FDIC Proposes Significant Obligations in Connection With Custodial Accounts

On September 17, the Federal Deposit Insurance Corporation (FDIC) Board of Directors issued a notice of proposed rulemaking (NPR) that would create additional obligations for insured depository institutions (IDIs) in connection with certain custodial accounts established by account holders for the benefit of others. Among other things, IDIs would be required to have “direct, continuous, and unrestricted access” to third-party records including the balance attributable to each beneficial owner of covered custodial accounts, which would likely flow through as a burden to fintechs or other market participants with the direct customer relationship. In that regard, the FDIC likely has, unsurprisingly, dramatically underestimated the burden of compliance.

The NPR will be subject to 60 days of public comment after it is published in the Federal Register. The NPR does not specifically address a timeframe for compliance after the rule is finalized but notes that subject to certain exceptions, banking regulations that impose additional reporting, disclosures, or other new requirements shall take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form — although this would not be a practical deadline to implement the changes contemplated by the NPR.

A more detailed summary is provided below.

Scope

• Generally, the NPR would require IDIs to have access to beneficial ownership records for each “custodial deposit account with transactional features” unless an exception applies.¹   
• A “custodial deposit account with transactional features” means a deposit account (1) established for the benefit of beneficial owners, (2) in which the deposits of multiple beneficial owners are commingled, and (3) “through which beneficial owner(s) may authorize or direct a transfer through the account holder from the custodial deposit account to a party other than the account holder or beneficial owner.”²  
• There is some ambiguity in the NPR as to the scope of condition #3. Specifically, the NPR does not use the term “directly or indirectly,” and in certain account structures users of an associated front-end transaction account arguably do not instruct transfers from the custodial account to third parties. They instruct transfers from their transaction account, which may result in withdrawals from the custodial account.³ Whether the FDIC will clarify this aspect of the scope remains to be seen.
• Further, the “account holder” through which the customer may instruct transfers is construed broadly to cover any business that contracted with an IDI to establish a custodial account.  That is to say, it does not matter if an account is titled in the name of the IDI rather than of the third party on behalf of beneficial owners.
• Certain exceptions are provided, including for

1. accounts only holding trust deposits (as defined in FDIC regulations)⁴  
2. accounts established by broker-dealers and investment advisers (i.e., sweep accounts)⁵  
3. accounts maintained pursuant to an agreement to allocate or distribute deposits among participating insured depository institutions in a network for purposes other than payment transactions of customers of the insured depository institution or participating insured depository institutions⁶  

• Although the NPR technically applies only to IDIs, banks would certainly pass through various obligations to their partners with the underlying customer relationships and customer records, although that would not relieve banks of their own responsibilities.

Access to Records

• When beneficial ownership records are maintained by a third party, IDIs would be required to have “direct, continuous, and unrestricted access” in the form prescribed in Appendix A (discussed below).⁷  
• Although the NPR suggests “this could be accomplished, for example” by the secure real-time exchange of data, it is not immediately apparent what mechanism besides an API would satisfy the requirements of “direct, continuous, and unrestricted access.”⁸  
• However access is operationalized, such access must be provided “in the event of business interruption, insolvency, or bankruptcy of the third party.” This raises several issues, including (i) will institutions be penalized if, notwithstanding business continuity plans (BCPs), access is not “continuous” due to a disaster, and (ii) how the reference to bankruptcy should be read in the context of the automatic stay that would apply in the event of the bankruptcy of the account holder or other intermediary holding beneficial ownership records.

Content and Format of Records

• Beneficial ownership records are required to be provided in a standardized pipe-delimited file format set forth in Appendix A of the NPR. Presumably this would require systems modifications to prepare and receive.
• Even though some of the content is unexceptional — for instance, name, address, account type, and account balance — there are specific field size requirement that may not be consistent with existing systems.
• A tax ID is required. It is not immediately apparent what the consequences would be when that information is not collected for certain accounts, but a null value is not allowed.  

Other Compliance Obligations

• IDIs would also be required to do the following:

1. Maintain BCPs, including backup recordkeeping and technical capabilities.⁹ This begs the question how this BCP obligation would apply when the records are actually maintained by a third party. Presumably the intermediary would need to commit to provide BCPs, which the IDI would then want to audit. However, the FDIC specifically directs IDIs to consider “storing copies of prior daily or weekly account balances and beneficial ownerships balances internally at the IDI, or at another location independent of the third party.”
2. Implement internal controls appropriate to (i) accurately determine respective beneficial ownership information and (ii) conduct reconciliation no less frequently than close of business daily.¹⁰  
3. Maintain policies and procedures to achieve compliance.¹¹  
4. Annually certify compliance with the NPR.¹²  
5. Provide reports at least annually to the FDIC, including “a description of any material changes to the institution’s information technology systems since the prior annual report that are relevant to compliance with this part.”¹³ It is unclear whether changes at fintech partners would fall within this reference.

• IDIs would be specifically required to contractually bind third parties to certain requirements of the NPR (e.g., having the controls referenced above) and require an annual independent validation of recordkeeping.¹⁴ This would likely require additional compliance measures as well as amendments to agreements with bank partners.
• Note also that if records are outsourced to a third-party service provider, the FDIC would require IDIs to have a direct agreement with that service provider. It is not clear, however, whether this language is intended to apply if, for example, the account holder itself has engaged a third party to maintain balance records on its behalf.

---