By now, policymakers understand the impact of Synapse’s bankruptcy on the tens of thousands of depositors who had funds in one of the company’s fintech partner accounts. The harm is material and also of historical significance: Synapse bankruptcy could prevent depositors from recovering their FDIC-insured funds. Since the creation of the Federal Deposit Insurance Corporation in 1933, no depositor has lost an insured dollar.
Due to the unforeseen nature of the event, it is less clear what steps regulators should take in response.
In my view, all solutions begin with greater supervision. “Supervision” is a technical term with a specific meaning: it describes the authority given to government agencies to review businesses. It is one of three activities commonly available to regulators. The others are enforcement and rule writing. Enforcement is the ability to punish bad actors and provide remedies to consumer victims. As it implies, rule writing is the power to interpret laws and establish regulations to implement them.
Supervision prevents problems from happening. Agencies with supervisory authority can “look under the hood” to spot potential issues. Regulators can insist on fixes when they identify a vulnerable situation and provide forward-looking guidance to highlight proper procedures for complying with rules. It complements enforcement.
The fundamental cause of the Synapse crisis stems from the fact that no government agency had supervisory authority over the company. The Federal Reserve did not have consolidated supervision over Synapse’s banking-as-a-service (BaaS) activities because it was not a part of a bank holding company. The view of banking regulators who supervised Synapse’s bank partners stopped at the banking perimeter. The Federal Reserve can review Evolve Bank & Trust, but it cannot supervise the activities of Synapse, or any other non-bank BaaS middleware firm.
Going forward, banking regulators should cease to permit their banks to partner with unsupervised BaaS companies. Taking this step will not end the fintech industry, but it will reset the relationship between fintechs and supervision. The fintech sector can avail itself of BaaS and still be held accountable through supervision. This approach is not a possible outcome – it’s a reality already. Some bank holding companies have BaaS shops within their organizations.
Essential steps include:
- All bank-fintech partnerships must have a continuous ledger that is accurate, verifiable, and always available to the fintech, the sponsor bank, and the independent middleware provider.
- BaaS, fintech, and depositor funds should be held in segregated accounts.
- Fintechs should place reserve deposits with their sponsor banks as collateral. Sponsor banks should have a separate account for each fintech.
- Prudential regulators should review their third-party risk management guidance to ensure they are as strict as possible. The guidance was updated last year, but this event shows that more should be done.
- The FDIC should not permit any fintech to claim it has deposit insurance if funds are held in “for benefit of” (FBO) accounts where ledgers cannot verify end-user balances at all times. Due to several cases where fintechs misrepresented the safety of funds, the FDIC published new policies warning against misleading use of the FDIC’s name, logo, and insured status.
- The CFPB should apply its Unfair Deceptive or Abusive Acts or Practices (UDAAP) authority. UDAAPs can occur throughout the entire product life cycle of every consumer financial product and service.
- BaaS firms must be supervised. Some BaaS providers are housed within bank holding companies, but others are completely independent of any banking supervisory authority. Effective state or federal oversight could have made a difference.
Regulators were not caught completely off guard. In addition to the action taken against Evolve this month, prudential regulators have issued enforcement orders to almost every sponsor BaaS bank over the course of the last two years. The list includes First Fed, Vast Bank, B2 Bank, Metropolitan Commercial Bank, Cross River Bank, Choice Financial Group, Evolve Bank (see below), Blue Ridge Bank, Piermont Bank, Lineage Bank, and Sutton Bank. Nevertheless, those were enforcement actions taken against supervised banks. They have had an effect on the fintech industry. Still, the lack of supervision of independent BaaS is still a problem.
Remedies for depositors
Today, the Synapse bankruptcy reveals how hard it is to unwind from poorly unsupervised regulatory arbitrage. The FDIC’s Deposit Insurance Fund protects depositors from a bank failure, but none of the banks involved in this crisis have done so. Even worse, there is a lack of clarity about how much depositors have lost. Forensic accountants are trying to discern the ledger, but no one has access to the needed information.
Former FDIC Board Chair Jelena McWilliams, serving as the Chapter 11 trustee for the Synapse bankruptcy, has asked regulators (the Federal Reserve, FDIC, Office of the Comptroller of the Currency, Securities and Exchange Commission, and the Financial Institutions Regulatory Authority) to provide relief for consumers. In a June 20th letter, she revealed that consumer deposits worth between $65 and $96 million are still missing.
This is easier said than done. How much consumers deserve to receive is a mystery. Synapse began to have trouble reconciling debits and credits when reporting back to the sponsor banks that were supposedly holding consumer funds. Because the ledger system required sponsor banks to trust Synapse, the system was vulnerable to failure. For over a month, Synapse has locked depositors out of their accounts. The company’s management laid off its workforce, some senior executives left the country, and their engineers cannot access the master credentials to one of Synapse’s two cloud environments.
In October, Synapse sent a letter to account holders announcing its intention to transfer consumer deposits into American Depository Management Company (ADMC) cash management accounts at nine different program banks (AMG National Trust; American Bank, NA; Third Coast Bank; Western Alliance Bank; Webster Bank, NA; Old National Bank; ServisFirst Bank; NewBank; and Customers Bank). Once inside the ADM consortium, depositors with more than $250,000 could flow their accounts into more than one institution, thus generating additional insurance protection. As a part of the transition, Synapse set up brokerage accounts at Synapse Brokerage LLC on behalf of consumer depositors. In this arrangement, an ADMC program bank could hold funds sourced from multiple fintech companies and card issuers.
