Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

BaaS Vendor Exit Planning After Synapse: What the FDIC Now Requires From Sponsor Banks and Their Fintech Partners

Synapse's 2024 bankruptcy froze $265M in customer funds and exposed a critical gap in BaaS vendor exit planning. Consent orders against Thread Bank, Evolve, and others — plus the FDIC's proposed recordkeeping rule — have now defined what 'adequate' exit planning actually means.

By Rebecca Leung · June 22, 2026 ·
Table of Contents

TL;DR

  • Synapse’s April 2024 bankruptcy froze $265M in customer funds; the trustee found a $65–$95M reconciliation gap because no one held independent customer records
  • FDIC consent orders against Thread Bank, Evolve, Blue Ridge, and others defined what vendor exit planning must include — including a specific plan to the Regional Director within 30 days of any BaaS partner termination
  • The FDIC’s proposed recordkeeping rule would require sponsor banks to maintain daily-reconciled beneficial owner records independent of their middleware providers
  • Fintechs face their own exposure: contracts without independent audit rights and no backup sponsor relationships are the gaps that will hurt when the next partner fails

April 22, 2024: Synapse Financial Technologies files for Chapter 11 bankruptcy. By May 11, more than 200,000 customer accounts at fintechs like Yotta, Juno, and Dave are frozen. The bankruptcy trustee starts trying to reconcile customer balances across four sponsor banks — Evolve, AMG, Lineage, and American Bank — and a middleware layer that no longer exists. The trustee finds a shortfall. Not $1 million. Not $10 million. Somewhere between $65 million and $95 million, depending on whose ledger you believed. The problem: nobody’s ledger agreed.

That’s not a technology failure. That’s a third-party risk management failure — specifically the failure to plan for what happens when the middleware in your customer-funds chain disappears.

Two years later, the regulatory response has defined exactly what “adequate” BaaS vendor exit planning looks like. If you’re a sponsor bank with fintech BaaS relationships — or a fintech that depends on a BaaS middleware provider or sponsor bank — this is what you now need to have.

What Synapse Actually Broke

Understanding Synapse requires understanding what middleware does in a BaaS arrangement. Synapse sat between approximately 100 fintech companies and their FDIC-insured sponsor banks. It processed transactions, maintained the ledger that showed which customer had which balance, and reconciled between the fintech’s view of customer accounts and the bank’s view of pooled “for benefit of” (FBO) deposits.

When Synapse filed Chapter 11 on April 22, 2024, it didn’t just interrupt transaction processing — it took the shared ledger with it. The four sponsor banks each held pooled FBO deposit balances, but they couldn’t independently determine which customer was owed which amount within each pool. Synapse held that mapping. Synapse was gone.

The CFPB subsequently took enforcement action against Synapse for failing to maintain adequate records and failing to ensure those records matched the records of partner banks. The more instructive question for the industry: why were the banks in a position where Synapse’s records were the only authoritative version?

The Synapse fallout triggered a cascade of consent orders at sponsor banks that hadn’t adequately managed their BaaS relationships. The list includes Evolve Bank & Trust, Blue Ridge Bank, Lineage Bank, Thread Bank, Sutton Bank, and Community Federal Savings Bank — not all Synapse-connected, but all flagged for inadequate third-party risk management in BaaS-adjacent arrangements.

Thread Bank’s May 2024 consent order from the FDIC is the most operationally specific about what exit planning must look like. The order required Thread to:

  • Develop an exit plan covering how to monitor fintech relationships — including third-, fourth-, and fifth-party providers — for service interruptions
  • Document detailed response steps, staffing requirements, and customer notification procedures if a partner experiences a service disruption
  • Define how regulators and external stakeholders will be notified during a disruption
  • When a BaaS partner contract terminates: submit a specific operational plan to the FDIC Regional Director within 30 days of the termination decision, detailing how the bank will execute an orderly wind-down of that relationship

That 30-day window is the operational discipline the consent order is requiring. Not “we have a general wind-down policy.” A specific plan, for this partner, submitted to the regulator, within 30 days of the decision to terminate.

The July 2024 joint statement from the OCC, FDIC, and Federal Reserve on bank-fintech arrangements reinforced the theme: banks cannot outsource responsibility for customer funds management to their fintech partners, regardless of what the contracts say.

