Fed Chair Powell Got It Wrong

Regulators Have Clear Authority, Duty To Supervise Third-Party Service Providers Like Synapse; What Happened To Synapse's Missing Money?

Hey all, Jason here.

🇫🇷 Happy Bastille Day to those who celebrate!

If you somehow missed my big news last week, I’m excited to announce that I wrote a book! Yes, it’s about banking-as-a-service.

While it doesn’t officially publish until December, you can pre-order it now. If you order directly from the publisher and use the promo code “BaaSIsland,” you get 20% and free shipping in the US or UK.

I’m also looking forward to participating in Unit21’s Fraud Fighters virtual summit this week — details & registration for that below.

If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!

👀 Spotlight on Fintech

Sponsored content: Long gone are the days of ZIRP (Zero Interest-Rate Policy), driving growth at all costs for Fintechs. How does the current regulatory and economic climate impact how Fintechs must balance growth vs. risk?

Join Jason Mikula & friends THIS WEEK! for a Fintech Spotlight.

They’ll be talking about…

🏦 Sponsor banks, Fintech partnerships, and third-party risk
📈 How to balance growth & risk that’s sustainable (and attractive to capital!)
⚖️ Practical advice and outlooks from Fintech industry insiders
And more!

You won’t want to miss this action-packed session. Save your spot today!

Register Now

Synapse Bankruptcy: What About The Missing Money?

Evolve Bank & Trust and Lineage have made progress in untangling Synapse’s ledgers and reconciling accounts, a report from CNBC based on a single anonymous source says. But the cause and size of the shortfall in customer funds, which could be as much as $96 million, remains unknown.

As of the most recent status report filed by the Synapse chapter 11 trustee on July 3rd, former FDIC Chair Jelena McWilliams:

• AMG National Trust has paid out a total of $100.7 million in FBO funds and is prepared to disburse the remaining approximately $9.5 million; of the $100.7 million, AMG had paid out $55 million before the appointment of McWilliams as trustee. According to people familiar with the matter, AMG is requiring fintech programs to sign a “waiver” prior to releasing funds.

• Evolve holds about $46.9 million in FBO funds it received as RDFI for Synapse Brokerage.

• Lineage holds about $61.7 million, the majority of which are FBO funds.

• American Bank still holds $43,339.67 in FBO funds for a single end user — which, a source familiar with the matter says, hasn’t yet been disbursed because that end user isn’t actually owed the money.

AMG has represented that it has been able to return funds to end users because it was able to “fully reconcile” the FBO funds it held — but fully reconcile against what, exactly?

Both Lineage and Evolve have told the court that they do not believe Synapse’s ledgers are accurate or reliable — including providing specific examples of inconsistencies between Synapse’s ledger data and the actual flow of funds in the banks’ FBO accounts.

Evolve elaborated in a public statement on July 12th, saying in part (emphasis added):

“[T]he Bank’s investigation of ledgers provided to the Bank by Synapse has revealed numerous material irregularities and inconsistencies in Synapse Brokerage program balances. In multiple instances, the ledgers provided by Synapse show significant differences in Synapse Brokerage end user balances from one day to the next, without corresponding movement of funds. Some of these irregularities impact millions of dollars of end user funds, without explanation.”

To the extent AMG or the other banks have relied or are relying on Synapse’s ledger data, there is also a question as to the point in time of that data.

Synapse’s ledgers could be used to assign accounts, including those with negative balances, to specific bank partners.

According to McWilliams’ initial status report filed on June 7th, information the partner banks sought in order to undertake reconciliation included (emphasis added):

• The criteria used to decide which of the Partner Banks were allocated negative-balance accounts on the Synapse trial balance and why some Partner Banks have no negative account balances while other Partner Banks have significant negative account balances;

• Whether negative account balances and their allocations match or approximate the actual FBO cash balances;

The June 7th status report also noted that (emphasis added) “[t]he source of the shortfall, including whether end user funds and negative balance accounts were moved among Partner Banks in a way that increased or decreased the respective shortfalls that may have existed at each Partner Bank at an earlier time, is not known at this time.”

Although McWilliams was appointed as trustee on May 24th, former Synapse employees retained access to key systems, like database system MongoDB, which holds the ledger data, until June 20th — and McWilliams and the bank partners did not have access until this time. It is unknown if any former Synapse employees accessed or altered any information during this timeframe.

What About The Shortfall?

Even if the banks have made progress towards reconciling and releasing funds, there remains a substantial elephant in the room: the gap of between $65 million and $96 million in what the banks hold vs. what is owed to end users.

