Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

Partner Bank Liquidity KRIs: What Fintechs Should Monitor but Often Do Not

When your sponsor bank runs into trouble, you find out last. Here's what liquidity KRIs fintechs can actually track—before a Synapse-scale event freezes your customers' funds.

Table of Contents

TL;DR

  • The Synapse collapse in April 2024 froze $265M in customer funds—not because of a hack or fraud, but because a middleware provider’s ledgers couldn’t reconcile, and no one had a backup plan
  • Fintechs can’t read their partner bank’s internal balance sheet, but they can monitor indirect signals: settlement velocity, public call report data, regulatory enforcement disclosures, communication changes, and platform-level operational anomalies
  • The OCC, FDIC, and Federal Reserve issued a joint statement in July 2024 explicitly identifying liquidity risk and concentration risk as elevated concerns in bank-fintech arrangements
  • Every fintech operating on a BaaS model needs a KRI set that functions like an early warning system for sponsor bank stress—before the bank calls you, rather than after

In April 2024, Synapse Financial Technologies filed for bankruptcy. Over 100,000 end users across fintech apps built on Synapse’s middleware lost access to more than $265 million. Not because of fraud. Not because of a cyberattack. Because Synapse’s internal ledgers were so compromised they couldn’t answer the most basic question in banking: whose money is this, and where is it?

Evolve Bank & Trust—one of Synapse’s partner banks—declined to cover the shortfall. The CFPB later allocated $46 million toward victims, but users waited months for access to their own deposits. A year after the collapse, the litigation was still ongoing.

The Synapse failure was an extreme case. But the underlying risk it exposed isn’t extreme at all—it’s structural to how bank-fintech partnerships work. Fintechs building on sponsor bank infrastructure are operationally dependent on institutions they don’t control, can’t fully examine, and often don’t monitor. That’s a third-party risk gap that regulators noticed, and that practitioners need to close.

Why Fintechs Are Flying Blind on Sponsor Bank Health

In a typical bank-fintech arrangement, the fintech builds the product and customer experience while the sponsor bank holds the licenses, deposits, and balance sheet. The fintech moves fast; the bank provides the regulatory chassis.

What this structure obscures is the fintech’s exposure to the bank’s financial health. If your sponsor bank is under liquidity stress, you don’t get advance notice. You discover it when settlement slows, when your relationship manager stops returning calls, or when the FDIC posts a consent order on a Friday afternoon.

On July 25, 2024, the OCC, FDIC, and Federal Reserve issued a joint statement on bank-fintech arrangements, explicitly naming liquidity risk and concentration risk among the elevated concerns. The agencies noted that rapid fund flows in payment programs can create liquidity stress that neither the bank nor the fintech is fully prepared to manage. That’s not a hypothetical—it’s a description of what happened at Synapse.

The question is: what can fintechs actually monitor?

What Fintechs Cannot See (and What They Can)

Fintechs don’t have access to their partner bank’s deposit composition, wholesale funding ratios, reserve levels, or internal stress test results. That information belongs to the bank’s board and regulators. Expecting direct visibility into bank liquidity metrics is unrealistic.

But indirect monitoring is both feasible and necessary. Here’s the distinction:

What Fintechs Cannot Monitor DirectlyWhat Fintechs Can Monitor
Deposit outflow ratesSettlement velocity and timing anomalies
Wholesale funding dependencyRegulatory enforcement disclosures (OCC, FDIC)
Reserve ratiosQuarterly call report data (FDIC BankFind)
Internal stress test resultsRelationship manager / executive team changes
Board credit committee decisionsNews and industry reporting about the bank
FHLB borrowing levelsOther fintech partners’ public complaints
Brokered deposit concentrationsCommunication pattern changes

Most fintechs monitor none of these. A minority monitors settlement velocity informally. Almost none have formalized KRI thresholds that would trigger escalation.

The Seven KRIs Fintechs Should Be Tracking

1. Settlement Velocity

The most actionable real-time signal. Define a baseline settlement time for your program (ACH, card, wire) and flag deviations. A sudden increase in average settlement time—even by hours—can indicate the bank is experiencing intraday liquidity pressure.

Threshold example: Amber if average settlement time increases by more than 15% from the 30-day rolling average for three consecutive days. Red if any individual settlement misses the contracted SLA window by more than 4 hours without explanation.

Owner: Operations or Treasury

2. Fund Access Anomalies

Any instance where your fintech or end users experience unexpected holds, delays in fund availability, or unexplained rejections from the bank’s systems. One occurrence is an incident. A pattern is a KRI breach.

