There’s a right way and a wrong way to build and manage bank-fintech business relationships. Well, make that many ways to do both, as there are several critically important factors and practices that need to be considered (and monitored) in every such relationship, no matter its specific goals and structure.

Over the past several weeks, vexing examples have popped up in the press and regulatory circles of just what happens when partnerships among regulated entities and specialised financial services companies or other providers are not created or maintained as sensibly and securely as they need to be. No doubt that’s one reason US banking authorities pounced this past week on the issue, with words of caution in an unusual joint, public reminder to the financial institutions under their supervision, essentially warning them: “Do it (third-party partnering) right - or don’t do it at all.”

Leaders of the three main US financial institution oversight bodies, the Federal Reserve (Fed), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued an unusual combined statement this past week, serving notice to banks under their supervision that third-party arrangements must be carefully analysed for potential risks. This was somewhat of a departure from a largely ‘hands-off’ approach (at least from a public standpoint) as the number of bank/fintech partnerships has steadily risen across America (and elsewhere in the world) over the past several years.

Noting that their three-party, combined message “reemphasizes (the regulators’) existing guidance; it does not alter existing legal or regulatory requirements or establish new supervisory expectations”, the authorities involved nonetheless cautioned banks to take a fresh look at risks involved in all third-party partnerships. They specifically recommended renewed scrutiny be given to arrangements where banks use “intermediate platform providers, processors, middleware providers, aggregation layers, and/or program providers” to deliver or facilitate deposit products and transaction services for end users.  

Financial services leaders have for the past few decades leaned more and more on outside providers to help them deliver various products and functionality to customers, and in fact many of those outsourcing and facilitative relationships have been cited as examples of best industry practice. The US regulators’ joint statement didn’t question the propriety, validity or practicality of most such arrangements, but it did enumerate several areas of particular concern where/when – as bank/fintech ties have grown in number and complexity and involved cross-functional transactions and account processes – the agencies observe that “risks may be elevated” for those involved.

“Operational and Compliance” processes identified as key focus areas

It’s clear that the Fed, FDIC, and OCC view “significant operations performed by a third party” as potentially most problematic for institutions under their supervision. Their statement raised concerns about how such reliance might hamper a bank’s “crucial existing controls” over deposit functions. It specifically cautioned that banks must conduct ongoing diligence and monitoring of all such relationships, shared systems, and processes – especially when it comes to assigning responsibility among the institution and its partners to provide critical, ongoing, customer-impacting functions.

Synapse failure: a complicated mess with fingers pointing in all directions

One recent case in the news has particularly highlighted the risks of losing or fragmenting access to systems of record for bank and client transactions, the collapse and bankruptcy of San Franciso-based Synapse Financial Technologies. Synapse is what’s known as a fintech “middleman” in the banking as a service (BaaS) space. As explained in official documents and news surrounding its collapse and bankruptcy filing in April, the company provided account transaction processing and statements between other fintechs and their financial institution “hosts”, for tens of thousands (at least) of customers.

The Synapse bankruptcy has been highlighted by experts like former Goldman Sachs product manager and financial newsletter writer Jason Mikula as a prime example of just how a bank/fintech partnership can become very tough to manage, or even understand, when it becomes too disjointed or complex.

Synapse’s failure – still being argued and dissected in the courts as of today – is a case involving hundreds of millions in deposit balances, several commercial banks, most prominently Lineage Bank and Evolve Bank and Trust, as well as several other smaller banks and even Silicon Valley Bank (as a creditor), plus numerous other fintech providers, including Mercury, Juno, Yotta, and Yieldstreet.

What’s wrong with the Synapse relationships to all these providers? Apparently, lack of clear procedures for reconciling and reporting for all those accounts, and as has been repeatedly accused, a lack of general, ongoing oversight by all or some of the parties involved.

In the fight to find out just who owes what to whom after the company’s shutdown, it seems many of Synapse’s previous partners, on numerous sides, are pointing not just at the company itself but also to one or more of the others to assign blame for inadequate information on accounts and funds held and due these companies and their clients. One big question looms: Amid all the legal filings and nasty accusations, has anyone (other than the owners of Synapse and perhaps some of the companies and creditors involved) actually lost any money from Synapse’s collapse? That answer is still undetermined.

Breaking the rules, or just ignoring them?

Les Sokolin, who publishes another online financial newsletter, Fintech Blueprint, explains, in an excerpt from a story covering another more positive take on the legitimate potential of BaaS relationships, just what he believes happened in the Synapse collapse: “Synapse aggregated Fintechs by sitting on Evolve, its ledger accounting did not agree with the underlying bank accounting, and problems were pushed to the future until nearly $100MM of funds went missing.” He further noted that one of the fintechs using Synapse as a partner to help support its business banking offering, Mercury, “made these issues visible when switching from Synapse to its underlying bank Evolve”, where, Sokolin said, “the numbers didn’t match, and now we have regulatory action shutting everything down and bankruptcy proceedings in every direction.”

It didn’t help that while all the arguing in court and in the media was starting to heat up, Evolve was hit with a data breach after it was targeted by cybercriminals in a ransomware attack, Sokolin said. “On top of that Evolve gets hacked, and everyone from Wise to Stripe has its customer data floating around on the black markets.”

Hardships and hard lessons, but many positive FI/fintech partnership examples persist

It sounds like lots of bad news for the many parties involved, and certainly was and is for numerous end users or clients of products supplied by Synapse partners who saw their access to ‘frozen’ funds in their accounts managed by the company cut off, at least for a time, as the company’s bankruptcy proceedings continue. This has caused hardships for many of those customers – who may not have been aware of the complex chain of companies, including their own providers, using Synapse to manage their statement reconciliation and balance details for FDIC-insured and bank-domiciled accounts.

The Synapse debacle certainly does not reflect the ‘whole story’ of how bank/fintech relationships have revolutionised and in countless cases improved the efficiency and service offerings within the financial services industry. Indeed, there are hundreds, and likely thousands of mutually beneficial partnerships between financial institutions of all sizes and fintechs across the US. Many more thrive in other countries and regions - Europe being a prime example of open banking and bank/fintech tie-ins and distribution structures, as we have covered extensively in Finextra articles and webinars.

Such arrangements might involve banks serving as the legal banking and account holding homes for their fintech partners and customers. Conversely, many financial institutions have reached out to nimbler and more innovative fintech company providers to help them operate or expand parts of their own core or external businesses, or perhaps facilitate offering new products or services - beyond their standard expertise - to their own customers.

Message delivered – only ‘clean and clear’ partnerships wanted, say US regulators

What the US regulators did in their joint statement was send a clear, specific ‘wake-up call’ to financial institutions. It was a reminder to banks and other regulated financial services companies to be more than usually diligent when setting up and maintaining third-party relationships, especially where customer transactions or funds are involved. They also asked, via a concurrent Request for Information (RFI) from the OCC, for public comment – within 60 days - on current processes, practices, and concerns surrounding such bank/fintech partnerships.

There’s very little doubt that the vast majority of current financial institutions and their fintech partners have taken care to construct sensible, practical, secure, and regularly-monitored arrangements to do business together. Many of these partnerships have created additional value for the parties involved, and also brought innovation, enhanced efficiency, and a richer client experience and product availability to the financial services marketplace. For those who haven’t followed best practices, done their due diligence, or maintained ongoing oversight of all elements of such partnerships, there will surely be a shakeout soon after the clarion call from US authorities for better awareness and risk management of bank/third party relationships.

Everyone will be better served in the long run by heeding the regulators’ reminders - even if tough lessons had to be learned by some involved before they finally got the message.