Banking

Sponsor-Bank Due Diligence Using Public Bank Data

By Deep Digital Ventures Editorial Team ·

Deep Digital Ventures publishes product education, research explainers, and data-driven articles related to its software tools. This article was prepared by our editorial team using the sources listed below and reviewed for factual accuracy before publication.

Last reviewed: 2026-04-23 | Updated: 2026-04-23 | Methodology: This guide uses public Call Reports, enforcement releases, regulatory guidance, and accounting-standard materials as screening sources. Verify the latest filings and orders before citing them in a credit memo, investor document, board package, or renewal file.

For fintech founders renewing or approving a sponsor-bank relationship, this review answers one operating question: can the sponsor bank keep supporting customer funds, payments, lending, and onboarding if funding tightens, credit quality worsens, or a regulatory order limits activity?

Also useful for credit analysts, bank directors, financial journalists, and vendor-risk teams that need a public-data screen before asking direct counterparty questions.

Executive summary: what public bank data can tell you

Public bank data can show whether a sponsor bank has visible pressure in capital ratios, commercial real estate exposure, deposit funding, problem loans, earnings, or public enforcement history. It cannot show CAMELS ratings, private examination findings, intraday liquidity, unpublished regulatory restrictions, or whether a fintech middleware ledger reconciles to bank records.

  • Confirm the legal bank: identify the charter, regulator, holding company, and exact role in the program before reading any ratios.
  • Read capital and concentration first: use regulatory capital ratios and commercial real estate screens to spot banks with less room for stress.
  • Review deposit mix: uninsured, brokered, reciprocal, and program deposits can behave differently from operating deposits during stress.
  • Watch problem-loan trends: rising nonaccrual loans, 90-day past-due loans, or charge-offs matter more when allowances and earnings do not move with them.
  • Search enforcement actions: active orders mentioning BSA/AML, third-party risk, consumer compliance, liquidity, capital, or technology controls should move the review beyond the business owner.

Keep recent failure examples targeted. The 2023 closures of Silicon Valley Bank and Signature Bank support one narrow diligence lesson: funding and concentration questions can become operational questions when a counterparty depends on one bank.[1][2] The Synapse bankruptcy supports a different lesson: public bank ratios do not prove that customer-funds records reconcile across a fintech, bank, processor, and middleware provider.[3]

Which bank actually supports the fintech program?

Start by identifying the legal bank, not the brand name in a pitch deck. A fintech may market the account, a processor may provide the ledger, and a bank may hold deposits or originate loans. Use FDIC BankFind[4] and the Federal Reserve’s National Information Center[5] to confirm the institution, charter, regulator, and holding-company structure.

  • Bank name and regulator: confirm the legal institution, charter type, and primary federal regulator before you search enforcement records.
  • Role in the relationship: identify whether the bank holds customer funds, originates loans, sponsors ACH or card activity, provides warehouse credit, acts as custodian, or only holds operating cash.
  • Exposure type: separate customer funds, unsettled payment flows, credit exposure, payroll cash, collateral, and operational dependency.
  • Exit path: name the backup bank or processor, the expected migration window, and the product that stops working if the current bank pauses onboarding or exits the program.

The Synapse matter shows why this first step matters. The CFPB said Synapse acted as a bridge between fintech platforms and banks, filed for Chapter 11 on April 22, 2024, and that partner banks later identified a consumer-funds shortfall between $60 million and $90 million.[3] That is not a claim about a bank’s capital condition. It is a warning that bank diligence must include customer-funds records, reconciliation rights, and who controls the ledger.

Which Call Report checks show sponsor-bank risk?

Pull the source filing from the FFIEC Central Data Repository[6] and use the FDIC current Call Report forms and instructions page[7] to confirm whether the bank files FFIEC 031, FFIEC 041, or FFIEC 051. Call Reports are quarterly regulatory filings. Their schedule names are shorthand: RC-R means capital ratios, RC-C means loans, RC-E means deposit mix, RC-O means deposit insurance and assessment data, RC-N means problem loans, RI means income, RI-B means charge-offs and recoveries, RI-C means allowances, and RC-K means average balances.

Timeliness matters. FDIC FIL-28-2020 announced a 30-day grace period for first quarter 2020 Call Reports during COVID-19, which is a reminder to check filing status before treating a quarter as final.[8]