While the trustee’s and banks’ status reports haven’t specifically spoken to the potential causes of this shortfall, prior reporting and allegations from Synapse’s cofounder and former CEO, Sankaet Pathak, offer some theories.

Errors and incompetence: for example, last October, Pathak sent Evolve a letter alleging that a configuration error on Evolve’s part caused a third-party payment processor to incorrectly debit payments from end user funds. At that time, Pathak alleged the inappropriate debits had been happening since at least 2020.

In a supporting declaration Pathak filed as part of the bankruptcy case on May 23rd, while in Santorini, Greece, he wrote, (emphasis added) “On or about September 15, 2023, I had a telephone conference with Scot Lenoir, CEO of Evolve, in which I notified Mr. Lenoir of my concern regarding the discovery of Evolve’s improper debits which I now know exceed $27,000,000.00 from its own FBO Accounts holding depositor funds since 2017 to pay itself and its third-party compensation.”

Mercury migration: as part of the same declaration, Pathak claimed that during business banking platform Mercury’s migration off of Synapse’s systems to working directly with Evolve, it caused $49 million of Synapse-related depositor funds to be improperly moved.

A former Synapse operational employee, granted anonymity given the sensitivity of the information, told Fintech Business Weekly it’s likely Mercury communicated the amount to be transitioned to Evolve — and that Evolve didn’t or couldn’t verify this information before acting on it.

“Inappropriate” transactions: audit firm Kroll and law firm Jones Day were engaged by Synapse sometime during 2022-2023. While part of this engagement was to investigate and attempt to remedy reconciliation issues between Synapse and Evolve, sources with knowledge of the situation say that the firms were also tasked with investigating whether any “inappropriate” transactions had taken place.

One example of such a potentially inappropriate transaction offered by a former Synapse employee: Evolve would remit the “deposit rebate” payments owed to Synapse into an account, which Synapse would then be responsible for moving portions of as necessary into accounts holding funds for fintech programs and their end users.

But, according to the former employee, on at least one occasion, the funds were intentionally not moved, meaning that when Evolve debited that same account for fees Synapse owed to the bank, it was debiting funds that likely belonged to fintech programs and their end users.

Fed Chair Powell Got It Wrong: Regulators Have Clear Authority, Duty To Supervise Third-Party Service Providers Like Synapse

Last week, Federal Reserve Chairman Jerome Powell testified to both the Senate Banking Committee and House Financial Services Committee. And while the hearings ostensibly focused on monetary policy, legislators questioned Powell about a wide range of topics — including the bankruptcy of middleware platform Synapse and the catastrophic impact it has had on end users.

Specifically, Senator Sherrod Brown (D-OH) emphasized to Powell, as a regulator, “it’s your job to make sure that banks protect the people whom they serve,” and he asked what the Fed is doing to help customers impacted by Synapse’s collapse.

Powell argued that, while the Fed is the primary federal regulator of Evolve Bank & Trust, a key Synapse bank partner, that it does not supervise Synapse.

Fed Chair Powell testifying at last week’s Senate Banking Committee hearing. Image: CNBC/YouTube

In Synapse’s more recent “modular banking” model, which made use of cash management accounts via its broker-dealer entity, one could argue that its four partner banks, Evolve, Lineage, AMG, and American, were service providers to the broker entity, which is regulated by the SEC and FINRA.

However, for most of Synapse’s approximately 10 years of operations, this is not how the company’s model was structured. Until around fall 2023, Synapse’s fintech programs generally offered checking accounts provided by Evolve Bank & Trust. In that original model, a customer-facing fintech, like Yotta or Juno, used Synapse’s infrastructure to facilitate an end user opening and using the account held at Evolve.

Even after the transition to the cash management/brokerage model, end users’ accounts at Evolve remained open — meaning they continued to be customers of and have a direct legal and contractual relationship with the bank.

In that original model, it’s clear that Synapse functioned as a third-party service provider to Evolve, and, even in the brokerage model, there’s an argument that, at least in some capacities, Synapse continued to act as a service provider to its partner banks.

There are clear and established frameworks for how banks should work with and supervise their third-party service providers, including “fintechs.”

In fact, last June, the Federal Reserve, OCC, and FDIC published updated and harmonized guidance on how banks should approach managing third-party risk.

That guidance recognizes that (spacing adjusted and emphasis added):

[T]he use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks.

Importantly, the use of third parties does not diminish or remove banking organizations' responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations, including but not limited to those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive or abusive acts or practices) and those addressing financial crimes.

