FDIC proposes to strengthen custodial deposit account recordkeeping in bank-fintech partnerships

The FDIC proposal is the latest measure by the federal banking agencies to address perceived risks arising from bank-fintech arrangements - in this case, those involving "custodial accounts with transactional features." Through recordkeeping and related requirements, the proposal seeks to ensure that banks, as well as the FDIC, can quickly assess amounts held by beneficial owners of these accounts upon the failure of banks, fintech partners or other service providers to these arrangements.

The FDIC recently proposed a rule intended to strengthen insured depository institutions' (IDIs) recordkeeping for custodial deposit accounts with transactional features.[1] As highlighted in the statements of several FDIC officials,[2] the proposal is part of a trend among the federal banking agencies to increase scrutiny of IDI-fintech relationships. For example, in a recent joint statement, the federal banking agencies expressed concerns about the perceived risks associated with banking-as-a-service (BaaS) and similar arrangements between IDIs and fintechs (or other nonbanks), while also expressing support for such relationships as long as they are appropriately structured and conducted in a safe and sound manner. See here for our client update regarding this statement.

The accounts that are the subject of the FDIC's latest proposal are "custodial deposit accounts with transactional features." Essentially, these are accounts that pool the funds of multiple underlying beneficial owners (typically the customers of a fintech) to support deposit and payment services through a third-party account holder, such as a fintech. The proposal seeks to facilitate prompt and accurate determination of beneficial owners' deposit insurance coverage in the event of a failure of an IDI. The proposal also seeks to reduce the likelihood of a disruption to beneficial owners' access to their funds in the event of an IDI's or account holder's failure, an impact that prominently occurred in the wake of the recent failure of a fintech "middleware" company.

Below is a discussion of certain key takeaways from the proposal, as well as a brief summary of the proposal's requirements. Comments on the proposal are due 60 days after the date of publication in the Federal Register.

Key Takeaways

• Broad scope of the proposal. The proposal's recordkeeping and compliance requirements would broadly apply to all IDIs holding custodial deposit accounts with transactional features. This term would encompass accounts established by account holders on behalf of beneficial owners in which beneficial owners' funds are pooled and which are used by beneficial owners to transfer funds to third parties. The proposal includes a number of exemptions for certain types of accounts. These exemptions are primarily based on the application of other regulatory requirements to such accounts (e.g., custodial deposit accounts opened by mortgage servicers and securities industry participants) and also include an exemption that would apply to deposit placement networks.
• Lack of threshold requirement. Unlike other recordkeeping requirements aimed at ensuring that the FDIC can promptly assess deposit insurance coverage (e.g., 12 C.F.R. Part 370), application of the proposal would not vary based on the size of the IDI, the number of custodial deposit accounts with transactional features held by the IDI or the frequency or size of the transactions conducted through the accounts. In his statement on the proposal, FDIC Vice Chairman Travis Hill highlighted the lack of any threshold requirement in the proposal, and the proposal itself solicits comments on this point.[3]
• Statutory authority. In issuing the proposal, the FDIC relies on its statutory responsibility to determine applicable deposit insurance coverage "as soon as possible" following the failure of an IDI. Although aspects of the proposal, especially the recordkeeping requirements, may assist the FDIC in making this determination following the failure of an IDI, the proposal acknowledges that it will have benefits beyond this scenario, including upon the failure of fintechs, nonbank partners or other service providers. FDIC Director Jonathan McKernan highlighted that he believes aspects of the proposal, such as compliance, annual certification and reporting requirements, may be heavy-handed and potentially surpass FDIC statutory authority.[4]
• Impacts on pass-through insurance. Custodial deposit accounts are generally eligible for pass-through deposit insurance if they meet certain conditions set forth in 12 C.F.R. Part 330. The proposal does not expressly require IDIs to implement the recordkeeping requirements from the proposal for pass-through insurance to apply to the covered custodial deposit accounts, nor does the FDIC indicate that it plans to make any updates to the regulatory provisions relating to pass-through insurance to account for the proposal. The FDIC, however, notes that an expected effect of the proposal is that IDIs holding the covered custodial deposit accounts would maintain their account records in accordance with the proposal "in order for [these accounts] to qualify for pass-through deposit insurance."
• Scrutiny on IDI-fintech relationships. The proposal comes as part of a broader push by the federal banking agencies to understand and place guardrails around bank-fintech relationships, which some regulators perceive as representing a "significant incursion into consumer deposit taking and payment activities" by nonbanks that presents "significant risks."[5] In addition to the joint statement on risks posed by BaaS and similar arrangements, the federal banking agencies have issued a request for information (RFI) on IDI-fintech relationships, proposed amendments to the brokered deposit rule to address the changing nature of deposits and pursued enforcement or other actions against IDIs and nonbanks misrepresenting deposit insurance coverage as a result of IDI-fintech partnerships, among other measures.[6] Given that the federal banking agencies are accepting comments on the RFI until September 30, 2024, Vice Chairman Hill stated that he believed the proposal was prematurely issued and would have benefited from these comments.

Summary of the Proposal

Custodial deposit accounts with transactional features

The proposal would only apply to IDIs that hold "custodial deposit accounts with transactional features." The proposal defines custodial deposit accounts with transactional features as deposit accounts that meet three requirements:

• The account is established by account holders for the benefit of beneficial owner(s);
• The deposits of multiple beneficial owners are commingled in the account; and
• A beneficial owner may authorize or direct a transfer through the account holder from the account to a party other than the account holder or beneficial owner.

Essentially, the proposal would apply to any custodial deposit account established by an account holder on behalf of beneficial owners and used by beneficial owners to transact with other third parties-for example, to make purchases or pay bills.

