Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Business Continuity

When Your Bank Partner Fails: The BCP Scenario Fintechs Keep Skipping Until It's Too Late

The Synapse bankruptcy froze $265 million in fintech customer funds. Most fintech BCPs don't mention the bank partner failing at all. Here's how to plan for the scenario most compliance teams assume will never happen.

By Rebecca Leung · June 8, 2026 ·
Table of Contents

TL;DR:

  • When Synapse filed Chapter 11 in April 2024, $265 million in fintech customer funds froze. A $65–$95 million shortfall emerged between what customers were owed and what the banks actually held. Most fintech BCPs had no plan for this scenario.
  • Three distinct threats require planning: hard bank failure, consent-order-driven wind-down, and merger/acquisition where partnership terms don’t survive.
  • Operational dependencies that go offline immediately in a hard failure: ACH origination, debit card processing, real-time payments, and access to customer custodial funds.
  • The regulatory expectation has shifted: FFIEC BCM requirements and the 2023 interagency TPRM guidance both expect fintech BCPs to address critical third-party relationship failures — including bank partners.
  • Five components every fintech BCP needs: multi-bank strategy, data portability clauses, customer communication playbook, payment rail transition runbooks, and a real-time reconciliation ledger.

The Scenario Every Fintech BCP Should Address — But Most Don’t

Pull up the BCP for the average fintech. You’ll find something for ransomware. Something for cloud provider outages. Maybe a section on pandemic workforce disruption. What you rarely find is a structured plan for what happens when the bank partner — the institution whose charter and payment infrastructure the fintech’s entire product runs through — enters bankruptcy, receives an enforcement action that forces a wind-down, or gets acquired by an entity that doesn’t want the fintech relationship.

In May 2024, Yotta’s customers woke up to find their accounts inaccessible. Not because Yotta failed. Not because a cyberattack hit. Yotta’s bank middleware provider — Synapse Financial Technologies — had filed Chapter 11 on April 22, 2024, and the access freeze that followed was immediate and involuntary.

Synapse was the intermediary linking Yotta, Juno, Copper, and roughly a dozen other fintechs to their underlying partner banks, including Evolve Bank & Trust, AMG National Trust, and Lineage Bank. When Synapse’s operations stopped, the payment rails stopped. When the bankruptcy trustee began examining the books, a problem emerged: the total funds the partnering banks were holding was approximately $65–$95 million less than what customer records said was owed. More than 100,000 people lost access to over $265 million in funds for months. Some customers reported amounts as high as $38,000 still unresolved weeks into the crisis.

The FDIC deposit insurance they assumed protected their money? It covered bank failures — not a middleware bankruptcy where the underlying banks were still open, but the ledger reconciling who owned what had collapsed.

Why Most Fintech BCPs Miss This

Business continuity planning in financial services defaults to operational threat scenarios: natural disasters, cyberattacks, vendor outages, key-person loss. Bank partner failure sits in a different category. It’s a dependency failure that is simultaneously a legal event (bankruptcy or regulatory proceedings), an operational event (payment rails go down), a financial event (customer funds access freezes), and a customer protection event (notification, potential FDIC claim filing, regulatory reporting).

Most fintech compliance teams implicitly assume their bank partner is a going concern. The assumption makes sense historically — community banks and regional banks rarely fail — but the post-2022 environment has made that assumption harder to sustain. Since 2023, the FDIC, OCC, and Federal Reserve have issued consent orders against a growing list of BaaS-focused banks including Cross River, Lineage, Piermont, Sutton, and Evolve. The Federal Reserve issued a cease and desist against Evolve Bank & Trust in June 2024 — the same month that the Synapse bankruptcy trustee was unwinding the accounts Evolve held on behalf of Synapse-connected fintechs.

None of the fintechs on Synapse’s platform had a tested plan for this scenario.

The Three Scenarios Your BCP Needs to Address

Bank partner risk isn’t one scenario — it’s three, each with a distinct timeline and operational consequence.

