Guest Contributors: Jonah Crane and Adam Shapiro of Klaros Group
This is the second of three articles focused on a key question: as bank-fintech partnerships continue to play a vital role in driving financial services, how does the industry make this system safer and better?
In this second article,[i] we focus on encouraging the industry and regulators to adopt the right lessons from Synapse Financial Technologies’ (Synapse) bankruptcy by drawing from the root causes of its failure. We offer some best practices and discuss the potential role of the Federal Deposit Insurance Corporation’s (FDIC) recently proposed recordkeeping rule (Records NPR) — including areas of potential improvement — and conclude by noting how enhanced account ledgering by banks helps address one root cause of the Synapse failure: faulty account ledgering performed only by a third party.
This sets the stage for our final article of this series, which argues that the requirements of a final FDIC recordkeeping rule for custody accounts consistent with the core purpose of the proposed rule — i.e., requiring reconciliation of accounts at least daily by the bank at the close of business — is adequate but not ideal. Such a rule would help restore access to funds in any future fintech failure, and, in the event a bank fails, ensure the prompt and accurate payment of deposit insurance to depositors.
But there is an even better way: banks’ adoption of distributed ledger technology (DLT), which in hindsight would have likely eliminated: (i) consumer harm post-Synapse failure;
(ii) the need for Synapse partner banks to incur significant time and expense untangling terabytes of data; (iii) the need to appoint a Chapter 11 trustee (Trustee); and (iv) as our guest contributors at Klaros note, significant delays, post-Silicon Valley Bank (SVB) failure, associated with payroll services, bill payment services, and other entities’ inability to promptly restore access to their respective third-party ledger accounts (TPLA)[ii] accounts. These delays occurred given the lack of a clear, efficient process for confirming pass-through deposit insurance treatment by the FDIC. “If your bank fails, the [TPLAs] upon which your business depends can be frozen for an indeterminate amount of time. At that moment, the fact that your customers enjoy pass-through deposit insurance doesn’t help much.”[iii]
- Synapse’s Failure: Five Root Causes
As we briefly described in Part 1 of this series, Synapse functioned as a middleware provider between banks and fintechs. Synapse was a pioneer in what came to be known as “banking-as-a-service” (BaaS). In this role, Synapse opened accounts on behalf of approximately 100 fintech companies (and millions of end users) at four different partner banks, whose primary federal regulator was either the Federal Reserve, FDIC, or Office of the Comptroller of the Currency (OCC), and whose state regulators included Arkansas, Tennessee, Nebraska, and Colorado. Synapse managed ledgering for these accounts, tracking all transaction activity and account balances. It is our understanding that the partner banks could access a portal that provided snapshots of how much each end user was owed, but not which partner bank held those funds. None of the partner banks maintained a copy of Synapse’s account ledger. As a result, the partner banks and fintechs were all reliant on Synapse to determine how much each customer was owed at all times.
On April 22, 2024, Synapse filed for Chapter 11 bankruptcy. On May 11, the partner banks lost access to the records maintained by Synapse and were unable to determine which end-users rightfully should be able to withdraw their funds. As a result, they froze access to a portion of the funds for an extended period while they attempted to determine ownership. According to the Trustee’s ninth status report as of September 13, 2024, of the approximate $219 million aggregate funds held by Synapse’s partner banks in custodial “FBO” accounts, approximately $165 million (or roughly 75%) had been distributed to end users, with $54 million, or approximately 25%, remaining to be distributed.
