Feature Third-Party Risk
BaaS Vendor Exit Planning After Synapse: What the FDIC Now Requires From Sponsor Banks and Their Fintech Partners
Synapse's 2024 bankruptcy froze $265M in customer funds and exposed a critical gap in BaaS vendor exit planning. Consent orders against Thread Bank, Evolve, and others — plus the FDIC's proposed recordkeeping rule — have now defined what 'adequate' exit planning actually means.
Table of Contents
TL;DR
- Synapse’s April 2024 bankruptcy froze $265M in customer funds; the trustee found a $65–$95M reconciliation gap because no one held independent customer records
- FDIC consent orders against Thread Bank, Evolve, Blue Ridge, and others defined what vendor exit planning must include — including a specific plan to the Regional Director within 30 days of any BaaS partner termination
- The FDIC’s proposed recordkeeping rule would require sponsor banks to maintain daily-reconciled beneficial owner records independent of their middleware providers
- Fintechs face their own exposure: contracts without independent audit rights and no backup sponsor relationships are the gaps that will hurt when the next partner fails
April 22, 2024: Synapse Financial Technologies files for Chapter 11 bankruptcy. By May 11, more than 200,000 customer accounts at fintechs like Yotta, Juno, and Dave are frozen. The bankruptcy trustee starts trying to reconcile customer balances across four sponsor banks — Evolve, AMG, Lineage, and American Bank — and a middleware layer that no longer exists. The trustee finds a shortfall. Not $1 million. Not $10 million. Somewhere between $65 million and $95 million, depending on whose ledger you believed. The problem: nobody’s ledger agreed.
That’s not a technology failure. That’s a third-party risk management failure — specifically the failure to plan for what happens when the middleware in your customer-funds chain disappears.
Two years later, the regulatory response has defined exactly what “adequate” BaaS vendor exit planning looks like. If you’re a sponsor bank with fintech BaaS relationships — or a fintech that depends on a BaaS middleware provider or sponsor bank — this is what you now need to have.
What Synapse Actually Broke
Understanding Synapse requires understanding what middleware does in a BaaS arrangement. Synapse sat between approximately 100 fintech companies and their FDIC-insured sponsor banks. It processed transactions, maintained the ledger that showed which customer had which balance, and reconciled between the fintech’s view of customer accounts and the bank’s view of pooled “for benefit of” (FBO) deposits.
When Synapse filed Chapter 11 on April 22, 2024, it didn’t just interrupt transaction processing — it took the shared ledger with it. The four sponsor banks each held pooled FBO deposit balances, but they couldn’t independently determine which customer was owed which amount within each pool. Synapse held that mapping. Synapse was gone.
The CFPB subsequently took enforcement action against Synapse for failing to maintain adequate records and failing to ensure those records matched the records of partner banks. The more instructive question for the industry: why were the banks in a position where Synapse’s records were the only authoritative version?
The Consent Order Wave: What Regulators Demanded
The Synapse fallout triggered a cascade of consent orders at sponsor banks that hadn’t adequately managed their BaaS relationships. The list includes Evolve Bank & Trust, Blue Ridge Bank, Lineage Bank, Thread Bank, Sutton Bank, and Community Federal Savings Bank — not all Synapse-connected, but all flagged for inadequate third-party risk management in BaaS-adjacent arrangements.
Thread Bank’s May 2024 consent order from the FDIC is the most operationally specific about what exit planning must look like. The order required Thread to:
- Develop an exit plan covering how to monitor fintech relationships — including third-, fourth-, and fifth-party providers — for service interruptions
- Document detailed response steps, staffing requirements, and customer notification procedures if a partner experiences a service disruption
- Define how regulators and external stakeholders will be notified during a disruption
- When a BaaS partner contract terminates: submit a specific operational plan to the FDIC Regional Director within 30 days of the termination decision, detailing how the bank will execute an orderly wind-down of that relationship
That 30-day window is the operational discipline the consent order is requiring. Not “we have a general wind-down policy.” A specific plan, for this partner, submitted to the regulator, within 30 days of the decision to terminate.
The July 2024 joint statement from the OCC, FDIC, and Federal Reserve on bank-fintech arrangements reinforced the theme: banks cannot outsource responsibility for customer funds management to their fintech partners, regardless of what the contracts say.
The FDIC’s Proposed Recordkeeping Rule
In October 2024, the FDIC proposed a formal rule to codify what adequate BaaS recordkeeping looks like at the bank level. The rule was still working through rulemaking as of mid-2026, but its requirements have already been incorporated into examiner expectations through supervisory guidance and consent order language.
Daily reconciliation: Sponsor banks would be required to reconcile custodial account balances daily — not on-demand, not monthly, daily. Every FBO account must be reconciled to the individual beneficial owner level each business day.
Beneficial owner records at the bank: The authoritative record of who owns what must live at the insured depository institution — not in a middleware layer the bank doesn’t control. Banks can use middleware to generate those records, but they must independently hold and validate them.
Annual independent validation: The bank’s recordkeeping systems and the processes for maintaining them must be independently validated every 12 months by a qualified third party.
Annual certification: Banks must certify annually to the FDIC that they’ve implemented the requirements, tested implementation within the preceding 12 months, and are in compliance.
The comment period closed January 16, 2025. The rule is pending finalization. But examiners were citing inadequate custodial account recordkeeping under existing supervisory guidance before the proposed rule even dropped — the formal rulemaking is putting structure around what already counts as a deficiency.
