VyStar Invested $20M Into “Dysfunctional” Nymbus; “Botched” Transition Led To Consent Order, $1.5M Penalty
Nymbus Is "Attempting To Extort" $1.5M From Former Customer TransPecos In Contract Dispute, Bank Argues In Court Filing
Hey all, Jason here.
I’m back home in the Netherlands, and it is the perfect fall Sunday — which I plan to head out and enjoy. Money2020 was a hectic, busy, informative experience, though four days in Las Vegas is entirely too long. If you’re looking for a summary of some highlights from the event, recommend Alex Johnson’s writeup here.
One more major event this year: American Fintech Council’s Policy Summit, at which I’ll be discussing (of course) BaaS, bank/fintech partnerships, brokered deposits, and so much more with some of my favorite panelists — more info on the event and tickets here.
I’ll be in DC Tuesday, November 19th through Friday, November 22nd. If you’re in town and would like to meet (on or off the record), let me know by replying to this email.
Last but not least… while I thoroughly enjoy arguing about policy, I try to avoid being overly political or partisan in this newsletter, as, lately, that makes it rather challenging if not impossible to have a coherent and civil discussion.
In a two-party system, it’s unlikely that you will ever entirely agree with the policy platform of a party or specific candidate — and that’s okay! I trust that the intelligent, highly engaged, and politically aware readers of this newsletter have strong enough principles, morals, and vision to prioritize country over party when they head into the voting booth this Tuesday (if you haven’t voted already!)
VyStar Invested $20M Into “Dysfunctional” Nymbus; “Botched” Transition Led To Consent Order, $1.5M Penalty
Last week, the Consumer Financial Protection Bureau entered into a consent order with VyStar Credit Union.
With approximately $14.7 billion in assets, VyStar is the 13th largest credit union in the country. It serves just shy of one million members through nearly 100 branches located primarily in the Jacksonville, Florida area.
The CFPB consent order stems from what the Bureau describes as a “botched system switch” to “a new, dysfunctional online banking platform” that “left families in a lurch, unable to manage finances and facing fees.”
The Bureau has authority over VyStar as it is one of the few credit unions with assets over $10 billion. The action against VyStar stemmed from “close partnership” between the CFPB and the National Credit Union Association, which is the independent federal agency that insures deposits held at credit unions.
According to the CFPB’s complaint, the failed tech transition to a new online banking platform, which took place in May 2022, “made it difficult for credit union members to perform basic banking functions for weeks, with some features unavailable for more than six months.”
While the complaint does not specify the “online banking platform,” reporting at the time of the outage indicates it is Nymbus, a core banking provider which has raised nearly $200 million in capital — including $20 million from VyStar itself into a credit union service organization (CUSO) subsidiary that Nymbus set up. VyStar’s SVP of Strategic Initiatives, Casey Callinsky, currently sits on Nymbus’ board of directors.
VyStar isn’t the only financial institution that invested in or partnered with Nymbus. According to its website, VyStar also counts Michigan State Federal Credit Union (MSUFCU), Gesa Credit Union, PeoplesBank, and ConnectOneBank as investors.
MSUFCU is a member of Nymbus’ CUSO and a customer, leveraging Nymbus to power its AlumniFi digital bank brand. Other clients include PeoplesBank, for its Zynlo digital offering, Citizens Bank of Edmond, for its ROGER neobank serving military members, and Locality Bank.
But the biggest investor by far is Insight Partners, which, per Crunchbase, has led or co-led rounds totaling about $135 million into the company.
“Collapse” Of Website, App Constitute “Unfair” Acts or Practices
The consent order alleges that the “collapse” of VyStar’s customer-facing website and mobile app capabilities was caused by the credit union’s “management and governance failures and its assumption of excessive risk throughout the conversion project.”
According to the consent order, actions that demonstrated gaps in governance and excessive risk taking include:
Not instituting project management “guardrails”
Adopting a “rushed, aggressive” project timeline
Ignoring red flags about problems with the platform
Choosing a vendor that was “inexperienced in projects with the complexity of this conversion”
The CFPB further alleges that VyStar selected the banking system vendor, unnamed in the consent order, outside of its normal procurement process and without its normal due diligence process after backing out from a tentative selection of an alternate vendor that had participated in a full request for proposal and due diligence process.