In addition, there remains an estimated $65 – $95 million shortfall between the money held by Synapse’s partner banks and the amount owed to fintech end-users, with no clear indication of which parties will be required to make up the difference.[iv]
a. Root Cause #1: Multiple Synapse Entities, Multiple Partner Banks and Fintechs, and Multiple Account Types
Account irregularities were exacerbated by, and may in part have resulted from, Synapse’s numerous and complex relationships with fintechs and partner banks. Early in its operations, Synapse opened accounts for approximately 100 fintech partners at four partner banks.[v] Synapse fully intermediated the relationship between the fintech and the bank. In 2020, in an apparent effort to maintain even more control over the funds flow, Synapse developed a cash brokerage program following its acquisition of a small broker-dealer, which became Synapse Brokerage LLC (Brokerage). This program began opening cash brokerage accounts on behalf of its fintech partners at these four banks.[vi]
Synapse called its new product “Modular Banking,” and it encouraged fintechs to use Brokerage because funds could be moved freely between different banks. Its website said:
Synapse Brokerage LLC is a registered broker-dealer and member of FINRA and SIPC. As a result, Synapse can participate directly in the flow-of-funds and thereby, segment and distribute core services across multiple sponsor banks, yet deliver these services as unified solutions to its customer fintechs and their end-users.[vii]
Synapse essentially told the world that only it would know where the money is. This ability to segment and distribute services across multiple banks meant that keeping each partner bank in the dark about what fraction of the whole deposit base the bank held was not an accident — it was part of the strategy. Synapse aggressively marketed modular banking, even to existing fintechs that signed up for the direct account model. There are even reports that Synapse moved some fintechs’ end-users’ funds into Brokerage without authorization.
Only Synapse knew which fintechs had agreed to use both the deposit account and brokerage account programs for its end-users, and only Synapse knew through which partner bank to route the transactions. As the Trustee noted, in some cases, end user deposits were made to one account of a particular fintech partner, while withdrawals for that same account were made from a different account at a different partner bank.[viii]
The complexity associated with Synapse’s business model not only increased the risk of a wholesale failure — it made it exceedingly “difficult,” in the Trustee’s words, “to reconcile transactions and ensure end users receive access to the correct amount of funds due to each end user.”[ix] Taken together, complexity combined with insufficient systems, Synapse looks to have been poised for disaster.
b. Root Cause #2: Account Ledgering Irregularities
Synapse was obligated by its contracts with partner banks to maintain and provide complete and accurate account ledgering. However, significant ledger irregularities were alleged by several partner banks indicating the account balances set forth in Synapse’s ledger were “materially inaccurate” and, therefore, could not be used as the basis for distributing funds to end users.[x] Following the bankruptcy, one partner bank determined it needed a third party to conduct a reconciliation to understand which Brokerage end users even had funds at the bank and how much was owed to each one. According to reports, this post-bankruptcy reconciliation to calculate end-users’ actual balances involved collecting and analyzing Synapse’s account and transaction data and comparing it to the bank’s own data, to track the flow of funds into and out of Brokerage end users’ accounts.
Without an accurate ledger, this partner bank noted it did not have “the two essential pieces of information it needs to distribute end user funds in its possession: (i) [w]hich [] Brokerage end users have funds at [the partner bank]? and (ii) [f]or those [] Brokerage end users with funds at [partner bank], how much does the [partner bank] owe to each end user?[xi]
This third party’s work necessitated the transfer, restoration, and validation of the databases necessary to perform the reconciliation. Doing this work after-the-fact was an enormous effort, and it shows that account irregularities compound over time. The third party had to extract, copy, transfer, and restore more than 100 databases maintained by Synapse, comprising nearly 10 terabytes of data.[xii]
As of September 13, 2024, a third party retained by this partner bank had separately obtained access to millions of the partner bank’s transactional records and was in the process of analyzing Synapse’s databases and the partner bank’s records — which did not match — to reconcile account-by-account, transaction-by-transaction activity with reported account balances over time.[xiii] The anticipated timeline for completing this reconciliation was approximately eight weeks “subject to possible contingencies.”[xiv]
Another partner bank that was involved in originating ACH entries and initiating wire transfers from Synapse has alleged significant “deficiencies and contradictions.”[xv] The final trial balance payment settlement account that Synapse generated in the hours prior to its bankruptcy filing was materially different than the actual cash balance that the partner bank verified against the Federal Reserve’s records. This partner bank was “forced to undertake to reconcile end user accounts and calculate end user balances based on the information that [was] made available to it by the Trustee through the bankruptcy process.”[xvi] It ultimately had to engage a former Synapse engineer to assist with recovering, preserving, and analyzing the Synapse data, a “process [that] has been complicated and time-consuming.”[xvii]
