Oct. 24, 2024

Why F/B/O Accounts are Important and Shouldn't be Blamed for FinTech Problems

By Dowse Bradwell "Brad" Rustin, IV

For weeks, I have debated whether to enter this fray regarding “F/B/O Accounts” and the recent FDIC Notice of Proposed Rulemaking (NPR) regarding banks hosting custodial accounts. Each morning, my LinkedIn feed is clogged with various industry participants decrying what the FDIC calls “Custodial Accounts” as the worst poison to infect a bank or the best solution for smaller banks seeking to stay relevant in an ecosystem increasingly dominated by cutting-edge technology solutions. As my team prepares for both Acquire or Be Acquired (one of the largest banking conferences in the country) and Money 20/20 (one of the largest FinTech conferences in the country), I am struck by this dichotomy.    

While F/B/O Accounts have historically provided a practical mechanism for non-bank entities to provide services through chartered financial institutions, recent criticisms from regulatory bodies have brought attention to potential weaknesses in their management, particularly concerning transparency, risk management, and compliance with anti-money laundering (AML) laws. These criticisms have raised concerns over how well financial institutions can monitor and safeguard the integrity of these structures.

Why are F/B/O Accounts so important?

As I tell students in my banking law class, for centuries, banks have operated from a single, centralized core ledger ("The Warrior Monks who Invented Banking," BBC). There is a record of each deposit (liability of the bank) and each loan (asset of the bank). Fundamentally, this concept underpins all modern payments, deposit, and lending systems across banking and FinTech. However, as banks grow and seek to diversify, they are limited by the existing systems in which banks operate. Save some recent initiatives for “fast payments” (e.g., FedNow), banks still operate on a multi-day bank-to-bank settlement system where one institution is always “taking the risk” of non-payment. NACHA and card network rules spend hundreds of pages allocating risk amongst participants in these systems. The core competency of many FinTech companies is to expedite data exchange and reduce this risk. The core of FinTech payments apps has been for the customer to know in real time whether they have funds for a transaction and then to guarantee those funds to the counterparty. Banks are really bad at this use case: all one needs to do is understand how many employees in a bank are tasked with handling ACH returns, check returns, card returns, or associated account fraud.

The F/B/O Account solves one of these fundamental problems. The bank's “core” system sees one massive, omnibus account with everyone's comingled money. A sub-core or subledger system then allocates these funds to each end user. The benefit of the subledger is that the bank and FinTech can “see” pending deposits or withdrawals while these transactions work their way through a multi-day clearing system. The subledger immediately deducts or adds funds to the user's ledger and provides near-real-time balances. Even more importantly, as the network effect grows, more and more customers can transact “on us” and enjoy nearly instantaneous settlement with both payors and payees sharing the same FinTech integration. 

While this seems like great news, there's still cause for concern. 

The real problem here is that many banks, candidly, forgot their role in the FinTech equation. My team works with dozens of FinTech sponsor banks from the SIFIs down to the FinTech-forward community banks. What they embrace, and we preach, is the need for ongoing and constantly evolving oversight and control. Many banks viewed FinTech partnerships the way many banks have treated card programs over the last few decades. With the sophistication of the card networks and the technological capabilities of the processors and gateways, banks could take a passive role and rely on these third parties to monitor customers, de-risk transactions, and combat fraud. However, with BaaS and FinTech partnerships, many early-adopter banks were relying on the “integrators” in the same way banks relied on card processors. This proved a bad decision. The infrastructure was not sufficiently closed and controlled, and the integrators did not have the resources or capabilities for outsourced fraud, AML, and transaction monitoring. This led to some public failures and the recent FDIC criticism:

