Feature Third-Party Risk
Partner Bank Liquidity KRIs: What Fintechs Should Monitor but Often Do Not
When your sponsor bank runs into trouble, you find out last. Here's what liquidity KRIs fintechs can actually track—before a Synapse-scale event freezes your customers' funds.
Table of Contents
TL;DR
- The Synapse collapse in April 2024 froze $265M in customer funds—not because of a hack or fraud, but because a middleware provider’s ledgers couldn’t reconcile, and no one had a backup plan
- Fintechs can’t read their partner bank’s internal balance sheet, but they can monitor indirect signals: settlement velocity, public call report data, regulatory enforcement disclosures, communication changes, and platform-level operational anomalies
- The OCC, FDIC, and Federal Reserve issued a joint statement in July 2024 explicitly identifying liquidity risk and concentration risk as elevated concerns in bank-fintech arrangements
- Every fintech operating on a BaaS model needs a KRI set that functions like an early warning system for sponsor bank stress—before the bank calls you, rather than after
In April 2024, Synapse Financial Technologies filed for bankruptcy. Over 100,000 end users across fintech apps built on Synapse’s middleware lost access to more than $265 million. Not because of fraud. Not because of a cyberattack. Because Synapse’s internal ledgers were so compromised they couldn’t answer the most basic question in banking: whose money is this, and where is it?
Evolve Bank & Trust—one of Synapse’s partner banks—declined to cover the shortfall. The CFPB later allocated $46 million toward victims, but users waited months for access to their own deposits. A year after the collapse, the litigation was still ongoing.
The Synapse failure was an extreme case. But the underlying risk it exposed isn’t extreme at all—it’s structural to how bank-fintech partnerships work. Fintechs building on sponsor bank infrastructure are operationally dependent on institutions they don’t control, can’t fully examine, and often don’t monitor. That’s a third-party risk gap that regulators noticed, and that practitioners need to close.
Why Fintechs Are Flying Blind on Sponsor Bank Health
In a typical bank-fintech arrangement, the fintech builds the product and customer experience while the sponsor bank holds the licenses, deposits, and balance sheet. The fintech moves fast; the bank provides the regulatory chassis.
What this structure obscures is the fintech’s exposure to the bank’s financial health. If your sponsor bank is under liquidity stress, you don’t get advance notice. You discover it when settlement slows, when your relationship manager stops returning calls, or when the FDIC posts a consent order on a Friday afternoon.
On July 25, 2024, the OCC, FDIC, and Federal Reserve issued a joint statement on bank-fintech arrangements, explicitly naming liquidity risk and concentration risk among the elevated concerns. The agencies noted that rapid fund flows in payment programs can create liquidity stress that neither the bank nor the fintech is fully prepared to manage. That’s not a hypothetical—it’s a description of what happened at Synapse.
The question is: what can fintechs actually monitor?
What Fintechs Cannot See (and What They Can)
Fintechs don’t have access to their partner bank’s deposit composition, wholesale funding ratios, reserve levels, or internal stress test results. That information belongs to the bank’s board and regulators. Expecting direct visibility into bank liquidity metrics is unrealistic.
But indirect monitoring is both feasible and necessary. Here’s the distinction:
| What Fintechs Cannot Monitor Directly | What Fintechs Can Monitor |
|---|---|
| Deposit outflow rates | Settlement velocity and timing anomalies |
| Wholesale funding dependency | Regulatory enforcement disclosures (OCC, FDIC) |
| Reserve ratios | Quarterly call report data (FDIC BankFind) |
| Internal stress test results | Relationship manager / executive team changes |
| Board credit committee decisions | News and industry reporting about the bank |
| FHLB borrowing levels | Other fintech partners’ public complaints |
| Brokered deposit concentrations | Communication pattern changes |
Most fintechs monitor none of these. A minority monitors settlement velocity informally. Almost none have formalized KRI thresholds that would trigger escalation.
The Seven KRIs Fintechs Should Be Tracking
1. Settlement Velocity
The most actionable real-time signal. Define a baseline settlement time for your program (ACH, card, wire) and flag deviations. A sudden increase in average settlement time—even by hours—can indicate the bank is experiencing intraday liquidity pressure.
Threshold example: Amber if average settlement time increases by more than 15% from the 30-day rolling average for three consecutive days. Red if any individual settlement misses the contracted SLA window by more than 4 hours without explanation.
Owner: Operations or Treasury
2. Fund Access Anomalies
Any instance where your fintech or end users experience unexpected holds, delays in fund availability, or unexplained rejections from the bank’s systems. One occurrence is an incident. A pattern is a KRI breach.
Threshold example: Amber if two or more unexplained fund access delays occur in a 30-day window. Red if any delay exceeds 24 hours without written bank explanation.
3. Regulatory Enforcement Disclosures
The FDIC, OCC, and Federal Reserve publish consent orders, cease-and-desist orders, and formal agreements publicly. Your compliance team should be monitoring these for your partner bank on at least a monthly basis. The FDIC’s Thread Bank consent order in May 2024 came after Thread experienced rapid growth that outpaced its internal controls—exactly the kind of early indicator a monitoring KRI could have flagged.
Threshold example: Amber immediately upon any public enforcement action involving the bank. Red if the enforcement action restricts the bank’s ability to onboard or maintain fintech partnerships.