The extent and difficulty of these efforts post-bankruptcy tells us that Synapse was unable to maintain accurate ledgers. The volume, speed, and complexity of the transactions overwhelmed its systems — systems that have been shown to be inadequately developed and maintained. Meanwhile, Synapse’s partner banks, which reportedly knew about Synapse’s ledgering irregularities for up to two years prior to the bankruptcy, either failed to reconcile their own accounts to Synapse’s records, or allowed the irregularities to compound for months, if not years.[xviii]
c. Root Cause #3: Partner Bank Lapses
Today, two of Synapse’s partner banks are under regulatory consent orders. While Synapse was not specifically named in these orders, the issues involved (e.g., board governance and BSA/AML concerns) relate to bank-fintech partnership “risk management” failures.[xix]
One partner bank’s cease and desist order (by the Federal Reserve and the Arkansas State Banking Department) was issued on June 14, 2024, two months after the Synapse bankruptcy filing.[xx] As noted below, this consent order stemmed from an examination of the partner bank conducted in early 2023. Therefore, this partner bank must have been aware of significant operational and compliance issues for at least one year preceding Synapse’s bankruptcy filing. Another partner bank consent order (by the FDIC) was issued on January 30, 2024, four months before the Synapse bankruptcy filing. Although this consent order did not specify the timing of an earlier exam, the level of detail and breadth of issues contained in the consent order also suggest that significant compliance issues must have been known by the partner bank well before Synapse’s bankruptcy filing. In the case of both banks, it appears these issues were left unaddressed.
Banks are expected to maintain contingency and business continuity plans that address the potential failure of critical third parties. Synapse was clearly such a critical third party, and yet none of the partner banks appears to have had a plan in place for what to do in the event of operational issues at Synapse — let alone failure.
The partner banks’ lack of direct bank access to Synapse’s ledger, lack of contingency planning, and failure to maintain their own copy of the ledger all contributed to their respective failures to fulfill the most fundamental responsibility in banking: To keep track of the money.
Res ipsa loquitur — “the thing speaks for itself.” The fact that the failure of a startup technology provider left several banks unable to process accounts worth over $250 million, and that tens of millions of dollars remain frozen over four months later — with many millions apparently unaccounted for — means that those banks clearly had major lapses in their risk management and third-party oversight. Had the banks pushed sooner or more forcibly for detailed reconciliations or greater access to Synapse’s systems, it is difficult to imagine that they would not have recognized the scope of the problem. In hindsight, it appears the banks may not have fully understood the way money moved across Synapse partner banks.
d. Root Cause #4: Regulatory Lapses
Could banking regulators have acted sooner to prevent Synapse’s failure? This question was, in part, the subject of a hearing before the U.S. Senate Banking Committee on July 9, 2024, when Federal Reserve Chairman Jerome Powell answered a question by Ranking Member Senator Brown about the Synapse bankruptcy. Below is an excerpt from their colloquy:[xxi]
Senator Brown: Since mid-May, tens of thousands of people [ . . . ] have lost access to their money due to the bankruptcy of this fintech middleman. Reports indicate that as much as $95 million may have gone missing. The Fed oversees one of Synapse’s partner banks . . . As a regulator it’s your job to make sure that banks protect the people whom they serve. What’s the Fed doing to help customers who felt the impact by the Synapse collapse? What are you doing to regain access to their money?
Chairman Powell: So we do supervise the bank, we don’t supervise Synapse or let alone the fintechs that feed into Synapse, and we’re strongly encouraging [one partner bank] to make money available to those depositors. We also as you may know [. . . ] did an enforcement action [ . . . ] and we hit them with an enforcement action around these very risk management issues — again before the [ . . . ] current situation developed.
Senator Brown: [ . . .] It’s critical that consumers are made whole as soon as possible. We will continue to talk to you about that. We will watch, we will let you know we’re watching. The Fed needs to use its supervisory authority to ensure that [partner bank] is committing the resources necessary to return those funds to the account holders.”
The consent order under discussion was issued on June 14, 2024,[xxii] but, as noted above, it stemmed from an examination of the partner bank that was conducted in early 2023. It is clear that both partner banks and the regulators must have known there were significant compliance and operational failures at the banks with regard to Synapse accounts well before Synapse’s bankruptcy filing.
