A Cautionary Tale for Bank-Fintech Partnerships    

*This article was published in Bank Director magazine’s fourth quarter 2024 issue.

The recent bankruptcy of Synapse Financial Technologies and the resulting negative impact on Synapse’s bank partners, fintech clients and their end users should serve as a stark reminder of the importance of proper due diligence and compliance monitoring for all participants involved in banking as a service models and bank-fintech partnerships.

Synapse was a technology middleware provider that connected banks with nonbanks wanting to offer banking services to their customers. Following its bankruptcy filing in April, Synapse’s four partner banks alleged they had been denied access to Synapse’s dashboard system, which they relied on to facilitate transactions, resulting in the banks freezing end-user accounts.

According to status reports from the bankruptcy trustee overseeing Synapse’s case, the company used multiple partner banks to service different functions for the same fintech partner. In certain instances, fintech end-user deposits were deposited in an account at one bank while the same fintech end user’s withdrawals were processed from a different account at a different bank. The trustee noted that this model has made it “difficult to reconcile transactions and ensure end users receive access to the correct amount of funds due to each end user” — a position that has been echoed by several of Synapse’s partner banks while reconciliation efforts remain ongoing.

Exercise Diligence, Bolster Risk Management
Regulatory scrutiny has increased in recent years, resulting in enforcement actions. Federal bank regulators have recognized that while the “use of third parties can offer banking organizations significant benefits, such as access to new technologies,” these parties “can reduce a banking organization’s direct control over activities and may introduce new risks or increase existing risks, such as operational, compliance and strategic risks.”

Regulators are taking notice of the Synapse bankruptcy and resulting fallout, which could mean further scrutiny of fintech partnerships and banking as a service providers. For example, on June 14, the Federal Reserve issued a cease-and-desist order against West Memphis, Arkansas-based Evolve Bancorp, one of Synapse’s partner banking companies, citing shortcomings in managing its third-party fintech relationships. The order imposes various requirements, including restrictions on new fintech partnerships, and calls for the bank to produce “written policies and procedures to identify, manage, and monitor potential risks, including compliance, and fraud risks, associated with each fintech partner, product, program, service, business line, or customer.”

Banks that partner with fintechs — especially those that process large volumes of third-party transactions — should expect such regulatory scrutiny and increased supervision to continue. Federal bank regulators have signaled their intent to more consistently examine banks that provide partner banking services to fintechs.

What Regulators Say
To mitigate risk, banks should closely adhere to the guidance issued by federal regulators regarding third-party relationship risk management. For instance, the Joint Statement on Banks’ Arrangements With Third Parties to Deliver Bank Deposit Products and Services, issued on July 25, addresses potential risks that may be elevated for banks when delivering deposit products and services through a third party. The publication describes what the federal agencies view as effective risk management practices that banks should consider adopting to manage the potential risks from third-party deposit products and service arrangements.

Similarly, the Interagency Guidance on Third-Party Relationships: Risk Management, issued by the federal agencies in June 2023, states that “it is the responsibility of each banking organization to analyze the risks associated with each third-party relationship and to calibrate its risk management processes, commensurate with the banking organization’s size, complexity, and risk profile and with the nature of its third-party relationships.”

The guidance details how banks should evaluate risk when assessing, negotiating with and monitoring third-party relationships, and provides that banks must implement risk management practices that account for the risks of third-party providers. Such risk management practices would include conducting proper due diligence before entering into a relationship, compliance monitoring throughout the relationship and drafting third-party agreements to provide clear expectations for performance and responsibilities between the parties, as well as termination procedures and post-termination obligations. The guidance provides specific methodologies to comply with each of these risk management practices. Banks should ensure that their compliance policies and procedures incorporate such methodologies.