On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) issued a notice of proposed rulemaking (NPRM), Recordkeeping for Custodial Accounts, that would establish new recordkeeping requirements for insured depository institutions (IDIs) about certain custodial accounts that are often used by financial technology companies and banking as a service (BaaS) providers to hold their customers’ deposits and facilitate transactions. The NPRM appears to be a direct response to the May 2024 collapse of Synapse Financial Technologies, a fintech provider that maintained custodial transaction accounts for end-users. Synapse, former FDIC Chair Jelena McWilliams as bankruptcy trustee for Synapse, and certain partner banks have been unable to reconcile the actual amount of funds in the custodial accounts with existing records related to those accounts, restricting end-users’ access to the funds.
The NPRM refers to the accounts it covers as “custodial deposit accounts with transactional features,” defined as “deposit account[s]: (1) [e]stablished for the benefit of beneficial owners; (2) [i]n which the deposits of multiple beneficial owners are commingled; and (3) [t]hrough which beneficial owner(s) may authorize or direct a transfer through the account holder from the custodial deposit account to a party other than the account holder or beneficial owner.”
Specifically, for each nonexempt covered account, the proposed rule would require IDIs to maintain records in a prescribed format of account ownership, beneficial ownership, ownership right and capacity (e.g., single account, trust account, business account), current balances, and accrued interest balances. Each IDI that holds nonexempt covered accounts would be required to implement internal controls appropriate to its size and the nature, scope, and risk of its activities related to those covered accounts, including by maintaining accurate balances at the beneficial ownership level and reconciling account balances at the close of each business day.
The NPRM would permit IDIs to contract with a third party (e.g., a fintech or BaaS provider that established the covered account) to “assist the [IDI] in meeting” the recordkeeping requirements of the proposed rule. The IDI must:
- Have direct, continuous, and unrestricted access to the records maintained by the third party, even in the event of the third party’s business interruption, insolvency, or bankruptcy.
- Have a continuity plan and technical capabilities to ensure compliance with the NPRM, including backup recordkeeping capabilities.
- Implement internal controls to accurately determine and daily reconcile the beneficial ownership of covered accounts.
- Have a contractual relationship with the third party that:
- Clearly defines roles and responsibilities for recordkeeping, including by assigning to the IDI the third party’s rights to access data held by other parties.
- Requires the third party to implement internal controls that would be required of the IDI if the IDI were performing the outsourced function.
- Requires a periodic, but not less than annual, validation by an independent third party to assess and verify that the third party is maintaining accurate and complete records consistent with the provisions of the proposed rule.
- Does not relieve the IDI of its responsibilities under the proposed rule.
The proposed rule would exempt certain covered accounts from its requirements, including: (1) accounts holding only trust deposits; (2) accounts established by a government depositor; (3) accounts established by or on behalf of one or more brokers, dealers, or investment advisers; (4) interest on lawyers trust accounts; (5) accounts held in connection with an employee benefit plan or retirement plan; (6) accounts maintained in connection with a real estate transaction; (7) accounts maintained by a mortgage servicer in a custodial or other fiduciary capacity; (8) accounts that are prohibited by federal or state law to disclose the identities of the beneficial owners of the deposits; (9) accounts maintained through deposit placement or reciprocal networks for purposes other than payment transactions; (10) accounts holding security deposits for homeownership associations governed by state law; and (11) accounts holding security deposits tied to residential or commercial leasehold interests.
IDIs holding nonexempt covered accounts would be required to establish and maintain written policies and procedures to achieve compliance with the proposed rule and annually certify compliance with the proposed rule to the IDI’s FDIC regional or area office and the appropriate federal banking agency. Further, these IDIs would be required to submit a report to the IDI’s FDIC regional or area office and the appropriate federal banking agency a description of any material changes to the IDI’s information technology systems; a list of account holders that maintain nonexempt covered accounts at the IDI, the total balance of these accounts, and total number of beneficial owners of these accounts; the results of the IDI’s periodic recordkeeping compliance testing; and the results of the independent validations of records maintained by third parties.
Violations of the proposed rule would be subject to enforcement actions under Section 8 of the Federal Deposit Insurance Act and potential termination of the offending IDI’s deposit insurance.
In an accompanying press release, FDIC Chair Martin Gruenberg stated that the proposed rule “is an important step to ensure that banks know the actual owner of deposits placed in a bank by a third party such as Synapse, whether the deposit has actually been placed in the banks, and that the banks are able to provide the depositor their funds even if the third party fails” that would “strengthen the FDIC’s ability to make deposit insurance determinations” and “strengthen compliance with anti-money laundering and countering the finance of terrorism law.”
While the NPRM, if finalized as proposed, would facilitate FDIC administration of pass-through deposit insurance claims by end-users whose funds are held in custodial accounts, the main, practical impact of the rule would likely be that fintech companies and BaaS providers will need to develop recordkeeping and reporting obligations that satisfy explicit FDIC requirements – all under the close scrutiny of their IDI partners. We anticipate that IDIs that hold custodial accounts subject to a final rule as well as their fintech company and BaaS provider partners will need to implement considerable updates to technology systems, internal control practices, and their contractual arrangements to comply with these requirements.
The FDIC’s proposal follows revised rules governing FDIC deposit insurance coverage advertising and misrepresentation, a recent proposed rulemaking and request for information relating to brokered deposits, a July joint statement and request for information relating to bank–fintech arrangements, general third-party risk management guidance that federal agencies updated in 2023, and a handbook the agencies released earlier this year to assist community banks in implementing the guidance.
The FDIC is seeking comment on the NPRM. Interested IDIs, fintech companies, and BaaS providers should review the NPRM and consider submitting comments. Comments on the NPRM are due 60 days after the proposed rule’s publication in the Federal Register.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.
If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.