Certain types of custodial deposit accounts are exempted from the proposal because the FDIC believes that the policy objectives of the proposal would not be advanced by applying additional recordkeeping requirements to those accounts because either (i) the account is not expected to have transactional features or (ii) the account is already subject to recordkeeping requirements through another regulatory regime. Exempted custodial deposit accounts include, among others, custodial deposit accounts that hold only trust deposits; that are established at an IDI by government depositors, brokers, dealers or investment advisers; that are created in connection with employee benefits plans and retirement plans; and that are maintained in connection with a deposit placement network for purposes other than payment transactions.

Even with these exemptions, the proposal estimates that between 600 and 1,100 IDIs would be required to comply with the proposal. In his statement on the proposal, Vice Chairman Hill advocated for some form of minimum threshold to trigger the requirements of the proposal. Otherwise, according to Vice Chairman Hill, if an IDI has one covered custodial deposit account, it would be required to fully comply with all aspects of the proposal, including compliance, annual certification and reporting requirements. He opined that only "a few dozen" IDIs are heavily engaged in the type of activity targeted by the proposal and suggested that the proposal be more narrowly tailored to apply to such IDIs.

Recordkeeping requirements

The cornerstone requirement of the proposal is that IDIs holding covered custodial deposit accounts would need to implement certain standardized recordkeeping requirements, which the FDIC indicates are intended to mitigate risks relating to account record discrepancies between IDIs and fintech or nonbank partners. In particular, IDIs would be required to maintain records establishing:

• The beneficial owner(s) of the custodial deposit account;
• The balance attributable to each beneficial owner; and
• The ownership category in which the beneficial owner holds the deposited funds.

The proposal would require that these records be maintained in a specific electronic file format, which is described in detail in Appendix A to the proposal.[7]

The proposal would also require IDIs holding covered custodial deposit accounts to maintain internal controls that:

• Maintain accurate deposit account balances, including the respective individual beneficial ownership interests associated with the custodial deposit account; and
• Conduct reconciliations against the beneficial ownership records no less frequently than at the close of business daily, recognizing that reconciling variances due to unposted transactions and timing of transactions occur and should be addressed based on standard banking practices.

The proposal makes clear that the internal controls should "enable the IDI to be able to accurately determine individual beneficial ownership interests for deposits held in custodial deposit accounts, and would expedite a deposit insurance determination in the event of the IDI's failure."

In the proposal, the FDIC recognizes that many IDIs, including community banks, regularly rely on third-party vendors or software providers to assist in carrying out certain banking functions. Therefore, under the proposal, IDIs may choose to maintain the records required by the proposal through a contractual relationship with a third party, including the fintech or other nonbank partner itself. The FDIC also recognizes in the proposal that these third-party relationships can become complex and lead to operational challenges in the event of a failure. Therefore, if relying on a third party, the IDI would be required to have:

• Direct, continuous and unrestricted access to the records in the format specified in Appendix A to the proposal;
• A continuity plan that includes backup recordkeeping and compliance capabilities; and
• A direct contractual relationship with the third party that defines roles and responsibilities for recordkeeping, requires the third party to implement the internal controls described above and provides for periodic validations by an independent party to verify compliance with the proposal.

IDIs would remain responsible for compliance with the rule even if they contract with third parties for the provision of recordkeeping services. As a result, the proposal would not only impact the recordkeeping and compliance practices of IDIs, but would likely have a significant impact on those of their fintech and other nonbank partners.

Compliance requirements

The proposal would impose compliance requirements on IDIs with covered custodial deposit accounts to maintain written policies and procedures to ensure compliance with the rule. If an IDI chooses to maintain the records required by the proposal through a third party, then the IDI's written policies and procedures would also be required to address achieving compliance with the requirements specific to maintaining records through a third party described above.

In addition, IDIs holding covered custodial deposit accounts would be required to implement an annual certification and reporting process. With regard to the certification, IDIs' chief executive officer, chief operating officer or the highest ranking official of the IDI would be required to annually certify that the IDI:

• Implemented the proposed recordkeeping requirements for the covered custodian accounts;
• Tested the implementation of the recordkeeping requirements within the preceding 12 months; and
• Is in compliance with all requirements of the proposal at the time of the annual certification.

IDIs would also be required to prepare an annual report containing:

• A description of any material changes to the IDI's information technology systems since the prior annual report that are relevant to the requirements of the proposal;
• A list of the account holders that maintain custodial deposit accounts with transactional features subject to the proposal, as well as the total balance of those custodial deposit accounts, and the total number of beneficial owners;
• The results of the IDI's testing of its implementation of the recordkeeping requirements; and
• The results of any independent validation of records maintained by third parties as required by the proposal.

An IDI would be required to submit the certification and report to the FDIC and the IDI's primary federal regulator (i.e., the Federal Reserve or OCC for state member banks or national banks, respectively). Although required annually, the proposal gives the FDIC and the IDI's primary regulator the authority to require the certification and report more frequently if an IDI experiences a significant change in its deposit-taking operations or an elevated risk of compliance is identified.

In his statement, Vice Chairman Hill stated that the proposal should be revised to align with the comparable requirements in the safety and soundness standards of 12 C.F.R. Part 370. Those regulations do not include a policies and procedures requirement, and the certification of compliance is qualified to "the best of the knowledge and belief [of the applicable officer] after due inquiry." Vice Chairman Hill stated that he believes such revisions would reduce the burden on IDIs, while still achieving the proposal's objectives.

Under the proposal, violations of its requirements could be addressed through the supervisory process, including though examinations or enforcement actions.

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.