Scenario 1: Hard Failure (Bankruptcy or Receivership)

The Synapse playbook. The bank or middleware partner ceases operations or is placed into receivership. Impact is immediate and involuntary:

  • ACH origination stops. Payments in flight may not clear or may reverse without notice.
  • Debit card processing goes offline or is suspended pending account validation.
  • Real-time payment connections (RTP, FedNow) are terminated.
  • Customer fund access freezes until a trustee or receiver can validate who holds what.

Timeline: No prior notice. The fintech learns about the failure concurrently with customers, often through media reports or when payment processing alerts start firing.

Less sudden than outright failure, but operationally similar in eventual impact. Regulators issue a consent order requiring the bank to exit certain fintech partnerships, often within a defined timeframe. Evolve’s June 2024 cease and desist prohibited adding new fintech partners and required enhanced oversight of existing ones. Cross River’s 2023 FDIC consent order required FDIC approval before any new fintech onboarding.

Timeline: Typically weeks to months of runway, but:

  • The bank’s compliance team immediately increases scrutiny, documentation demands, and RFI volume
  • The fintech may receive termination notices before the BCP has even been reviewed
  • Transition timelines are dictated by the regulator, not the fintech’s operational readiness

Scenario 3: Merger or Acquisition

The bank partner is acquired, merges, or changes strategic direction. The acquirer may not want the fintech book of business, may impose different terms, or may impose a wind-down on the acquired bank’s fintech relationships.

Blue Ridge Bank — which exited its OCC consent order in 2024 after completing remediation — is a case where a smaller community bank worked through enforcement and survived. But not every fintech relationship survived the process. Acquisition-driven transitions can arrive with contract assignment clauses that give the acquiring bank the right to terminate fintech partnerships with limited notice.

What Goes Offline Immediately in a Hard Failure

Understanding the operational cascade is essential for designing an effective response plan. In a hard bank partner failure, these are the systems that break in sequence:

DependencyWhat FailsImpact Window
ACH originationBatch payments, direct deposits, bill pay stop processingImmediate — same-day or next-day
Debit card issuingCards decline at point of sale, ATM withdrawals failImmediate
Real-time payments (RTP/FedNow)Instant transfers suspendedImmediate
Customer funds accessBalances visible but not accessible pending trustee validationDays to months depending on proceedings
Regulatory licensesFintech may need bank-specific state licenses re-filedWeeks to months
Customer notificationFDIC claim filing, state notification requirements30–90 days depending on jurisdiction

The payment rail failures hit customers immediately. The reconciliation and regulatory proceedings then run in parallel for months, which is what happened after Synapse: customers couldn’t access funds while the bankruptcy court worked through the $65–$95 million shortfall.

Five Components Every Fintech BCP Needs

1. A Multi-Bank Strategy — Before You Need It

The single most effective BCP control for bank partner failure is maintaining a qualified backup bank partner relationship before the primary one is in distress. This doesn’t mean splitting production volume across two banks from day one — that creates complexity and cost. It means:

  • Identifying at least one qualified alternate bank partner with compatible API infrastructure
  • Executing a framework agreement or letter of intent that would allow expedited onboarding
  • Running an annual connectivity test to confirm the backup relationship remains viable

If you discover the backup bank only after your primary bank has entered a consent order, the timing problem will be severe. Banks under regulatory scrutiny are not adding new fintech relationships — and the banks you’d want to migrate to are doing their own due diligence reviews that take three to six months under the current regulatory environment.

2. Data Portability Clauses in Every Bank Partner Agreement

When a bank fails or exits, fintechs need two things: their customer data and their transaction history. Both of these are often sitting in the bank’s systems or in a middleware layer the bank controls. Without explicit contractual rights, accessing that data in a wind-down scenario requires going through a bankruptcy court or regulator — which means delays measured in months.

Every bank partner contract should include:

  • Right to export all customer records, transaction history, and account data in a standard format (CSV, JSON, or defined API) within a defined timeframe (typically 30–60 days)
  • Data destruction schedule that protects customer information after termination
  • Access to the real-time ledger of customer funds held in custodial accounts at the bank
  • Incident notification window requiring the bank to notify the fintech of any material operational disruption within 24–48 hours

The FDIC’s proposed Recordkeeping for Custodial Accounts rule — proposed in September 2024 in direct response to the Synapse failure — would require banks to maintain real-time records of which customers own which funds. That rule, when finalized, will help. But your contracts need to secure these rights today.