The FDIC’s Proposed Recordkeeping Rule

In October 2024, the FDIC proposed a formal rule to codify what adequate BaaS recordkeeping looks like at the bank level. The rule was still working through rulemaking as of mid-2026, but its requirements have already been incorporated into examiner expectations through supervisory guidance and consent order language.

Daily reconciliation: Sponsor banks would be required to reconcile custodial account balances daily — not on-demand, not monthly, daily. Every FBO account must be reconciled to the individual beneficial owner level each business day.

Beneficial owner records at the bank: The authoritative record of who owns what must live at the insured depository institution — not in a middleware layer the bank doesn’t control. Banks can use middleware to generate those records, but they must independently hold and validate them.

Annual independent validation: The bank’s recordkeeping systems and the processes for maintaining them must be independently validated every 12 months by a qualified third party.

Annual certification: Banks must certify annually to the FDIC that they’ve implemented the requirements, tested implementation within the preceding 12 months, and are in compliance.

The comment period closed January 16, 2025. The rule is pending finalization. But examiners were citing inadequate custodial account recordkeeping under existing supervisory guidance before the proposed rule even dropped — the formal rulemaking is putting structure around what already counts as a deficiency.

The Eight-Component Exit Plan

If you’re building or updating a BaaS vendor exit plan, here’s what regulators have signaled it needs to cover:

ComponentWhat to Document
Trigger eventsPartnership termination, regulatory order against partner, partner bankruptcy, major security incident
Customer fund reconciliationHow you independently verify customer balances without the partner’s ledger
Customer notificationTiming, channel, and messaging for affected account holders
Operational wind-down stepsAccount migration, outstanding transaction settlement, data transfer
Staffing planWho owns which responsibilities during wind-down; escalation contacts
Fourth- and fifth-party mappingSubcontractors to your BaaS partner who also need to be unwound or transitioned
Regulator notificationRegulator, timing, format, and designated contact
Timeline and milestonesHow fast can you migrate customers to an alternative? What are the sequencing dependencies?

The Synapse failure was primarily a breakdown of the customer fund reconciliation row. The four sponsor banks discovered, at the worst possible moment, that they couldn’t independently fill in that row without Synapse. Don’t build a plan where any single row depends entirely on your partner’s cooperation.

Concentration Risk: The Problem Exit Planning Doesn’t Solve Alone

Exit planning addresses the operational question: how do you wind down a failed relationship. Concentration risk is the strategic question: are you in a position where any single relationship failure becomes an existential event?

The OCC’s 2023 third-party risk guidance and the July 2024 joint agency statement both call out concentration risk as a specific supervisory concern for BaaS-exposed banks. Regulators are asking:

  • What percentage of your total assets or revenue depends on BaaS relationships overall?
  • What is your maximum exposure to any single fintech partner?
  • Do you have a credible backup for each material BaaS relationship?
  • Could you operate for 90 days if your largest BaaS partner failed or was acquired?

For fintechs, the mirror image: what happens if your sponsor bank receives a consent order and stops accepting new fintech business? That happened to fintech clients of Thread Bank, Blue Ridge, and Lineage throughout 2024. Some fintechs had backup banking relationships and migrated within weeks. Others found out they were operationally dependent on a single sponsor bank and had no credible path to continuity.

What Fintechs Need to Do (Not Just Banks)

The post-Synapse enforcement wave has been directed at sponsor banks. But fintechs absorb the customer-facing consequences of BaaS failures regardless of legal fault. A few specific actions:

Contract audit rights: Your BaaS agreement should give you the right to independently audit customer fund records — and specifically to receive reconciled data on a defined schedule, not only on request. Fintech partners of Synapse who had audit rights and were receiving regular reconciliation data from the banks directly were better positioned than those who depended entirely on Synapse’s ledger.

Operational continuity planning: Model what happens if your sponsor bank relationship ends abruptly. How long does customer migration take? What data do you need from the exiting bank? What contractual obligations are triggered? The time to work through those questions is before they’re urgent.

Customer communication independence: If your BaaS middleware or sponsor bank fails, you need to be able to communicate with your customers about what happened and what they should do — without depending on your vendor’s cooperation for the message content or delivery.

So What?

The Synapse case created a before/after dividing line in BaaS risk management. Before Synapse, “the fintech manages the ledger” was an acceptable answer in many third-party risk reviews. After Synapse, it’s a finding.

What your program needs right now:

  1. Review your BaaS contracts: Do you have independent audit rights over customer fund records? Do your agreements require your partners to maintain their own reconciliation records at the bank level? Do your termination provisions define the partner’s obligations during wind-down?

