A fintech founder showed me his app’s cash screen and asked, with some pride, whether the line he had written under the balance was strong enough. It read, in clean sans-serif: “Your funds are FDIC insured up to $250,000.” He thought he was being conservative — he had a real partner bank, the cash really did sit there, and the number was right. I had to tell him the sentence was a problem in three different ways at once, and that the version of it a regulator would not flag looked almost nothing like what he had on the screen.
The gap between what fintechs say about FDIC insurance and what the rules actually permit is one of the most common and most dangerous drafting failures in the consumer-fintech stack. It is dangerous because the mistake lives in marketing and UI, where it is most visible, and because the recent wave of fintech-middleware failures has made both the FDIC and the public acutely sensitive to the difference between “your money is insured” and the considerably more complicated truth. If your product holds customer cash at a partner bank, you need to understand pass-through coverage precisely, because the disclosures can say less than founders assume and the marketing can say even less.
A non-bank does not insure anything
Start with the structural fact the screen obscured. A non-bank fintech that holds customer cash at a partner bank in a “for-benefit-of” account — an FBO account, where the fintech is the named accountholder holding for its customers — does not itself provide deposit insurance. It cannot. FDIC insurance attaches to deposits at an insured depository institution and responds to the failure of that institution. The fintech is not a bank and does not fail in the way the FDIC fund covers. What the fintech can offer, if the conditions are met, is pass-through coverage: the insurance flows through the FBO account to the underlying customers as if each held their share directly at the bank.
That word — pass-through — is doing enormous work, and it comes with conditions that the typical disclosure ignores. Pass-through is not automatic. It is available only when specific recordkeeping requirements are satisfied, and if they are not satisfied, the coverage that founders are advertising may simply not exist when it is needed. The screen that says “your funds are FDIC insured” asserts as a present fact something that is, at best, conditional and contingent.
The two prongs everyone forgets
Pass-through coverage rests on two conditions, and both are required; satisfying one without the other fails. Under the FDIC’s rules on recognition of deposit ownership, the first prong is that the bank’s deposit-account records must disclose the custodial or fiduciary nature of the account — this is the account titling, the way the FBO relationship is named on the bank’s books. The second prong is that records must identify each beneficial owner and the amount of that owner’s interest, whether those records are kept by the bank or by the custodian on the bank’s behalf. The operative recognition rule for these arrangements is found in the FDIC’s deposit-insurance regulations at 12 C.F.R. Part 330, with § 330.5 setting the records-and-recognition condition and § 330.7 supplying the coverage rule for accounts held by an agent, custodian, or nominee. They work together, and counsel should cite them together rather than treating either as the whole answer.
The practical lesson is that pass-through is a recordkeeping achievement, not a contractual promise. You do not get coverage because your terms of service say the word “insured.” You get it because the bank’s records correctly reflect the custodial nature of the account and because someone — the bank or you — can produce an accurate ledger of who owns what. The recent fintech-middleware failures, where customers could not get their money because no one could reconcile the ledgers, are the case study in what happens when the second prong is theoretically satisfied but operationally broken. A proposed FDIC rule on custodial-account recordkeeping would push exactly here, requiring daily reconciliation and specific controls for custodial accounts with transactional features. The direction of travel is toward more recordkeeping rigor, not less.
The titling detail that quietly defeats coverage
There is a failure mode inside the first prong that deserves its own attention, because it is mundane and catastrophic at once. Pass-through depends on the bank’s records correctly identifying the custodian, and that identification runs through the exact legal name and details of your entity as they appear across the account title, the signature card, and any side letters. Inconsistent names or spellings, an abbreviation in one document and the full name in another, or — a real one I have seen — the wrong state of incorporation listed somewhere in the stack, can introduce exactly the kind of ambiguity that undermines the records condition. The coverage that depends on the bank knowing who holds the account in a custodial capacity is only as good as the consistency of the paperwork that establishes it. The entity-level housekeeping that founders treat as a formality is, here, load-bearing.
What the marketing rule lets you say
Even when pass-through is properly set up, there are hard limits on how you may talk about it, and they come from the FDIC’s rule against misrepresentation of insured status, at 12 C.F.R. Part 328 — § 328.102 in particular. The rule governs how you can reference the FDIC. You may not imply that the non-bank itself is insured. You must make clear that insurance covers only the failure of the insured bank, not the failure of the fintech, not the loss of funds for any other reason. A statement that funds are passed through must disclose that conditions apply. And you must not imply that crypto or other non-deposit products are insured — a point that matters enormously for any platform displaying an insured cash balance next to an uninsured digital-asset balance.
The safe posture follows directly. Rather than “your funds are FDIC insured,” the defensible language is conditional and scoped: customer funds may be eligible for pass-through insurance provided the conditions are satisfied, with no guarantee, and with the coverage tied expressly to the failure of the insured bank. Alongside it, for any platform that also holds crypto, a clear and separate statement that digital assets are not deposits, are not FDIC-insured, and may lose value. The thing you do not do is market FDIC coverage as a product feature — a benefit you are offering — because that framing is precisely what the misrepresentation rule is built to stop.
The risk is in the UI, not the terms
Here is the part that surprises founders most. The enforcement risk concentrates not in the dense terms-of-service language their lawyers fought over, but in the marketing and the interface — the screens, the onboarding copy, the push notification that says “your money is safe.” A terms-of-service section can be careful and complete and still be undercut by a home screen that displays an insured cash figure and an uninsured crypto figure in close proximity without clearly differentiating them. The two numbers sitting next to each other, in the same visual treatment, can imply to a reasonable user that both are protected — which is the implication the rule forbids.
So the drafting work has to extend past the contract. The cash and the crypto must be visually and verbally differentiated wherever they appear together. The insured balance carries the conditional, bank-failure-scoped language; the crypto balance carries the not-a-deposit, not-insured, may-lose-value language; and the proximity of the two is itself a design decision with legal consequences. For a platform that mixes fiat and digital assets, the FDIC disclosure problem is as much a product-design problem as a contract-drafting one, and the lawyer who reviews only the terms and never opens the app has reviewed half the exposure.
The honest summary
Pass-through FDIC coverage is real and valuable, and there is nothing wrong with offering it. What is wrong is describing it as something it is not — a promise the fintech makes, a feature the fintech provides, a present and unconditional fact about the safety of customer funds. The accurate story is narrower and more honest: coverage may pass through to customers if the bank’s records reflect the custodial nature of the account and identify each owner’s interest, it responds only to the failure of the insured bank, and it does not touch crypto or swept funds at all. A fintech that builds that story into both its terms and its interface — conditional language, bank-failure scope, clean separation of insured and uninsured balances, and entity details that match across every bank document — is one that can talk about FDIC insurance without inviting the regulator who reads the home screen. The recognition rules reward accurate recordkeeping, and the disclosure rules reward accurate description; the founder’s instinct to reassure is exactly the instinct that gets both wrong.
— John