Why did it take so long for regulators to act? Why did (in one case) more than 300 days pass between issuance of the report of examination and the consent order? We know federal regulators were stretched thin by bank failures in 2023, and it is unlikely they could have anticipated Synapse’s complete implosion. But those reasonable explanations do not change the fact that only the regulators (not the individual banks) would have been able to identify common issues across all Synapse related accounts.
Could market regulators have acted sooner to prevent Synapse’s failure? In addition to the role of the banking regulators, the role of Brokerage raises questions about the effectiveness of FINRA oversight of broker-dealer sweep programs, as well as whether the combined SIPC and FDIC regimes appropriately protect users of such programs. Both traditional and fintech broker-dealers make extensive use of such programs, generally with sound ledgering and reconciliation control frameworks. Regulators therefore should assess whether they can take steps to maintain customer confidence in the sector.
e. Root Cause #5: Gross Mismanagement
Within the first month in the bankruptcy case, the U.S. Trustee — not to be confused with the later appointed Chapter 11 trustee,[xxiii] former FDIC Chairman Jelena McWilliams — filed an emergency motion to convert the case to Chapter 7. The U.S. Trustee argued, among other things, that Synapse “has grossly mismanaged the estate and there is substantial and continuing loss to or diminution of the estate and an absence of a reasonable likelihood of reorganization.”[xxiv] The supporting declaration notes that “[Synapse] inexplicably cut off access to its computer systems on a weekend,” and that there appeared to be no “reasonable explanation for [Synapse] cutting off access to its computer systems.”[xxv] This declaration also stated that “there appears to be no dispute that these actions have played a material role in end users losing access to their funds” and that “at a minimum, an independent fiduciary is needed to see if a resolution can be reached that minimizes further harm to depositors.”[xxvi]
One of the largest impacted fintech programs has alleged that the shortfalls may not be due simply to poor record-keeping, but rather improper use of customer funds to pay fees owed to the bank and a botched migration of a fintech account that (allegedly) transferred funds belonging to customers of other fintechs out of a Synapse FBO account.[xxvii]
Separately, the Trustee and its counsel were informed early in the bankruptcy case that master credentials to the Synapse AWS environment were known to only two former Synapse engineers, who as of June 14, 2024, had not responded to the Trustee and proposed counsel’s requests to provide credentials. As a workaround, the Trustee had to work with a separate cloud provider to gain access to the Synapse environment.[xxviii]
Ultimately, the U.S. Trustee’s emergency motion to convert the case was denied by Judge Barash, and for now, the bankruptcy case continues in Chapter 11. As of September 13, 2024, the Trustee maintained that the bankruptcy case “should remain in chapter 11 for the time being.”[xxix]
2. Addressing Root Causes
The root causes identified above inform the best practices below. They are worthy of further development, ideally by the several bank-fintech partner teams focused on standard setting efforts, in future collaboration with regulators.[xxx]
a. Addressing Multiple Entities, Multiple Partner Banks and Fintechs, and Multiple Account Types
The right lesson from Synapse is not to prescriptively manage the ability of an insured depository institution (IDI) to work with multiple fintechs, middleware entities, and/or account types. Instead, a more prudent, principles-based approach involves adherence to applicable third-party risk management guidance and ensuring that in each circumstance where a bank and fintech engage:
- There is a thorough and consistent understanding of the account agreements governing the partnership(s);
- Account titling remains consistent with the account structure described in the underlying account agreements;
- Each follows sound risk management practices, commensurate with the complexity, risk, size, and nature of the activity and relationship; and
- Each seek ways to evaluate and potentially improve account ledgering practices (as described directly below and in Part 3), consistent with any final FDIC recordkeeping rule following the Records NPR.
