Burdensome Proposed FDIC FBO Account Rules Loom Large for Banks and FinTechs

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) published a notice of proposed rulemaking (the Proposed Rule) that would heighten record-keeping requirements on FDIC-insured depository institutions (banks) that maintain transactional deposit accounts for financial technology (FinTech) firms and other third parties that act as agents on behalf of an end customer—e.g., a digital-wallet customer, a buyer of a prepaid access card, and the like. If the FDIC finalizes the Proposed Rule, banks that maintain so-called FBO or for-the-benefit-of accounts (also referred to as custodial accounts) with their FinTech partners will need to update their program agreements and data-keeping practices, reconcile customer account balances on a daily basis, and make annual filings with the FDIC.

Under current FDIC rules, “pass-through” deposit insurance is a method of insuring depositors whose funds are placed and held at an FDIC-insured bank through a third party. “Pass-through” refers to arrangements through which FBO deposit accounts are established by a third party for the benefit of one or more other parties, also known as principals. The deposit account can be established for the benefit of a single owner, or it can be a commingled account where deposits from multiple principals are deposited in the same account.

The Proposed Rule is a response to FDIC concerns that under current FDIC record-keeping requirements (found at 12 C.F.R. part 330), banks may have difficulty determining who are the beneficial owners of FBO accounts, possibly resulting in these owners’ not being able to access their FDIC-insured funds promptly in the event of (i) a failure of the bank or (ii) an insolvency of the FinTech.

The FDIC points to the aftermath of Synapse Financial Technologies, Inc.’s (Synapse) bankruptcy to illustrate the need for heightened record-keeping requirements. Synapse—a “middleware” company—provided the technology for third parties to use banks’ FBO or custodial deposit accounts to hold funds. After Synapse went bankrupt, a bank claimed that the bankrupt Synapse denied it sufficient access to consumer deposit information, causing the bank to freeze the funds in FBO deposit accounts. This account freeze meant that end consumers could not access their digital-wallet funds because Synapse’s record keeping made it difficult for the bank to determine the owners of the funds that Synapse deposited at the bank. The FDIC states that if the proposed record-keeping requirements of the Proposed Rule are adopted, the risk of similar issues in the future will be mitigated, permitting a solvent bank to provide a beneficial owner with more immediate access to their funds or, in the case of a failed bank, permitting the FDIC to promptly determine deposit insurance coverage and return up to the applicable deposit insurance limit to a beneficial owner. 

TO WHOM DOES THE PROPOSED RULE APPLY?

The new requirements in the Proposed Rule apply to banks that offer and maintain “custodial deposit accounts with transactional features,” which is defined as a deposit account:

(1) that is established for the benefit of beneficial owners;

(2) in which the deposits of multiple beneficial owners are commingled; and

(3) through which beneficial owners may authorize or direct a transfer through the FinTech or similar account holder from the FBO account to a party other than the account holder or beneficial owner.

The Proposed Rule exempts 10 specific types of custodial deposit accounts that otherwise meet the definition above, which are custodial deposit accounts that:

1. hold only trust deposits;
2. are established at the bank by government depositors;
3. are established by brokers or dealers under the Securities Exchange Act of 1934 and investment advisers under the Investment Advisers Act of 1940;
4. are established by attorneys or law firms on behalf of clients;
5. are maintained in connection with employee benefit plans and retirement plans;
6. are maintained by real estate brokers, real estate agents, title companies, and qualified intermediaries under the Internal Revenue Code;
7. are maintained by a mortgage servicer in a custodial or other fiduciary capacity;
8. are subject to a federal or state law prohibiting the disclosure of the identities of the beneficial owners of the deposits;
9. are maintained under an agreement to allocate or distribute deposits among participating banks in a network for purposes other than payment transactions of customers of the bank or participating banks; and
10. hold security deposits tied to (i) property owners for a homeownership, condominium, or other similar housing association governed by state law and (ii) residential or commercial leasehold interests.

WHAT ARE THE PROPOSED RECORD-KEEPING REQUIREMENTS?

Either the bank or a third party may conduct the proper record keeping under the Proposed Rule. However, if record keeping is done through a third party, the bank is not relieved from, and may not contract out of, its responsibility to ensure all requirements are satisfied.

A bank that maintains records must ensure the following criteria are met, regardless of who is conducting the record keeping:

1. Records contain required content. For each custodial deposit account, the required records must identify (a) the beneficial owners of the account, (b) the balance attributable to each beneficial owner, and (c) the ownership category in which the funds are held.
2. Records are properly formatted. The Proposed Rule provides a standard electronic-data format to which banks and third parties must adhere.
3. Internal controls. The Proposed Rule requires banks to maintain appropriate internal controls that include (i) maintaining accurate deposit account balances, including the respective individual beneficial-ownership interests associated with the custodial deposit account; and (ii) conducting reconciliations against the beneficial-ownership records no less frequently than at the close of business daily, with the understanding that reconciling variances due to unposted transactions and timing of transactions occurs and should be addressed according to standard banking practices that are sufficient to manage and resolve such variances.

If records are maintained through a third party, the Proposed Rule places the following additional obligations on banks:

1. Maintain direct, continuous, and unrestricted access to the records. This means that both banks and third parties must ensure the bank will be able to access records, even if the bank or third party fails.
2. Establish internal controls, continuity plans, and technical capabilities to ensure compliance. Banks and third parties may need to establish new technology and create backup record keeping to comply with the new requirements. The appropriate internal controls may depend on the bank’s nature, scope, and business activity risks. In developing a continuity plan, banks may consider storing copies of account balances outside the third party, ensuring access to daily transaction records, and employing sufficient resources to deal with a third-party disruption.
3. Conduct daily reconciliation. Banks must reconcile their account balance records against the beneficial-ownership records “no less frequently than at the close of business daily.”
4. Be in a direct contractual relationship with the third party. Importantly, the contract must (a) clearly define roles and responsibility for record keeping; (b) expressly require the third party to establish the internal controls needed to accurately determine ownership interests and conduct daily reconciliations; and (c) require a periodic validation by an independent party to verify the third party is providing accurate and complete records.

WHAT ARE THE PROPOSED RULE’S COMPLIANCE REQUIREMENTS?

To comply with the Proposed Rule, banks must:

1. Create and maintain written policies and procedures to achieve compliance. Banks must create or update their existing written policies to comply with all elements of the new requirements listed above.
2. File an annual certification. The bank’s certification must confirm it complied with the record-keeping requirements by implementing and testing them. It must be signed by the bank’s highest-ranking official and filed with the FDIC and its primary federal regulator.
3. File an annual report. Banks must also file an annual report with the FDIC and primary federal regulator. This report must (i) describe material changes to the bank’s information technology systems; (ii) list the account holders, total account balances, and total number of beneficial owners; and (iii) state results of compliance testing and independent validation of records maintained by third parties.

WHEN ARE COMMENTS DUE?

The Proposed Rule was published in the Federal Register on October 2, 2024. Interested parties have until December 2, 2024, to submit written comments. The full Proposed Rule and directions for submitting comments can be found here. Among other requests, the FDIC has requested comments on the technological and operational burdens of complying with the heightened requirements. Additionally, interested parties should consider commenting on the appropriate scope of the Proposed Rule and providing suggestions on ways to minimize the burden of information collection.

Julia Lagnese, Associate, co-authored this alert.