FDIC Guidance on Bank-Fintech Partnerships: What It Means in Practice

Practical analysis of FDIC bank fintech guidance: FIL-44-2023, proposed deposit rules, record-keeping requirements, and lessons from the Synapse bankruptcy.

By Canarie Team

The FDIC has been the most active federal regulator in defining expectations for bank-fintech partnerships. Between FIL-44-2023 on third-party risk management, the proposed rule on custodial deposit accounts with transactional features, and the agency's post-Synapse rulemaking on third-party deposit arrangements, the FDIC has constructed a regulatory framework that treats BaaS oversight as a distinct supervisory priority.

For banks supervised by the FDIC, which includes most community banks operating as sponsor banks, these aren't abstract guidance documents. They translate directly into examination procedures, information requests, and enforcement actions. Understanding what the FDIC expects and how it examines fintech partnerships is the difference between a clean exam and an MRA.

Key Takeaways:

  • FDIC FIL-44-2023 establishes that banks must maintain the same compliance standards for fintech-delivered products as for products delivered through their own channels
  • The proposed rule on third-party deposit arrangements would require banks to maintain records sufficient to determine deposit insurance coverage for every depositor, even when accounts are held through intermediaries
  • The Synapse bankruptcy exposed critical gaps in record-keeping and reconciliation that regulators are now addressing through rulemaking
  • FDIC examiners are specifically trained on BaaS examination procedures and are asking increasingly detailed questions about fintech program oversight

FDIC FIL-44-2023: The Foundation

FIL-44-2023, issued in June 2023, was the FDIC's implementation of the interagency third-party risk management guidance. While it mirrors the OCC and Federal Reserve versions in structure, the FDIC's accompanying commentary added specificity relevant to the institutions it supervises, predominantly community banks and state-chartered nonmember banks.

Key elements that directly affect sponsor bank operations:

Activities conducted through third parties are bank activities. The FDIC made explicit what was always implied: when a fintech originates loans, opens deposit accounts, or processes payments under the bank's charter, those are the bank's activities. The bank must apply the same compliance management system (CMS) to fintech-delivered products as it applies to products offered through its own branches.

Risk assessment must precede the relationship. The FDIC expects banks to assess whether a proposed fintech partnership is consistent with the bank's strategic plan, risk appetite, and compliance capacity before entering the relationship. Banks that sign fintech contracts and then figure out how to manage the compliance are doing it backward.

Board accountability is explicit. FIL-44-2023 states that the board of directors is responsible for "overseeing the development and implementation of the institution's third-party risk management process." For sponsor banks, this means the board must understand the institution's fintech program at a level of detail that allows informed decision-making, not rubber-stamp approvals based on management summaries.

The FDIC will examine the bank's fintech oversight directly. The letter makes clear that FDIC examiners may "conduct examinations of the functions or operations performed by a third party on the institution's behalf." This means examiners can, and do, examine the fintech's operations as part of the bank's examination. Banks should prepare their fintech partners for this possibility.


The Proposed Rule on Third-Party Deposit Arrangements

In response to the Synapse bankruptcy and growing concerns about the custody chain for BaaS deposits, the FDIC proposed a rule in late 2024 addressing third-party deposit arrangements. While the rule has not been finalized as of this writing, its provisions signal where regulatory expectations are heading.

The proposed rule would require:

Reconciliation obligations. Banks that hold deposits placed through third-party platforms (including fintech apps) would be required to reconcile the total deposits held with the individual deposit records maintained by or for the bank on a daily basis. This directly addresses the core failure in the Synapse collapse, where discrepancies between Synapse's ledger and the banks' records made it impossible to determine how much money belonged to each depositor.

Record-keeping for pass-through insurance. For deposits held in custodial accounts (FBO accounts), the structure used in most BaaS deposit programs, the bank would need to maintain or have immediate access to records identifying each beneficial owner and their individual balance. Under current FDIC rules (12 CFR § 330.5), pass-through deposit insurance coverage requires that the custodial relationship and individual ownership interests be determinable from the bank's records or the records of the agent (the fintech or middleware provider).