Another lesson from Synapse: partnership agreements are foundational and should clearly delineate respective roles and responsibilities. For example, banks should ensure partnership agreements outline robust oversight mechanisms that the bank will employ to monitor the fintech partner’s activities. This oversight is essential to ensure compliance with regulatory requirements and contractual obligations. The agreements should specify the frequency and scope of reporting to the bank as well as periodic audits, the criteria for evaluating the partner’s performance, and the procedures for addressing any discrepancies or violations. By establishing clear and comprehensive contractual language, and processes for enforcing those contractual commitments, partner banks can mitigate potential risks such as fraud, money laundering, and operational failures.
Regarding the maintenance of account ledgers, it is imperative that these agreements explicitly assign the obligation to maintain accurate and up-to-date financial records to ensure transparency, accountability, and the integrity of financial transactions. This includes detailing the processes for recording transactions, reconciling accounts, and reporting financial data (which processes may eventually be detailed in any final rule following the Records NPR).
Some banks may ultimately be incentivized to enter into direct agreements with fintechs as a means of reducing operational complexity. Others may find that continuing to work with sophisticated, well-managed technology platforms presents various advantages. For example, these platforms can enable the exchange of data to facilitate banks’ risk management and oversight of fintech programs. These platforms may also be the most incentivized to devote the resources needed to upgrade account ledgering. The lesson from Synapse is therefore not that technology platforms are a broken model; rather, banks need to maintain a heightened focus on effective risk management, and ensuring the bank is appropriately set up to handle the operational and financial risks associated with bank-fintech arrangements.
b. Addressing Account Ledgering Irregularities
The lesson from Synapse is that fintech relationships involve a huge array of account types and structures, and in the face of such diversity, access to “FBO account” ledgers is necessary but not sufficient to identify and correct ledgering irregularities. The FDIC has responded to the ledgering issues exposed by Synapse by proposing new reconciliation requirements for what the agency calls “custodial deposit accounts with transactional features” (CDAWTFs). The central requirement of the Records NPR is that banks maintain “direct, continuous, and unrestricted access to the records” of any thirdparty maintaining ledgers for CDAWTFs.[xxxi] While the Records NPR thankfully stops short of enshrining the term “FBO account,” it is unfortunately limited to a narrow conception of the accounts involved.
In Part 1 of this series, we argued that “TPLA” is a better term because it more accurately captures the risks involved when the bank does not directly maintain its own ledgers. TPLA is also more useful, as it can be applied to any type of account (i.e., it is not limited to custodial accounts). In other outlets, we will provide our thoughts on the confusion that will come from the terms and definitions introduced in Records NPR, including a new distinction between “account holder” and “account owner.” But beyond the muddled terminology — which, again, is not a minor issue — it is uncertain that without needed technical changes, any final rule stemming from Records NPR would prevent the next Synapse, or in the event a bank fails, necessarily ensure the prompt and accurate payment of deposit insurance to depositors.
To prevent similar ledgering irregularities, banks and regulators should look beyond factors such as beneficial ownership and commingling of funds. Ledgering mischief can also occur in directly owned accounts, segregated accounts, or any account where the bank relies on a third party to maintain the ledgers — i.e., TPLA. In many (if not most) cases, the accounts opened through Synapse were the result of deposit account agreements executed directly between the end user and the partner bank (with Synapse sometimes identified in the agreement as a service provider of the bank). The key factor was that the partner bank relied on Synapse to maintain the records — the account type was irrelevant.
More importantly, banks need some means to understand the aggregate deposits from their fintech customers, including those at other banks. Direct ledger access does not prevent a third-party from telling an incomplete story. Recall that Synapse worked with multiple banks, and no individual partner bank knew the total deposits managed in Synapse related accounts. Synapse could have, for example, told one fintech customer that only half of its users deposits were at a partner bank, while at the same time told the partner bank that the deposit represented all of that fintech’s users’ deposits.
Banks also need to focus on ledgering hygiene. This means, among other things, requiring fintechs to have separate accounts that more clearly delineate funds for customers, operations, payment fees to third parties, contingency reserves, and network settlement. Also, when necessary, banks should distinguish individually identified subaccounts from general pooled accounts, especially when there are nested fintech relationships, such as those involving a middleware like Synapse. The Records NPR, unfortunately, does not address subaccounts, although these are common features of fintech partnerships.
c. Addressing Partner Bank Lapses
Another clear lesson from Synapse is that both banks and fintechs ought to undertake comprehensive contingency planning (e.g., liquidity and operational contingency plans) in case the partnership terminates. This contingency planning should not only anticipate the operational risk associated with an account ledger outage and how to mitigate that risk (see our forthcoming Part 3), but also how to efficiently deploy reserves to make end-users whole in the event of such an account ledger outage.
