FDIC Proposes New Recordkeeping Requirements for Custodial Accounts

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) proposed extensive new recordkeeping requirements and other compliance obligations (the “Proposal” ) for certain types of deposit accounts frequently used by banking-as-a-service (BaaS) platforms and other bank-fintech partnerships. The Proposal focuses on “pass-through” deposit insurance, where the end customer of a fintech (or other custodial party, such as a broker-dealer) is fully insured (up to the $250,000 maximum) as if the end customer were a depositor of the bank, notwithstanding the funds being held in a pooled account established by or for the fintech. The Proposal would have significant effects on banks and—indirectly, through application of the new rules—fintechs, program managers, and other participants in the BaaS and banking ecosystems.

Among other things, the Proposal would:

• Impose extensive new compliance obligations on banks that maintain covered custodial accounts, such as enhanced recordkeeping to identify the beneficial owners of the account and their respective interests in the account and maintenance of records in a specific electronic format set forth in the Proposal;
• Strengthen the contractual requirements between banks and third parties (e.g., fintechs and BaaS platforms) with which the bank has contracted to maintain records related to covered custodial accounts, potentially requiring the renegotiation of many deposit account agreements and other contractual relationships, as well as the build-out of extensive technical infrastructure at the bank and relevant third parties to facilitate compliance with the updated requirements; and
• Require the implementation of policies, procedures and internal controls to achieve compliance, as well as certifications of compliance and additional reporting to the FDIC and the bank’s primary federal regulator.

The requirements set forth in the Proposal would apply to any bank that maintains custodial deposit accounts with transactional features, regardless of asset size or number of accounts. Further, the requirements would apply to existing accounts, requiring the bank to incorporate the new requirements into its existing operational processes and contractual relationships with third parties.

In this Legal Update, we provide background on pass-through deposit insurance and discuss the proposed requirements set forth in the Proposal. In addition, we provide preliminary assessments of some of the real-world impacts of the Proposal, if it were adopted in its present form. Comments on the Proposal will be accepted for 60 days following its publication in the Federal Register, which is expected shortly. Banks, fintechs and other affected parties should review the Proposal carefully and consider submitting comments to the FDIC.

Background

Under the Federal Deposit Insurance Act, the FDIC insures bank deposits.¹ This insurance is provided to a depositor typically up to $250,000 per depositor, per insured bank, for each account ownership category.² The FDIC only insures deposits of banks, and deposit insurance is only paid in the event of the failure of a bank. Importantly, the FDIC’s deposit insurance coverage does not protect against the default, insolvency, or bankruptcy of any non-bank third parties with which banks might do business, even if a third party has a relationship with, or deposits funds at, a bank.

A depositor’s interest in the deposits of a bank that are held through or by a third party may be eligible for insurance on a “pass-through” basis up to the applicable deposit insurance limits for the depositor, rather than the third party.³ This means that—instead of a third party’s deposits at a bank being entitled to deposit insurance based on the third party’s aggregated deposits at the bank—each depositor on whose behalf the third party is acting is entitled to insurance of their interest in commingled deposits up to the applicable deposit insurance limits per bank (subject to the aggregation of the depositor’s other deposits at the bank). For example, if a third party held funds on behalf of an individual in a commingled account, and that individual had no other deposits at the bank, the individual would be entitled to the full $250,000 of deposit insurance coverage, without regard to the other commingled funds or other deposits of the third party at the bank.

Deposit insurance will “pass through” to a depositor if the depositor’s relationship with the third party is expressly disclosed, by way of specific references, in the deposit account records of the bank.⁴ The FDIC must be able to ascertain the details of the depositor’s relationship with the third party and interests of other parties in the account either from the deposit account records of the bank or from records maintained, in good faith and in the regular course of business, by the depositor or a third party that has undertaken to maintain such records for the depositor.

In certain situations, the FDIC has issued regulations that include recordkeeping and other requirements to support timely determination by the FDIC of deposit insurance coverage in the event of a bank’s failure—for example, the FDIC imposes certain data standards on banks with over $2 billion in assets and at least 250,0000 deposit accounts or $20 billion in assets,⁵ and requires certain banks with more than 2 million deposit accounts to implement certain recordkeeping requirements.⁶ In the Proposal, the FDIC specifically asks whether there are any aspects of these existing frameworks that it should consider in connection with this rulemaking.

Overview of the Proposal

Scope

The Proposal would apply to custodial deposit accounts with transactional features, which are defined as an account where:

• The account is established for the benefit of beneficial owners;
• The account holds commingled deposits of multiple beneficial owners; and
• The beneficial owner of the deposits may authorize or direct a transfer through the third-party “account holder”⁷ to a party other than the account holder or beneficial owner (e.g., to make purchases or pay bills).