  • Lack of visibility. One of the primary concerns raised by regulators is the potential lack of transparency regarding the actual owners of the funds in F/B/O structures. Since the financial institution often only sees the intermediary holding the omnibus (top-level) account, the bank may not have a direct line of sight into who the ultimate beneficiaries are. This opaque setup can be exploited for illicit purposes, such as money laundering or tax evasion. Regulatory agencies, including the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC), have increasingly flagged the difficulty in tracing the ownership chain in F/B/O accounts. The absence of clear reporting mechanisms can hinder effective monitoring of these accounts and leaves room for potentially suspicious transactions to go unnoticed. This is also a concern regarding a bank failure (triggering FDIC pass-through insurance) or the FinTech failure where the bank is unable to understand which users are entitled to the funds, resulting in blocked access to customers' funds.
  • AML and KYC compliance challenges. F/B/O accounts often blur the lines of responsibility between the FinTech and the financial institution. While the FinTech may conduct Know Your Customer (KYC) and due diligence procedures on behalf of the bank, it has been noted that these processes are not always sufficiently rigorous. Regulators have found that intermediaries may lack the comprehensive resources or procedures necessary to vet all the underlying account holders or beneficiaries properly. In addition, banks are sometimes criticized for relying too heavily on the intermediary’s KYC and Anti-Money Laundering (AML) checks. This delegation can create significant blind spots in the bank's overall compliance efforts, leading to regulatory lapses. The bank's BSA/AML controls are often built to look at “core” accounts - just one, massive omnibus account without the ability to look through to the beneficial owners. Recently, regulators have emphasized the need for banks to take a more active role in monitoring the ultimate beneficiaries of F/B/O accounts, including performing their own checks to ensure compliance with financial regulations, particularly BSA/AML.
  • Risk concentration and operational risk. F/B/O Accounts inherently blend multiple beneficiaries (users/customers) under a single omnibus, on-core account, creating potential risk concentration issues. Should the FinTech fail, or if there are operational failures in handling these accounts, it could lead to significant disruptions. For example, we have seen headline-grabbing ledger failures that cause delays or complications in distributing funds to the beneficiaries, raising legal and reputational risks for the banks involved. In addition, regulators are asking banks to analyze liquidity risks or concentration risks associated with FinTech partnerships closely. The concern is that a FinTech failure (or a “Twitter Storm”) causes a bank run. We have not seen this to be the case, as generally the infrastructure to integrate a FinTech into a bank is not easily portable and these are some of the “stickiest” deposits in the bank.
  • Inadequate reporting and oversight.  Another criticism that has emerged relates to the lack of adequate reporting mechanisms in F/B/O accounts. Because FinTechs typically manage these accounts, banks might not receive comprehensive data on the account activities of the end users. This can impede the bank's ability to detect suspicious patterns or potential fraud and make it harder to fulfill their obligations under regulatory reporting requirements such as Suspicious Activity Reports (SARs) with FinCEN.  As financial services become more digitized and globalized, regulators are increasingly pushing for greater visibility into F/B/O structures to address these potential gaps.

So, are F/B/O Accounts gone?

In short, the answer is no. The F/B/O Account structure serves an important purpose in banks. These structures only die off if there is no need for third-party FinTech integrations. One need only look to recent consumer sentiment surveys (like the McKinsey & Co. article quoted below) to understand that FinTech is outpacing traditional banking in customer acquisition and growth. FinTechs will always look to develop more advanced, more capable ledgering systems. What will change, however, is that banks must develop greater oversight and control of these structures. The days of banks relying on sophisticated third-party technology vendors, processors, program managers, and compliance vendors have now passed. Unlike the legacy cores (direct FFIEC examined) or the large card processors (decades of compliance and operational experience), the FinTech world is dominated by new, dynamic, disruptive technology that will inherently be “at odds” with traditional banking risk tolerances. The beauty of bank-FinTech partnerships, however, is that they blend the best of both - the technology capability and development skills of the FinTech with the risk management controls of traditional banking.

Ignore those predicting the “end of FinTech banking.” Instead, view this as the growth cycle where too many banks became too dependent on untested technology. The pendulum will now swing back and those financial institutions that can properly embrace and risk-manage these challenges will be those leading the next evolution of banking. If anything, the “moat” around FinTech partnerships is getting deeper and wider. However, if your institution is on the island, the economic benefits are significant.