The risk management issues subject of the consent orders covering Synapse’s two partner banks cover board governance and BSA/AML issues. The underlying issues are not specifically described in the consent orders; they may also straddle those partner banks’ relationships with parties other than Synapse. Instead of focusing on partner bank lapses from the lens of any one consent order, Synapse’s failure instructs us to think more broadly and critically about whether any final rule stemming from the Records NPR would adequately address the lack of any one partner bank’s visibility into the flow of funds outside their respective institution.
As noted above in Part 1.a., end user deposits were sometimes made to one account of a particular fintech partner, while withdrawals for that same account were made from a different account at a different partner bank. The Records NPR’s focus on individual IDIs’ compliance with proposed recordkeeping and internal control requirements means it does not address this broader multi-bank partner lack of transparency problem. This is true even if the above recommendations in Part 2.b. are adopted. Without more, how will any IDI (or regulator) be able to identify any commingling of end user deposits across multiple partner banks and accounts?
In the absence of a radically different ledgering solution, neither fintechs, technology providers, partner banks, nor regulators will be able to track the flow of funds throughout any multi-party bank-fintech partnership ecosystem, including on a real time basis.
d. Addressing Regulatory Lapses
The right lesson from Synapse is for regulators to meaningfully reflect on these questions:
- Prioritization: One partner bank’s cease and desist order was very wide-ranging. It included findings across nearly every category, from BSA/AML to third-party and operational risk, to credit risk. The order included, as one element among many others within a broader set of risk management recommendations, a requirement to ensure that “ledger and sub-ledger responsibilities of the Bank and fintech partners” are clearly defined and maintained. But the order (issued after the Synapse failure) gives the partner bank 90 days to develop a plan for addressing this recommendation — along with dozens of others. Recommendations relating to consumer compliance and international wires were subject to more stringent deadlines. As was the case with Silicon Valley Bank, it’s possible regulators could have avoided the worst outcomes by focusing attention on the most critical issues. More broadly, how do regulators move away from a “check-the box” supervision model and more towards a more effective “risk-based supervision” one? How can they best “prioritize[e] the most significant risks and maintai[n] flexibility to adapt to changing circumstances?
- Scope of Supervision: Regulators have highlighted the “complexity” associated with BaaS arrangements and disclaimed supervisory responsibility for regulating the nonbanks involved in these relationships. To what extent could supervisory processes be updated to more meaningfully include engagement with the banks’ fintech partners? Would more direct engagement result in the early identification of risks (and therefore increase the likelihood of efficient corrective action on the part of the bank and the fintech partner?). Bank regulators have authority to supervise service providers to banks. While extensive use of that direct authority may not be practical, incorporating critical technology providers into the supervisory process has the potential to more quickly identify and address potential operational issues arising from these complex arrangements.
- Delays in Regulatory Feedback: Does the lapse in time between a report of exam and a consent reveal something deeper about our supervisory process — e.g., do supervisors need additional resources to maximize efficiencies?
- State and Federal Regulatory Coordination; Coordination Across Federal Regulators: Are existing frameworks for state and federal regulatory cooperation robust enough to identify system wide issues across multiple partner banks with different lead federal banking regulators and state regulators? In relation to FINRA’s oversight of Brokerage, there are good risk-based reasons (e.g., the risks of fractional reserve banking) why regulatory oversight of smaller broker-dealers should be as intensive as bank regulation. As Brokerage only started offering its “Modular Banking” offering at scale less than a year before the Synapse bankruptcy, it is entirely conceivable that FINRA may have, perfectly appropriately, not had a regular examination of Brokerage while the activity was taking place. The lesson of Synapse’s bankruptcy may well be that FINRA needs better tools to identify broker-dealers that have started, or are rapidly expanding, sweep activities in order to be able to conduct targeted off-cycle examinations to assess the quality of ledgering and reconciliation controls. Another lesson is to ensure there is ample coordination between FINRA and the relevant state and federal banking regulators.
e. Addressing Gross Mismanagement
One of the biggest challenges for entities entering bank-fintech partnerships is human capital. Fintechs build fast. But speed to market and compliance are a difficult balancing act, which is why the right leadership and personnel — those with a deep understanding of risk management and ideally bank supervision — are mission-critical to a fintech’s success.
