Synapse Program Was "Nightmare Fuel" Due To Control Gaps, Ex-Employee Says
Mercury Had Evolve "Whitelist" Some Higher-Risk Accounts, Evolve Failed To Properly Run OFAC Checks For Seven Years, Sources Say
Hey all, Jason here.
When this arrives in your inbox, I should be somewhere over the Atlantic Ocean, en route to spend some time with friends and (attempt to) unplug.
Looking forward to my first time attending fintech devcon in August in a couple weeks — more detail on that event below.
If you enjoy reading this newsletter each Sunday and find value in it, please consider supporting me (and finhealth non-profits!) by signing up for a paid subscription. It wouldn’t be possible to do what I do without the support of readers like you!
Finally, a fintech conference without sales pitches.
Sponsored content: fintech_devcon is a fintech developer event focused on education, not marketing. Speakers are actual developers, engineers, product leaders, and innovators, all willing to share their ups, downs, uh-ohs, and ooh-la-las while building fintech.
Sessions will cover how-tos and best practices for topics like data management, compliance and security, open source, product management, architecture and infrastructure, system performance, and more.
🔥Check out this year’s speaker lineup, featuring THE Kelsey Hightower as a keynote.⌛️ Tickets and rooms are running out, so book before it's too late!
August 7-9, 2024 • Austin, TX • See our full agenda
Synapse Program Was “Nightmare Fuel” Due To Control Gaps, Ex-Employee Says
Middleware platforms like Synapse are supposed to serve as a bridge between customer-facing fintechs and banks, often small community banks, in a business model that is win-win: banks get cheap deposits and generate fee revenue, while fintechs are able to concentrate on where they excel, like creating polished user experiences, innovative product formulations, and novel distribution channels.
But, as should be crystal clear by now, the increased complexity in these operating models risks obscuring responsibility and accountability for meeting regulatory requirements, including those under the Bank Secrecy Act and the PATRIOT Act, which define key anti-money laundering requirements banks are expected to meet.
For example, Section 326 of the PATRIOT Act requires most financial institutions to implement a customer identification program (CIP) with risk-based “reasonable procedures” for verifying the identity of any person seeking to open an account, to maintain records of the information used to verify the person’s identity, including name and address, and to determine if the person appears on any lists of known or suspected terrorists or terrorist organizations.
An institution’s procedures must enable it to form a “reasonable belief” that it knows the true identity of its customers. At a minimum, institutions need to collect:
Name
Physical address (not a P.O. box or registered agent address)
Identification number, which must be an SSN if a person has one
Date of birth, for individuals
For businesses, institutions should generally collect and verify:
the company’s legal name
the company’s operating address
business registration status and licensing documentation, if applicable
identification and verification of ultimate beneficial owners (UBOs) who own or control a significant share of the company’s stock — thresholds vary, but generally equal to or greater than 10% or 25%
Financial institutions also have an obligation to monitor and report suspicious transactions, including those that involve potential sanctions violations.
While sanctions screening might seem straightforward — can’t one just check Treasury Department’s Specially Designated Nationals list? — in practice, it is quite complicated. Individuals, businesses, sectors, entire countries, even specific shipping vessels can carry varying degrees of sanctions. This can make it a challenging task to ensure an institution’s customers aren’t themselves sanctioned or attempting to transact with a sanctioned party.
Ensuring compliance in the layered relationships common in banking-as-a-service is even more difficult. And penalties for non-compliance can be steep, with OFAC issuing a total of $1.2 billion in fines and penalties for sanctions screening failures in 2019 alone.
As with other components of BSA/AML compliance, there are vendors that specialize in providing sanctions screening capabilities: names like Lexis-Nexis, Dow Jones, and ComplyAdvantage.
This reporting is based on conversations with more than 20 sources, including former Synapse employees, current and former employees of Synapse fintech programs, and current and former employees of Synapse partner banks.
Sources were granted anonymity given the sensitivity of the information and out of fear of retribution.
Synapse’s Sanctions Screening Was “Broken,” Former Compliance VP Says
Though industry-standard sanctions screening solutions exist, Synapse chose not to use them, instead building its own sanctions screening capability. The only problem? It didn’t work.
Sejal Patel, who was vice president of compliance at Synapse from March 2022 to November 2023, told Fintech Business Weekly that “[t]he reality was Synapse’s sanctions screening process was home grown and the code didn’t work. Multiple BSA audits revealed the model was broken.”
Synapse isn’t the only party involved, of course. Its bank partners that processed transactions, including domestic and international wires, ultimately bear responsibility for ensuring compliance with applicable laws, including those regarding money laundering and sanctions screening.
Lineage, which began cutting ties with Synapse after a board room coup ousted the executive team responsible for the relationship, was so concerned about the inadequacy of Synapse’s sanctions screening and the company’s refusal to provide independent audits of its model that it decided to build its own screening program, according to a source familiar with the matter.
One former Synapse compliance worker described Lineage as a “stickler” that frequently stopped outgoing wires for additional verification.
On the other hand, the same compliance employee couldn’t recall Evolve flagging a wire for review — ever.
Another source familiar with Evolve’s screening practices says that auditors discovered the bank hadn’t correctly screened international wires for any of its fintech partners for a period of around seven years, due to a “coding error” by Evolve’s then-chief technology officer, Hank Ward. Ward is currently the president of Evolve’s Open Banking Division, which houses the bank’s troubled BaaS operations.
It shouldn’t be too surprising, then, that both Evolve’s and Lineage’s recent consent orders, which tend to be backward looking and stem from historic activity, require the banks to assess and remediate gaps in their BSA/AML controls, including as they relate to third-party fintech programs.
Evolve’s consent order further requires the bank to submit a written plan to its regulator to address its compliance with OFAC regulations.
Juno Was “Nightmare Fuel,” Former Synapse Employee Says
Another former Synapse worker clarified that the worst OFAC issues were in 2022 or earlier, prior to Synapse hiring numerous compliance staffers in an attempt to remediate its widespread issues.
But, despite the hiring, major problems remained, including one program the ex-employee described as “nightmare fuel” — Juno.
Juno offers an “on-ramp” to more than 20 blockchains and associated cryptocurrencies alongside a traditional “fiat” bank account that was provided by Evolve Bank & Trust via Juno’s relationship with Synapse.
The former employee described Juno as a “preferred haven for Nigerian scammers,” who used the accounts to carry out scams that “varied but spanned the entire scammer world” — “[d]rop accounts (money mules), business email compromise scams, tax scams, romance scams (often the money mules), payroll intercept scams, Zelle, all of it.”
Records of Juno accounts released as part of the recent Russia-linked hack of Evolve reveal obvious signs of higher-risk accounts and likely compliance failures, including 70 accounts that list 1390 Market Street in San Francisco — Juno’s US office — as their physical address. Of the 70 accounts, only eight have an SSN/ITIN identifier, with two of those eight being obviously fake.
The phone numbers of the 70 accounts, with only one exception, all begin with the country code for India, suggesting the accountholders do not actually reside at the 1390 Market Street address.
A former Synapse employee suggested these were probably test accounts for Juno employees, many of whom are located in India, including the company’s cofounder and CEO Varun Deshpande.
Almost all of the accounts reflected balances of less than $1 at the time the report was generated, which appears to have been January 2024. Still, even if these were test accounts for employees, they were in production — they were real, live accounts.
The financial crime issues with Juno were so severe and persistent that, for an extended period, Synapse held weekly tri-party meetings with Evolve and the company to attempt to address the situation, according to the former Synapse employee.
The same former employee remarked that, while much attention has been paid to platforms like Mercury and Yotta, Juno “[has] flown under the radar somehow.”
Representatives for Juno declined to provide any comment for publication.
a16z-Backed Mercury Pressured Evolve To Approve, “Whitelist” Higher-Risk Accounts, Former Staffers Say
Perhaps the highest profile example of apparent control failures at Synapse and Evolve is business banking startup Mercury.
The Information profiled compliance challenges at the startup that appear to have contributed to one of its bank partners, Choice Bank, receiving an enforcement action from its regulator, the FDIC. Mercury even allowed a transaction in Cuba via its Patriot Bank-issued cards and reportedly failed to file a SAR for it. (This paragraph has been revised from the originally published version to clarify the Cuba transaction was not associated with Choice Bank.)
But the problems don’t seem to have been limited to Choice, which did not partner with Synapse.
A review of Mercury account records, also part of the Evolve data leak, shows an astounding 5,393 accounts that list the same address of 30 N. Gould Street in Sheridan, Wyoming, a known scam nexus. The address is for a registered agent, rather than the physical address of the businesses claiming to be located at it.
1309 Coffeen Street, in the same small Wyoming town, was listed as the address for another 2,729 Mercury accounts.
And an additional 1,835 Mercury accounts listed 651 N. Broad Street in Middletown, Delaware, 1,679 listed 8 The Green Street in Dover (many written as “8 The Grn” for some reason), and 1,445 accounts listed 16192 Coastal Highway in Lewes — all of which are registered agents.
For context, the combined 13,081 accounts at just those five addresses appear to represent nearly 20% of all Mercury accounts on Evolve when the file was generated, which looks to be from October 2022. In aggregate, the accounts that listed these addresses held over $430 million at the time.
Previous analysis of some of these accounts by Fintech Business Weekly demonstrated that, while they listed registered agent addresses in the US, a material number of accounts listed phone numbers or had IP addresses in higher-risk jurisdictions, like Russia, Pakistan, and the UAE.
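As an added illustration of the CIP data points listed earlier and of the address and phone patterns in the leaked Juno and Mercury records, the following Python screens account records for those red flags: a P.O. box or registered-agent address instead of a physical one, many accounts sharing one address, a missing or structurally impossible SSN, and a phone country code that does not fit a US address. This is example code written for this piece, not Synapse’s, Evolve’s, Mercury’s or any vendor’s screening logic; the registered-agent watch list, the sample records, and the assumption that every address is in the US and phones are stored in E.164 form are all constructed for the example.

```python
import re
from collections import Counter

# Constructed for this example: a watch list of the registered-agent addresses named above (normalized).
REGISTERED_AGENT_ADDRESSES = {"30 N GOULD SHERIDAN WY", "1309 COFFEEN SHERIDAN WY",
                              "651 N BROAD MIDDLETOWN DE", "8 THE GREEN DOVER DE", "16192 COASTAL LEWES DE"}
_DROP = {"ST", "STREET", "HWY", "HIGHWAY", "AVE", "AVENUE"}  # street suffixes carry no identity
_ABBREV = {"GRN": "GREEN", "NORTH": "N"}                     # spelling variants seen in the leaked files
_PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.I)
_SSN = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

def normalize_address(addr):
    """Collapse variants so '8 The Grn' and '8 The Green Street, Dover, DE' cluster together."""
    addr = re.sub(r"\b(STE|SUITE|UNIT|APT)\b\.?\s*#?\s*\w+", " ", addr.upper())  # strip unit numbers
    words = re.sub(r"[^\w\s]", " ", addr).split()
    # Drop suffixes and a trailing 5-digit ZIP; a 5-digit house number at position 0 is kept.
    keep = [w for i, w in enumerate(words) if w not in _DROP and not (i and re.fullmatch(r"\d{5}", w))]
    return " ".join(_ABBREV.get(w, w) for w in keep)

def ssn_is_plausible(ssn):
    """SSA structural rules: area never 000, 666 or 900-999; group never 00; serial never 0000.
    Repeated digits are treated as placeholders. This does not check the SSN belongs to the person."""
    if not (m := _SSN.match(ssn or "")):
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return False
    return len(set(area + group + serial)) > 1

def screen_accounts(accounts, cluster_threshold=25):
    """Return {account_id: [flags]}; an address shared by >= cluster_threshold accounts is flagged too."""
    cluster = Counter(normalize_address(a["address"]) for a in accounts)
    findings = {}
    for a in accounts:
        key, flags = normalize_address(a["address"]), []
        if _PO_BOX.search(a["address"]):
            flags.append("po_box_address")
        if key in REGISTERED_AGENT_ADDRESSES:
            flags.append("registered_agent_address")
        if cluster[key] >= cluster_threshold:
            flags.append(f"shared_address_x{cluster[key]}")
        if not a.get("tax_id"):
            flags.append("missing_tax_id")
        elif not ssn_is_plausible(a["tax_id"]):
            flags.append("implausible_tax_id")
        phone = re.sub(r"[^\d+]", "", a.get("phone") or "")
        if not phone.startswith("+1"):  # assumes US addresses and E.164 phones, so the code must be +1
            flags.append("phone_country_mismatch")
        findings[a["id"]] = flags
    return findings

# Constructed sample records: ids, tax ids and phone numbers are made up for this example.
SAMPLE_ACCOUNTS = [
    {"id": "A1", "address": "8 The Grn, Dover, DE 19901", "tax_id": "", "phone": "+7 916 000 0000"},
    {"id": "A2", "address": "PO Box 99, Austin, TX 78701", "tax_id": "219-09-9999", "phone": "+1 512 555 0199"},
    {"id": "A3", "address": "1390 Market St Ste 200, San Francisco, CA", "tax_id": "111-11-1111", "phone": "+91 98 0000 0000"},
] + [{"id": f"T{i}", "address": "1390 Market Street, San Francisco, CA", "tax_id": "", "phone": "+91 90000 00000"} for i in range(30)]
```

Run `screen_accounts(SAMPLE_ACCOUNTS)` to see the 30 test-style records and the suite-number variant collapse into one 31-account cluster at 1390 Market Street, while the Dover record is flagged on the registered-agent address, the missing identifier and the non-US phone code.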
In some regards, the large proportion of foreign actors opening accounts with Mercury using registered agent addresses shouldn’t be a surprise — the company intentionally pursued the strategy that led to this, by partnering with and paying commissions to firms like LLC University and Firstbase, as reported by The Information earlier this year. These services help those outside the country set up companies in the US — and then refer them to Mercury to open a bank account.
A former Mercury compliance employee estimated that, at the time they worked at the company, more than a third of all customers and deposits were from foreign sources, most of which made use of registered agent addresses in the US.
Asked about the use of registered agent addresses, a Mercury spokesperson said, “In 2023, we updated our risk tolerance and now require all customers who use an RA to also provide a verifiable physical address.” While Mercury’s “risk tolerance” may have changed, the rules did not: use of only a registered agent address was not considered acceptable practice to meet CIP and KYB requirements before or after 2023.
The spokesperson added that Mercury “also embarked on a remediation plan to bring existing customers into alignment with our updated policies.”
A former Synapse staffer describes a culture of bending the rules, if not outright breaking them, to keep Mercury, Synapse’s largest customer, happy.
They painted a picture of “contentious” conversations with Mercury over user onboarding processes, with the startup seeking to minimize friction in order to grow its user and transaction volumes.
Synapse pushed for video verifications of Mercury customers or at least a “selfie,” with the former staffer telling Fintech Business Weekly that, “It was wild how much pushback we would get” on those requests. They described Mercury as “one of the worst offenders” when it came to processes to verify users’ information was legitimate.
Asked about its onboarding practices, a Mercury spokesperson stated that it currently “require[s] selfies for onboarding verification for every single account and leverage industry-standard tools for ID verification to do so.”
In some cases, when Synapse wouldn’t meet Mercury’s demands, the company would escalate them directly to Evolve, the former employee said. For example, Synapse had concerns about higher-risk jurisdictions, like Turkey, or those with sanctions in place, like Russia.
But Mercury wanted to facilitate users and transactions in those countries, and, when Synapse wasn’t sufficiently cooperative, Mercury sought Evolve’s signoff on adding certain users to a so-called “whitelist,” former Synapse staffers said. Being added to the whitelist would enable those accountholders to make transactions in amounts and with counterparties that they otherwise would not be able to make.
Despite higher risk ratings for certain countries or accounts, some users would be “grandfathered in” to enable them to continue using their accounts without interruption, the former Synapse employees said. For example, some users who had opened an account before sanctions were put in place in a given jurisdiction would be whitelisted and allowed to continue using their accounts, the staffers said.
The risk of allowing users in higher-risk jurisdictions was exacerbated by what the former Mercury compliance staffer described as no transaction monitoring “at all.”
When Mercury did deploy a transaction monitoring vendor, the system “started throwing off a bunch of alerts. It created so much noise… they shut it off,” the former Mercury staffer said.
Mercury’s spokesperson declined to answer if the company had escalated issues to Evolve when it disagreed with Synapse’s risk assessments or about use of a “whitelist,” including for users in higher-risk jurisdictions.
A former fraud prevention employee at Synapse said Mercury wasn’t the only company to make use of such a whitelist, but that, they estimated, it accounted for about 90% of whitelisted accounts. Rho and Relay, other business bank account platforms that have since moved to Webster Bank and Thread Bank, respectively, also had whitelisted accounts, they said.
Earlier this year, Mercury informed customers with Evolve-issued cards that they could no longer use them for transactions in 41 countries, running the gamut from Cuba and Iran to Ukraine, Vietnam, and Turkey.
In a statement Mercury made at the time, it claimed that “[t]his [had] always been Mercury’s policy, but as part of recent system updates you will now see debit transactions in these countries or with merchants located in these countries being declined.”
Perhaps it shouldn’t be a surprise that Mercury has run into repeated compliance issues — the company has seemingly prioritized a “frictionless user experience” over regulatory, legal, or compliance considerations.
When unpleasant compliance issues were raised internally, there was a sense that “no one really wanted to deal with it,” including Mercury cofounder and CEO Immad Akhund, the former Mercury compliance employee said. The former staffer continued, “He couldn’t care less about risk and compliance.”
More Shoes Yet To Drop
The consent orders reached by Synapse partners Evolve and Lineage, as well as Choice Bank, which was not a Synapse partner, require the banks to do a “lookback review” of transactions, including transactions by customers onboarded through third-parties, like Mercury and Juno.
The results of those lookback reviews, if they have been completed, are not publicly known, but could, if issues are uncovered, form the basis for further regulatory actions or even criminal cases.
In last week’s hearing in the still-ongoing Synapse bankruptcy, a distinct but somewhat overlapping situation, the Chapter 11 trustee, former FDIC Chair Jelena McWilliams, said she couldn’t discuss whether the trustee had made any referrals to law enforcement agencies, but that, if the trustee doesn’t have the tools she needs and “needed to get law enforcement involved,” she would.
The regulatory and public policy repercussions from Evolve’s apparent failures to adequately supervise its fintech partners, including the fallout from the Synapse bankruptcy, will take time to fully come into focus.
Regulators have kept an arms-length from directly supervising or examining most fintechs, even though they have the legal authority to do so, leading to the situation the industry currently finds itself in.
Some banking and fintech industry sources have suggested an Office of the Inspector General investigation into the St. Louis Federal Reserve’s oversight of Evolve could help shed light on what went wrong and how to avoid similar situations in the future.
Asked about what lessons regulators could learn from the Evolve and Synapse situation, Sarah Beth Felix, CEO of AML and sanctions advisory firm Palmera Consulting, told Fintech Business Weekly, “One of the biggest changes we can hope to see out of this debacle is to have a change in regulatory oversight – from both an AML and consumer protection side.”
Felix further emphasized the impracticality of banks taking on all the risk and being deputized to supervise third-, fourth-, and fifth-party risk, adding, “The US needs to get started on crafting our own fintech regulatory framework and in the meantime, updating the legal loopholes from FinCEN’s administrative rulings will provide a temporary relief… Updating the legal loopholes will help to ensure that these older rulings are fit for current day innovation.”
Representatives for Evolve Bank & Trust did not respond to multiple requests for comment.
Representatives for Choice Bank declined to provide any comment for publication.
Other Good Reads
Banks, fintechs tackle the complexity of KYB with AI and other tech (American Banker)
Liquidity, Supervision, and Regulatory Reform (Fed Governor Michelle Bowman)
Financial Literacy, Risk Tolerance, and Cryptocurrency Ownership in the United States (Federal Reserve Bank of Kansas City)
Size, Complexity, and Polarization in Banking (Acting Comptroller Michael Hsu)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Pre-order my book, Banking as a Service: Opportunities, Challenges and Risks of New Banking Business Models, here
Vendor, partner & investment opportunity advice and due diligence
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571