc. and Evolve Bank & Trust for deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs” (June 14, 2024). 

[7] See In re Synapse Financial Technologies Inc., Debtor, U.S. Bankruptcy Court (C.D. Cal.), Trustee’s Third Status Report (June 21, 2024), p.3.

[8] In re Synapse Financial Technologies Inc., Debtor, U.S. Bankruptcy Court (C.D. Cal.), Trustee’s Ninth Status Report (Sept. 13, 2024), Exhibit A, p.1. 

[9] In addition to Synapse, the preamble to the Proposal highlighted the events that followed the failure of Voyager Digital (Voyager) in July 2022 as an illustrative example of a situation where end users were unable to access funds in custodial deposit accounts at banks. Voyager claimed to hold customers’ U.S. dollar funds at an insured bank and falsely represented that customer funds held with Voyager were insured with the FDIC up to $250,000 in the event of Voyager’s failure, not just the failure of the bank where Voyager deposited customer funds. See FDIC and Federal Reserve Joint Letter to Voyager Digital Regarding Potential Violations of Section 18(a)(4) of the Federal Deposit Insurance Act (July 28, 2022). After Voyager declared bankruptcy, many customers were unable to access the funds in their accounts for a period of time. The Voyager situation, and several others like it, were key events that led the FDIC to revise its rules for deposit insurance misrepresentation in December 2023. See FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo, 89 Fed. Reg. 3504 (Jan. 18, 2024). 

[10] The Proposal defines “beneficial owner” as “a person or entity that owns, under applicable law, the funds in a custodial deposit account.” The Proposal’s definition of “beneficial owner” is not intended to incorporate the meaning of “beneficial owner” as that term may be used for purposes of other laws, such as the Bank Secrecy Act. The Proposal’s definition of “beneficial owner” should not be confused with other definitions of the same term, including those associated with rules implemented by the Financial Crimes Enforcement Network, such as the Corporate Transparency Act or the Customer Due Diligence rule, which relate to beneficial owners of legal entities rather than accounts.

[11] See 12 U.S.C. § 1813(l) (defining “deposit”).

[12] This proposed exemption could leave unaddressed challenges for end users posed by the Synapse bankruptcy. As previously noted, Synapse developed a cash management program through its subsidiary, Synapse Brokerage LLC, a licensed broker-dealer, which opened cash management accounts on behalf of its fintech partners and their end users. Although at the time of Synapse’s bankruptcy, Synapse Brokerage LLC had not yet established the cash management accounts, it had deployed a sweep network to hold deposits and earn interest on the sweep network deposits. Without detail in the Proposal, it is yet unclear whether and to what extent funds held in cash management accounts would be considered held in covered custodial deposit accounts such that they would be subject to the Proposal, or if the cash management accounts would be exempt under the Proposal’s exemption for broker-dealers.

[13] The Proposal contains no minimum threshold for numbers or volume of custodial deposit accounts with transactional features or the asset size of the banks, thereby applying to any and all banks holding such accounts.

[14] See Statements of Chairman Martin Gruenberg, Vice Chairman Travis Hill, Jonathan McKernan, Rohit Chopra, and Michael J. Hsu dated September 17, 2024.

[15] In connection with the Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services in July, the agencies also published a request for information seeking comment on bank-fintech arrangements, including associated risk management practices and implications. See Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses, 89 Fed. Reg. 61577 (July 31, 2024). The comment period for the request for information ends October 30, 2024.