Threshold example: Amber if two or more unexplained fund access delays occur in a 30-day window. Red if any delay exceeds 24 hours without written bank explanation.

3. Regulatory Enforcement Disclosures

The FDIC, OCC, and Federal Reserve publish consent orders, cease-and-desist orders, and formal agreements publicly. Your compliance team should be monitoring these for your partner bank on at least a monthly basis. The FDIC’s Thread Bank consent order in May 2024 came after Thread experienced rapid growth that outpaced its internal controls—exactly the kind of early indicator a monitoring KRI could have flagged.

Threshold example: Amber immediately upon any public enforcement action involving the bank. Red if the enforcement action restricts the bank’s ability to onboard or maintain fintech partnerships.

Data source: FDIC enforcement actions (FDIC.gov), OCC enforcement actions (OCC.treas.gov)

4. Call Report Metrics (Quarterly)

The FDIC publishes Call Report data for every insured institution quarterly. Key metrics to pull for your sponsor bank:

  • Tier 1 leverage ratio (flag if below 8%)
  • Net interest margin trend (flag if declining 3+ consecutive quarters)
  • Non-performing loan ratio (flag if above 2%)
  • Brokered deposit percentage (flag if rising meaningfully quarter-over-quarter)
  • Return on assets (flag if negative)

This data lags by 90 days, but it’s the closest thing to an audited financial snapshot that’s publicly available.

Data source: FDIC BankFind Suite

5. Executive and Relationship Manager Changes

A sudden change in relationship manager—especially without a warm handoff—is an operational signal worth tracking. Departure of key executives at the bank (CFO, Chief Risk Officer, Head of Fintech Partnerships) can indicate internal instability. Monitor LinkedIn and industry press.

Threshold example: Amber if relationship manager changes without proactive communication from the bank. Red if two or more senior executives depart within a 90-day window.

6. Communication Pattern Changes

Banks under regulatory or financial stress often change their communication patterns before anything is public. Response times lengthen. Meetings get cancelled or rescheduled. Contract renewals get delayed. Escalations that normally get same-day turnaround start taking a week.

This is a qualitative KRI, but it’s worth operationalizing. Assign someone to formally assess communication quality quarterly, and flag material changes.

7. Concentration Risk: Program Dependency

This one runs in both directions. If your fintech represents more than 15-20% of the bank’s total deposits or fee income, you have a concentration that creates systemic risk—and makes the bank less willing to let you leave if the relationship deteriorates.

Conversely, if the bank has more than five fintech partners of your size, a single partner’s rapid growth or contraction can create volatility across the whole program.

Track: Your fintech’s estimated share of the bank’s total deposits (estimated from call report data) and the number of known fintech partners at the bank.

Building This Into Your Third-Party Risk Program

The OCC/FDIC/Fed joint statement made clear that regulators expect both sides of a bank-fintech arrangement to understand and manage the risks the partnership creates. That means fintechs can no longer treat sponsor bank health as someone else’s problem.

Practically, partner bank liquidity monitoring should be embedded in two places: your third-party risk KRI program and your contingency funding plan. The KRIs above provide the early warning signal. The CFP provides the response.

Your liquidity KRI program should already have metrics for your own balance sheet. Add a separate section specifically for third-party-driven liquidity events—because a sponsor bank disruption creates a fundamentally different scenario than an internal cash flow shortfall.

The Thread Bank consent order from May 2024 required the bank’s board to approve risk tolerance thresholds for each fintech partner based on adverse financial scenarios. Fintechs need the inverse: a documented analysis of what a bank-side liquidity event looks like, and what the fintech does in response.

What the Synapse Rule Changes

The FDIC’s proposed “Synapse rule,” introduced in October 2024, requires sponsor banks to maintain accurate, auditable, real-time records of beneficial ownership in custodial accounts. This addresses the core failure in the Synapse collapse: the inability to reconcile who owned what.

What it doesn’t change: fintechs’ responsibility to maintain their own independent ledger. The lesson from Synapse isn’t just that Synapse’s ledger was bad—it’s that no one else in the chain maintained an independent, authoritative copy. If you rely entirely on your partner bank or middleware provider to reconcile your customer funds, you are one bankruptcy away from the Synapse scenario.

Sponsor-bank enforcement illustrates a related dynamic: regulators can hold sponsor banks accountable for their fintech programs’ compliance failures. When the bank gets a consent order, the fintech program can be disrupted regardless of whether the fintech did anything wrong. That’s a systemic risk that no amount of internal compliance work protects you from—only monitoring and a real backup plan does.

