Managing New Recordkeeping Risks

CCG Catalyst Commentary

By: Tyler Brown

OCTOBER 1, 2024

As events over the past six months remind us, regulation that covers Banking-as-a-Service (BaaS) sits in a gray area. Sponsor banks per se are well-regulated. But by and large, nonbank partners are not. That makes the bank ultimately and often solely responsible for compliance violations. When something breaks without the right controls, the bank is left holding the bag. It may not be equipped to handle the situation. The risk grows as third-party partners multiply.

A rule just proposed by the FDIC addresses some of that risk. A common arrangement in BaaS partnerships is for FBO accounts to hold deposits of multiple beneficial owners, in which a beneficial owner may initiate a transaction to someone else. A failure occurs when those funds “disappear” because of poor recordkeeping by one or more entities — a BaaS platform, partner bank, or a third party that owns end customers. The idea behind the proposed rule is that a licensed bank, as the regulated entity, is responsible for accurately keeping track of funds held in these accounts on its own ledger. That way, if an entity fails, funds can be accurately distributed to customers.

“FDIC believes these circumstances [surrounding Synapse] have raised concerns about the accuracy and integrity of [account] records. These circumstances also raise questions about the completeness, accuracy, and integrity of custodial deposit account records for other [insured depository institutions’] arrangements with third parties to deliver deposit products and services.” — FDIC

If a third party fails and makes it impossible to reconcile funds with depositors, a problem with similar ramifications to a bank failure emerges — customers can’t access their funds. The crux of the problem is that recordkeeping and reconciliation for deposits and payments in pooled FBO accounts are not as easy as they sound. Each party’s records must be accurate and match up. When they don’t match up, there must be a source of truth to fall back on. That source of truth should come from the regulated entity (recordkeeping for accounts offered directly to customers is for the most part covered by preexisting regulation).

The “trust the third party” approach to partnerships is a liability (we’ve written about it in the context of enforcement actions). A third party’s operational failures are ultimately a partner bank’s problem and must be backstopped by that bank. This is particularly important for banks that want to be in the BaaS space.

What’s there for the partner bank to maintain, according to the proposed rule? Briefly, the account balance attributed to each beneficial owner, the ownership category in which the deposited funds are held, and other records maintained by the bank (if certain additional requirements are satisfied, a partner could also do it). We’ve argued before that sponsor banks must appreciate the complexity of third-party relationships — maintaining records well is just one more responsibility.
