The FDIC Still Has a Synapse-sized Problem
Written by Alex Johnson

Alex Johnson is the founder of Fintech Takes, a newsletter and podcast that brings banking, fintech, and public policy analysis to more than 50,000 industry professionals. Alex has more than 20 years of experience in financial services, including stops at FICO, Cornerstone Advisors, and Zoot Enterprises.
Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.
It’s now been one year since the collapse of Synapse, perhaps the single most disruptive event in the history of fintech.
Thousands of customers of niche fintech apps with names like Yotta, Copper, and Juno were cut off from their funds. A Chapter 11 bankruptcy proceeding was initiated, with former FDIC Chair Jelena McWilliams eventually appointed Trustee. Evolve Bank & Trust, one of Synapse’s primary bank partners, suffered a data breach and was hit by an enforcement action from the Federal Reserve. The prudential bank regulators issued an RFI, seeking information on bank-fintech arrangements. The FDIC proposed a new rule on deposit insurance recordkeeping for banks’ third-party accounts. Evolve’s big fintech partners jumped ship, chaotically in some cases.
And after a year of work, we still don’t know exactly how much money end customers had trapped in the Synapse ecosystem, how much of that money has been returned, what caused the shortfalls in user funds in the first place, or if there was any criminal wrongdoing on the part of any of the companies or executives involved.
It’s all very bad, and while I deeply sympathize with the end customers who were impacted, I am also grateful that this happened.
The collapse of Synapse was the close-to-worst-case scenario for how bank-fintech arrangements can break. Almost everything that could have gone wrong went wrong. And, in so doing, it illuminated the single most important question for policymakers moving forward — In a digital-first world, how do financial services customers know who to trust?
Strangely, even after a year of introspection, discussion, reconciliation, rulemaking, and lawsuits, we still don’t have a good answer to this question.
The Many Jobs of the FDIC
From a regulatory perspective, the failure of Synapse and the impact on end customers was a total team failure. Everyone — the Federal Reserve, the OCC, the FDIC, the CFPB, and the state banking regulators (especially the Arkansas State Banking Department) — bears some responsibility.
However, for the purposes of this article, I am going to focus on the FDIC.
The FDIC is unique among all banking regulators in its role of establishing and maintaining trust in the U.S. banking system. To illustrate just how unique, here’s an analogy.
Imagine if there was a single organization dedicated to establishing and maintaining trust in the safety of housing in the U.S. This group would, simultaneously, act as the building inspectors (validating that the house was built and maintained in a safe and sound manner), neighborhood watch (discouraging property crime through vigilant supervision and enforcement), fire department (rushing onsite to extinguish any fires before there are any permanent losses), and home insurance carrier (reimbursing homeowners for any losses that do occur).
That’s a lot of jobs, right, Greg?
Well, the FDIC does all of those jobs!
It’s the building inspector (it examines banks, looking for weak capital ratios, faulty internal controls, risky lending, or other issues that could collapse under stress, and issuing supervisory orders to fix any deficiencies). It’s the neighborhood watch (it takes enforcement actions and imposes fines to discourage illegal or risky business practices). It’s the fire department (it resolves bank failures, usually over the weekend, with no interruption in customer account access). And it’s the insurance carrier (the deposit‑insurance fund, which is funded by banks, pays out up to $250,000 per depositor, per insured bank).
And, for the most part, it does all those jobs extremely well!
As the FDIC is fond of reminding people, no consumer has ever lost a penny of federally insured deposits since the FDIC was founded in 1933. Not during the savings‑and‑loan crisis, the Great Recession, the pandemic, or the 2023 regional bank crisis that brought down Silicon Valley Bank.[1]
That’s impressive.
However, I think one of the big-picture takeaways from the Synapse disaster is that the FDIC might have done its jobs too well.
Misplaced Trust
Customers of Yotta, Copper, Juno, and the other Synapse-enabled fintech companies were convinced that their money was safe because those fintech companies went out of their way to imply a government guarantee of safety:
“Funds are held with Evolve Bank & Trust, Member FDIC.”
Evolve is, indeed, FDIC insured. However, the message that many customers took from those types of statements was that the fintech apps built on top of the bank were also safe, as a Juno customer’s story illustrates:
When Rick Davies, a 46-year-old lead engineer for a men’s clothing company that owns online brands including Taylor Stitch, signed up for an account with crypto app Juno, he says he “distinctly remembers” being comforted by seeing the FDIC logo of Evolve.
“It was front and center on their website,” Davies said. “They made it clear that it was Evolve doing the banking, which I knew as a fintech provider. The whole package seemed legit to me.”
Mr. Davies’ misunderstanding is entirely reasonable. To return to the housing analogy, if someone tells you, “The house you are buying is built on a solid foundation and is insured,” your natural assumption would be that the house is well-built and insured if anything happens to it. Imagine that six months later, the house burns to the ground due to faulty wiring, and the person clarifies, “No, we meant that the concrete foundation of the house was insured. We never vouched for the rest of it.”
You would, rightfully, be pissed.
And then imagine that they added this: “Ohh, and about that foundation, which we said was insured. We actually can’t tell you, for sure, whether it is insured or not until after it cracks and we get in to take a look at it.”
Here’s the FDIC’s explanation, published in a consumer-facing newsletter after the Synapse failure, of how pass-through insurance works (emphasis mine):
If the nonbank company deposited your funds in a bank, then, in the unlikely event of the bank’s failure, you may be eligible for what is referred to as “pass-through” FDIC-deposit insurance coverage. However, the nonbank company must take certain actions for your funds to be eligible for FDIC insurance.
For example, after the nonbank places your funds on deposit at a bank, records must be kept to identify who owns the money and the specific amount that each person owns. Ownership of the money is important and is typically determined by the applicable deposit account agreements and state law. There are other requirements as well. It is important to make sure you read the disclosures and terms of service carefully to understand if the account may be eligible for FDIC insurance.
This advice is useless because there is no way for a fintech company’s customer to independently verify that the fintech company’s bank partner is meeting the recordkeeping requirements necessary for pass-through insurance to apply. So, even if a consumer understands what pass-through insurance is and wants to verify its applicability to their chosen fintech service providers (which is a tiny fraction of the overall consumer population … though likely a large percentage of Open Banker readers), they can’t.
The simple truth is that if someone sees the FDIC’s logo, used anywhere by anyone, they will assume that the account or service associated with it is safe.
Now, to be fair to the FDIC, they have been working on fixes for some of these issues.
As mentioned above, the FDIC proposed a new rule on deposit insurance recordkeeping for banks’ third-party accounts. This rule would, among other things, impose stricter compliance obligations on banks that maintain custodial accounts covered by the rule, requiring enhanced recordkeeping, strengthened contractual requirements between banks and their third parties (i.e., fintech companies and BaaS platforms), and an annual certification of compliance and report on custodial deposit account activities.
Additionally, the FDIC has been working for the past few years to update its official signs and advertising requirements, which govern how insured depository institutions (IDIs) can communicate their FDIC insurance coverage to customers. Two requirements under that rule are relevant to this discussion:
A stronger ban on misrepresentation. The rule bans displaying FDIC‑related terms or images unless the claim is 100% accurate, plainly stated, and not misleading. The prohibition applies across all media, from branch posters to TikTok videos and AI‑generated chatbots. IDIs must take reasonable steps to keep their own marketing — and that of their agents, fintech partners, and third‑party publishers — free of false implications. The FDIC can also directly investigate and intervene to stop egregious misrepresentations on its own, in addition to relying on the banks to enforce.
New digital badge requirements. The rule creates a new badge, essentially the digital equivalent of the navy-blue-and-black teller window placard that banks display in their branches. IDIs must display this digital badge continuously and near the top of the homepage or initial screen of every public website and mobile app, login page, landing page, and any page where customers can transact with deposits. It may not sit in the footer or disappear after login. And fintech partners and white‑label apps are expressly forbidden from pasting it on their own sites unless the entire domain is owned by the bank.
The portion of the rule covering misrepresentations went into effect at the beginning of this year, but the compliance deadline for the new digital badge has been pushed back to March 1, 2026, due to a wave of questions and complaints from banks relating to technical and UX challenges.
I think the delay on the digital signage requirements is actually a blessing in disguise, because it gives the FDIC an opportunity to consider a bolder approach, one that better addresses the essential trust problem revealed by the failure of Synapse.
A Bolder Approach
The problem with the FDIC’s approach to regulating the use of its logo and promises of deposit insurance coverage is that it is based on the limitations inherent to physical distribution channels. It’s feasible to monitor and enforce signage requirements when the signs are physical placards placed in bank branch windows. The risk of fraud or misrepresentation is low because it would be prohibitively expensive for a fraudster to set up a realistic-looking fake bank branch to fool consumers into handing over their deposits.
However, extending that baseline assumption into the digital world is a mistake. It is already trivially easy and inexpensive to spin up a legitimate-looking financial services website or app, and generative AI will lower the barriers even further. Now that financial services has become a digital-first (and often digital-only) business, it’s not feasible to expect banks and the FDIC to manually monitor and enforce the FDIC’s misrepresentation ban. That’s a game of Whack-a-Mole that they simply cannot win.
Instead, the FDIC should copy the approach we already use to foster trust on the internet — Transport Layer Security (TLS).
Have you ever visited a website and been informed by your web browser that “your connection to this site is not secure”? This happens because, behind the scenes, your computer asks a trusted Certificate Authority (CA), “Does this site really own this address and can I trust the connection?” If the CA’s cryptographic answer is “yes,” then everything proceeds as usual (you might even see a little padlock icon appear); if the certificate is expired or revoked, the browser pops up a warning. This simple handshake underpins nearly every secure transaction online.
Why not apply the same idea to deposit insurance, while tapping the data the FDIC will collect under its new record‑keeping rule?
Picture the FDIC acting as a purpose‑built CA. Instead of vouching for encrypted traffic, it would vouch that “Yes, this domain belongs to an FDIC‑insured bank (or to a fintech domain explicitly sponsored by that bank) and the deposits you place here are protected.” When the cryptographic check passes, a dynamic FDIC seal pops into view. Copy‑and‑paste images can’t fake it; they carry no signature and simply won’t render.
The FDIC (or a tightly supervised contractor) would keep an offline root signing key and issue short‑lived “intermediate” keys. A bank — or an approved fintech partner — would prove domain control by dropping in a challenge file (or DNS record). The FDIC would then sign a 90‑day digital‑seal certificate listing the bank’s legal name, FDIC number, and the specific domains allowed to display the badge.
A lightweight script (or mobile SDK) lives near the top of every page that touches deposits. On load, it validates the certificate chain and pings an endpoint for real‑time status. If everything checks out, it paints an un‑editable SVG badge; click it and a pop‑up reveals the bank’s name, FDIC number, and the time‑stamp of the latest validation. For partner apps, the panel also says, “Deposits held at: GoodBank, N.A.”
If a bank merges, loses insurance, or slips on compliance, the FDIC can refuse the next renewal or flag the certification as revoked. The badge disappears — or flips red — on the very next page load. Every certificate also lands in public Certificate‑Transparency logs, giving watchdogs (and nerds like me!) an open ledger of legitimate seals.
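The issuance and validation flow described above, sketched as an added example that is not code from the FDIC or the author: a root key signs an intermediate, the intermediate signs a 90‑day seal certificate, and the badge logic accepts it only for a listed domain, inside its validity window, and while it is not revoked. The Ed25519 keys, the JSON certificate layout, the 180‑day intermediate lifetime, the serial, and the `.example` domains are assumptions, and the real‑time status endpoint is modelled as a local set of revoked serials.

```javascript
// Added illustration; not FDIC or Open Banker code. All names and values are constructed.
const crypto = require('node:crypto');

const DAY = 24 * 60 * 60 * 1000;
const encode = (body) => Buffer.from(JSON.stringify(body));

// Issuer side: sign a certificate body with the issuer's Ed25519 private key.
function issue(body, issuerPrivateKey) {
  return { body, sig: crypto.sign(null, encode(body), issuerPrivateKey).toString('base64') };
}

const checkSig = (cert, publicKey) =>
  crypto.verify(null, encode(cert.body), publicKey, Buffer.from(cert.sig, 'base64'));

const inWindow = (body, now) => now >= body.notBefore && now < body.notAfter;

// Badge side: returns { ok, reason }; the seal is drawn only when ok is true.
function verifySeal(seal, intermediate, rootPublicKey, hostname, now, revokedSerials) {
  if (!checkSig(intermediate, rootPublicKey)) return { ok: false, reason: 'bad-intermediate' };
  if (!inWindow(intermediate.body, now)) return { ok: false, reason: 'intermediate-expired' };
  const intermediateKey = crypto.createPublicKey({
    key: Buffer.from(intermediate.body.publicKey, 'base64'), format: 'der', type: 'spki' });
  if (!checkSig(seal, intermediateKey)) return { ok: false, reason: 'bad-signature' };
  if (!inWindow(seal.body, now)) return { ok: false, reason: 'expired' };
  if (!seal.body.domains.includes(hostname)) return { ok: false, reason: 'domain-not-listed' };
  if (revokedSerials.has(seal.body.serial)) return { ok: false, reason: 'revoked' };
  return { ok: true, reason: 'valid' };
}

// Constructed sample hierarchy: offline root -> short-lived intermediate -> 90-day seal.
const t0 = Date.UTC(2025, 0, 1);
const root = crypto.generateKeyPairSync('ed25519');
const inter = crypto.generateKeyPairSync('ed25519');
const intermediate = issue({
  publicKey: inter.publicKey.export({ format: 'der', type: 'spki' }).toString('base64'),
  notBefore: t0, notAfter: t0 + 180 * DAY }, root.privateKey);
const seal = issue({
  serial: 'seal-0001', legalName: 'GoodBank, N.A.', fdicNumber: 'PLACEHOLDER',
  domains: ['goodbank.example', 'app.partner.example'],
  notBefore: t0, notAfter: t0 + 90 * DAY }, inter.privateKey);

// Convenience wrapper: verify a certificate for a hostname at a given time.
function demo(hostname, now, revoked = new Set(), cert = seal) {
  return verifySeal(cert, intermediate, root.publicKey, hostname, now, revoked).reason;
}
```

A seal copied to an unlisted domain fails with `domain-not-listed`, and editing the domain list to include that domain breaks the intermediate's signature, which is what makes the badge harder to forge than a pasted image.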
The beauty of the model is that it dovetails with the FDIC’s proposed custodial‑account record‑keeping rule. That rule requires banks to maintain detailed, machine‑readable records of who owns the money in custodial (fintech) accounts and how much belongs to each customer, precisely the data needed to confirm whether pass‑through insurance will apply in a failure.
By embedding a unique custodial‑account identifier (or a real‑time API link) inside each digital‑seal certificate, the FDIC could let the badge do double duty:
Surface‑level trust: Am I on a domain tied to an insured bank?
Back‑office clarity: Behind the scenes, does the bank’s record‑keeping system show my balance and ownership in a way that satisfies pass‑through requirements?
If the answer to either question turns “no,” the badge fails gracefully, alerting the consumer before money moves.
A New Trust Signal
The FDIC does a tremendous amount of work establishing and maintaining trust in the U.S. banking system. To ensure that work isn’t wasted, it needs to solve for the last-mile problem created by digital distribution channels and third-party fintech arrangements. And that doesn’t mean trying to cram the square peg of a physical sign into the round hole of every bank web page.
By marrying the same cryptographic plumbing we use to create trust on the internet to the FDIC’s forthcoming record‑keeping data, a digitally signed FDIC badge can become the 21st‑century symbol of deposit safety, finally giving customers the trust signal Synapse showed we desperately need.
The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
[1] SVB customers actually had their losses covered well above FDIC insured limits, though that was not without controversy.