The guidance also flags that use of third-parties, like Synapse, can reduce banks’ direct control over activities and create new risks or increase existing risks, saying (emphasis added):

Increased risk often arises from greater operational or technological complexity, newer or different types of relationships, or potential inferior performance by the third party. A banking organization can be exposed to adverse impacts, including substantial financial loss and operational disruption, if it fails to appropriately manage the risks associated with third-party relationships.

Banks using third-party service providers, especially for critical functions, like ledgering and payment processing, should monitor those service providers on an ongoing basis to (emphasis added):

(1) confirm the quality and sustainability of a third party’s controls and ability to meet contractual obligations;

(2) escalate significant issues or concerns, such as material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk; and

(3) respond to such significant issues or concerns when identified.

Perhaps most relevant vis a vis Fed Chair Powell’s comments at last week’s hearing is that regulatory agencies, including the Fed, are charged with reviewing “supervised banking organizations’ risk management of third-party relationships as part of [their] standard supervisory processes.” Those reviews should “evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.”

It is unclear if the Fed’s supervision of Evolve included reviews of the bank’s risk management of its relationship with Synapse or its other third-party fintech partnerships, which at times have included middleware platform Solid and household names like Affirm, Wise (TransferWise), and Dave.

But regulators’ authority doesn’t end with supervising banks — they have the ability to directly examine third parties, like Synapse, and can take corrective actions against them, including enforcement (spacing adjusted and emphasis added):

When circumstances warrant, an agency may use its legal authority to examine functions or operations that a third party performs on a banking organization’s behalf. Such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services.

The agencies may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations or unsafe or unsound banking practices by the banking organization or its third party.

Fed Had Direct Authority To Supervise Synapse

In addition to the authority federal regulators have via their supervision of the banks under their jurisdiction, there is a separate authority to directly supervise service providers granted to the Consumer Financial Protection Bureau (CFPB) as part of Dodd-Frank, passed in the wake of the 2008 financial crisis.

Dodd-Frank defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.”

The act grants the CFPB the authority to supervise service providers to banks under the CFPB’s purview — those with over $10 billion in assets — but also service providers to nonbanks and small insured depository institutions and small insured credit unions.

The actual supervision this authority permits is coordinated and carried out through the Federal Financial Institutions Examination Council (FFIEC).

Under the FFIEC framework, Synapse would be considered an “independent technology service provider,” in that it is not owned in whole or in part by an insured depository institution.

According to the FFIEC’s IT examination handbook:

Responsibility for the examination of independent TSPs is based on the class of insured financial institution being serviced. If more than one class of insured institution is serviced, the examination is conducted jointly, and on a rotated basis, as agreed to among the federal financial institution regulators responsible for the classes of serviced institutions.

For most of Synapse’s existence, it worked only with Evolve Bank & Trust, an Arkansas-chartered Fed member bank, making the St. Louis Federal Reserve its primary federal regulator — and, by extension, making the Fed responsible for overseeing Synapse.

FFIEC Framework for evaluating risk levels of technology service providers. While Synapse worked with few banks, the banks it worked with did not provide effective oversight, Synapse was using new and untested technology and undergoing significant organization change, and it seems likely that Synapse banks experienced “problems or concern,” given the known, long-standing reconciliation issues between Synapse and Evolve.

In its more recent “modular banking” approach, Synapse also worked with Lineage, a state-chartered non-member supervised by the FDIC, and OCC-chartered AMG and American Bank.

If, in the modular approach, Synapse was still considered a service provider to the banks, the OCC, FDIC, and Fed would jointly be responsible for supervising the company.

The Bank Service Company Act

There is another piece of esoteric legislation — the Bank Service Company Act (BSCA), first passed in 1962 and amended in 1982 and again in 2010.

The legislation was originally passed to enable smaller banks to pool resources to buy computers — at the time, extremely expensive — to help automate the processing of surging volumes of checks.

On its face, the BSCA wouldn’t appear to come into play in Synapse’s case, as it speaks specifically to companies owned by one or multiple banks:

[T]he term ‘‘bank service company’’ means—

(A) any corporation—
(i) which is organized to perform services authorized by this Act; and
(ii) all of the capital stock of which is owned by 1 or more insured depository institutions; and
(B) any limited liability company—
(i) which is organized to perform services authorized by this Act; and
(ii) all of the members of which are 1 or more insured depository institutions.

However, regulators have, at times, taken a more expansive view of the scope of the BSCA.

For example, a 1999 financial institution letter from the FDIC to banks it supervised seemingly implied that any third-party service provider could be covered by it, saying in part, (emphasis added) “The [BSCA] requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution” and that “Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party ‘shall notify such agency of the existence of the service relationship.’”

