A jester by E. Mohn after A. Lambron.


#1: Evolve’s Incompetence Was a Feature, Not a Bug

What happened?

Evolve keeps screwing up. Here’s the latest from Jason Mikula:

A Russia-linked ransomware group known as LockBit, which has conducted thousands of attacks in recent years, claimed on its site it had a cache of data from the US central bank, the Federal Reserve, that it would release if the ransom it demanded was not paid.

But when the data was released early Wednesday morning, it became clear it wasn’t the Federal Reserve’s, but rather Evolve Bank & Trust’s.

So what?     

33 terabytes of information stolen. Names, addresses, SSNs/EINs, pictures of identity docs, ACH and wire files, settlement files, card primary account numbers (PANs), card transaction records, internal bank emails, and god knows what else. All supposedly obtained through a compromised Microsoft Azure tenant.


As Jason pointed out yesterday, Evolve is arguably the most prolific partner bank supporting fintech programs in the U.S., including (at one time or another) Affirm, Bilt, Branch, Dave, Deserve, Earnin, Juno, Melio, Mercury, Rho, Stripe Treasury, Shopify, Step, and YieldStreet.

A natural question is why? Why would so many fintech companies choose to build on top of a bank that is so bad at being a bank? A bank that chose to tie its fortunes to a middleware platform as irresponsible as Synapse. A bank that is now operating under a breathtakingly comprehensive enforcement action from the Federal Reserve (which it should have been hit with a long time ago). Why?!?

Well, Mr. Mikula took a peek at some of the files that were released in the hack, and what he found gives us a good clue:

A cursory analysis of account details reviewed by Fintech Business Weekly with support from information security researchers and AML experts gives ample cause for concern.

Businesses are generally required and must be able to demonstrate an actual physical presence in the United States, not just a company with a P.O. Box or registered agent address, in order to access banking services in the country.

Yet Mercury and Evolve do not appear to have consistently enforced those requirements.

For example, this Mercury client claims to operate an e-commerce business selling animal, pet, and beauty supplies in the United States and lists a physical address of 984 Portland Avenue in Rochester, New York — but has an IP address, phone number, and mailing address in Pakistan

There’s your answer! 

Fintech companies chose to work with Evolve because it literally never said no to them. 

But here’s the thing – if you choose to work with a bank that never tells you no and that is cool onboarding new customers without even the most cursory KYC/KYB/AML checks, then you sure as shit better not be surprised when that bank’s systems get hacked, and all of your customers’ data gets stolen.

Evolve’s incompetence was a feature for its fintech partners, not a bug. No one should pretend otherwise.

The more important question is, what happens next?

A reasonable guess would be that BaaS will migrate up-market, to bigger banks that have the necessary budgets, in-house expertise, and common sense to minimize the risks of the types of compliance and information security failures that have been endemic at Evolve.

However, I don’t think that will happen. 

Fintech companies prefer working with smaller banks, and that preference isn’t solely about Durbin-exempt interchange. Small banks are generally easier to deal with. They can move fast. They are more flexible in the types of products they are willing to enable and the types of business models they are willing to sign up for.

So, how do you square that circle? 

How do you infuse big bank-level infosec and compliance (along with a more modern tech stack) into a community bank whose asset size would never ordinarily justify that type of investment?

We’ve seen some fintech executives attempt to do this by buying community banks and repurposing them for BaaS (Jackie Reses at Lead Bank, William Hockey at Column Bank, Brian Barnes at B2 Bank). We’ve also seen a few established BaaS banks raise additional outside capital in order to cross the chasm (Cross River Bank raising $620 million from Eldridge and Andreessen Horowitz in 2022 comes to mind).

I think we’ll have to see a lot more of this type of investment in community banks if BaaS, as it exists today, is going to survive.

#2: NaCL

What happened?

Chime scooped up employee benefits platform Salt Labs:

Jason Lee, the entrepreneur who cofounded the payroll service DailyPay, is selling his latest startup, Salt Labs, to neobank Chime Financial. Roughly all of Salt’s 22 employees will join Chime, including Lee, who will lead a new business unit. The deal, which is expected to close later this week, calls for Chime to provide an upfront payment of $14 million, according to people familiar with the deal.

The transaction also includes an earnout where the Salt team can earn over time an equity package of up to 0.9% of Chime stock if they achieve certain performance metrics, they said.