Due diligence questionPublic sourceEscalation signal
Is the bank comfortably capitalized?Schedule RC-R, meaning regulatory capital ratios, and the well-capitalized thresholds in 12 CFR 324.403[9]Escalate if any reported ratio is below the well-capitalized thresholds: total risk-based capital 10.0%, tier 1 risk-based capital 8.0%, common equity tier 1 capital 6.5%, or leverage ratio 5.0%.
Is the loan book concentrated in commercial real estate?Schedule RC-C for loan categories, Schedule RC-R for capital, and the December 2006 Interagency CRE Concentration Guidance[10]Escalate if construction, land development, and other land loans are at least 100% of total capital, or if total CRE loans are at least 300% of total capital and CRE loans grew at least 50% during the prior 36 months.
Are deposits stable enough for the counterparty’s use case?Schedule RC-E for deposit mix and Schedule RC-O for deposit insurance and assessment dataAsk for a treasury review if uninsured, brokered, reciprocal, or program deposits fund activity that the counterparty treats as always available.
Is credit quality moving against the bank?Schedule RC-N for past due and nonaccrual loans, Schedule RI-B for charge-offs and recoveries, and Schedule RI-C for allowancesEscalate if nonaccrual loans, 90-day past-due loans, or net charge-offs rise for two consecutive quarters while allowance coverage does not move with them.
Is profitability absorbing stress?Schedule RI for income and Schedule RC-K for average balancesAsk whether earnings can absorb losses if return on average assets turns negative or net interest income falls while credit costs rise.
Is there a public enforcement issue?FDIC enforcement decisions and orders, OCC enforcement actions, and Federal Reserve enforcement actions[11][12][13]Escalate any active consent order, written agreement, cease-and-desist order, or capital directive that mentions BSA/AML, capital, liquidity, third-party risk, consumer compliance, or information technology controls.

Do not read a single ratio in isolation. A bank can clear the capital screen and still deserve review if problem loans are rising, deposit funding is getting less stable, earnings are weakening, or an enforcement order limits growth, new products, or third-party activity.

For bank-fintech arrangements, read the public numbers next to the Interagency Guidance on Third-Party Relationships: Risk Management, issued June 6, 2023.[14] The guidance covers planning, due diligence, contract negotiation, ongoing monitoring, and termination, which are the same stages a vendor reviewer should ask the counterparty to document.

For deposit products distributed through third parties, FDIC FIL-45-2024 is directly relevant because it discusses risks in bank arrangements with third parties that deliver deposit products.[15] For BSA/AML program expectations, FDIC FIL-42-2024 announced an AML/CFT program notice of proposed rulemaking and an interagency statement.[16]

Enforcement history should be treated as a workflow issue, not just a headline issue. On June 14, 2024, the Federal Reserve issued an enforcement action against Evolve Bancorp, Inc. and Evolve Bank & Trust for deficiencies in AML, risk management, and consumer compliance programs, including fintech partnership oversight.[17] A counterparty using any bank with a similar order should be able to explain what activity is restricted, whether new partners or products require approval, and how customer records are reconciled.

For national banks subject to OCC heightened standards, 12 CFR Part 30 Appendix D gives useful diligence language: concentration limits, risk appetite, risk data aggregation, front-line risk limits, independent risk management, internal audit, and board oversight.[18] Use those terms when asking a large-bank counterparty how a program is monitored.

Allowance review also changed after CECL, the current expected credit losses accounting model. FASB ASU 2016-13, Topic 326 introduced CECL, and the banking agencies maintain supervisory FAQs.[19][20] If allowances do not move when problem loans move, that is a question for the counterparty’s credit team, not a conclusion by itself.

How to run a sponsor-bank renewal screen

Use this renewal workflow before approving a fintech, payment processor, card program manager, lending platform, or embedded-finance vendor that depends on one bank.

  1. Confirm the legal bank in FDIC BankFind and NIC, then identify the primary federal regulator.
  2. Download the last four Call Reports from FFIEC CDR and record the filing form: FFIEC 031, FFIEC 041, or FFIEC 051.
  3. Check Schedule RC-R, the capital schedule, against the well-capitalized thresholds: total risk-based capital 10.0%, tier 1 risk-based capital 8.0%, common equity tier 1 capital 6.5%, and leverage ratio 5.0%.
  4. Compute the CRE screens from Schedule RC-C and Schedule RC-R: construction, land development, and other land loans divided by total capital; total CRE loans divided by total capital; and CRE loan growth over the prior 36 months.
  5. Review Schedule RC-E and RC-O for deposit mix, Schedule RC-N for past due and nonaccrual loans, Schedule RI-B for charge-offs and recoveries, Schedule RI-C for allowances, and Schedule RI with RC-K for earnings on average assets.
  6. Search FDIC, OCC, and Federal Reserve enforcement pages for the bank, the holding company, and any predecessor legal name.
  7. Send the counterparty only the questions that match the public signal: capital plan, liquidity backup, customer-funds reconciliation, third-party oversight, credit quality, or exit plan.
ResultDecision rulePractical action
No active enforcement action, capital ratios above well-capitalized thresholds, no CRE screen, and no two-quarter deterioration in problem loans or charge-offs.Standard renewal can proceed if contract, compliance, and operations reviews are also clean.Set quarterly monitoring and require notice before the counterparty changes sponsor bank, ledger provider, processor, or settlement flow.
Active order mentions BSA/AML, third-party risk, consumer compliance, liquidity, capital, or information technology controls.Do not approve at business-owner level only.Route to legal, risk, treasury, and finance; ask whether the order restricts new partners, new products, transaction volume, or customer onboarding.
A capital ratio is below a well-capitalized threshold or the CRE concentration screen is triggered.Treat the bank relationship as a financial dependency, not just a vendor detail.Cap exposure, require a second-bank plan, and add a termination or migration trigger tied to future filings or enforcement updates.
Customer funds depend on a nonbank ledger or reconciliation process.Public bank data is not enough.Require daily reconciliation evidence, ownership of records, audit rights, and a written plan for customer access if the middleware provider fails.