Direct-to-bank record model. The proposed rule signals the FDIC's preference for a model where the bank maintains its own records of individual depositors, rather than relying on an intermediary's ledger. This represents a significant operational shift for BaaS programs that currently rely on middleware providers to maintain sub-ledger records.

Notification requirements. Banks would need to notify the FDIC when entering into significant third-party deposit arrangements, giving the agency visibility into the growth of BaaS deposit programs across the system.


Lessons from the Synapse Bankruptcy

The May 2024 bankruptcy of Synapse Financial Technologies was the inflection point for FDIC rulemaking on bank-fintech relationships. Synapse operated as a middleware provider between multiple FDIC-insured banks and their fintech partners. When Synapse filed for bankruptcy, it revealed:

A $65-85 million shortfall between what Synapse's records showed depositors should have and what the banks actually held. Over 100,000 consumer accounts were affected across multiple banks.

Inadequate record-keeping. The banks relied on Synapse to maintain the sub-ledger mapping individual depositors to their balances. When Synapse's records proved unreliable, the banks could not independently determine who owned what. This violated the foundational principle of deposit insurance: the ability to determine coverage at the point of failure.

No reconciliation process. The banks had not been performing regular reconciliation between Synapse's ledger and their own records. Discrepancies accumulated over months or years without detection.

Customer harm. Consumers who believed their deposits were FDIC-insured and safely held at a bank could not access their money for months. Some received only partial distributions based on the trustee's best reconstruction of the records.

The Synapse failure taught regulators, and the industry, several practical lessons:

  1. Banks cannot outsource record-keeping accountability. Even if a middleware provider maintains the sub-ledger, the bank must be able to independently verify balances and ownership.
  2. Daily reconciliation is the new baseline. Monthly or quarterly reconciliation is insufficient for deposit programs with high transaction volumes.
  3. Contingency planning must include middleware failure. Banks need a documented plan for how they would service accounts if their middleware provider fails, including direct access to customer data and alternative processing capabilities.
  4. FDIC insurance representations by fintechs must be accurate. Several fintechs in the Synapse ecosystem marketed their products as "FDIC insured" in ways that created consumer confusion about who held their deposits and what was actually covered.

How FDIC Examiners Evaluate Fintech Programs

FDIC examiners assigned to sponsor banks follow examination procedures that have been updated to address BaaS-specific risks. Based on recent examination cycles and publicly available supervisory guidance, examiners focus on:

Compliance management system (CMS) coverage. Does the bank's CMS cover all products and services delivered through fintech partners? Examiners test this by sampling fintech-originated transactions, reviewing disclosures, and comparing the bank's policies to actual fintech practices. A bank with strong policies but no evidence that those policies are applied to fintech operations will receive findings.

BSA/AML program adequacy. Examiners evaluate whether the bank's BSA program accounts for the unique risks of fintech-originated activity: higher transaction volumes, different customer demographics, non-face-to-face onboarding, and potential for rapid scaling. They specifically ask about the bank's access to transaction data, the timeliness of suspicious activity monitoring, and the bank's SAR filing process for fintech-sourced alerts.

Consumer compliance in fintech products. Examiners review fintech disclosures, marketing materials, and complaint data. They look for UDAAP risks, particularly in marketing that overpromises, buries fees, or misrepresents the relationship between the fintech and the bank. Reg E error resolution procedures are a frequent focus area because fintech products often involve complex transaction flows where error resolution responsibility is unclear.

Deposit insurance representations. Examiners check whether the fintech's marketing accurately represents deposit insurance coverage. After Synapse, the FDIC issued specific guidance on proper use of the FDIC name and insurance representations. Fintechs cannot claim their accounts are "FDIC insured" without clearly identifying the bank and the terms of coverage. Examiners will review fintech websites, apps, and marketing materials for compliance.

Third-party oversight documentation. Examiners request the bank's due diligence files, contract terms, monitoring evidence, complaint data, board reports, and escalation records. The depth of review correlates with the number and complexity of fintech relationships. A bank with one fintech partner may have a focused review. A bank with ten partners should expect a multi-week examination.