So what?     

There’s some history here that is important to be aware of.

Chime attempted to acquire DailyPay in 2022, right around the time Jason Lee left to found Salt Labs. DailyPay’s Board rejected the offer (which was reported to have ended up at $2 billion) in the hopes that a better offer would eventually appear.

That hasn’t happened, and it seems unlikely to happen anytime soon, given the direction that most later-stage fintech companies’ valuations have trended in the last two years.

Instead, Chime (which is preparing for an IPO) snags Salt for $14 million (up to $173 if all the performance incentives are hit) and Jason Lee, who will stay on to run the newly created Chime Enterprise business unit, which will be focused on continuing Salt’s work selling fintech-as-a-benefit to employers.

This makes a lot of sense to me.

The Salt Labs product – a rewards platform where hourly employees can earn financial products (like stock or a savings bond) and experiences (like concert tickets or a trip to Disneyland) – is a natural complement to Chime’s business generally and to its earned wage access (EWA) product, which it announced earlier this year, specifically. That product – MyPay – does not have any mandatory fees (nor does it ask for tips, because tipping in fintech is bullshit), and it wasn’t really intended to be a big moneymaker for Chime (according to the company’s CEO).

A much better way to make money in EWA is to get employees’ employers to pay for it as a workplace benefit. The trouble is that selling fintech-as-a-benefit to large companies is incredibly difficult (think big bank-like sales cycles but with much, much smaller budgets).

Jason Lee is uniquely good at selling to employers. Now Chime has him selling for them.  

#3: Every Big Bank is Going to Want a Hyperplane

What happened?

Nubank, which always seems to be 12 steps ahead of everyone else, acquired Hyperplane:

Just seven months after announcing a $6 million seed funding round, Hyperplane, a San Francisco-based data intelligence startup that is building foundation models for banks, announced Wednesday that it has been acquired by Brazil’s Nubank.

Hyperplane was founded in 2022 by Daniel Silva, Felipe Lamounier, Rohan Ramanath and Felipe Meneses.

So what?

Rohan Ramanath came on the Fintech Takes podcast a while back, so if you’re curious about the full story of what Hyperplane does and why it’s very different than other AI companies, you should take a listen.

Here are the Cliff Notes:

  • Hyperplane builds foundation models, similar to those built by OpenAI and Anthropic. The difference is that Hyperplane’s models are built on the much smaller first-party datasets of individual banks, rather than datasets scraped from the entire internet.
  • The reason for this approach is that Hyperplane isn’t interested in generative AI for its content generation capabilities (which require massive multimodal datasets). It’s interested in generative AI for its ability to efficiently find predictive patterns within unstructured datasets.
  • The genius of Hyperplane confining themselves to the unstructured datasets of individual banks is that it sidesteps almost all of the big regulatory and risk management concerns with generative AI in financial services. You’re only using your own data for training, so no need to defend to regulators why you’re using data from random subreddits to power your wealth advisor chatbot. And the outputs of Hyperplane’s foundation models are predictive insights and attributes, which can be used to build standard ML models and decisioning rulesets. This completely eliminates the risk of hallucination and makes model governance and explainability much easier.

To be honest, I’m a bit surprised that Hyperplane agreed to the acquisition. The terms of the deal were not disclosed, so it’s hard to judge from the outside.

What I can say is that every big bank in the world is going to want a Hyperplane at some point. 

Nubank just got theirs and made it harder for their competitors to follow suit. Smart.    


#1: The Regulatory Philosophy of Rohit Chopra (by Capitol Account) 📚

A Q&A with Rohit Chopra, Director of the CFPB, on his regulatory philosophy.

Read this and then subscribe to Capitol Account, which is an excellent newsletter on financial regulation and policy that I somehow hadn’t been reading.

#2: How Apple Pay Changed Payments (by Matt Jones, Payments Culture) 📚 

A good reminder from Matt that Apple, which is often criticized (occasionally by me) for the slowness with which it has advanced its financial services ambitions, has played a huge role in moving digital payments, as an industry, forward. That behavioral shift is no easy feat. 


If you could wave a magic wand and create whatever novel federal financial services charters you wanted (a national MTL, a fintech charter, etc.), what would you create and why?

Alex Johnson