SoFi, Galileo and the recent BaaS events and impacts
Quite a few things happened recently in the BaaS market
For those of you who are not aware, quite a few things happened over the last few weeks in the BaaS space, so here is a short summary. You can follow all these updates through the tweets of Jason Mikula, who reported on it at the end of last year and has been constantly posting updates; you can also check his Substack for more information. So what happened?
Synapse, a BaaS company, recently went bankrupt after mismanaging transactions. This mismanagement caused problems between Synapse and the bank it used, Evolve Bank & Trust (unlike Galileo, which lets clients pick a bank, Synapse does not seem to have offered such an option). It ended with Evolve telling Synapse it would cut the partnership and then freezing the end customers' funds over money it was owed.
Evolve Bank (yes, the same one from above) got hacked and 33 TB (33,000 GB) of data was stolen. That data includes SSNs, card PANs (based on my understanding, possibly including unencrypted numbers and not just encrypted ones), transaction information of people who use Evolve (this includes the FinTechs who use Evolve as a sponsor bank) and more.
An enforcement action against Thread Bank that includes supervision of BaaS risk.
These three are massive shockwaves for the BaaS space.
I will not get into everything that is currently known about these three things, because our subject isn’t them directly but the impact they will have on the BaaS space, and on Galileo.
So Synapse's bankruptcy left the end customers of its clients with absolutely no way to access their funds: no bank is in any danger, so no banking regulator seems to want to step in. This poses a massive problem for FinTechs. SoFi members on Reddit are even asking whether SoFi is exposed to this, which further confirms that this fear exists for FinTechs that aren't chartered banks.
BaaS was already getting scrutiny from regulators, we know that already at least from SoFi’s new-ish risk disclosure that showed up in Q4 2023:
So these new events will bring even more scrutiny to the BaaS space. More scrutiny raises the barrier to entry, because compliance costs for BaaS players go up. This will limit, to some extent, future competition, at least in the US.
It also gives Galileo an edge as a BaaS company that is also a subsidiary of a bank holding company, meaning its parent company is already regulated. Wouldn't you consider it safer for a FinTech to sign with a BaaS company whose parent is a bank holding company and uses those same services itself? I would definitely consider them safer.
While writing this post I happened to start catching up on some Galileo videos I had put off, and Galileo's VP of Revenue, Scott Johnson, happened to talk a few weeks ago about exactly this aspect, being a subsidiary of a bank holding company:1
When we were acquired in 2020 by SoFi, they didn’t have a bank charter at that time. They’ve now since got a bank charter, it’s really focused on, SoFi does a lot of lending, student loan refinancing, that’s really kind of their core business.
What’s been so interesting, Andrew [Lambert from Cross River Bank], as you kind of think about regulatory, our view of it, has certainly changed as we’re part of a bank holding company now so ultimately the Federal Reserve can cascade through SoFi bank holding company to any part of that, and that includes Galileo.
So that is my take on the Synapse issue and the impact on Galileo.
On to the Evolve hack.
While the full extent is not yet known, we already know of some FinTechs that were impacted. Dave is one. While Dave avoided the Synapse issues (they moved to Galileo in 2020), they still elected to use Evolve as their bank, meaning some of the leaked transaction information and card PANs belong to Dave, and as such were processed by Galileo. The impact on Galileo is larger still, with Wise also being one of the FinTechs that uses Evolve and also uses Galileo.
This is not a security risk on Galileo's side and does not impact Galileo clients that were not using Evolve. What it does is give Galileo an opportunity to take proactive action. Dave and Wise (and perhaps others) will probably need to reissue cards, and they will also need a new bank, at least for the reissuance. It just so happens that SoFi Bank can be a debit and credit card issuer. If Galileo approaches the impacted clients and offers to help by providing SoFi Bank and the card reissuance at a discount, it could be a very big opportunity to anchor Galileo's clients further and also gain additional revenue and deposits (assuming these clients used Evolve for more than just card issuance).
Galileo should also, if it doesn't already exist, add to the Payment Risk Platform a capability that scans dark web dumps for card numbers and compares them against the cards Galileo itself has issued. This would let them block leaked cards, or at least warn their clients when their cards have been leaked. I am not sure how feasible or easy it would be to build something like this; I know there are services that scan the dark web for different things, Google for example allows scanning for an email address.
This, however, shows how important cybersecurity is and that even regulated banks are not safe. Hackers aim for the weakest link that gives them the best result for the least amount of effort (it only makes sense). Evolve handled the cards of multiple different FinTechs, and this is another risk sponsor banks have to take into account: concentrating many FinTechs' data in one place makes a sponsor bank a more attractive target.
And the final point, Thread Bank enforcement action and BaaS supervision.
This enforcement action was issued by the FDIC (search for Thread Bank in the bank name).
There are many new risks that Thread Bank has to assess under this action. Such a long list means a lot more work for the bank in assessing the risks of its partners. It is fair to assume that this kind of oversight might end up being required of all sponsor banks.
If Galileo could offer an API that gives banks all those risk data points for the FinTechs that use Galileo, Galileo could be a more preferable BaaS partner for banks and might pull FinTech clients further towards Galileo. Galileo already offers some of the things banks might need2, like transaction history over a period, but Galileo could also have its clients record which risks they already check for, making it easier and perhaps cheaper for the banks.
Another likely overlooked aspect of these potential regulations is that banks will have to decide whether it is even worth the trouble to be a sponsor bank for a FinTech, possibly raising the barrier to entry here as well. That would reduce the competition for SoFi Bank in this space too.
Disclaimer:
I have a position in SoFi, and this isn't financial advice and all that. Remember to always do your own due diligence; I can be wrong just as much as everyone else on the internet can be wrong. Doing your own research is important.
Thanks for covering this. I heard it mentioned, but that's about it.
Btw, do you know what Galileo's recurring revenue model is? I am assuming there is a rate-limit based flat fee for APIs, but I am just guessing. My theory is that they earn interchange fees only if they are the issuing bank as well.