Feature Business Continuity
When Your Bank Partner Fails: The BCP Scenario Fintechs Keep Skipping Until It's Too Late
The Synapse bankruptcy froze $265 million in fintech customer funds. Most fintech BCPs don't mention the bank partner failing at all. Here's how to plan for the scenario most compliance teams assume will never happen.
Table of Contents
TL;DR:
- When Synapse filed Chapter 11 in April 2024, $265 million in fintech customer funds froze. A $65–$95 million shortfall emerged between what customers were owed and what the banks actually held. Most fintech BCPs had no plan for this scenario.
- Three distinct threats require planning: hard bank failure, consent-order-driven wind-down, and merger/acquisition where partnership terms don’t survive.
- Operational dependencies that go offline immediately in a hard failure: ACH origination, debit card processing, real-time payments, and access to customer custodial funds.
- The regulatory expectation has shifted: FFIEC BCM requirements and the 2023 interagency TPRM guidance both expect fintech BCPs to address critical third-party relationship failures — including bank partners.
- Five components every fintech BCP needs: multi-bank strategy, data portability clauses, customer communication playbook, payment rail transition runbooks, and a real-time reconciliation ledger.
The Scenario Every Fintech BCP Should Address — But Most Don’t
Pull up the BCP for the average fintech. You’ll find something for ransomware. Something for cloud provider outages. Maybe a section on pandemic workforce disruption. What you rarely find is a structured plan for what happens when the bank partner — the institution whose charter and payment infrastructure the fintech’s entire product runs through — enters bankruptcy, receives an enforcement action that forces a wind-down, or gets acquired by an entity that doesn’t want the fintech relationship.
In May 2024, Yotta’s customers woke up to find their accounts inaccessible. Not because Yotta failed. Not because a cyberattack hit. Yotta’s bank middleware provider — Synapse Financial Technologies — had filed Chapter 11 on April 22, 2024, and the access freeze that followed was immediate and involuntary.
Synapse was the intermediary linking Yotta, Juno, Copper, and roughly a dozen other fintechs to their underlying partner banks, including Evolve Bank & Trust, AMG National Trust, and Lineage Bank. When Synapse’s operations stopped, the payment rails stopped. When the bankruptcy trustee began examining the books, a problem emerged: the total funds the partnering banks were holding was approximately $65–$95 million less than what customer records said was owed. More than 100,000 people lost access to over $265 million in funds for months. Some customers reported amounts as high as $38,000 still unresolved weeks into the crisis.
The FDIC deposit insurance they assumed protected their money? It covered bank failures — not a middleware bankruptcy where the underlying banks were still open, but the ledger reconciling who owned what had collapsed.
Why Most Fintech BCPs Miss This
Business continuity planning in financial services defaults to operational threat scenarios: natural disasters, cyberattacks, vendor outages, key-person loss. Bank partner failure sits in a different category. It’s a dependency failure that is simultaneously a legal event (bankruptcy or regulatory proceedings), an operational event (payment rails go down), a financial event (customer funds access freezes), and a customer protection event (notification, potential FDIC claim filing, regulatory reporting).
Most fintech compliance teams implicitly assume their bank partner is a going concern. The assumption makes sense historically — community banks and regional banks rarely fail — but the post-2022 environment has made that assumption harder to sustain. Since 2023, the FDIC, OCC, and Federal Reserve have issued consent orders against a growing list of BaaS-focused banks including Cross River, Lineage, Piermont, Sutton, and Evolve. The Federal Reserve issued a cease and desist against Evolve Bank & Trust in June 2024 — the same month that the Synapse bankruptcy trustee was unwinding the accounts Evolve held on behalf of Synapse-connected fintechs.
None of the fintechs on Synapse’s platform had a tested plan for this scenario.
The Three Scenarios Your BCP Needs to Address
Bank partner risk isn’t one scenario — it’s three, each with a distinct timeline and operational consequence.
Scenario 1: Hard Failure (Bankruptcy or Receivership)
The Synapse playbook. The bank or middleware partner ceases operations or is placed into receivership. Impact is immediate and involuntary:
- ACH origination stops. Payments in flight may not clear or may reverse without notice.
- Debit card processing goes offline or is suspended pending account validation.
- Real-time payment connections (RTP, FedNow) are terminated.
- Customer fund access freezes until a trustee or receiver can validate who holds what.
Timeline: No prior notice. The fintech learns about the failure concurrently with customers, often through media reports or when payment processing alerts start firing.
Scenario 2: Consent-Order-Driven Wind-Down
Less sudden than outright failure, but operationally similar in eventual impact. Regulators issue a consent order requiring the bank to exit certain fintech partnerships, often within a defined timeframe. Evolve’s June 2024 cease and desist prohibited adding new fintech partners and required enhanced oversight of existing ones. Cross River’s 2023 FDIC consent order required FDIC approval before any new fintech onboarding.