3. Customer Communication Playbook

Every bank partner failure scenario eventually requires explaining something difficult to customers: why their money is unavailable, what their options are, and what they need to do. Having pre-drafted templates and regulatory notification procedures prevents the worst of the reactive chaos.

At minimum, the playbook should include:

  • Scenario-specific notification drafts: soft closure (“transitioning providers”), hard closure (“service interrupted”), fund access delay
  • State breach notification checklist — some states treat a fintech’s inability to provide access to customer funds as a reportable event
  • CFPB complaint intake escalation procedure — expect complaint volume to spike immediately in a hard failure
  • Bank partner notification protocol — who at the fintech contacts whom at the bank (or the bankruptcy trustee) to validate fund balances
  • Social media escalation procedure — Yotta’s customers organized publicly on Twitter/X within hours of the Synapse freeze

4. Payment Rail Transition Runbooks

For each payment rail your fintech relies on — ACH origination, debit card processing, RTP, FedNow, wire origination — the BCP needs a step-by-step runbook for migrating that capability to the backup bank. These runbooks should be tested, not just documented.

A runbook that’s never been executed isn’t a BCP — it’s a template that may or may not work under pressure. At minimum, test the runbook against a tabletop scenario annually: “Your bank partner has just sent a termination notice with 60 days of runway. Walk me through how you move ACH origination.”

5. A Real-Time Customer Fund Reconciliation Ledger

The $65–$95 million Synapse shortfall was a reconciliation problem: the fintech platforms showed customer balances that weren’t matched by actual funds at the bank. The disparity built up over years of middleware intermediation without consistent ledger reconciliation.

Every fintech should maintain its own independently reconciled record of the customer funds held on its behalf at the partner bank. This ledger should reconcile daily against the bank’s records — not weekly or monthly. In a failure scenario, this record becomes your primary tool for validating customer claims, working with the bankruptcy trustee, and filing FDIC claims.

The Regulatory Framework You’re Now Expected to Meet

The July 25, 2024 joint statement from the OCC, FDIC, and Federal Reserve on bank-fintech arrangements explicitly flagged operational, liquidity, and concentration risks in these partnerships as areas of elevated supervisory concern. The June 2023 interagency TPRM guidance (OCC Bulletin 2023-17) requires institutions to plan for the need to replace a critical provider that can no longer fulfill its obligations — and to be able to minimize the negative impact on recovery time objectives independently of the failed provider.

For the bank partner failure scenario specifically, the FFIEC BCM booklet’s requirements on third-party dependencies apply directly. A fintech without a documented, tested plan for bank partner failure is an operational resilience gap that an examiner — or a bank partner’s own due diligence team — will now flag.

So What? The BCP Gap Nobody Wants to Admit

Ask most fintech compliance teams whether their BCP covers bank partner failure. You’ll get one of three answers: “We assumed that was covered under vendor continuity,” “We’ve never thought about it,” or “Our bank partner has been around for 20 years — that’s not a real scenario.”

The Synapse bankruptcy answered all three.

Bank partner failure isn’t a tail risk anymore. It’s a documented scenario with real case studies, real regulatory follow-up, and real victims who spent months trying to access funds they thought were safe. The FDIC is writing rules to prevent a recurrence. Your bank partner’s compliance team is asking about your continuity plans. Your examiners are starting to ask too.

The hardest part of this planning isn’t the technology — it’s the conversation. Telling your CEO that you need a backup bank relationship, data portability clauses, and a customer fund reconciliation ledger requires framing the scenario credibly. That’s easier when you can point to the Synapse playbook.

For a complete BCP framework including third-party dependency mapping, recovery runbooks, and tabletop exercise scenarios, the Business Continuity & Disaster Recovery (BCP/DR) Kit includes templates built for financial services teams managing exactly these dependencies.

