In a year of challenges for Evolve Bank & Trust of West Memphis, the financial institution finds itself navigating regulatory action, cybersecurity concerns and legal issues, including at least two lawsuits seeking class-action status.
The bank, which has expanded its presence in recent years, now faces federal scrutiny over its risk management practices and the fallout from a major data breach.
The bank has said action by the Federal Reserve Board “stemmed from a routine regulatory review” and doesn’t affect existing business, customers or deposits.
As for the data breach, the company’s website states that the bank is “in the process of further strengthening our security response protocols, policies and procedures and our ability to detect and respond to suspected incidents.”
Though Evolve agreed to respond by Sept. 20 to questions from Arkansas Business regarding how the bank is moving forward, the Federal Reserve action, data breach, banking as a service and other topics, the institution hadn’t responded to the questions before press deadline on Wednesday. However, a spokesman did provide a statement Wednesday morning.
“Moving past these instances means more than just addressing what happened — it means learning from them and continually evolving,” the statement said. “By investing in exceptional personnel, enhanced compliance tools, cutting-edge security systems, and modern due diligence processes, we’re ensuring Evolve is ready to lead for decades to come. Our loyal customers, clients, partners and employees have stood by us through thick and thin, and they continue to place their trust in us, even in the face of challenges. It’s that trust that fuels everything we do. We take it seriously, and we work relentlessly to uphold it.”
Evolve has seen rapid growth since 2019, particularly in its banking as a service, or BaaS, offerings. This growth has been driven by its partnerships with fintech companies, which use the bank to provide financial products and services to their customers.
Evolve was a community bank with assets of about $450 million and net income of less than $5 million in 2019. Three years later its net income ballooned to $25.5 million on assets that peaked at $1.75 billion. By the end of 2021, Evolve’s trust department overtook Simmons Bank of Pine Bluff to lead the state in trust assets under management: $9.75 billion.
Assets and net income then leveled off as trust assets began to decline. Then in June, two events disrupted the institution, the first involving an enforcement action by regulators and the second the bank’s disclosure that it was a victim of a cyberattack resulting in a significant data breach.
On June 11, the Federal Reserve Board issued an enforcement action against Evolve Bank & Trust and its parent company, Evolve Bancorp Inc., claiming the bank had deficiencies in its anti-money laundering, risk management and consumer compliance programs. The action was taken in conjunction with the Arkansas State Bank Department.
The Federal Reserve found that Evolve had “engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework” for its fintech partnerships. Those partnerships, part of Evolve’s open banking, have been a key part of the bank’s growth.
Open banking provides financial service providers access to data from banks and nonbank institutions through the use of application programming interfaces, commonly known as APIs. It carries higher risks for consumers, as their data is shared more widely, but also allows customers to securely share their financial data with other financial institutions.
The enforcement requires Evolve to improve its policies and programs in several areas. Notably, the bank is prohibited from entering into new fintech partnerships or establishing new products, programs, services or program managers related to open banking without prior approval from the Federal Reserve.
Evolve Bank & Trust by the Numbers
Year |
Net Income |
Assets |
Trust Assets Under Management |
Employees (FTE) |
2024* | $7.00 mil. | $1.68 bil. | $1.94 bil.** | 485 |
2023 | $24.67 mil. | $1.43 bil. | $5.58 bil. | 468 |
2022 | $25.54 mil. | $1.75 bil. | $8.14 bil. | 518 |
2021 | $12.95 mil. | $788.11 mil. | $9.75 bil. | 492 |
2020 | $10.99 mil. | $691.61 mil. | $2.65 bil. | 408 |
2019 | $4.70 mil. | $451.29 mil. | $1.49 bil. | 334 |
*Through June 30
**Non-managed custody and safekeeping account total declined from $5.08 billion to $1.4 billion between Dec. 31 and June 30
Locations
Arkansas |
4 full-service branches |
West Memphis, Jonesboro, Parkin, Wynne
|
3 loan production offices |
Jonesboro, Marion, Highland
|
|
Tennessee |
1 full-service branch | Memphis |
1 limited-service branch | Memphis | |
1 loan production office | Memphis | |
California |
2 home loan offices |
Newport Beach, Rancho Palos Verdes
|
Connecticut |
3 home loan offices |
Danbury, West Hartford, Old Saybrook
|
Delaware |
2 home loan offices |
Newark, Rehoboth Beach
|
Georgia |
1 home loan office | Roswell |
Massachusetts |
4 home loan offices |
Easthampton, North Andover, Westborough, Wilbraham
|
Maryland |
1 home loan office | Gaithersburg |
New York |
2 home loan offices |
East Setauket, Saratoga Springs
|
Oregon |
1 home loan office | Bend |
Source: Federal Deposit Insurance Corp. and Federal Financial Institutions Examination Council
The order required Evolve to submit a plan to strengthen board oversight and enhance risk management of its Open Banking Division within 90 days. Within 60 days of the action, Evolve was required to improve capital and liquidity risk management, enhance lending and credit risk management policies, improve interest rate risk management practices, correct information technology and information security deficiencies and enhance the internal audit program.