The ad hoc review process resulted in VyStar staff ignoring aspects of normal RFP and due diligence processes, including by signing off on a proof of concept that “failed to provide a meaningful examination of the design and development challenges of the project” and by selecting a vendor that was not compatible with its core transaction processing system without additional customized software, the consent order says.
The consent order does mention the $20 million investment VyStar made in the vendor concurrent with its hiring of the firm, “in the hope that the virtual banking platform project would demonstrate the Vendor’s services to other financial institutions and lead to the creation of products and services that Respondent and the Vendor could sell to others.”
Despite the increased complexity of VyStar’s project and conversion plan, the credit union and its vendor attempted to stick to their original timeline for developing, testing, and releasing the virtual banking platform and failed to implement industry-standard project governance standards, such as formal statements of work, a centralized scoping document, risk-and-issue management logs, or enforceable benchmarks, the consent order says.
VyStar failed to sufficiently test the new platform and never performed testing that would simulate expected transaction volumes once live; the testing that was performed showed (emphasis added throughout) “significant, material issues,” per the consent order.
But, rather than delay the launch of the new platform, VyStar “became increasingly willing to accept the persistence of critical bugs and lower levels of functionality in the new virtual banking platform,” with VyStar management reclassifying at least 135 “critical” defects so that they wouldn’t block the launch, the consent order says.
Instead, VyStar would use a “fast follow” approach, the order says, “shift[ing] the timeframe for fixing bugs and improving functionality to after the new platform was released.”
In fact, VyStar’s internal quality assurance team refused to sign off on the release, and the project management team warned that the platform was not ready, “creating significant reputational risk and raising the real possibility that the outcome would lead to negative publicity,” but management decided to proceed anyway, according to the CFPB.
VyStar made the curious decision, the consent order says, to migrate from its prior systems in such a way that the previous platform would be “irrevocably disabled,” making it impossible to revert to the older system if the transition wasn’t successful.
Part of the motivation to proceed with the conversion despite ample warnings may have been to avoid an additional $1 million in monthly fees VyStar would have had to pay to the platform it was migrating off of, if the project wasn’t completed by May 2022.
The consent order finds that the impacts of the outage of VyStar’s online banking platforms in the course of the transition constitute “unfair” acts and practices.
The order requires VyStar to undertake an audit of its previously conducted refund process for customers impacted by the outage, including by identifying and providing redress to impacted customers who may have been eligible but did not request such refunds.
The order also requires VyStar to pay a $1.5 million civil money penalty.
Nymbus Has Faced Its Own Legal Challenges
The CFPB consent order doesn’t mention Nymbus, but the core banking startup has faced its own legal challenges, from matters dating as far back as 2015.
That year, the then-newly-founded company approached a group of affiliated firms that included First Baird Bancshares, First Bank Texas, First National Bank and Trust Company of Weatherford, and The First Security Bank about acquiring one of their affiliated companies, Sharp BancSystems, Inc.
According to court filings, Nymbus wanted to acquire Sharp BancSystems “[i]n order to accelerate the development of its core processing platform and enhance its capabilities” by purchasing or partnering “with a company that had an existing core processing platform, technical know-how, depth and breadth of experience with financial institutions and core processing, as well as banking clients.”
As part of the acquisition, which closed in January 2016, Scott Sharp, an employee and, along with family members, part owner of the four banks and Sharp BancSystems, joined Nymbus as its Chief Operating Officer.
The four banks and Sharp had spent years developing the software and building and operating the business, which, in addition to the plaintiffs, served numerous other banks as well, the companies say in an April 2017 lawsuit filed in Texas district court.
In that suit, filed by the banks against Nymbus, the banks sought to exercise their right to rescind the sale, alleging that Nymbus had breached the sale agreement by failing to transition Sharp BancSystems’ existing customers to the Nymbus platform by the agreed upon date of March 1, 2017.
The blocker to the migration, according to the banks’ suit, was that “the new, state-of-the-art software platform promised by Nymbus” didn’t actually exist.
According to the banks’ suit, “Nymbus promised in Section 5.12 of the [purchase agreement] that by March 1, 2017, it would complete development of a ‘functional core processing system’ with ‘all of the same features’ as Sharp’s and which ‘will be adequate and appropriate to operate a community bank platform,’” but “[s]uch a system was not developed by March 1, 2017.”
