Feds Freeze $5m At Evolve in “Pig Butchering” Crypto Fraud, Money Laundering Case
Wise, Solid, Airwallex, Mercury & Relay Linked To "Large Fraud Conspiracy Ring," Secret Service Says
Hey all, Jason here.
Welcome to New York! I’ll be here through Friday, taking part in New York Fintech Week — including a happy hour/panel discussion on Tuesday with Current, Knot, and Visa, as well as hosting two masterclasses at the Empire Fintech conference, one with Neepa Patel of Themis and the other with Alex Johnson of Fintech Takes and Riaz Syed of Infinant.
I’m looking forward to an engaging and insightful week!
If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!
Oscilar Unveils An AI-Powered AML Risk Platform
Sponsored content: Introducing Oscilar’s cutting-edge AI-powered AML Risk Platform, a solution designed to tackle the most pressing compliance challenges in today's financial landscape.
As fintech innovation skyrockets, so does regulatory scrutiny. Oscilar offers a new way forward for fintechs and banks caught between the need for rapid growth, customer satisfaction, and the demands of stringent Anti-Money Laundering (AML) compliance. With global money laundering reaching an estimated $2 trillion annually, the stakes have never been higher.
Our platform provides unparalleled insights and control, featuring a 360-degree visibility dashboard, intelligent alert prioritization, transparent AML workflows, and advanced machine learning for detection and investigation. And, compliance operators can rely on our Gen AI Co-Pilot for assistance with investigation, reporting, and analytics.
Elevate your compliance strategy with Oscilar and join us in redefining AML compliance for the digital age.
Feds Freeze $5 Million At Evolve Bank & Trust in “Pig Butchering” Crypto Fraud, Money Laundering Case
Newly discovered court filings obtained exclusively by Fintech Business Weekly reveal the US Secret Service seized just over $5 million held at Evolve Bank & Trust.
The funds, held in the name of Bytechip LLC d/b/a Qbit and Gatcha Pictures LLC, the beneficial owners of which are both Chinese nationals, are the proceeds of various frauds, including crypto “pig butchering” scams, the US government’s filing says.
In a confusing twist, Bytechip is suing banking-as-a-service platform Solid and Evolve, seeking to recoup the funds — in a case filed the same day as the US government’s request for asset forfeiture, January 22, 2024.
Bytechip filed suit in California superior court, in a case that was subsequently removed to federal court, alleging breach of contract, conversion, and violations of California’s business and professions code.
Bytechip, operating as Qbit, purports to offer global banking services, including cash management, cross-border payments, foreign exchange, lines of credit, and merchant acquiring. The company is registered as a money services business (MSB) with FinCEN, but does not appear to hold any state money transmission licenses (MTLs), per a search of NMLS. Although incorporated in the US, the company appears to operate primarily out of mainland China and Hong Kong.
In addition to offering business accounts itself, Qbit purports to offer banking-as-a-service and cards-as-a-service, which would, in turn, enable other companies to build customer-facing offerings on top of Qbit’s APIs.
Qbit also offers overseas business incorporation in the US, Hong Kong, Singapore, and the Cayman Islands.
Bytechip began its relationship with Solid, and, through it, Evolve Bank & Trust, in September 2022.
The company’s contract with Solid states that “Solid will be responsible for all aspects of establishing and managing its relationships with the Banks and will enter into agreements with Banks to provide the Services contemplated,” suggesting that Bytechip had no contract or direct relationship with Evolve.
According to Bytechip’s suit, the company received an email from Solid on January 20, 2023, indicating Solid was terminating its relationship and that its accounts would be closed on February 17, 2023 — though Bytechip says that Solid never sent an official notice of termination.
However, Bytechip was unable to move funds from its accounts, as, according to the suit, “Evolve froze or instructed to freeze the funds in the 1162 account, citing an ongoing fraud investigation with the federal government into a high volume of transactions related to certain accounts, including the 1162 account.”
