Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The hack of a small community bank in Arkansas and a related fight over as much as $95mn in missing customer funds that has increasingly drawn the ire of bank regulators and lawmakers has ensnared a surprising, personally at least, victim: Me.
Last week, my wife got an email from Evolve Bank & Trust, which is based in West Memphis, Arkansas, saying a data breach at the bank had exposed our personal information to hackers, but that our funds remained safe.
Here’s the catch: We don’t have an account or any funds at Evolve Bank, at least I didn’t think so. I live in New York, which is about 1,000 miles from where Evolve Bank is based. I have one bank account, jointly with my wife, that we opened in person at a New York City branch of one of the nation’s largest banks nearly two decades ago. We have one bank credit card account.
Another email arrived with a picture of a $480 cheque made out to my wife. I have confirmed that this is legit, a payout that Copper, a fintech that had partnered with Evolve, believes we are owed — money missing from my non-existent, at least to my knowledge, account.
This is modern finance, or perhaps an indictment of it. How my personal data was stolen from a bank that I never was a client of and how my wife ended up with nearly $500 that I don’t think is hers is evidence of how interconnected and messy and vulnerable our current banking system is.
The small Arkansas bank’s troubles started in April when Synapse, a fintech, went bankrupt. Synapse wasn’t a typical fintech, offering say loans or savings accounts online. Instead, it specialised in connecting other fintechs to traditional banks, often small community lenders, in pass through relationships that are sometimes called rent-a-bank. The small banks want more customers but need a way to reach them. The start-ups have sleek apps, but no safe place to keep their clients’ funds. For dozens of apps and a handful of banks, Synapse became the matchmaker.
Synapse claimed that as many as 10mn accounts were managed through its platform. Much of the cash was deposited at Evolve Bank. That trove of client information made Evolve a prime target. Earlier this year, the Russian backed hacking group LockBit 3.0. claimed to have hacked the bank’s systems. Even though Evolve’s most recent regulatory filing says that it has just over 280,000 accounts, the bank says the hack exposed the customers’ names, bank info and social security numbers of as many as 7.6mn individuals.
Even before the hack was known, though, Synapse went bankrupt and turned off its systems. That left the fintechs with clients, but no money, and the banks with cash, but unreliable knowledge of who’s it was.
Worse, Synapse’s court appointed receiver, Jelena McWilliams, who was the head of the regulator Federal Deposit Insurance Corporation during the Trump administration, has said there is a gap between balances that the fintechs say their clients are owed and what Evolve and other banks say they were holding for Synapse. McWilliams says the shortfall between the two could be as large as $95mn.
That left most of the accounts frozen for weeks. Recently, Evolve and another bank been able to recruit some former Synapse employees to help the banks retrieve data that would identify who owns the accounts. Some of the money has started flowing back to customers, though it’s still not clear how much is missing.
I am still not exactly sure how my family and I get caught up in this. Synapse worked with dozens of fintechs, including Copper, which provided debit cards aimed at teens that my family used. In May, shortly after Synapse went bankrupt, Copper turned off my kids’ debit cards, and closed my family’s account. The company said it was no longer offering the product. We got an email saying there was $93 remaining in our Copper account, which we received in a few days.
A spokeswoman for Copper told me that the company had closed all of its accounts connected to Evolve long before Synapse went bankrupt, and that the company has not been notified by Evolve that any of the accounts Copper had at the bank had been breached.
A customer service representative at Evolve confirmed the data breach letter I received was real, but that, unlike what was said in it, I didn’t actually have an account at Evolve Bank. She said my information was likely passed to Evolve by one of the fintechs it worked with, but couldn’t say which one. As for the $480, my guess is that it is a small piece of the millions of dollars that have gone missing, but I can’t be sure. The lack of clarity on all of this is perhaps evidence that the much hyped world of fintech, and the banks that are willing to partner to them, need to pay a little more attention to its plumbing.
stephen.gandel@ft.com