Nymbus filed its own suit in April 2017 in US District Court in Florida, seeking declaratory and injunctive relief blocking the banks’ attempt to rescind the sale.
In its suit, Nymbus accused the banks of failing “to make commercially reasonable good faith efforts to successfully transition all of the [Sharp BancSystems] Business” to Nymbus and of committing material breaches of the purchase agreement.
In a separate lawsuit and countersuit between Nymbus and Scott Sharp personally, Sharp alleges that, though Nymbus demoed its product during acquisition negotiations in July 2015, he later learned that what Nymbus “demonstrated to SBS and Sharp was not a product at all, but was a ‘wireframe’ model of the product that could not actually perform the functions being demonstrated.”
During due diligence between Nymbus and the banks, Nymbus represented that the first clients would be able to migrate to the new platform by July 2016, about six months after the deal closed, per Sharp’s suit. When Sharp expressed concern this timeline was unrealistic, “Nymbus responded that the timeline was feasible because of Nymbus’s ‘rapid application development’ process and the alleged fact that Nymbus would use ‘hundreds of developers’ on the project,” Sharp’s complaint says.
The disputes between Nymbus, the four banks, and Scott Sharp personally were dismissed following what appear to be out-of-court settlements.
Nymbus “Was Not Functional Software,” Credit Union Customer Alleges In Legal Dispute
Nymbus’ early dispute with the banks from which it acquired some of its core tech appears to have been a harbinger of more legal challenges that would come.
In December 2018, Nymbus filed suit against one of its clients, Chrome Federal Credit Union, with Chrome filing a countersuit.
In its countersuit, Chrome accused Nymbus of breach of contract, fraudulent and negligent misrepresentation, violation of Florida’s Deceptive and Unfair Trade Practices Act, and sought a refund of approximately $3.3 million in prepayments it had made to Nymbus.
Chrome alleges that Nymbus breached its agreement “by failing to provide Chrome with an operational and available version of the SmartCore software products and services as required by” the contract.
Chrome further argues that when the credit union was evaluating Nymbus’ platform, the “software being ‘demonstrated’ was not functional software, but rather was intended to induce Chrome to believe that SmartCore was a functional software package that was capable of implementation within a reasonable amount of time.”
Rather, Chrome argues in its filing, “SmartCore did not exist as functional software in May 2016, did not exist at the time Chrome and Nymbus executed the Master Agreement in October 2016, and still did not exist as functional software in May 2018, which is when Chrome provided Nymbus notice that Nymbus had committed an event of default under the Master Agreement.”
Chrome Federal Credit Union’s suit says key capabilities Nymbus had promised didn’t work, including:
any functional integration with MeridianLink, the credit union’s online account and loan-opening provider;
any functional integration with PSCU, the credit union’s credit card provider and processor;
any functional integration with Chrome’s debit processor, First Data/STAR Network, with Nymbus instead “pressuring” Chrome to switch to Pulse;
any functional integration with Chrome’s cash recycling machines;
accurate personalization of a wide array of customer forms detailing information on loans, accounts, and mortgages;
back office operations for remote deposit capture, including how check images would be processed and stored;
among other issues.
Ultimately, no “conversion date” was ever selected, as “Nymbus was never able to demonstrate a functional version of SmartCore, let alone provide SmartCore to Chrome as a completed and functional package of products and services,” the credit union’s suit states.
The parties jointly agreed to dismiss the case with prejudice nearly three years later, in August 2021, presumably pursuant to an out-of-court settlement agreement.
Surety Bank Could “No Longer Tolerate” Nymbus’ “Failure To Deliver” Basic Core Services
Chrome Federal Credit Union isn’t the only customer to sue Nymbus, however.
In 2023, approximately $205 million asset Surety Bank, based in DeLand, Florida, sought a court declaration that Nymbus had breached its 2017 master services agreement, thereby allowing Surety to terminate the agreement for cause and avoid paying a combined $1.3 million in early termination and deconversion fees.
Nymbus was unable to meet the original go-live timeline, Surety says, and has had “repeated problems with providing the core service,” requiring Nymbus “to find what it describes as ‘work-arounds’ for these failures.”