In June, at Bytechip’s repeated requests, Solid sent the company a letter produced by Evolve stating that the accounts of Bytechip, along with Gatcha Pictures and Rinotech, were frozen “due to their involvement in unsatisfactory banking practices.”
In a subsequent email in July 2023, Solid’s head of operations told Bytechip that (emphasis added) “the bank is currently in the process of investigating a high volume of transactions related to the 3 accounts of Qbit, and they are working in conjunction with the federal government. Please note that the Program will be notified of the outcome of the investigation via Solid as soon as the bank is able to provide us with the necessary documentation & the final instructions to Solid on the balances of these 3 accounts… [P]lease understand, such investigations usually take time especially when the Feds are involved.”
Solid’s communications to Bytechip potentially could run afoul of “anti-tipping” regulations, which generally prohibit financial institutions from informing clients that they are the target of an investigation.
Secret Service Seized $5 Million From Accounts At Evolve Bank & Trust
In a separate filing also dated January 22, 2024, the US government sought — and was granted just three weeks later — the seizure of just over $5 million in accounts opened through Solid at Evolve Bank & Trust in the names of Gatcha Pictures LLC and Bytechip LLC.
According to an investigation by the US Secret Service, the funds were the proceeds of a wire fraud conspiracy and money laundering operation involving 26 Chinese nationals living in the US and mainland China, who opened shell companies in California, Wyoming, New York, and the United Kingdom.
Those shell companies, in turn, opened accounts at Evolve through Wise (formerly TransferWise), Solid, Airwallex, Relay, and Mercury. Although the case names Relay and Mercury, the majority of the activity appears to have taken place through Wise, Solid, and Airwallex.
According to the filing, the Secret Service began investigating in December 2022 in response to a complaint to the Internet Crimes Complaint Center (IC3) of an individual defrauded of $40,000, which was transferred through Evolve.
In investigating the case, a financial crimes investigator for Evolve told the agent that she was aware of the transaction, and believed total fraud exposure related to virtual accounts at Evolve was in excess of $15 million.
One scam detailed in the filing describes an individual being added to a random Telegram channel and, when he asked why, told of an “investment opportunity” — a Bitcoin/Tether trading pair option contract that purportedly would yield a 50-95% return in 30 to 600 seconds.
According to the filing, the fraudsters used numerous accounts at Evolve, through fintech partners Solid, Wise, Airwallex, Mercury, and Relay to move funds in an attempt to obfuscate their illicit origins, in a practice known as “layering.”
Relay previously partnered with Evolve, before moving to Thread Bank via BaaS platform Unit. Wise and Evolve abruptly ended their partnership last October; Wise now partners with CFSB and JPMorgan Chase.
There were clear signs the companies and their beneficial owners were higher risk.
In addition to the Chinese identity credentials the beneficial owners supplied, addresses associated with the companies had numerous prior fraud complaints associated with them.
The London address used for Gatch’s Airwallex account had 23 fraud complaints associated with it. Gatcha’s New York address, used on its Solid account, had seven fraud complaints associated with it. The firm never filed a US tax return with the IRS. And the IP address used to access multiple accounts indicated a location in Cambodia.
The Secret Service agent investigating the matter wrote in the government’s suit (spacing adjusted and emphasis added):
“Based on my training and experience, I know that Gatcha Solidfi vAccount **6272 and Bytechip Solidfi vAccount **1162 are used to provide money laundering infrastructure to a large wire fraud scheme perpetrated against numerous individuals.
Bytechip LLC, Gatcha Pictures, and Paralel Design are entities interconnected through IP addresses, outgoing debit transfers, and intrabank transfers of funds, each performing an important function in a large fraud conspiracy ring.
None of these entities bears any indicia of legitimacy in its operations.”
Latest Bad News For BaaS
The revelation of the Fed’s seizure of $5 million in illicit funds is the latest black eye for fintech and banking-as-a-service.