Most banks, on the other hand, tend to have very well-positioned compliance management systems, which often require multiple levels of review. Most banks also manage outdated legacy technology systems and various regulatory compliance requirements. Speed to market is not the defining feature of well-managed banks. As heavily regulated entities, banks’ management of various risks, and the strength of their financial and managerial resources (i.e., “safety and soundness”), is paramount.
The right lesson from Synapse is to build an interdisciplinary, well-trained, compliance-focused team that receives regular, effective training. The most successful partnerships are those where both the fintechs and the banks hire not only top engineers, but also people with a deep knowledge of compliance management and risk mitigation, who undergo regular, effective training. This involves, at a minimum, targeted training by both leadership and staff on compliance-related responsibilities, including all aspects of BSA/AML requirements.
Ongoing training, skill assessment, and retooling are not only examples of best practices based on the Synapse failure — they are also described in the Interagency Guidance on Third-Party Relationships: Risk Management.[xxxii] Among the considerations that banks must make with their fintech partners: assessing the depth of resources (including staffing)[xxxiii] as well as an evaluation of the qualifications and experience of a third party’s principals and other key personnel related to the activity to be performed.[xxxiv] Similarly, banks must also engage their own staff with the “requisite knowledge and skills in each stage of the risk management life cycle.”[xxxv]
3. Conclusion
The Synapse failure is no different than many others: a combination of human, operational, and systemic lapses, coupled with a collective failure to act on the many warning signs that emerged over years. In short, a failure to imagine.
Finding solutions to hard problems requires identifying root causes, and any root cause analysis is only as good as its action plan. We have provided some lessons to get this action plan started, but we leave it up to emerging standard setters — in collaboration with regulators — to execute on this mission critical work.
Our forthcoming and final Part 3 shifts our focus towards imagining “the killer use case” — an account ledgering solution, via distributed ledger technology, that would not only have eliminated each root cause of Synapse’s failure, but also represents a prudent path forward for reasons beyond Synapse.
[i] Part 1 of our series is here.
[ii] A TPLA (as defined in Part 1) is any account where a party other than the bank is responsible for maintaining the account ledger. A TPLA can have either split title, where one party establishes the account for the benefit of other parties, or unified title, where the legal and beneficial owner are the same party (i.e., there is no “FBO”). But TPLAs would not include an account established by one party for the benefit of another party where the bank itself maintains the ledger because these accounts do not present novel risks. From the bank’s point of view, a TPLA can refer to many account types (demand, custody, trust, etc.).
[iii] Konrad Alt & Patrick Haggerty, New Headaches for FBO Account Managers Post-SVB, Fintech Nexus (Mar. 22, 2023), https://www.fintechnexus.com/new-headaches-for-fbo-account-managers-post-svb/.
[iv] See Chapter 11 Trustee’s Eighth Status Report at 7, In re Synapse Financial Tech. Inc., No. 1:24-bk-10646-MB (Bankr. C.D. Cal. Aug. 30, 2024) (Bloomberg Law).
[v] Chapter 11 Trustee’s Initial Status Report at 3, In re Synapse Fin. Techs. Inc., No. 1:24-bk-10646-MB (Bankr. C.D. Cal. June 7, 2024).
[vi] Id. at 3-4.
[vii] Modular Banking for Fintechs, Synapse (Mar. 27, 2023), available at https://web.archive.org/web/20230327092413/https:/synapsefi.com/modular-banking-for-fintechs.
[viii] Id.
[ix] Id.
[x] Id. at Exhibit A.
[xi] Id.
[xii] Id.
[xiii] Id. at Exhibit B.
