Have You Heard of the New Proposed Recordkeeping Requirements for Custodial Accounts?

On September 17, 2024, the FDIC issued a Notice of Proposed Rulemaking (“NPRM”) on Requirements for Custodial Deposit Accounts with Transactional Features and Prompt Payment of Deposit Insurance to Depositors. The NPRM has a 60-day comment period.

The rule focuses on ensuring prompt and accurate payment of deposit insurance in the event of the failure of an FDIC-insured depository institution (“IDI”) and consumer access to funds at an IDI in the event of third-party failures. It also touches briefly on concerns that third-party advertisements for these types of accounts may misrepresent the third party as FDIC-insured or may otherwise mislead consumers about FDIC insurance. The NPRM specifically discusses the Synapse bankruptcy as an example of “severe hardship” that has been “devastating” for consumers and “deeply troubling” to the FDIC. The proposed rule would require non-exempt custodial accounts to meet a variety of requirements designed to prevent future Synapse-like issues.

The rule would define a covered custodial account as an account 1) established for the benefit of beneficial owners, 2) containing commingled deposits of multiple beneficial owners, and 3) allowing beneficial owners to authorize or direct a transfer through the account holder to a party other than the account holder or beneficial owner. The rule does contain several exemptions, such as IOLTA accounts, real estate broker accounts, escrow accounts, etc.

The proposed rule would contain file format specifications that IDIs would be required to use to maintain current and accurate data on covered custodial accounts. IDIs would have to maintain internal controls that would ensure accurate deposit account balances and daily reconciliations against the bank’s beneficial ownership records.

For IDIs that use a third party to meet the recordkeeping requirements, the IDI would be required to have direct, continuous, and unrestricted access to records in the standardized file format. The IDI would also need to have a continuity plan in place that would provide for uninterrupted compliance with the rule in the event of the third party’s failure.

IDIs would be required to have a direct contractual relationship with third parties maintaining these records, with the contract including defined roles and responsibilities for recordkeeping, including an assignment of rights to the IDI (for any rights that are necessary to access data held by other parties), a requirement for the third party to implement adequate controls to comply with the rule, and a requirement for periodic validation of compliance with the recordkeeping requirements. The third party would not be able to complete these validations internally, so they would have to be done by an external auditor or the IDI.

Each IDI holding covered custodial deposits would be required to annually submit to the FDIC and its own regulator a certification signed by the IDI’s CEO, COO, or highest-ranking official stating that the IDI has implemented and tested its implementation of the recordkeeping requirements within the last 12 months. IDIs would also be required to notify their regulator and the FDIC of any material changes to their information technology systems that are relevant to compliance with the rule, and to provide a list of account holders maintaining covered custodial deposit accounts, the results of implementation testing, and the results of any independent validation of records maintained by third parties.