Certain types of accounts would be excluded from the definition of custodial deposit account with transactional features because they are subject to other regulations or have limited transactional activity. Exempt account types are custodial deposit accounts:

• That hold only trust deposits;
• Established by government depositors;
• Established by brokers-dealers under the Securities and Exchange Act of 1934, and investment advisers under the Investment Advisers Act of 1940;
• Established by attorneys or law firms on behalf of clients, commonly known as interest on lawyers trust accounts (i.e., IOLTA accounts);
• Maintained in connection with employee benefit plans and retirement plans;
• Maintained by real estate brokers, real estate agents, title companies, and qualified intermediaries under the Internal Revenue Code;
• Maintained by mortgage servicers in a custodial or other fiduciary capacity;
• For which federal or state law prohibits disclosure of the identities of the beneficial owners of the deposits;
• Maintained in connection with deposit placement networks or reciprocal networks (unless the network’s purpose is to enable clients to make payment transactions using funds in the custodial deposit account at the network bank); or
• Holding security deposits tied to property owners for a homeownership, condominium, or other similar housing association governed by state law, and accounts holding security deposits tied to residential or commercial leasehold interests.

Recordkeeping

The Proposal would require banks that hold any custodial deposit accounts with transactional features (as defined above) to maintain certain records related to the account. These records would need to identify the beneficial owners of the custodial deposit account, the balance attributable to each beneficial owner, and the ownership category in which the beneficial owner holds the deposited funds.

The records required under the Proposal would need to be maintained in an electronic file format prescribed by the FDIC. The specified format would be required regardless of whether the bank maintains the necessary records itself or through an arrangement with a third party, such as a vendor, processor, software or service provider, or a similar entity.

The Proposal would require banks to maintain appropriate internal controls that include (1) maintaining accurate deposit account balances, including the respective individual beneficial ownership interests associated with the custodial deposit account; and (2) conducting reconciliations against the beneficial ownership records no less frequently than at the close of business daily. Controls also would need to be designed to consider multi-layer relationships, where applicable, and the associated risks these relationships may present related to recordkeeping.

Third-Party Recordkeeper Requirements

As noted above, a bank would be able to use a third party (including the account holder) to maintain the records required under the Proposal, if certain additional requirements are satisfied. The bank would be required to have direct, continuous, and unrestricted access to records maintained by the third party in the FDIC-prescribed file format, including access in the event of a business interruption, insolvency, or bankruptcy of the third party.

Where records are maintained by a third party, the bank would be required to have a direct contractual relationship with the third party that includes certain risk-mitigation measures. Specifically, the contract between the bank and the third party maintaining the records would need to:

• Clearly define roles and responsibilities for recordkeeping, including assigning to the bank rights of the third party that are necessary to access data held by other parties;
• Include an explicit provision requiring the third party to implement appropriate internal controls to be able to (i) accurately determine the beneficial ownership interests represented in the custodial deposit account; and (ii) conduct reconciliations against the beneficial ownership records no less frequently than as of the close of business daily; and
• Provide for periodic validations, by a person independent of the third party, to verify that the third party is maintaining accurate and complete records and that reconciliations are being performed consistent with the Proposal’s recordkeeping requirements. If the validation is performed by a party other than the bank, the results must be provided to the bank.

Records maintained by a third party could only be used to satisfy the Proposal’s requirements vis-à-vis the bank if the bank itself implements appropriate internal controls to (1) accurately determine the respective beneficial ownership interests associated with the custodial deposit account with transactional features, and (2) conduct reconciliations against the beneficial ownership reports no less frequently than as of the close of business daily.

Further, a bank relying on a third party recordkeeper also would be required to have continuity plans in place, including backup recordkeeping for the required beneficial ownership records and technical capabilities. These plans may include (i) storing copies of prior daily or weekly account balances and beneficial ownership balances internally at the bank, or at another location independent of the third party; (ii) establishing legal authority and technological capability for the bank to access daily transaction records directly from payment networks, processors, or service providers used by the third party; and (iii) maintaining at the bank sufficient trained staff, technical systems, and other resources to process transaction records necessary for the bank to reconcile and establish accurate ownership records in the event of a business disruption of the third party.

Compliance Requirements

A bank that holds custodial deposit accounts within the scope of the Proposal would be required to establish and maintain written compliance policies and procedures. To the extent a bank maintains the relevant records through a third party, these policies and procedures would also need to address the compliance requirements that are specific to a bank maintaining records through a third party.

The Proposal includes an annual certification and reporting process for banks holding covered custodial accounts. The CEO, COO, or highest ranking official of the bank would be required to annually certify that the bank has implemented and tested its implementation of the recordkeeping requirements within the preceding 12 months. The certification would be submitted to both the FDIC and the bank’s primary federal regulator. In addition to the annual certification of compliance, the bank would be required to submit an annual report on its custodial deposit account activities to the FDIC and its primary federal regulator.

The FDIC or the regulator may require that a bank file this certification and report more frequently than annually.

