The collapse of SaaS provider Synapse plunged $265 million of customer deposits into uncertainty, with a staggering $96 million still unaccounted for. Synapse left a vortex in its wake, dragging as many as 100 ecosystem players into the chaos. While 10 million consumers grapple for missing funds, regulators are tightening the reins.
Let’s examine where Synapse went wrong. These are four fatal mistakes that should never have occurred.
1. Lack of ecosystem visibility
As Bloomberg frankly puts it, “The reason customer deposits are in limbo is that Synapse was bad at record-keeping”. Instead of outsourcing, upgrading, or leaving it to the regulated bank, Synapse created its own in-house ledger. It wasn’t up to the job. The results proved disastrous, leaving account holders unable to even access records of their lost funds.
Even for the few scraps of records that were available, the other parties had “very limited visibility”, according to one Juno blog post. “The only information made available to Juno to date concerning end-user balances was shared by Synapse via the trial balance report”, it continues.
Inadequate record-keeping is inexcusable because it is entirely avoidable. The technology to give all parties – licensed banks, third parties, and end users – full visibility already exists. For example, treXis offers this service, which works interoperably across different banking systems.
End-to-end data visibility is something that the *treXis Data Hub* is specifically designed to address. With treXis, clients retain full ownership of their data, ensuring that critical information is always accessible and under their control. The Data Hub provides powerful tools that offer real-time, comprehensive visibility across the entire ecosystem, allowing all parties—whether front-facing platforms, SaaS providers, or licensed banks—to have accurate insights into customer deposits and transactions.
2. Limited or zero accessibility
In a joint statement, the Federal Reserve, FDIC, and Office of the Comptroller of the Currency condemned this “lack of access to records” as a significant risk. The “lack of sufficient access by a bank to the deposit and transaction system of record and other crucial information and data maintained by a third party can impair the bank’s ability to determine its deposit obligations”.
More stringent access controls, providing each client with secure keys to their data records, could have spared the 10M customers from being unable to trace their “lost” money. When Synapse lost the keys, everyone was – and still is – completely locked out. Granting secure key access would have been a relatively simple way to prevent much of this disaster from unfolding.
The treXis platform ensures that all partners have secure, role-based access to their data through encrypted keys, granting them the control they need while safeguarding sensitive information. Each party in the ecosystem has access to the data relevant to their operations, without compromising security or risking lockouts.
3. No Real Segmentation Between Clients
Data from fintechs like Mercury, Dave, and Yotta should have been stored separately. Neglecting this critical safeguard was a major failure. Not only did it blur the lines between client ledgers, but it also increased the risk of exposure across the board. If one fintech’s data were compromised, it would create a ripple effect, making all others more vulnerable. A breach in one could quickly lead to a breach in all.
Since the fallout, at least one major cyber-attack has been confirmed, resulting in data breaches across multiple Synapse partnerships. Sensitive customer and business information, including Social Security numbers, is now in the hands of criminals.
Again, multi-tenancy data segmentation tools already exist to prevent this. In the same way that most ships or submarines can shut down access in one part to prevent a leak from flooding the entire vessel, technology can do the same for SaaS providers. Our experts at treXis can install this quickly and efficiently. For Synapse, it was an avoidable error.
*treXis Entitlements* ensures that each client’s data is securely isolated, preventing cross-contamination between different fintech partners. Additionally, treXis offers robust entitlement support that allows you to enable or disable features for specific segments, ensuring that each partner has tailored access to only the functionalities they need.
4. Insufficient Contingency Planning
A significant failure across the ecosystem was the lack of a business continuity plan, leaving customers vulnerable when disaster struck.
Due to Synapse’s bankruptcy, account holders were not eligible for FDIC protection. Misleading marketing practices further complicated the situation, as customers believed they were covered by deposit insurance when they were not. Poor marketing compliance and inadequate planning only worsened the frustration among already distressed customers.
*treXis* utilizes modern technologies like Kubernetes and managed services, ensuring high availability and resilience through containerized deployments. This offers automated scaling, self-healing, and seamless failover capabilities. Additionally, treXis integrates managed services that handle infrastructure maintenance, backups, and disaster recovery processes, ensuring that your applications remain operational even in the face of disruptions.
Conclusion
Synapse’s avoidable errors triggered a storm across the entire industry, prompting increased regulatory scrutiny. The FDIC is amending its rules in the wake of the disaster to better protect customers, with revisions expected to come into force as early as January 2025.
Critical technologies require comprehensive security, accessibility permissions, and controls to safeguard data across the entire enterprise.