Custody Battles: The FDIC's Latest Proposed Rule on FBO Accounts

9 min

The FDIC has issued a proposed rule that would apply to practically all bank-fintech arrangements that use custodial deposit accounts to provide customers with transactional features (also called "FBO" accounts for short). The proposed rule would impose prescriptive and technical requirements directly on insured depository institutions ("banks") and affect fintechs or other third-party service providers that rely on these types of accounts. If the proposed rule is adopted, banks and fintechs will need to reassess their contracts related to custodial account services, data formats for sharing and reporting data, recordkeeping and access to data, validation and reconciliation efforts, business continuity, and related concerns.

The proposed rule follows the bankruptcy of and attendant complexities involving a major middleware provider that involved FBO accounts, is influenced by the 2023 bank failures, and follows on the heels of a recent proposed rule on brokered deposits and a request for information on bank-fintech partnerships. These developments suggest a heightened risk of faster and more severe bank runs in an era of digital financial services.

Comments are due 60 days following the publication in the Federal Register (meaning mid to late November). We expect that many banks, fintechs, technology service providers, and other interested parties will want to comment on aspects of this proposed rule, ranging from the technical feasibility to the reconciliation and data practices envisioned. The proposed requirements would apply regardless of the date a particular custodial deposit account was established—no grandfathering is provided.

Key Takeaways

  • New rules. The proposed rule makes more explicit the regulatory requirements and expectations for banks concerning FBO accounts and similar custodial arrangements. The FDIC would add a new Part 375 to its regulations ("Requirements for Accurate Custodial Deposit Accounts with Transaction Features and Prompt Payment of Deposit Insurance to Depositors"). The rule would leave intact the current Part 330 on deposit insurance coverage.
  • More bank-centric. Like the proposed rule on brokered deposits (e.g., its elimination of the primary purpose exception filing by non-banks), this proposed rule would more explicitly shift the regulatory burden and interaction with the FDIC to banks, which would essentially have the direct legal obligations under the proposed rule.
  • Ledger requirements. Banks would have to either (1) maintain a ledger of FBO accounts that third parties (e.g., fintechs) open or (2) have direct access to a ledger maintained by the third party so the bank can reconcile the accounts each day. If the fintech handles reconciliation, banks would have to maintain direct access to the third party's ledger. A party other than the third party would be required to validate these efforts and their accuracy. The bank in a fintech partnership could fulfill this role.
  • Specificity. The proposed rule would provide recordkeeping and format requirements that appear to tack in the direction of Part 370 of the FDIC's regulations (Recordkeeping for Timely Deposit Insurance Determination), but not all banks are subject to Part 370's requirements.
  • Annual certification and report. Banks will have to provide an annual certification signed by an executive officer to the FDIC (and its primary federal regulator, if different) that the bank has been reconciling these kinds of accounts (similar to the certification requirement in Part 370).
  • Written policies and procedures; enforcement. Banks would be required to maintain written policies and procedures for compliance. If a bank does not satisfy the proposed rule's requirements, the violation could be addressed in examinations or enforcement actions.

Coverage for BaaS Arrangements Generally

The proposed rule would cover bank-fintech arrangements, among others, that generally involve a non-bank as account holder establishing deposit accounts for beneficial owners.

For purposes of the proposed rule, "custodial deposit accounts with transactional features" would be defined as a deposit account that meets three requirements:

  • the account is established for the benefit of beneficial owners (hence, the FBO part)
  • the account holds commingled deposits of multiple beneficial owners and
  • a beneficial owner may authorize or direct a transfer through the account holder from the account to a party other than the account holder or beneficial owner (e.g., to make purchase or pay bills)

The account holder would be "the person or entity who opens or establishes a custodial deposit account with transactional features with an insured depository institution." In many BaaS arrangements, that's the fintech. This definition does not require that the "account holder" be the titled owner of the account.

A beneficial owner, consistent with current Part 330 of the FDIC's regulations concerning pass-through deposit insurance, would mean "a person or entity that owns … the funds in a custodial deposit account." In many BaaS arrangements, that's the customer that wants to use the fintech's services and other financial services.

Exceptions

The proposed rule would expressly exempt several kinds of accounts, even if they have transactional features, including custodial deposit accounts

  • In deposit placement networks or reciprocal networks (unless the network's purpose is to enable clients to make payment transactions using funds in the custodial deposit account at the network banks)
  • Established by broker-dealers or investment advisors
  • Holding security deposits tied to (1) property owners through HOAs or (2) residential or commercial leases
  • Maintained by a mortgage servicer in a custodial or other fiduciary capacity

Recordkeeping and Format Requirements

The required records would need to identify for each custodial deposit account (1) the beneficial owners of the custodial deposit account, (2) the balance attributable to each beneficial owner, and (3) the ownership category in which the beneficial owner holds the deposited funds.