Data source: FDIC enforcement actions (FDIC.gov), OCC enforcement actions (OCC.treas.gov)
4. Call Report Metrics (Quarterly)
The FDIC publishes Call Report data for every insured institution quarterly. Key metrics to pull for your sponsor bank:
- Tier 1 leverage ratio (flag if below 8%)
- Net interest margin trend (flag if declining 3+ consecutive quarters)
- Non-performing loan ratio (flag if above 2%)
- Brokered deposit percentage (flag if rising meaningfully quarter-over-quarter)
- Return on assets (flag if negative)
This data lags by 90 days, but it’s the closest thing to an audited financial snapshot that’s publicly available.
Data source: FDIC BankFind Suite
5. Executive and Relationship Manager Changes
A sudden change in relationship manager—especially without a warm handoff—is an operational signal worth tracking. Departure of key executives at the bank (CFO, Chief Risk Officer, Head of Fintech Partnerships) can indicate internal instability. Monitor LinkedIn and industry press.
Threshold example: Amber if relationship manager changes without proactive communication from the bank. Red if two or more senior executives depart within a 90-day window.
6. Communication Pattern Changes
Banks under regulatory or financial stress often change their communication patterns before anything is public. Response times lengthen. Meetings get cancelled or rescheduled. Contract renewals get delayed. Escalations that normally get same-day turnaround start taking a week.
This is a qualitative KRI, but it’s worth operationalizing. Assign someone to formally assess communication quality quarterly, and flag material changes.
7. Concentration Risk: Program Dependency
This one runs in both directions. If your fintech represents more than 15-20% of the bank’s total deposits or fee income, you have a concentration that creates systemic risk—and makes the bank less willing to let you leave if the relationship deteriorates.
Conversely, if the bank has more than five fintech partners of your size, a single partner’s rapid growth or contraction can create volatility across the whole program.
Track: Your fintech’s estimated share of the bank’s total deposits (estimated from call report data) and the number of known fintech partners at the bank.
Building This Into Your Third-Party Risk Program
The OCC/FDIC/Fed joint statement made clear that regulators expect both sides of a bank-fintech arrangement to understand and manage the risks the partnership creates. That means fintechs can no longer treat sponsor bank health as someone else’s problem.
Practically, partner bank liquidity monitoring should be embedded in two places: your third-party risk KRI program and your contingency funding plan. The KRIs above provide the early warning signal. The CFP provides the response.
Your liquidity KRI program should already have metrics for your own balance sheet. Add a separate section specifically for third-party-driven liquidity events—because a sponsor bank disruption creates a fundamentally different scenario than an internal cash flow shortfall.
The Thread Bank consent order from May 2024 required the bank’s board to approve risk tolerance thresholds for each fintech partner based on adverse financial scenarios. Fintechs need the inverse: a documented analysis of what a bank-side liquidity event looks like, and what the fintech does in response.
What the Synapse Rule Changes
The FDIC’s proposed “Synapse rule,” introduced in October 2024, requires sponsor banks to maintain accurate, auditable, real-time records of beneficial ownership in custodial accounts. This addresses the core failure in the Synapse collapse: the inability to reconcile who owned what.
What it doesn’t change: fintechs’ responsibility to maintain their own independent ledger. The lesson from Synapse isn’t just that Synapse’s ledger was bad—it’s that no one else in the chain maintained an independent, authoritative copy. If you rely entirely on your partner bank or middleware provider to reconcile your customer funds, you are one bankruptcy away from the Synapse scenario.
Sponsor-bank enforcement illustrates a related dynamic: regulators can hold sponsor banks accountable for their fintech programs’ compliance failures. When the bank gets a consent order, the fintech program can be disrupted regardless of whether the fintech did anything wrong. That’s a systemic risk that no amount of internal compliance work protects you from—only monitoring and a real backup plan does.
So What? Building Your Monitoring Stack
For fintechs operating on sponsor bank rails, the question isn’t whether to monitor your partner bank—it’s how to do it with the information actually available. Here’s the minimum viable monitoring stack:
Daily: Settlement velocity tracking vs. 30-day baseline
Weekly: Fund access anomaly log review
Monthly: FDIC/OCC enforcement action scan for your sponsor bank
Quarterly: Call report pull for key financial ratios, communication quality assessment, executive team scan
Event-triggered: Any regulatory action, executive departure, or public news about the bank
This isn’t about forecasting bank failures. It’s about having enough warning time to activate your contingency plan before your customers lose access to their money. Synapse’s fintech partners had essentially zero warning time. With the right KRI program, some of them might have had weeks.
The KRI Library (132 Key Risk Indicators) includes a dedicated Third-Party Risk section with pre-built templates for vendor and partner monitoring—including settlement velocity, concentration risk, and regulatory action thresholds. See the full list at the KRI Library product page.
Sponsor bank risk is a concentration risk with a delayed fuse. Build the KRI program before you need it.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are partner bank liquidity KRIs for fintechs?
What happened with Synapse and why does it matter for fintech liquidity risk?
Can a fintech actually monitor its sponsor bank's liquidity?
What did regulators say about fintech liquidity and concentration risk in 2024?
How should fintechs document their partner bank monitoring KRIs?
What should a fintech's contingency plan include if its sponsor bank fails?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026