[xiv] Id.
[xv] Id.
[xvi] Id.
[xvii] Id.
[xviii] See Michael Roddan, Inside the Collapse of Synapse: Missing Funds Were Known to Investors, Banks for Years, The Information (June 1, 2024, 8:00 AM), https://www.theinformation.com/articles/inside-the-collapse-of-synapse-missing-funds-were-known-to-investors-banks-for-years.
[xix] See The Semiannual Monetary Policy Report to the Congress: Before the S. Comm. on Banking, Hous. & Urb. Affs., 118th Cong., at 01:05:00 (2024).
[xx] Cease and Desist Order Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as amended, In re Evolve Bancorp, Docket Nos. 24-012-B-HC, 24-012-B-SM (Fed. Rsrv. Sys. June 7, 2024).
[xxi] Supra note 19 (statements of The Honorable Jerome H. Powell, Chair, Bd. of Governors of the Fed. Rsrv. Sys. and Sen. Sherrod Brown, Chairman, S. Comm. on Banking, Hous. & Urb. Affs.) (“We also as you may know […] did an enforcement action [ . . . ] and we hit them with an enforcement action around these very risk management issues—again before the [ . . . ] current situation developed.”).
[xxii] Cease and Desist Order Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as amended, In re Evolve Bancorp, Docket Nos. 24-012-B-HC, 24-012-B-SM (Fed. Rsrv. Sys. June 7, 2024).
[xxiii] A trustee appointed in a chapter 11 bankruptcy case manages the affairs of the debtor and makes all decisions about property of the estate. The trustee performs many of the same roles as a trustee in a chapter 7 case, except different deadlines and procedures apply. The trustee has the right to propose a plan of reorganization. See Trustee, What Is Their Role In A Bankruptcy Case?, U.S. Bankr. Ct., https://www.cacb.uscourts.gov/faq/trustee-what-their-role-bankruptcy-case#. A U.S. Trustee, however, is an impartial case trustee that administers the case and liquidates the debtor’s nonexempt assets. A U.S. Trustee monitors the conduct of bankruptcy parties and private estate trustees, oversees related administrative functions, and acts to ensure compliance with applicable laws and procedures. See Trustees and Administrators, U.S. Cts., https://www.uscourts.gov/services-forms/bankruptcy/trustees-and-administrators.
[xxiv] See Emergency Motion to Convert Case to Chapter 7 Under 11 U.S.C. § 1112(b) or, in the Alternative, to Direct Appointment of a Chapter 11 Trustee Under § 1104(a); Declaration of Alfred Cooper III at 4, In re Synapse Fin. Techs., Inc., No. 1:24-bk-10646-MB (Bankr. C.D. Cal. May 17, 2024).
[xxv] Id. at 7.
[xxvi] Id.
[xxvii] See Complaint, Yotta Techs. Inc. v. Evolve Bancorp, Inc., No. 3:24-cv-6456 (N.D. Cal. Sept. 13, 2024) (alleging mismanagement of the FBO accounts by at least one partner bank).
[xxviii] Chapter 11 Trustee’s Second Status Report at 9, In re Synapse Fin. Techs. Inc., No. 1:24-bk-10646-MB (Bankr. C.D. Cal. June 14, 2024).
[xxix] Chapter 11 Trustee’s Ninth Status Report at 9, In re Synapse Fin. Techs. Inc., No. 1:24-bk-10646-MB (Bankr. C.D. Cal. Sept. 13, 2024).
[xxx] See Coalition for Financial Ecosystem Standards, FS Vector, https://fsvector.com/cfes/; Alloy Labs Inst., https://www.alloylabs.com/institute.
[xxxi] Recordkeeping for Custodial Accounts, 89 Fed. Reg. 80135 (proposed Oct. 2, 2024) (to be codified at 12 C.F.R. pt. 375.3(c)(1))
[xxxii] See Fed. Deposit Ins. Corp., FIL-29-2023, Interagency Guidance on Third-Party Relationships: Risk Management (June 6, 2023).
[xxxiii] Id. at 39.
[xxxiv] Id. at 40.
[xxxv] Id. at 32.