The news comes on the heels of two additional consent orders for BaaS banks, Piermont and Sutton, and The Information’s reporting on Mercury’s dubious AML compliance practices. Solid remains embroiled in a lawsuit with its lead investor, FTV, and Mercury’s dispute with Synapse remains ongoing.
Many banks operating BaaS business models have been derisking by offboarding higher-risk and lower-value programs, and the future for fintechs that depend on Evolve seems more unclear than ever. What this latest news may mean for Evolve fintech clients — especially those named in the case — is unclear, but certainly isn’t positive.
A representative for Evolve Bank & Trust declined to comment.
A representative for Wise said via email, “We are not a named defendant in this litigation so cannot discuss this further.”
A representative for Airwallex said via email, “As a regulated financial institution, we are unable to comment on specific users or transactions.”
FDIC’s Consumer Compliance Report Highlights Third-Party Risks
The FDIC recently released its 2023 consumer compliance highlights, which provides an anonymized look at the most commonly found issues during banks’ consumer compliance examinations.
The bulletin also touches on recent regulatory guidance, including guidance on overdraft fees for “authorize positive, settle negative” transactions, multiple re-present NSF fees, interagency guidance on third-party risk management, and the FDIC’s final rule on FDIC signage and advertising requirements.
Finally, the bulletin provides data on trends in consumer complaints by product type over time.
While the report isn’t focused specifically on banking-as-a-service or fintech partnerships, the risks it highlights are certainly worth taking note of, especially in light of Piermont’s recently released consent order, which include EFTA/Reg E issues, and Unit’s widespread issues with overseeing marketing materials in its bank/fintech partnerships.
The top five most frequently cited infractions related to:
Truth In Lending Act (TILA) / Reg Z, which regulates disclosures, marketing, and periodic statements related to consumer credit products, including requiring “the creditor to accurately disclose certain closing cost information on the Closing Disclosure,” which accounted for 9% of TILA violations cited.
Flood Disaster Protection Act (FDPA), which, among other things, “requires that adequate flood insurance be in place at the time a covered loan is made, increased, extended, or renewed.”
Electronic Funds Transfer Act (EFTA) / Reg E, which is intended to protect consumers engaged in electronic funds transfers and “requires a financial institution to investigate allegations of electronic fund transfer errors, determine whether an error occurred, report the results to the consumer, and correct the error within certain timeframes.”
Truth In Savings Act (TISA) / Reg DD, which defines the content and timing requirements for disclosures related to deposit accounts.
Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices (UDAPs).
With the exception of the FDPA, all of these are relevant considerations for bank/fintech partnerships, specifically those offering deposit accounts, payments services, and credit products covered by TILA.
During 2023, the FDIC undertook 16 formal enforcement actions and 16 informal enforcement actions related to consumer compliance examination findings.
Bank Oversight of Third-Party Partners, Including BaaS/Fintech Programs
In an implicit nod to the number of FDIC-supervised banks that have received consent orders related to their BaaS or fintech activities, the report also includes observations of issues from consumer compliance examinations that stem from “deficiencies” in banks’ oversight of their third-party relationships.
The report flagged misuse of FDIC logo/language, saying:
[T]he FDIC identified instances where a number of third parties represented or implied that uninsured f inancial products were insured by the FDIC. Certain instances involved false or misleading representations about FDIC deposit insurance, including the omission of material information that prevented consumers from understanding the extent or manner of deposit insurance provided, in violation of Part 328. In some cases, these third parties had relationships with FDIC-insured banks and in other cases they did not have a banking relationship.
Specifically, FDIC examiners identified weakness in banks’ compliance management systems, the large volume of activity, and some banks’ reliance on third-party providers to implement controls as contributing to the violations.
The report’s recommendation for mitigating risk of misuse include:
Ensuring board and management involvement during the lifecycle of the third-party relationship.
Collecting and maintaining thorough documentation related to due diligence conducted prior to entering into a relationship, demonstrating that the board and management considered and accepted consumer compliance risks.
Developing policies and procedures that adequately guide and support activities and the related risks, including consumer compliance risks related to Part 328.
