Fintech
Five Lessons for Partner Banks from Synapse Failure
Experts say that investing appropriately in data governance, compliance and staffing can help manage the risks that come with offering banking as a service.
The collapse of the banking-fintech brokerage firm Synapse, which led to the freezing of accounts that fintech clients could not access (worth an estimated $65 million to $96 million), is raising some fundamental questions about how such partnerships are designed.
The fallout from Synapse’s collapse has also caught the attention of regulators. On Thursday, the agencies issued a joint statement warning about the risks associated with banks relying on third parties, along with a request for information on a range of fintech arrangements. The agencies are considering whether additional measures could ensure that banks effectively manage risks.
Across the industry, practitioners are weighing the fallout from Synapse’s failure and the lessons fintechs and partner banks should learn from the debacle. In July, a virtual round table organized by software company Unit21 asked industry experts to give their opinion on the security measures that banks and fintechs could adopt.
For all participants in such partnerships, it’s important to ensure “a certain level of due diligence on the part of the banks and also on the part of the technology companies, to know who you’re working with and then be able to address the risks through … controls built into the technology,” said Sheetal Parikh, general counsel and chief compliance officer at Treasury Prime.
Here are the key points that emerged from the round table:
Proactively assess account reconciliation gaps through internal data capture. In the Synapse situation, fintech clients’ inability to access funds was caused by a reconciliation issue between the banks and the fintech. The consolidation of fintech clients’ funds into a single “benefit-of” omnibus account, or FBO, opened up opportunities for reconciliation discrepancies, Parikh argued.
To avoid these issues, it’s important for partner banks to bring data, including fintech customer account information, in-house, the panelists said. Banks shouldn’t rely on fintech partners to safeguard users’ account data; the bank should have line of sight to their account data, said Keith Vander Leest, head of payments at Cross River Bank.
“Over the last 12 months it has become very clear that the foster care model [for user account management] that’s not something a bank should be comfortable with,” he said. In an FBO account, “you should have visibility through subledgers into the customers of individual partners.” Partner banks should also have know-your-customer and know-your-business information about fintechs’ customers, rather than relying on the fintech to protect them.
Internal data integration also forms the basis for other types of controls that partner banks can implement, including anti-money laundering (AML) compliance.
“Once you have the right infrastructure in place, essentially the data headers, you can bring the monitoring of sanctions effectiveness and AML in-house,” said Sarah Beth Felix, CEO of Palmera Consulting. “It’s all a big pot of stew.”
Maintain fintech users’ eligibility for FDIC “pass-through” deposit insurance coverage. Fintech account holders are eligible for FDIC “pass-through” insurance if the underlying bank fails and other conditions are met. However, eligibility depends on banks and fintechs keeping good records of account holders, including who owns the funds.
“These accounts are eligible for FDIC ‘pass through’ [insurance]but a lot of the requirements to determine whether that applies have to do with … making sure that the account is in the correct name, making sure that there are accounting records and books that the insured depository institution has access to,” Parikh said.
Recognize the investment needed in compliance and fraud mitigation. Partner banks that have moved too quickly, those “hungry” for scale, have relied too heavily on partners to meet AML and sanctions risks, Felix said. Instead, institutions must invest in meeting these responsibilities themselves. For some boards, that may mean acknowledging that they may have to temporarily operate at a loss to keep compliance on track.
“They need to have someone on the board with some kind of knowledge of AML, sanctions… It’s the same drum that feeds every one of our federal regulatory agencies,” Felix said.
Banks must also avoid reducing their capacity to implement anti-money laundering and fraud mitigation measures due to staff shortages.
“They’re under-hiring and thinking, ‘Well, I’ll hire people as the volume increases,’ and while that’s a good thing … having a full-time person or employee assigned to this doesn’t do the bank any good, and it’s certainly not going to get any easier as criminals find out about it,” Felix said.
Vander Leest said that hiring Bank Secrecy Act and AML experts should be a priority for fintech companies.
Reconsider business continuity risks. Before the Synapse collapse, the concepts of business continuity and disaster recovery were typically associated with natural disasters; now, however, business continuity plans should incorporate third-party risks, including issues affecting intermediaries.
“What is changing is that traditionally we have looked at [business continuity risks] in the context of things like disasters or tornadoes that hit and there are disruptions,” Parikh said. “We’re thinking about this in terms of venture-backed companies losing funding. After Synapse… it’s going to change the standards of what we consider a disaster or disruption.”
While banks need to carefully evaluate potential fintech partners, it is also up to fintechs to carefully evaluate potential banking partners. FinTech companies should evaluate potential partner banks by examining the questions they ask.
“If your banking partner doesn’t ask you, ‘What do you do for AML? Show me what your alerts look like? Show me what your provisions look like? Show me the resumes of the people on your AML and sanctions team?’ If your banking partners don’t ask you, the fintech, those things, to me, that’s a red flag for a fintech that says, ‘Wait, maybe I need a second banking partner,’” Felix said.