The proposed rule also would provide specific file format requirements, regardless of whether the bank maintains the records itself or through an arrangement with a third party. These would be included in an Appendix A to Part 375. Appendix B to Part 375 would include the ownership right and capacity codes for the last data field of the required report, which borrows heavily—though not completely—from Part 370's codes. Although the differences are relatively minor, complete harmonization between the two might reduce the compliance burden for banks that would have to file under both regulatory frameworks.

Even short of a bank failure, the FDIC anticipates that these records of beneficial ownership would be useful to the bank in the event of a disruption affecting the account holder—whether directly at, for instance, a fintech, or through a middleware provider, as with Synapse and the banks that relied on its services.

For records kept by third parties—such as the account holder itself or middleware vendors and software providers—the bank would be required to have direct, continuous, and unrestricted access to records maintained by the third party in the standardized file format, including access in the event of a business interruption, insolvency, or bankruptcy of the third party.

The bank also would be required to have continuity plans in place, including backup recordkeeping for the required beneficial ownership records and technical capabilities to ensure compliance with the proposal's requirements.

Accurate Balances and Daily Reconciliation

Banks would be required to maintain accurate deposit account balances, including the respective individual beneficial ownership interests associated with the custodial deposit account, and to conduct reconciliations against the beneficial ownership records no less frequently than at the close of business each day.

Reconciliations would compare multiple data elements and, in the event of any differences, bring the data elements into agreement.

Contractual Requirements

The proposed rule builds on third-party risk management expectations. If records are maintained by a third party, the bank would be required to have a direct contractual relationship with the third party that includes specific risk mitigation measures. The contract would need to:

  • Clearly define roles and responsibilities for recordkeeping, including assigning to the bank rights of the third party that are necessary to access data held by other parties.
  • Include an explicit provision requiring the third party to implement appropriate internal controls to be able to accurately determine the beneficial ownership interests represented in the custodial deposit account and conduct reconciliation against the beneficial ownership records at least daily.
  • Provide for periodic validations by an independent party to verify that the third party is maintaining accurate and complete records and that the required reconciliations are being performed. If the bank does not perform the validations itself, the results must be provided to the bank.

The contractual language could not attempt to relieve the bank of its Part 375 responsibilities.

Annual Reporting

In addition to the ongoing compliance requirements discussed above, a bank must complete an annual report, in addition to the annual certification (similar to Part 370's requirements), that

  • Describes any material changes to the information technology systems relevant to compliance with the rule
  • Lists the account holders that maintain custodial deposit accounts with transactional features, the total balance of those custodial deposit accounts, and the total number of beneficial owners
  • Sets forth the results of the institution's testing of its recordkeeping requirements and
  • Provides the results of the required independent validation of any records maintained by third parties

The report would be due within one year of the rule's finalization and then annually thereafter.

If a bank experiences a significant change in its deposit-taking operations or if the FDIC or the primary regulator identifies aspects of the institution's operations that pose elevated risks of compliance with Part 375, the certification and report may be required more frequently.

Considerations for Commenters

The FDIC has asked for, among other questions, comments on the potential technological and operational challenges banks might face in implementing the proposed rule, and on any specific aspects of the standardized electronic format for recordkeeping that need further clarification or modification. We anticipate that banks, fintechs, and middleware providers will likely present detailed considerations about the feasibility of the proposed provisions, including from a technological perspective.

Although the proposed rule exempts certain arrangements, it does not provide much detail on specific types of custodial account arrangements that may be covered—these types of accounts are used across the financial services industry in areas such as prepaid accounts, payment processing, lending, and bill payment services. Accordingly, it may be worthwhile for commenters to seek additional exemptions or clarifications, including how the rule could have an impact on custodial accounts with sub-account features. Relatedly, entities and arrangements that are proposed for exemption (such as broker-dealers) may want to comment to preserve or expand these exemptions, as applicable/necessary.

Unlike Part 370, the proposed rule lacks minimum thresholds for its applicability, such as a minimum number of custodial deposit accounts with transactional features, or a minimum asset size of such accounts or of the banks that would be covered by Part 375. Commenters may wish to present relevant data that explains compliance burdens in absolute and relative terms.

We also note that Part 330 of the FDIC's regulations could be updated, referenced, or integrated to better correspond to the new proposed Part 375. For instance, in the preamble, the FDIC states that the proposed rule, if finalized, would require compliance with Part 375 so that such accounts "qualify for pass-through deposit insurance." Draft, Proposed Rule, 41. That notable policy change could be more clearly reflected in revisions to Part 330 itself as well as the proposed rule. The proposed rule merely states that "[a bank] that has custodial deposit accounts with transactional features is required to maintain records of beneficial ownership in a prescribed format to preserve beneficial owners' and depositors' entitlement to the protections afforded by Federal deposit insurance." Proposed Section 375.1 (emphasis added). That's an important change, and it should be clearly and consistently reflected in the regulations.

Please reach out to the authors or another Venable attorney if you would like to comment on the proposed rule.