Ensuring that monitoring and audit programs are commensurate with the size and complexity of activities to allow for timely identification and correction of consumer compliance concerns, including any marketing efforts related to the product or service offered by the institution or third party…
Implementing a comprehensive complaint management program that provides for the identification of consumer complaints of consumer confusion regarding deposit insurance, timely corrective action, tracking, and trend analysis for all complaints, including those received by third parties.
The FDIC report also specifically flagged UDAP risk in banks’ and banks’ third-party partners’ marketing of credit builder products, saying in part (spacing adjusted and emphasis added):
Examiners identified instances in which credit building was advertised as a benefit tied to other credit products, such as credit cards and consumer loans.
In some cases, banks used these credit-building claims to sell products that had no features or functions to improve the consumer’s credit. Examiners also identified products advertised as credit building that had no positive impact on the consumer’s credit score or resulted in lowering a consumer’s credit score.
For example, one institution advertised a product to improve a consumer’s credit score, but the institution did not furnish credit information to credit reporting agencies.
In order to mitigate risk, especially around the marketing of credit building products, the report emphasizes that “it is important that institutions and third parties support claims about improvements in credit reports and score increases, and are clear about the potential for negative credit reporting. Credit building should be tangible and meaningful, and not merely a marketing ploy.”
Risk mitigation strategies that can help banks and their third parties stay compliant with relevant regulation include:
Ensuring disclosures and agreements clearly, conspicuously, and accurately describe the product, risks, and consumer rights in a way that promotes transparency and informed decision making
Ensuring a product’s marketing and onboarding process accurately match the actual benefits it delivers
Structuring contracts to allow for sufficient board involvement and oversight, including of third-party relationships
Undertaking initial and ongoing reviews of marketing material, including websites, mobile apps, and social media sites/posts
Having evidence to support claims in advertisements, including monitoring evidence to ensure claims are still supported
The FDIC also flagged bank oversight of third parties handling EFTA/Reg E disputes or offering credit products on a bank’s behalf.
In its examinations, the FDIC found examples of Reg E violations related to “failing to conduct investigations, failing to report the results of the investigation to consumers, and failing to correct the errors,” including in cases where error resolution had been outsourced to a third-party provider.
Suggested approaches for mitigating such risk include implementing an effective compliance management system with adequate third-party oversight and verifying bank employees and those of relevant third parties have adequate training and understanding of Reg E’s requirements.
Finally, the report highlights potential risks in bank/fintech partnerships for delivering consumer credit, citing an example of an FDIC-supervised institution which “engaged in unsafe or unsound banking practices by failing to establish and maintain internal controls, information systems, and prudent credit underwriting practices,” including through its third-party relationships.
Recommendations to mitigate said risks include:
Performing periodic risk assessment to identify fair lending risks, including those associated with activities performed by third-party service providers
Institute policies and procedures to address fair lending risks involving the use of third-party service providers
Institute satisfactory processes to analyze lending and borrower data, including from third parties, to ensure compliance with anti-discrimination measures of federal fair lending laws
Perform appropriate fair lending training for relevant staff
Ensure banks’ agreements with third parties include data access rights for the information necessary to carry out fair lending analysis and compliance
Ensure banks’ agreements with third parties include right to review and approve changes in third-parties’ process and systems before implementation
Consumer Compliance Trends: Credit Reporting Issues Top The List
By product category, credit cards drove the largest share of complaints, accounting for 30% of consumer complaints. Credit reporting disputes were the top issue, accounting for 15% of consumer complaints about FDIC-supervised institutions.
Since 2019, the share of complaints related to credit cards has grown by 50%, from 20% of complaints to 30%. Checking accounts and residential real estate have both seen their relative share of complaints decline over the same time period.
Other Good Reads
CFPB’s 1033 regulation could be a boon for small banks (American Banker, paywalled)
Announcing Fintech Fund II (This Week In Fintech)
Who Is BaaS For? (Fintech Takes)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571