Timeline: Typically weeks to months of runway, but:
- The bank’s compliance team immediately increases scrutiny, documentation demands, and RFI volume
- The fintech may receive termination notices before the BCP has even been reviewed
- Transition timelines are dictated by the regulator, not the fintech’s operational readiness
Scenario 3: Merger or Acquisition
The bank partner is acquired, merges, or changes strategic direction. The acquirer may not want the fintech book of business, may impose different terms, or may impose a wind-down on the acquired bank’s fintech relationships.
Blue Ridge Bank — which exited its OCC consent order in 2024 after completing remediation — is a case where a smaller community bank worked through enforcement and survived. But not every fintech relationship survived the process. Acquisition-driven transitions can arrive with contract assignment clauses that give the acquiring bank the right to terminate fintech partnerships with limited notice.
What Goes Offline Immediately in a Hard Failure
Understanding the operational cascade is essential for designing an effective response plan. In a hard bank partner failure, these are the systems that break in sequence:
| Dependency | What Fails | Impact Window |
|---|---|---|
| ACH origination | Batch payments, direct deposits, bill pay stop processing | Immediate — same-day or next-day |
| Debit card issuing | Cards decline at point of sale, ATM withdrawals fail | Immediate |
| Real-time payments (RTP/FedNow) | Instant transfers suspended | Immediate |
| Customer funds access | Balances visible but not accessible pending trustee validation | Days to months depending on proceedings |
| Regulatory licenses | Fintech may need bank-specific state licenses re-filed | Weeks to months |
| Customer notification | FDIC claim filing, state notification requirements | 30–90 days depending on jurisdiction |
The payment rail failures hit customers immediately. The reconciliation and regulatory proceedings then run in parallel for months, which is what happened after Synapse: customers couldn’t access funds while the bankruptcy court worked through the $65–$95 million shortfall.
Five Components Every Fintech BCP Needs
1. A Multi-Bank Strategy — Before You Need It
The single most effective BCP control for bank partner failure is maintaining a qualified backup bank partner relationship before the primary one is in distress. This doesn’t mean splitting production volume across two banks from day one — that creates complexity and cost. It means:
- Identifying at least one qualified alternate bank partner with compatible API infrastructure
- Executing a framework agreement or letter of intent that would allow expedited onboarding
- Running an annual connectivity test to confirm the backup relationship remains viable
If you discover the backup bank only after your primary bank has entered a consent order, the timing problem will be severe. Banks under regulatory scrutiny are not adding new fintech relationships — and the banks you’d want to migrate to are doing their own due diligence reviews that take three to six months under the current regulatory environment.
2. Data Portability Clauses in Every Bank Partner Agreement
When a bank fails or exits, fintechs need two things: their customer data and their transaction history. Both of these are often sitting in the bank’s systems or in a middleware layer the bank controls. Without explicit contractual rights, accessing that data in a wind-down scenario requires going through a bankruptcy court or regulator — which means delays measured in months.
Every bank partner contract should include:
- Right to export all customer records, transaction history, and account data in a standard format (CSV, JSON, or defined API) within a defined timeframe (typically 30–60 days)
- Data destruction schedule that protects customer information after termination
- Access to the real-time ledger of customer funds held in custodial accounts at the bank
- Incident notification window requiring the bank to notify the fintech of any material operational disruption within 24–48 hours
The FDIC’s proposed Recordkeeping for Custodial Accounts rule — proposed in September 2024 in direct response to the Synapse failure — would require banks to maintain real-time records of which customers own which funds. That rule, when finalized, will help. But your contracts need to secure these rights today.
3. Customer Communication Playbook
Every bank partner failure scenario eventually requires explaining something difficult to customers: why their money is unavailable, what their options are, and what they need to do. Having pre-drafted templates and regulatory notification procedures prevents the worst of the reactive chaos.
At minimum, the playbook should include:
- Scenario-specific notification drafts: soft closure (“transitioning providers”), hard closure (“service interrupted”), fund access delay
- State breach notification checklist — some states treat a fintech’s inability to provide access to customer funds as a reportable event
- CFPB complaint intake escalation procedure — expect complaint volume to spike immediately in a hard failure
- Bank partner notification protocol — who at the fintech contacts whom at the bank (or the bankruptcy trustee) to validate fund balances
- Social media escalation procedure — Yotta’s customers organized publicly on Twitter/X within hours of the Synapse freeze
4. Payment Rail Transition Runbooks
For each payment rail your fintech relies on — ACH origination, debit card processing, RTP, FedNow, wire origination — the BCP needs a step-by-step runbook for migrating that capability to the backup bank. These runbooks should be tested, not just documented.
A runbook that’s never been executed isn’t a BCP — it’s a template that may or may not work under pressure. At minimum, test the runbook against a tabletop scenario annually: “Your bank partner has just sent a termination notice with 60 days of runway. Walk me through how you move ACH origination.”