In Surety’s suit, the bank said it could “no longer tolerate the Defendant’s repeated failure to deliver the basic core services in a commercially reasonable manner,” alleging that Nymbus had “been completely unable in the six years since the Agreement was executed to provide a number of the services required under the Agreement.”
Surety cited a litany of services it says Nymbus was contractually obligated to provide but failed to deliver, including: ACH Origination, Positive Pay, Reverse Positive Pay, Interest Rate Rise Shock Analysis, Asset Liability Management, Bank/Holding Company Projections, Account To GL Reconciliation Engine, ATM Balancing, Customer Account Profitability Analysis, FNMA/GNMA Loan Servicing Reporting, Personal Financial Management, Two-Factor Authentication, and Account Aggregation.
Because Nymbus didn’t deliver the capabilities it promised, Surety was forced to obtain core and non-core services from other third-party providers and suffered “material service failures,” requiring additional work and expense.
Nymbus disputed Surety’s claims and made affirmative defenses that Surety was estopped from asserting claims against Nymbus because it “accepted and utilized Nymbus’s software and services.”
Nymbus further made a counterclaim seeking that the court make a declaration that Surety voluntarily terminated the contract and thus owed the early termination fee.
Surety ultimately moved to dismiss the case with prejudice in May 2024, presumably following an out-of-court settlement.
Nymbus Is “Attempting To Extort” $1.5M From It, TransPecos Alleges In Court Filings
In Nymbus’ most recent legal dispute with a client, $840-million-asset TransPecos describes Nymbus as “attempting to extort $1,500,000 from” it, going so far as to threaten to contact the bank’s regulators “to ask the regulators’ advice for the best path to wind down [TransPecos]’s services with minimal risk to the banking system, as [TransPecos] is no longer a paying customer.”
The current dispute stems from TransPecos’ attempt to wind down the relationship it entered into with Nymbus in August 2018.
According to TransPecos’ complaint in the case, filed in July 2024, the bank sought to terminate its contract with Nymbus for cause “[d]ue to significant performance issues with [Nymbus]’s services.”
TransPecos and Nymbus reached a settlement agreement regarding the early termination, in which TransPecos would pay Nymbus $1.75 million, Nymbus would grant TransPecos equity in its Series D round worth $1.75 million and options to purchase an additional 1.5 million shares at $0.27 per share, and Nymbus would continue providing core banking services to TransPecos through June 30, 2024, with TransPecos having the option to extend service through December 1, 2024.
But Nymbus argues that TransPecos failed “to give Nymbus written notice pursuant to the terms of the Commercial Agreement Amendment,” which specifies that TransPecos could extend the agreement through December 1 “by providing at least thirty (30) days prior written notice to Nymbus.”
In its suit, TransPecos argues that the operative clause lacks a specific trigger date for the 30 day period and thus contains a patent or latent ambiguity, rendering it unenforceable or at least in need of interpretation by the court.
Further, TransPecos argues that email communication with Nymbus’ VP of project management, attached as an exhibit, makes clear both parties understood service would continue beyond the original June 30 deadline.
Nymbus, according to the filings, has taken the position that the contract terminated on June 30, 2024, and that it only continued to provide service to TransPecos “because it does not want to cause [TransPecos]’s customers hardship in the short term.”
TransPecos argues that Nymbus is “attempting to extort $1,500,000 from [TransPecos] (in addition to the $1,450,000 that [TransPecos] paid to enter into the Settlement Agreement),” as Nymbus ceasing to provide core services “would wreak immeasurable damage not only on the [TransPecos], but on all of [TransPecos]’s customers (public, private, individual and business) who would be unable to access their accounts, process checks or conduct normal banking transactions.”
In the ongoing suit, TransPecos is asking the court to require Nymbus to meet the obligations of the core services agreement and settlement agreement the companies entered into, as well as seeking a temporary injunction that would maintain the status quo while the matter is litigated.
A representative for Nymbus did not provide an official response to a request for comment on these matters sent outside of normal business hours.
Other Good Reads
The cautionary tale of Goldman and Apple’s credit card (FT)
Why Everyone’s Wrong About Stablecoins (Christian Catalini/Forbes)
Why did Stripe spend $1.1bn on a Series A Stablecoin startup? (Fintech Brainfood)
Wisconsin’s Biggest Bank Is Worried (MacIver Institute)