So What? Building Your Monitoring Stack

For fintechs operating on sponsor bank rails, the question isn’t whether to monitor your partner bank—it’s how to do it with the information actually available. Here’s the minimum viable monitoring stack:

Daily: Settlement velocity tracking vs. 30-day baseline
Weekly: Fund access anomaly log review
Monthly: FDIC/OCC enforcement action scan for your sponsor bank
Quarterly: Call report pull for key financial ratios, communication quality assessment, executive team scan
Event-triggered: Any regulatory action, executive departure, or public news about the bank

This isn’t about forecasting bank failures. It’s about having enough warning time to activate your contingency plan before your customers lose access to their money. Synapse’s fintech partners had essentially zero warning time. With the right KRI program, some of them might have had weeks.

The KRI Library (132 Key Risk Indicators) includes a dedicated Third-Party Risk section with pre-built templates for vendor and partner monitoring—including settlement velocity, concentration risk, and regulatory action thresholds. See the full list at the KRI Library product page.

Sponsor bank risk is a concentration risk with a delayed fuse. Build the KRI program before you need it.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What are partner bank liquidity KRIs for fintechs?
Partner bank liquidity KRIs are leading indicators a fintech uses to monitor whether its sponsor or custodial bank is showing signs of financial stress—before that stress causes an operational disruption, settlement failure, or access freeze. Because fintechs don't have access to their bank's internal balance sheet data, these KRIs focus on observable signals: settlement delays, changes in communication frequency, regulatory action disclosures, public financial filings, and abnormal transaction behavior.
What happened with Synapse and why does it matter for fintech liquidity risk?
Synapse Financial Technologies filed for bankruptcy in April 2024, freezing over $265 million belonging to more than 100,000 end users across multiple fintech platforms. The collapse revealed that Synapse's internal ledgers were so compromised they couldn't answer basic questions about whose money sat where. Partner banks—including Evolve Bank & Trust—refused to cover the shortfall. The CFPB subsequently allocated $46 million to victims, but many users waited months to access their own funds. The Synapse event exposed the systemic risk embedded in BaaS structures when fintechs don't monitor the financial health and ledgering integrity of the institutions holding their customers' money.
Can a fintech actually monitor its sponsor bank's liquidity?
Directly, no. A fintech doesn't have access to its partner bank's deposit base, wholesale funding mix, or reserve ratios. Indirectly, yes. Observable signals include: settlement velocity changes, any unusual holds or delays in fund access, changes in the bank's public call report data (FDIC data is published quarterly), regulatory enforcement disclosures on FDIC and OCC websites, any change in relationship manager or executive team, and news about the bank's fintech program from other fintech clients or industry press.
What did regulators say about fintech liquidity and concentration risk in 2024?
On July 25, 2024, the OCC, FDIC, and Federal Reserve issued a joint statement specifically identifying liquidity risk, concentration risk, operational risk, and compliance risk as elevated concerns in bank-fintech partnership arrangements. The agencies said fintechs and banks must understand and manage the risk that rapid fund flows—particularly in payment programs—can create liquidity stress that neither party is fully prepared for. The FDIC also issued a proposed 'Synapse rule' in October 2024 requiring sponsor banks to maintain accurate, auditable records of beneficial ownership in custodial accounts.
How should fintechs document their partner bank monitoring KRIs?
Each KRI should have: a definition (what exactly is being measured), a data source (where the metric comes from), a threshold (amber and red levels), an owner (who reviews it), an update frequency (daily, weekly, monthly, or event-triggered), and an escalation path (what happens when amber or red fires). For partner bank KRIs specifically, the escalation path should connect directly to your contingency funding plan or BCP, because a threshold breach from a bank-side liquidity event may require activating your transition-to-a-backup-bank scenario.
What should a fintech's contingency plan include if its sponsor bank fails?
At minimum: an identified backup bank (ideally pre-onboarded), a documented fund transfer and customer notification protocol, a real-time ledger reconciliation process you own independently of the bank, a communication plan for customers, and a regulatory notification checklist. The Thread Bank consent order (May 2024) specifically required the bank's board to approve risk tolerance thresholds for each fintech partner 'based on an enterprise-wide financial analysis of each fintech partner's financial projections under expected and adverse scenarios'—but fintechs need mirror-image contingency plans that don't rely on the bank to perform that analysis.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.