The Eight-Component Exit Plan
If you’re building or updating a BaaS vendor exit plan, here’s what regulators have signaled it needs to cover:
| Component | What to Document |
|---|---|
| Trigger events | Partnership termination, regulatory order against partner, partner bankruptcy, major security incident |
| Customer fund reconciliation | How you independently verify customer balances without the partner’s ledger |
| Customer notification | Timing, channel, and messaging for affected account holders |
| Operational wind-down steps | Account migration, outstanding transaction settlement, data transfer |
| Staffing plan | Who owns which responsibilities during wind-down; escalation contacts |
| Fourth- and fifth-party mapping | Subcontractors to your BaaS partner who also need to be unwound or transitioned |
| Regulator notification | Regulator, timing, format, and designated contact |
| Timeline and milestones | How fast can you migrate customers to an alternative? What are the sequencing dependencies? |
The Synapse failure was primarily a breakdown of the customer fund reconciliation row. The four sponsor banks discovered, at the worst possible moment, that they couldn’t independently fill in that row without Synapse. Don’t build a plan where any single row depends entirely on your partner’s cooperation.
Concentration Risk: The Problem Exit Planning Doesn’t Solve Alone
Exit planning addresses the operational question: how do you wind down a failed relationship. Concentration risk is the strategic question: are you in a position where any single relationship failure becomes an existential event?
The OCC’s 2023 third-party risk guidance and the July 2024 joint agency statement both call out concentration risk as a specific supervisory concern for BaaS-exposed banks. Regulators are asking:
- What percentage of your total assets or revenue depends on BaaS relationships overall?
- What is your maximum exposure to any single fintech partner?
- Do you have a credible backup for each material BaaS relationship?
- Could you operate for 90 days if your largest BaaS partner failed or was acquired?
For fintechs, the mirror image: what happens if your sponsor bank receives a consent order and stops accepting new fintech business? That happened to fintech clients of Thread Bank, Blue Ridge, and Lineage throughout 2024. Some fintechs had backup banking relationships and migrated within weeks. Others found out they were operationally dependent on a single sponsor bank and had no credible path to continuity.
What Fintechs Need to Do (Not Just Banks)
The post-Synapse enforcement wave has been directed at sponsor banks. But fintechs absorb the customer-facing consequences of BaaS failures regardless of legal fault. A few specific actions:
Contract audit rights: Your BaaS agreement should give you the right to independently audit customer fund records — and specifically to receive reconciled data on a defined schedule, not only on request. Fintech partners of Synapse who had audit rights and were receiving regular reconciliation data from the banks directly were better positioned than those who depended entirely on Synapse’s ledger.
Operational continuity planning: Model what happens if your sponsor bank relationship ends abruptly. How long does customer migration take? What data do you need from the exiting bank? What contractual obligations are triggered? The time to work through those questions is before they’re urgent.
Customer communication independence: If your BaaS middleware or sponsor bank fails, you need to be able to communicate with your customers about what happened and what they should do — without depending on your vendor’s cooperation for the message content or delivery.
So What?
The Synapse case created a before/after dividing line in BaaS risk management. Before Synapse, “the fintech manages the ledger” was an acceptable answer in many third-party risk reviews. After Synapse, it’s a finding.
What your program needs right now:
-
Review your BaaS contracts: Do you have independent audit rights over customer fund records? Do your agreements require your partners to maintain their own reconciliation records at the bank level? Do your termination provisions define the partner’s obligations during wind-down?
-
Build your exit plan: Cover all eight components above. Make it specific enough to file with a regulator within 30 days of a termination decision — because for sponsor banks, that’s now the expectation.
-
Test your reconciliation capability: Run a drill where your middleware provider is unavailable. Can you independently reconcile customer balances? If the answer isn’t an unambiguous yes, that’s where to start.
-
Quantify concentration risk: Calculate your exposure to your top three BaaS relationships. Bring those numbers to your risk committee with a remediation timeline if any single relationship represents more than 15–20% of your revenue or material operational capability.
-
Map your fourth-party dependencies: Your BaaS provider uses subcontractors. Some of those subcontractors may have independent obligations to you — or may have none at all. Know which is which before you need to know.
The FDIC’s proposed recordkeeping rule will eventually set the formal standard. Synapse set the informal one two years ago. Examiners at every BaaS-exposed bank are now asking whether you have an answer to the question the Synapse trustee couldn’t answer: if your middleware disappears tomorrow, can you tell every customer exactly how much they’re owed?
If the answer isn’t yes, your exit plan isn’t done.
Related reading: Vendor Breach Response: What to Do When a Critical Supplier Reports an Incident | Cloud Concentration Risk: When Your AWS, Azure, or GCP Dependency Becomes a Regulatory Problem | DORA Third-Party ICT Risk: Contracts, Concentration Risk, and the 19 Critical Providers You Now Answer To
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What did the Synapse bankruptcy reveal about BaaS vendor exit planning?
What does the FDIC's proposed recordkeeping rule require of sponsor banks?
What did the Thread Bank FDIC consent order require for vendor exit planning?
What concentration risk questions are regulators asking BaaS-exposed banks?
What obligations do fintechs have when their BaaS middleware or sponsor bank fails?
Does the FDIC's proposed recordkeeping rule apply to fintechs or only to banks?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026