Under the Proposal, the bank is ultimately responsible for complying with these requirements. If the bank does not satisfy the requirements, the bank’s primary federal regulator could address the non-compliance through the examination process or enforcement actions. As a result of this potential regulatory risk, banks will likely require written assurances from relevant third parties, and any failure to adhere to these requirements could cause the bank to terminate the relationship.

Key Takeaways

As described above, the Proposal would establish sweeping new requirements on banks that provide covered custodial accounts, as well as fintechs, program managers, and other third parties that use—or provide services in connection with—those accounts. We continue to study the Proposal and its potential impacts; however, there are a few foreseeable impacts of the Proposal if adopted in its present form:

• The Proposal’s impact on the availability of pass-through deposit insurance for covered custodial accounts is not clear. While the Proposal does not expressly condition availability of pass-through insurance on compliance with the Proposal’s requirements, nor does it amend the existing deposit insurance regulations in 12 C.F.R. Part 330 governing the availability of pass-through deposit insurance, the preamble includes a statement that an expected effect of the Proposal would be to “require [banks] with custodial deposit accounts that have transactional features to maintain records for such accounts in a format prescribed by the FDIC in order for these custodial deposit accounts to qualify for pass-through deposit insurance.”⁸ In contrast, in the regulatory history of other FDIC regulations imposing recordkeeping requirements to aid in timely resolution of a bank failure—as the Proposal is also intended to accomplish—the FDIC has expressly stated that the heightened recordkeeping and systems requirements would not change the standards for evaluating pass-through insurance coverage.⁹ If the FDIC intends for the Proposal to alter the standards for availability of pass-through deposit insurance, this intent, and the relationship and applicability of the existing regulations in 12 C.F.R. Part 330, should be made clear. Commenters should consider seeking clarification of the FDIC’s position as to whether the Proposal is intended only as a compliance obligation on banks, or whether the FDIC intends to make material changes to the availability of pass-through deposit insurance on covered custodial accounts.
• The Proposal would require banks to implement specific contractual provisions in their agreements between the bank and relevant third parties, which we expect will require banks and third parties to revisit their contractual relationships and respective allocation of responsibilities and compliance costs. We expect these negotiations to take place even if a bank maintains its own records because many existing relationships do not contemplate the proposed daily reconciliation requirements and highly prescriptive data file format. Further, many, if not most, banks currently rely on third parties to maintain beneficial ownership information (e.g., customer name, address, taxpayer ID number) and balance and transaction information, and certain third parties may be reluctant to share this information with banks in the form and frequency required under the Proposal based on competitive, commercial, or security concerns.
• Although the Proposal focuses on arrangements for which the beneficial owners of a covered custodial account would be eligible for pass-through deposit insurance (and particularly on arrangements where pass-through deposit insurance is feature communicated to the end customer), the Proposal as currently drafted applies to any covered custodial account provided by a bank. This may include custodial accounts with “transactional features” that would make the account subject to the Proposal, but for which the underlying customer relationship is not intended to qualify for—and does not represent to the customer the availability of—pass-through deposit insurance.
• While the exemptions from covered custodial accounts should insulate many CD brokers, mortgage servicers, the securities industry, and other highly regulated industries from the compliance burden of the Proposal, these third parties will need to consider how they prove to a bank that they qualify for the exemption. As we have seen with the brokered deposits saga, the FDIC expects a degree of omniscience on the part of banks that often is not commercially reasonable.

Finally, while the Proposal is targeted only at recordkeeping for covered custodial accounts, the FDIC and other regulators remain interested in the substance of bank-fintech arrangements, including the use of custodial accounts. For example, the FDIC and federal banking agencies recently extended the comment period for the agencies’ Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses. Furthermore, the federal banking agencies have been carefully reviewing bank-fintech relationships, and have issued several enforcement actions to banks in connection with partner lending programs and BaaS arrangements. While the enforcement actions cover a number of areas, they generally reflect a concern that banks are not adequately monitoring their third-party service providers. This continued focus, combined with the attention generated by the Proposal, may lead to further definition or clarification of obligations under banking and other laws applicable to participants in these arrangements.

 

---

 

¹ 12 U.S.C. § 1821(a)(1).

² Id.

³ 12 C.F.R. §§ 330.5, 330.7.

⁴ 12 C.F.R. § 330.5(b).

⁵ See 12 C.F.R. § 360.9.

⁶ See 12 C.F.R. Part 370.

⁷ An account holder may be the titled owner of the account, or a person that contracted with the bank to establish the account, in the case of accounts titled in the name of the bank itself for benefit of the account holder’s customers.

⁸ Proposal, at 41 (emphasis added).

⁹ See Recordkeeping for Timely Deposit Insurance Determination, 81 Fed. Reg. 10026, 10031 (Feb. 26, 2016) (proposed rule).