For the related TPRM minimum standards that now define what your bank partner needs from you during their own oversight reviews, see The BaaS Consent Order Playbook: What 10+ Enforcement Actions Reveal About TPRM Minimum Standards. For the exit planning controls that belong in every critical vendor contract, see Critical Vendor Exit Planning: How to Build a Wind-Down Strategy Before You Need One. And for the ongoing monitoring signals that should have warned Yotta before Synapse’s problems became their problem, see Partner Bank Liquidity KRIs: What Fintechs Should Monitor but Often Do Not.


Sources: Federal Reserve enforcement action against Evolve Bancorp, June 2024; FDIC — Agencies Issue Statement on Bank Arrangements with Third Parties, July 2024; CNBC — Synapse bankruptcy, customer funds frozen, May 2024; CNBC — FDIC proposes custodial deposit recordkeeping rule, September 2024; OCC Bulletin 2023-17 — Interagency Guidance on Third-Party Relationships

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does my BCP need to address what happens if my bank partner fails?
Yes. The FFIEC BCM booklet explicitly requires institutions to address third-party dependency failures in their BCP, and the June 2023 interagency third-party risk management guidance requires both banks and their fintech partners to have continuity plans that address critical relationship failures. After Synapse, regulators are actively reviewing whether fintech BCPs address the bank partner failure scenario — not just vendor outages and cyberattacks.
What happened to fintech customer funds during the Synapse bankruptcy?
When Synapse Financial Technologies filed Chapter 11 in April 2024, access to more than $265 million in end-user funds held across fintech platforms was frozen. The bankruptcy trustee found a shortfall of approximately $65–$95 million between what customer records said was owed and what the partnering banks actually held. More than 100,000 customers lost access to their accounts for months, and some platforms — including Yotta — effectively ceased operations. FDIC deposit insurance did not apply because the failure was the fintech middleware layer, not the underlying insured bank.
What are the three scenarios a fintech BCP should address for bank partner risk?
Three scenarios have distinct operational consequences: (1) Hard failure — bank files for insolvency or a supervisory authority places it into receivership; customer fund access freezes, payment rails go offline without notice. (2) Enforcement-driven wind-down — a consent order restricts new onboarding and forces existing fintechs to transition; typically weeks to months of runway but significant documentation pressure. (3) Merger or acquisition — bank is sold or absorbed; partnership terms may not survive, contracts may be renegotiated, and processing continuity depends on the acquirer's fintech appetite.
What should be in a fintech's bank partner failure BCP?
Five elements: (1) A multi-bank strategy — identify and maintain at least one qualified backup bank partner before you need it; (2) Data portability clauses in every bank partner agreement — contractual right to export customer records, transaction history, and account data in a defined format within a defined timeframe; (3) A customer communication playbook — pre-drafted notices for each scenario, regulatory notification checklist, and escalation contacts; (4) Payment rail transition documentation — step-by-step runbooks for migrating ACH origination, debit card processing, and real-time payment connections to an alternate bank; (5) A wind-down ledger — real-time reconciliation of customer funds the bank holds on your behalf, so you can validate balances and minimize dispute surface in a failure scenario.
What did the FDIC propose to prevent another Synapse?
In September 2024, the FDIC proposed a 'Recordkeeping for Custodial Accounts' rule requiring banks that partner with fintechs to maintain detailed, real-time records of which customer is owed which funds. The goal is to eliminate the reconciliation failures that prolonged the Synapse bankruptcy — where the discrepancy between Synapse's records and the banks' actual holdings took months to unravel and produced a $65–$95 million shortfall. The FDIC's proposed rule would make those records available to a bankruptcy trustee or regulator immediately upon demand.
Does my fintech need a separate bank partner risk section in its BCP, or is it covered by vendor continuity?
It needs its own section. Generic vendor continuity plans address outages and SLA misses — scenarios where the vendor is operational but delayed. Bank partner failure is categorically different: payment processing stops without notice, customer accounts freeze, regulatory permissions may be suspended, and the response timeline is dictated by a bankruptcy court or regulatory supervision process, not a normal incident ticket. The scope of impact — customer access to funds — also triggers consumer notification and potential regulatory reporting obligations that don't apply to most vendor outages.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Business Continuity & Disaster Recovery (BCP/DR) Kit

BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.