Practical Steps for FDIC-Supervised Sponsor Banks

Based on current FDIC expectations and the trajectory of rulemaking, sponsor banks supervised by the FDIC should:

  1. Conduct an immediate reconciliation assessment. Can the bank independently determine, at any point in time, the total deposits attributable to each fintech program and each individual depositor? If the answer relies on a middleware provider's ledger without independent verification, the bank has a gap.

  2. Review deposit insurance representations. Audit every fintech partner's website, app, and marketing materials for proper FDIC insurance disclosures. Ensure the bank's name is clearly identified as the institution where deposits are held.

  3. Establish daily reconciliation. Implement daily reconciliation between the bank's records and any intermediary's sub-ledger. Investigate and resolve discrepancies within 24 hours.

  4. Document contingency plans. Create and test a contingency plan for each middleware provider that addresses: how the bank would access customer data, how it would process transactions, and how it would communicate with affected customers if the middleware provider failed.

  5. Brief the board specifically on FDIC expectations. Ensure the board understands the FDIC's evolving guidance, the Synapse lessons, and the bank's current compliance posture. Board awareness is an examination checkpoint.

For a broader framework on managing these obligations across multiple partners, see our guide on managing fintech partner compliance at scale.


How Canarie Supports FDIC Compliance for Sponsor Banks

FDIC examination expectations for sponsor banks translate into hundreds of discrete compliance tasks: reconciliation, disclosure reviews, marketing audits, complaint analysis, BSA testing, and board reporting. Each task requires evidence. Each examination cycle requires the bank to produce that evidence on demand.

Canarie maps FDIC guidance to specific compliance tasks, assigns them to the right team members, and captures completion evidence. When examiners request documentation of your fintech oversight activities, the evidence is already organized by obligation, partner, and time period, not buried in email threads and shared drives.



Frequently Asked Questions

Does FDIC deposit insurance automatically cover deposits held through fintech apps?

Not automatically. Deposit insurance covers deposits held at FDIC-insured banks, not deposits held at fintechs. For fintech-originated deposits to qualify for FDIC insurance, they must actually be deposited at an insured bank, and the records must identify the individual depositor's ownership interest. Under 12 CFR § 330.5, pass-through insurance requires that the custodial relationship and individual balances be ascertainable from the bank's records or the deposit broker's records. The Synapse failure demonstrated what happens when those records are unreliable.

What did FIL-44-2023 change for banks that already had third-party risk management programs?

FIL-44-2023 replaced the FDIC's prior guidance (FIL-44-2008) and aligned the agency with the interagency framework. Banks that already followed OCC Bulletin 2013-29 or the Federal Reserve's SR 13-19 likely had most elements in place. The key changes for FDIC-supervised banks include: explicit coverage of fintech and BaaS relationships, stronger board oversight expectations, and clearer requirements for the planning stage of third-party relationships. Banks that had weaker programs under the older FDIC guidance face the most adjustment.

How is the FDIC addressing fintech marketing of FDIC insurance?

The FDIC has taken multiple actions. It finalized a rule in 2024 updating the regulations on misuse of the FDIC name and insurance logo (12 CFR Part 328). The rule prohibits fintechs from implying that their products are FDIC insured unless the marketing clearly identifies the insured bank and accurately describes the terms of coverage. The FDIC has also issued cease-and-desist letters to fintechs making misleading deposit insurance claims. Banks are expected to monitor their fintech partners' marketing for compliance with these requirements.

Will the proposed third-party deposit rule apply to all sponsor banks?

The proposed rule would apply to all FDIC-insured institutions that accept deposits through third-party arrangements, including BaaS programs. While the rule is not yet final, the FDIC's examination practices already reflect its principles. Banks should not wait for finalization to implement daily reconciliation, improve record-keeping, and develop contingency plans for intermediary failure. The direction of regulatory expectations is clear, and examination findings will cite supervisory expectations even before a final rule takes effect.