Notably, a recently issued notice of proposed rulemaking “would revise the FDIC's, OCC's, and FRB’s regulations concerning required notifications under the Bank Service Company Act” to “implement the statutory requirements for FDIC, FRB, and OCC-regulated institutions to provide notification of certain third-party service relationships, and it would create an ongoing requirement to periodically update the information those institutions provide the FBAs.”

State Banking Regulators’ Role In Overseeing Third-Parties

State banking regulators may also have authority to supervise banks’ third-party vendors.

In Evolve’s case, Susannah Marshall, the commissioner of its state regulatory body, the Arkansas State Bank Department, highlighted this authority in testimony she gave last year to the House Financial Services Committee, saying in part, (emphasis added) “The Bank Service Company Act authorizes federal regulators to examine bank service providers for potential risks. Many state bank regulators, including my agency, have the same responsibility and explicit authority under state law to oversee the same vendors.”

Although Marshall seems to confuse the potential scope of the BSCA vs. that granted by Dodd-Frank and carried out through the FFIEC, to which she is a liaison on behalf of the Conference of State Bank Supervisors, the point remains the same: some state regulators, including Arkansas, have the authority to supervise third-party vendors like Synapse.

In the same hearing, Marshall insisted that state bank regulators are up to the task of supervising state-chartered banks — and their service providers — saying, (emphasis added) “State regulators are the ‘boots on the ground,’ protecting consumers from companies that run afoul of or seek to circumvent state law. Their approach to consumer protection is strong and effective. State regulators are closer to the consumer and are locally accountable, a dynamic that greatly benefits consumers in need of regulatory assistance.”

Finally, as if the preceding powers weren’t enough, the CFPB also has authority to examine nonbank firms that it designates as “posing a risk to consumers,” which, in retrospect, Synapse clearly did.

Middleware Firms Welcome The Clarity Of Regulation

Speaking generally on the topic of fintech at last week’s Financial Technology Association’s conference, CFPB Director Chopra told Semafor that “[t]here is a ‘move fast and break things’ mentality” in fintech and that “[i]n some circumstances, that’s OK. In other circumstances… it’s just catastrophic.”

Chopra declined to say if the CFPB was investigating Synapse’s collapse, but did say the agency has “long had an issue with rent-a-bank” models and described the Synapse situation as an “obvious and serious lapse of judgment.”

Asked how it would view regulators exercising more direct supervision over middleware firms, Treasury Prime’s general counsel and chief compliance officer Sheetal Parikh told Fintech Business Weekly that “Treasury Prime is very open to the idea of direct regulation commensurate to the scope of its products and services. We see ourselves akin to other technology core providers like Jack Henry, FIS and Fiserv, who are regulated under the Bank Service Company Act.”

Parikh added that “[i]f being directly regulated allows providers to give bank partners additional comfort and relieve some of the regulatory pressure that banks often absorb, we fully support and encourage the direct regulatory paradigm.”

Peter Hazlehurst, cofounder and CEO of Synctera, another platform in the space, pointed out increasing uncertainty in the regulatory environment, telling Fintech Business Weekly that “[t]here’s more to think about now, post-Chevron: we need a new law passed to make things stick, since it appears that regulators’ clarification of laws is no longer acceptable.”

Hazlehurst argued that “regulators giving oversight of platforms like us is a great thing” and suggested that “introducing a FinTech charter or eMoney way for folks like us to be formally in the system would be even better.”

Representatives for Unit, another middleware intermediary, did not return a request for comment on how it viewed the regulatory environment in the wake of Synapse’s collapse.

At the end of the day, perhaps Fed Chair Powell’s statement was actually accurate after all: although the Federal Reserve clearly did have the authority to supervise Synapse, it seems to have chosen not to use it.

Other Good Reads

What Happens When Your Bank Isn’t Really a Bank and Your Money Disappears? (NYTimes)

⚽️ Fintech + Football: A £100bn+ Open Goal (Fintech R&R)

Why Can’t We Have A National Fintech Charter? (Fintech Takes)

Bank-fintech guidance needs more clarity, FDIC’s McKernan says (Banking Dive)

The Hydraulic Effect of Loper Bright Enterprises in Consumer Finance: More Regulation By Enforcement (Adam Levitin)

About Fintech Business Weekly

Looking to work with me in any of the following areas? Email me.

• Vendor, partner & investment opportunity advice and due diligence

• Fintech advising & consulting

• Sponsoring this newsletter

• News tip or story suggestion — reach me on Signal at +1-316-512-1571