The bank told Arkansas Business in June that it had agreed to “take certain measures to further bolster our compliance oversight and enterprise risk management functions,” and that the Fed’s action “stemmed from a routine regulatory review.”
Though the Arkansas Bank Department declined to comment specifically on the Federal Reserve action or whether Evolve had submitted its required 60- and 90-day updates, there is typically a stringent followup process to Fed actions.
Evolve’s Response
Just days after the Federal Reserve’s enforcement action, Evolve disclosed on June 18 that it had fallen victim to a cyberattack resulting in a significant data breach.
In response to the breach, Evolve’s website says the bank has taken steps to enhance its security measures. These include resetting passwords, reconstructing identity management components, hardening firewall and dynamic security appliances and deploying additional security tools.
The bank has also committed to notifying affected individuals and offering two years of free credit monitoring and identity theft protection services. Evolve began sending out individual notifications on July 8.
Evolve is no longer No. 1 in trust assets but remains a significant player. It will be No. 2 behind traditional trust powerhouse Simmons when Arkansas Business ranks trust departments by Dec. 31, 2023, assets under management next month. But that total of $5.58 billion from almost nine months ago does not reflect what has happened this year.
As of June 30, total trust assets under management had dropped below $2 billion, primarily in the category of non-managed custody and safekeeping accounts, according to call reports filed with the Federal Financial Institutions Examination Council. The balance in that category declined from $5.08 billion to $1.4 billion in the first six months of this year. Curiously, the bank had more custody clients as of June 30 — 1,120 accounts — than the 1,053 reports on Dec. 31, suggesting the loss of a very large client or clients.
Founded in 1925, Evolve will celebrate its centennial in 2025. The bank also recently announced an expansion into northwest Arkansas with the opening of a loan center in Rogers.
Data Breach Challenges
According to Evolve’s website, the bank identified in late May that some of its systems were not functioning properly. Initially believed to be a hardware failure, it was subsequently discovered to be unauthorized activity. The bank reported that a “known cybercriminal organization” had stolen customers’ data and personal information, potentially affecting millions of individuals.
The cybercriminals, identified as the ransomware group LockBit, gained access to Evolve’s systems when an employee inadvertently clicked on a malicious internet link. The hackers accessed and downloaded customer information in February and May of this year.
LockBit is a ransomware-as-a-service gang that leases its technical tools to affiliates and demands a cut of any extortion payments.
The compromised information includes names, Social Security numbers, birth dates and account information of retail bank customers and fintech partners’ customers. Evolve has stated that debit cards and online and digital banking credentials did not appear to be affected.
After Evolve refused to pay the ransom demanded by the group, LockBit leaked the downloaded data. It also mistakenly attributed the source of the data to the Federal Reserve Bank.
Evolve’s website says an investigation into the breach is ongoing.
“We engaged cybersecurity specialists to investigate and determined that unauthorized activity may have been the cause,” the website’s cybersecurity page states.
It also states the bank “promptly initiated” an incident response process, engaged outside specialists to investigate, hired a firm to help restore services and reported the incident to law enforcement.
Lawsuits Filed
The data breach has resulted in legal action against Evolve.
Chris Jennings, a lawyer with Jennings PLLC in Little Rock, filed a 50-page class-action lawsuit Aug. 7, alleging that the bank failed to adequately protect customers’ personally identifiable information.
Another client initiated a 40-page class-action lawsuit against the financial institution Sept. 13 through the Poynter Law Group of Little Rock.
“The chief allegation is that Evolve didn’t do enough to protect their clients’ information,” Jennings said. “This could be either through the security systems that they have set up, how they monitor those systems or how they train their employees to deal with these types of threats.”
The lawsuit alleges multiple causes of action, including negligence, breach of fiduciary duty, breach of confidence and intrusion of privacy.