When public bank data is not enough

Public data is good at showing whether a bank deserves follow-up. It is weaker at proving how a specific fintech program is controlled inside the bank, processor, and middleware stack. The most common false positive is a ratio that looks alarming without context, such as temporary quarter-end deposit movement, a seasonal loan category, or one acquired portfolio that changes trends. The most common false negative is a clean bank ratio set paired with weak customer-funds reconciliation.

When a signal trips, the follow-up question should be specific. Ask what changed, whether the bank has a written plan, whether the regulator has restricted growth or onboarding, who owns the daily customer balance record, who can produce transaction-level support, and what happens to customers if the processor, ledger provider, or sponsor bank exits. A vague assurance that the bank is well capitalized does not answer those questions.

What escalation rules should vendor owners document?

Due diligence should define who owns each public-data trigger. Legal should own contract rights and enforcement-order language. Treasury should own deposit exposure, uninsured balances, backup accounts, and liquidity movement. Finance should own counterparty credit exposure. Risk or compliance should own third-party oversight, BSA/AML, consumer compliance, and customer-funds reconciliation.

A practical escalation rule is simple: if a public filing or enforcement source changes the answer to "can this bank keep supporting the relationship under stress," the vendor owner cannot approve alone. The issue should move to the internal owner who can change exposure, require a control, or stop the renewal.

  • Capital trigger: any capital ratio below the well-capitalized level, or an order requiring the bank to meet and maintain a specific capital level.
  • CRE trigger: construction, land development, and other land loans at least 100% of total capital, or total CRE loans at least 300% of total capital with at least 50% CRE growth over 36 months.
  • Asset-quality trigger: two consecutive quarters of higher nonaccrual, 90-day past-due, or net charge-off pressure.
  • Deposit trigger: reliance on uninsured, brokered, reciprocal, program, or other non-core deposits that the counterparty treats as operating liquidity.
  • Third-party trigger: an enforcement action, consent order, written agreement, or public supervisory statement that addresses third-party risk, BSA/AML, consumer compliance, recordkeeping, or fintech partner oversight.
  • Recordkeeping trigger: any customer-funds model where the bank, processor, fintech, and middleware provider do not share the same daily balance record.

Public data should create questions, not final verdicts. The right output is a short issue log: source, schedule or order, date, ratio or trigger, counterparty response, owner, and decision. That log is what a founder can show investors, what a credit analyst can put behind a memo, what a journalist can use to avoid overclaiming, and what a bank board can use to ask management better questions.

FAQ

Is public bank data enough to approve a sponsor bank? No. It is a screening layer. Approval still depends on contracts, controls, compliance testing, settlement mechanics, insurance analysis, reconciliation evidence, and direct answers from the counterparty.

Which Call Report schedules matter most for vendor diligence? Start with RC for the balance sheet, RC-R for capital ratios, RC-C for loans, RC-N for past due and nonaccrual loans, RC-E and RC-O for deposits, RI for income, RI-B for charge-offs and recoveries, RI-C for allowances, and RC-K for average balances.

Should every active enforcement action stop a deal? No. The question is fit. An order about BSA/AML, third-party risk, capital, liquidity, consumer compliance, or information technology controls matters more for a fintech or payments relationship than an unrelated legacy issue.

How often should the file be refreshed? Refresh the Call Report review quarterly and rerun enforcement searches before signing, renewal, material volume increases, or a new product launch. For high-exposure relationships, monitor enforcement pages more often because orders can appear between Call Report cycles.

CTA: For a faster starting point, use the Banking Deep Digital Ventures bank search and individual bank profiles or Banking Deep Digital Ventures to turn public metrics into a focused escalation file before sponsor-bank questions move to legal, treasury, finance, risk, or the board.

Sources

  1. FDIC failed-bank page for Silicon Valley Bank: https://www.fdic.gov/resources/resolutions/bank-failures/failed-bank-list/silicon-valley.html
  2. FDIC failed-bank page for Signature Bank: https://www.fdic.gov/resources/resolutions/bank-failures/failed-bank-list/signature-ny.html
  3. CFPB enforcement page for Synapse Financial Technologies: https://www.consumerfinance.gov/enforcement/actions/synapse-financial-technologies-inc/
  4. FDIC BankFind institution lookup: https://banks.data.fdic.gov/bankfind-suite/bankfind
  5. Federal Reserve National Information Center institution and holding-company lookup: https://nic.federalreserve.gov/
  6. FFIEC Central Data Repository for public Call Reports: https://cdr.ffiec.gov/public/
  7. FDIC current Call Report forms, instructions, and related materials: https://www.fdic.gov/bank-financial-reports/current-quarter-call-report-forms-instructions-and-related-materials