In my view, the notices were written in language that could have been hard for a consumer to reasonably understand. They were replete with double negatives and conditional phrases.
Explaining Banking as a Service (BaaS)
Synapse built a BaaS platform where fintechs could quickly bring untested ideas to market. It gave a paying startup the ability to print debit cards, join a card network, and process payments. It streamlined compliance. Synapse had relationships required to construct the full spectrum of banking infrastructure: cybersecurity to fight money laundering, programs to verify the identities of account applicants, software for remote deposit of checks, and core payment processors. Synapse was a convenience store for fintech startups – operating outside of any real supervision.
Since 2014, over 100 fintechs contracted with Synapse to create deposit and credit accounts. Others include Changed, Copper, Gig Wage, Grabr, Gravy, IDT, Latitud, Sunny Day Fund, TClub (doing business as Abound), and Yieldstreet. Many used Synapse’s middleware banking-as-a-service (BaaS) to offer a debit card account. Synapse held the keys that permitted fintechs to offer banking services – including accounts with deposit insurance – but without becoming a chartered bank.
The emergence of BaaS has occurred during a period when the number of banks has contracted. Only 83 de novo applications received approval between 2010 and 2024 – a rate thirteen times lower than the number of mergers or closures. The correlation reflects greater regulatory scrutiny, significant cost, and time needed to secure approval. In 2022, one neobank received a national bank charter, but only after three years and $100 million in expenses. Several other neobanks have purchased chartered institutions, shuttered their physical operations, and reorganized around a digital-only model. They are the exception.
In very different ways, Yotta and Juno show how BaaS supports new ideas – some good and others not. To the positive, Yotta’s prized-linked accounts brought to market a well-intentioned aspiration that embedding prizes inside transaction accounts could nudge consumers to save money. In a different direction, Synapse’s BaaS permitted Juno to merge crypto with payments in a way that would have been impossible at a regulated bank. BaaS let a fintech dance on the edge of the banking perimeter.
The easy fixes have happened. It is unclear what happens next. New problems are on the horizon.
The hard decisions are ahead. The partner banks have distributed almost all of the deposits on their balance sheet associated with specific end-users.
The June 20th trustee report clarifies how funds in partner bank DDAs have been distributed back to account holders, in contrast to the tied-up deposits that had been stored in FBOs: “Partner Banks have informed me that DDAs can be easily reconciled and such end-users repaid, and those efforts are successfully underway.
However, the ease of unwinding DDA accounts differs from the challenge of identifying which end-users’ funds are held in FBO Accounts. The shaky governance structure at Synapse metastasized into harm when dollars were shifted out of partner bank DDAs and into pooled FBOs. Moreover, there appears to be a shortfall in the overall FBO Accounts funds in the range of $65 million to $96 million according to reconciliation progress to date.”
As of June 20th, AMG and American Bank have distributed their DDA funds, Evolve has returned 88 percent of DDA funds, and Lineage Bank (another Synapse sponsor bank) has returned almost all of the funds held it holds in its DDAs. Not all of the funds in FBOs are stranded. Because their account records remained reconciled with end-user balances, AMDC’s partner banks have also returned those funds. However, other partner banks receiving FBO funds do not have information to confirm how much should be credited to each end-user DDA account. The Trustee is contracting with a company to conduct forensic accounting.
As of the trustee’s second report (June 20th), four partner banks have funds in FBO accounts.
Funds by Partner Banks Attributed to FBO accounts
| Bank | June 20th status |
| AMG | $11 million (20 fintechs) |
| Evolve FBO | $46.9 million |
| Lineage FBO | $61.5 million (FBO) and $338K (DDA) |
| American | $43.4K (1 fintech) |
The prospects dim further if Synapse moves into Chapter 7. Then, all operations will cease, and a trustee will distribute all of Synapse’s assets to its secured creditors.
On June 14th, the Federal Reserve issued an enforcement order to Evolve. The order requires Evolve to strengthen its oversight of fintech partners. Evolve must contract with a third-party firm to review its third-party programs for compliance with consumer laws and regulations. It must also increase its capital planning framework for fintech partners. Notably, the Fed asserted that the basis of this order was independent of Synapse’s bankruptcy.
The problems metastasized a few days later. Evolve acknowledged that a ransomware attack by a Russian hacking firm had compromised the personally identifiable information of account holders at its partner fintech accounts. Some major fintechs, including Affirm and Wise, are among the affected. As is the case with any breach, it is hard to understand the full scope of the incident. Nonetheless, at one time or another, Evolve has sponsored partnerships with some of the largest fintech providers: Dave, Earnin, BlockFi, Mercury, SoLo, FloatMe, FTX, Branch, Alloy, Affirm, Wise, and others. Still, the extent of data theft appears to be significant – one report suggests the data stolen could be equivalent in volume to 2.8 billion pages of text.
Conclusion
The event underscores the need for consistent supervision. Synapse and its middleware peers can no longer be permitted to assemble banking platforms and operate outside of banking supervision.
Broadly speaking, this event should force policymakers to reconsider the suitability of independent BaaS middleware companies. In a world where BaaS exists only inside a bank holding company, supervision can occur before a problem arises. BaaS should exist only where it can be supervised. If left unaddressed, the problem will continue to pose threats to depositors, to trust in the banking system, and to the security of private data.