5. A Real-Time Customer Fund Reconciliation Ledger
The $65–$95 million Synapse shortfall was a reconciliation problem: the fintech platforms showed customer balances that weren’t matched by actual funds at the bank. The disparity built up over years of middleware intermediation without consistent ledger reconciliation.
Every fintech should maintain its own independently reconciled record of the customer funds held on its behalf at the partner bank. This ledger should reconcile daily against the bank’s records — not weekly or monthly. In a failure scenario, this record becomes your primary tool for validating customer claims, working with the bankruptcy trustee, and filing FDIC claims.
The Regulatory Framework You’re Now Expected to Meet
The July 25, 2024 joint statement from the OCC, FDIC, and Federal Reserve on bank-fintech arrangements explicitly flagged operational, liquidity, and concentration risks in these partnerships as areas of elevated supervisory concern. The June 2023 interagency TPRM guidance (OCC Bulletin 2023-17) requires institutions to plan for the need to replace a critical provider that can no longer fulfill its obligations — and to be able to minimize the negative impact on recovery time objectives independently of the failed provider.
For the bank partner failure scenario specifically, the FFIEC BCM booklet’s requirements on third-party dependencies apply directly. A fintech without a documented, tested plan for bank partner failure is an operational resilience gap that an examiner — or a bank partner’s own due diligence team — will now flag.
So What? The BCP Gap Nobody Wants to Admit
Ask most fintech compliance teams whether their BCP covers bank partner failure. You’ll get one of three answers: “We assumed that was covered under vendor continuity,” “We’ve never thought about it,” or “Our bank partner has been around for 20 years — that’s not a real scenario.”
The Synapse bankruptcy answered all three.
Bank partner failure isn’t a tail risk anymore. It’s a documented scenario with real case studies, real regulatory follow-up, and real victims who spent months trying to access funds they thought were safe. The FDIC is writing rules to prevent a recurrence. Your bank partner’s compliance team is asking about your continuity plans. Your examiners are starting to ask too.
The hardest part of this planning isn’t the technology — it’s the conversation. Telling your CEO that you need a backup bank relationship, data portability clauses, and a customer fund reconciliation ledger requires framing the scenario credibly. That’s easier when you can point to the Synapse playbook.
For a complete BCP framework including third-party dependency mapping, recovery runbooks, and tabletop exercise scenarios, the Business Continuity & Disaster Recovery (BCP/DR) Kit includes templates built for financial services teams managing exactly these dependencies.
For the related TPRM minimum standards that now define what your bank partner needs from you during their own oversight reviews, see The BaaS Consent Order Playbook: What 10+ Enforcement Actions Reveal About TPRM Minimum Standards. For the exit planning controls that belong in every critical vendor contract, see Critical Vendor Exit Planning: How to Build a Wind-Down Strategy Before You Need One. And for the ongoing monitoring signals that should have warned Yotta before Synapse’s problems became their problem, see Partner Bank Liquidity KRIs: What Fintechs Should Monitor but Often Do Not.
Sources: Federal Reserve enforcement action against Evolve Bancorp, June 2024; FDIC — Agencies Issue Statement on Bank Arrangements with Third Parties, July 2024; CNBC — Synapse bankruptcy, customer funds frozen, May 2024; CNBC — FDIC proposes custodial deposit recordkeeping rule, September 2024; OCC Bulletin 2023-17 — Interagency Guidance on Third-Party Relationships
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does my BCP need to address what happens if my bank partner fails?
What happened to fintech customer funds during the Synapse bankruptcy?
What are the three scenarios a fintech BCP should address for bank partner risk?
What should be in a fintech's bank partner failure BCP?
What did the FDIC propose to prevent another Synapse?
Does my fintech need a separate bank partner risk section in its BCP, or is it covered by vendor continuity?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
◆ Keep reading
Related posts.
Business Continuity
Power and Telecommunications Resilience: What the 2026 FFIEC BCM Booklet Requires You to Document and Test
The 2026 FFIEC BCM Booklet elevated power and telecommunications resilience from a supporting concern to a standalone examination focus. Here's what examiners now look for in generator testing, telecom redundancy documentation, and alternate site utility independence.
Jul 4, 2026
Business Continuity
Your BCP Activation Just Became a Regulatory Notification Trigger: What FCA/PRA PS26/2 Requires by March 2027
The FCA and PRA published PS26/2 in March 2026, establishing a new operational incident reporting regime that hardwires regulatory notification into BCP activation. Financial institutions with UK operations have until March 18, 2027 to comply. Here's what needs to change in your BCP.
Jul 1, 2026
Business Continuity
BCP Update Triggers: When FFIEC Requires You to Revise Your Business Continuity Plan Between Annual Reviews
Annual BCP review isn't enough. The FFIEC BCM Handbook and ISO 22301 both identify specific events that require mid-cycle plan updates. Here's the six-trigger framework that keeps your program defensible year-round.
Jun 25, 2026