  2. Build your exit plan: Cover all eight components above. Make it specific enough to file with a regulator within 30 days of a termination decision — because for sponsor banks, that’s now the expectation.

  3. Test your reconciliation capability: Run a drill where your middleware provider is unavailable. Can you independently reconcile customer balances? If the answer isn’t an unambiguous yes, that’s where to start.

  4. Quantify concentration risk: Calculate your exposure to your top three BaaS relationships. Bring those numbers to your risk committee with a remediation timeline if any single relationship represents more than 15–20% of your revenue or material operational capability.

  5. Map your fourth-party dependencies: Your BaaS provider uses subcontractors. Some of those subcontractors may have independent obligations to you — or may have none at all. Know which is which before you need to know.

The FDIC’s proposed recordkeeping rule will eventually set the formal standard. Synapse set the informal one two years ago. Examiners at every BaaS-exposed bank are now asking whether you have an answer to the question the Synapse trustee couldn’t answer: if your middleware disappears tomorrow, can you tell every customer exactly how much they’re owed?

If the answer isn’t yes, your exit plan isn’t done.


Related reading: Vendor Breach Response: What to Do When a Critical Supplier Reports an Incident | Cloud Concentration Risk: When Your AWS, Azure, or GCP Dependency Becomes a Regulatory Problem | DORA Third-Party ICT Risk: Contracts, Concentration Risk, and the 19 Critical Providers You Now Answer To

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What did the Synapse bankruptcy reveal about BaaS vendor exit planning?
Synapse's April 2024 Chapter 11 filing froze $265 million in customer funds across approximately 200,000 accounts. The bankruptcy trustee discovered a shortfall of $65–$95 million between what the four sponsor banks held and what customers were owed — because nobody could reconcile the ledger without Synapse's middleware. The failure exposed that sponsor banks had allowed the customer funds reconciliation capability to live entirely in a third-party middleware layer they didn't control, without maintaining independent records.
What does the FDIC's proposed recordkeeping rule require of sponsor banks?
The FDIC's proposed rule (October 2024, still working through rulemaking) would require sponsor banks to: maintain daily reconciled records of custodial account beneficial owners, perform annual independent validation of their recordkeeping systems, and submit annual certifications of compliance. Critically, the rule would require the bank — not the middleware or fintech — to hold the authoritative record of which customer is owed which amount. A bank cannot delegate that responsibility to a BaaS middleware provider.
What did the Thread Bank FDIC consent order require for vendor exit planning?
Thread Bank's May 2024 FDIC consent order required the bank to develop an exit plan covering: monitoring of fintech relationships including third-, fourth-, and fifth-party providers for service interruptions; detailed response steps and staffing requirements if a partner experiences a disruption; customer notification procedures; and regulator notification protocols. When a BaaS partner terminates, Thread Bank must submit a specific operational wind-down plan to the FDIC Regional Director within 30 days of that decision.
What concentration risk questions are regulators asking BaaS-exposed banks?
Regulators are asking: What percentage of the bank's total assets or revenue depends on BaaS relationships? What is the maximum exposure to any single fintech partner? Does the bank have a credible alternative to each major fintech relationship? Could the bank operate for 90 days if its largest BaaS partner failed? Can the bank independently reconcile all customer balances without relying on middleware records? These questions appear in third-party risk program reviews and OCC/FDIC examinations of banks with significant BaaS exposure.
What obligations do fintechs have when their BaaS middleware or sponsor bank fails?
Fintechs don't have the same direct regulatory obligations as sponsor banks, but they carry significant practical and contractual risk. Fintechs should: ensure their BaaS contracts include independent audit rights over customer fund records; have a backup sponsor bank relationship or migration plan; maintain their own reconciliation records independent of middleware; and have a customer communication protocol that doesn't depend on the vendor's cooperation. Fintechs whose BaaS middleware or sponsor bank fails inherit the customer-facing consequences regardless of who is contractually at fault.
Does the FDIC's proposed recordkeeping rule apply to fintechs or only to banks?
The proposed rule directly regulates insured depository institutions (the sponsor banks), not fintechs. But its practical effect reaches fintechs: if your sponsor bank must maintain daily independent reconciliation of custodial account records, they will push corresponding obligations down to fintech partners through contract requirements. Fintechs that can't provide daily reconciliation data to their sponsor banks will become compliance liabilities for those banks — and may lose the relationship.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.