Evolve Bank & Trust: $11.85M Settlement After BaaS Supply Chain Breach — The DORA Subcontracting Warning
Banking | Banking-as-a-Service Provider | 2024 (breach); December 15, 2025 ($11.85M settlement final approval)


LockBit ransomware compromised Evolve Bank, exposing 18 million individuals through the Synapse Financial Technologies BaaS chain and resulting in one of the largest US banking breach settlements of 2025.


Key Metrics

Individuals Affected

18 million


Largest BaaS-related breach

Settlement Amount

$11.85M


Final approval December 15, 2025

Supply Chain Depth

Bank -> BaaS middleware -> Fintech apps -> Consumers


Three service layers between the end consumer and the deposit-holding bank

Attack Vector

LockBit ransomware


Targeted chartered bank layer

The Situation

The Subcontracting Chain Problem

The Evolve Bank breach illuminates a structural pattern that DORA's subcontracting provisions were explicitly designed to address: multi-layered ICT service chains where the financial entity's risk exposure extends far beyond its direct contractual relationships.

The BaaS chain anatomy. The Evolve/Synapse chain operated as follows: End consumers held accounts through fintech applications (the user-facing layer). These fintech apps relied on Synapse Financial Technologies as a middleware platform that provided API connectivity, ledger management, and compliance tools. Synapse, in turn, relied on Evolve Bank & Trust as the chartered bank providing deposit-holding, payment processing, and regulatory coverage. Customer data flowed through all three layers, but the security posture of the entire chain was only as strong as its weakest link.

The subcontracting visibility gap. The end consumer had a relationship with a fintech app; the fintech app had a relationship with Synapse; Synapse had a relationship with Evolve. From a security perspective, however, the customer's data was stored at and processed by Evolve, an entity the end consumer had never heard of and one the fintech app may never have directly assessed for cybersecurity posture. This layered opacity is the defining characteristic of subcontracting chains, and it is precisely what DORA's subcontracting RTS (Delegated Regulation (EU) 2025/532) addresses.

Synapse's collapse. The situation was compounded by Synapse Financial Technologies' bankruptcy filing in April 2024, shortly before the Evolve breach became public. The middleware provider's collapse created a crisis for the fintech apps that depended on it, with some customers reporting difficulty accessing their funds. A cybersecurity breach at the chartered bank and a business failure at the middleware provider combined into a compound crisis that tested the resilience of the entire BaaS ecosystem.

The 18-million-person impact. The scale of the data exposure — 18 million individuals — reflects the aggregation effect of BaaS chains. Because Evolve served as the banking infrastructure for multiple fintech platforms through Synapse, a single breach at the bank layer exposed the customer data of all connected fintech platforms simultaneously. This amplification effect is the supply chain version of concentration risk: one bank, one middleware provider, multiple fintech apps, millions of customers.

Regulatory response. The Federal Reserve issued a consent order against Evolve Bank in June 2024, citing deficiencies in the bank's risk management, compliance, and anti-money laundering practices related to its fintech partnerships. The consent order predated the full scope of the data breach becoming public and signaled that regulators were already concerned about the risk management practices within BaaS relationships.

The Challenge

The BaaS Chain Reaction

The Evolve Bank & Trust breach represents one of the most consequential demonstrations of supply chain risk in modern banking — not because of the initial attack vector, but because of the layered intermediary chain that amplified a single ransomware event into an 18-million-person data exposure.

Evolve Bank & Trust, a Memphis-based FDIC-insured bank, had positioned itself as a Banking-as-a-Service (BaaS) provider — offering its banking charter and regulatory licenses to fintech companies that wanted to offer financial products without obtaining their own banking licenses. This BaaS model, which grew explosively during the 2020-2024 fintech boom, creates a multi-layered supply chain: the end consumer interacts with a fintech app, the fintech app relies on a middleware platform (in this case, Synapse Financial Technologies), and the middleware platform connects to the chartered bank (Evolve) that holds the actual deposits and provides the regulatory umbrella.

When the LockBit ransomware group — one of the most prolific and destructive ransomware operations globally — compromised Evolve Bank's systems, the blast radius extended through the entire BaaS chain. According to breach notification filings and press coverage by American Banker, the Wall Street Journal, and other outlets, approximately 18 million individuals had their personal data exposed. The exfiltrated data included personally identifiable information, financial account details, and transaction records — data that had been aggregated across the multiple fintech platforms connected to Evolve through the Synapse middleware layer.

The financial resolution was substantial. Evolve Bank agreed to a settlement of $11.85 million — with final court approval granted on December 15, 2025. This figure represents the direct settlement cost; the total financial impact including legal fees, remediation costs, regulatory engagement, and business disruption was significantly higher.

The timing of the breach and its resolution coincided with a critical DORA development: the European Commission adopted the DORA subcontracting Regulatory Technical Standard (Delegated Regulation 2025/532) on March 24, 2025. This RTS specifically addresses the risk of subcontracting chains in ICT service delivery — precisely the structural vulnerability that the Evolve/Synapse breach demonstrated.

The Approach

DORA's Subcontracting Framework: Built for This Scenario

The Evolve/Synapse breach is a near-perfect case study for DORA's subcontracting provisions, which the European Commission adopted as Delegated Regulation (EU) 2025/532 on March 24, 2025: after the breach itself, but before its settlement was finalized.

Art. 30(2)(a) and 30(5) — Subcontracting Conditions

DORA Art. 30(2)(a) requires that a financial entity's contract with an ICT third-party provider state whether subcontracting of an ICT service supporting a critical or important function is permitted and, if so, on what conditions; Art. 30(5) mandates the RTS that specifies those conditions, including that the obligations placed on the direct provider flow down to its subcontractors. The Evolve/Synapse chain is precisely the scenario these provisions target: Synapse (the direct provider to fintech apps) relied on Evolve for banking infrastructure, but Evolve may not have been assessed with the same rigor as Synapse itself.

Delegated Regulation 2025/532 — Subcontracting RTS

The DORA subcontracting RTS, adopted March 24, 2025, establishes specific requirements for managing subcontracting chains where the ICT service supports a critical or important function. Key provisions relevant to the Evolve case include:

Monitoring the full chain: The RTS requires financial entities to maintain visibility into the full subcontracting chain — not just their direct ICT provider, but the providers that their provider relies upon. In the BaaS context, this means a fintech operating under DORA scope would need visibility into Synapse's dependency on Evolve, and Evolve's own cybersecurity posture.

Security assessment propagation: The RTS requires that security standards propagate down the subcontracting chain: the security requirements imposed on the direct provider must be contractually extended to its subcontractors. Had an equivalent requirement been in place and enforced, the control weaknesses at Evolve that LockBit exploited would have fallen within the scope of the fintech's (or its direct provider's) vendor risk assessment.

Notification obligations: The RTS requires subcontracting chains to maintain incident notification pathways that ensure the financial entity is informed of security incidents at any layer of the chain, within timelines consistent with DORA Art. 19's reporting requirements.

Art. 30 — Key Contractual Provisions

Art. 30(2) specifies mandatory contractual elements for agreements with ICT third-party providers supporting critical or important functions. In the BaaS context, these provisions should flow through the entire chain:

  • Data protection: Contractual requirements for data security must extend through Synapse to Evolve, covering the full lifecycle of customer data.
  • Audit rights: The financial entity (or its direct provider) must have the contractual right to audit security at all layers of the subcontracting chain.
  • Incident notification: Contractual notification timelines at every layer must leave the financial entity able to meet DORA's initial-notification deadline for a major incident: 4 hours from classifying the incident as major, and in any case no later than 24 hours from becoming aware of it (Delegated Regulation (EU) 2025/301).
  • Exit strategies: If a subcontractor (Evolve) is compromised, the financial entity needs a documented path to migrate to an alternative banking infrastructure provider.
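The chain-visibility and notification points from the RTS section above and the Art. 30 contractual checklist can be turned into a mechanical check over the entity's register of information. The following Python is an added example, not code from the original page, from Valendir, or from any regulator. The provider names, control flags, SLA hours and the 24-hour chain-latency budget are constructed for the illustration; the 4h/24h rule in initial_notification_deadline is the initial-notification deadline for a major incident from the DORA incident-reporting RTS (Delegated Regulation (EU) 2025/301). The code walks a fintech -> middleware -> bank chain, flags any layer lacking audit rights, an exit strategy or a notification SLA, and adds up the worst-case time an incident at the deepest layer could take to reach the financial entity, which is what decides whether Art. 19 reporting is feasible at all.

```python
"""Subcontracting-chain check over a simplified DORA register of information.

Added example, not code from the original page or from Valendir. Entity names,
control flags, SLA hours and the 24-hour chain-latency budget are constructed
for the illustration. The 4h/24h initial-notification rule is from the DORA
incident-reporting RTS (Delegated Regulation (EU) 2025/301).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Provider:
    """One ICT provider layer as the financial entity records it."""
    name: str
    subcontractors: list[str] = field(default_factory=list)  # next layer down
    audit_rights: bool = False             # contractual right to audit this layer
    exit_plan: bool = False                # documented migration path away from it
    notify_sla_hours: float | None = None  # hours it has to notify the layer above


# Constructed register mirroring the page's chain: the fintech is the DORA-scope
# financial entity, Middleware its direct provider, CharterBank the subcontractor.
AS_FOUND = {
    "Middleware": Provider("Middleware", ["CharterBank"], audit_rights=True,
                           exit_plan=True, notify_sla_hours=24),
    "CharterBank": Provider("CharterBank", [], audit_rights=False,
                            exit_plan=False, notify_sla_hours=72),
}

# Same chain after Art. 30(2)-style terms have been pushed down to the bank layer.
HARDENED = {
    "Middleware": Provider("Middleware", ["CharterBank"], audit_rights=True,
                           exit_plan=True, notify_sla_hours=4),
    "CharterBank": Provider("CharterBank", [], audit_rights=True,
                            exit_plan=True, notify_sla_hours=4),
}

INITIAL_NOTICE_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_NOTICE_AFTER_AWARENESS = timedelta(hours=24)


def expand_chain(register, direct_provider):
    """List every layer reachable from the direct provider as (name, depth), top-down.
    A provider missing from the register, or a subcontracting cycle, is an error:
    both mean the entity cannot actually see its full chain."""
    chain = []

    def walk(name, depth, path):
        if name in path:
            raise ValueError("subcontracting cycle: " + " -> ".join(path + [name]))
        if name not in register:
            raise KeyError(f"{name} is referenced as a subcontractor but not recorded")
        chain.append((name, depth))
        for sub in register[name].subcontractors:
            walk(sub, depth + 1, path + [name])

    walk(direct_provider, 1, [])
    return chain


def worst_case_latency_hours(register, direct_provider):
    """Longest root-to-leaf sum of notification SLAs: how long an incident at the
    deepest layer may take to reach the financial entity if every layer uses its
    full contractual window. A layer with no SLA makes the latency unbounded."""
    def latency(name):
        p = register[name]
        own = float("inf") if p.notify_sla_hours is None else p.notify_sla_hours
        below = max((latency(sub) for sub in p.subcontractors), default=0.0)
        return own + below

    return latency(direct_provider)


def check_chain(register, direct_provider, max_chain_latency_hours=24.0):
    """Return the gaps a reviewer would flag: missing audit rights, exit strategy or
    notification SLA at any layer, and a chain whose worst-case notification latency
    exceeds the entity's own policy budget (24h here, an assumed value)."""
    findings = []
    for name, depth in expand_chain(register, direct_provider):
        p = register[name]
        if not p.audit_rights:
            findings.append(f"layer {depth} ({name}): no audit rights")
        if not p.exit_plan:
            findings.append(f"layer {depth} ({name}): no exit strategy")
        if p.notify_sla_hours is None:
            findings.append(f"layer {depth} ({name}): no incident-notification SLA")
    latency = worst_case_latency_hours(register, direct_provider)
    if latency > max_chain_latency_hours:
        findings.append(f"chain: worst-case notification latency {latency:g}h "
                        f"exceeds the {max_chain_latency_hours:g}h budget")
    return findings


def initial_notification_deadline(classified_at, aware_at):
    """Deadline for the initial notification of a major incident: 4 hours from
    classification, but never later than 24 hours from when the entity became aware."""
    return min(classified_at + INITIAL_NOTICE_AFTER_CLASSIFICATION,
               aware_at + INITIAL_NOTICE_AFTER_AWARENESS)


if __name__ == "__main__":
    for label, reg in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(label, check_chain(reg, "Middleware") or ["no findings"])
```

Run as-is, the as-found register yields findings at the bank layer plus a 96-hour worst-case latency (24h middleware SLA on top of a 72h bank SLA), while the hardened register yields none. A register that references a subcontractor it does not record, or that contains a cycle, raises rather than returning a partial chain, because either condition means the entity does not really see its chain.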

Art. 17-23 — Incident Management Across the Supply Chain

The multi-layered nature of the Evolve breach created incident management complexity that DORA's framework explicitly anticipates. The financial entity's incident classification and reporting obligations (Art. 17-19) apply regardless of where in the supply chain the breach originated. The challenge is obtaining timely, accurate information from subcontractors to enable classification within DORA's timelines.

The Results

Settlement, Regulatory Action, and Structural Implications

The Evolve Bank breach resulted in one of the largest banking breach settlements of 2025 and triggered regulatory actions that signal a fundamental shift in how BaaS risk is supervised.

The $11.85M Settlement

The settlement, approved December 15, 2025, covered direct compensation to affected individuals, credit monitoring services, and remediation costs. The per-individual settlement amount was modest given the 18 million affected — approximately $0.66 per person — reflecting the class action dynamics where settlement funds are distributed across a very large class. However, the total institutional cost was significantly higher when including legal fees (estimated at several million dollars), system remediation costs, enhanced monitoring obligations, and the ongoing business impact of reputational damage and regulatory scrutiny.

The Federal Reserve's June 2024 consent order against Evolve Bank was remarkable for its scope. It cited deficiencies in:

  • Risk management practices related to fintech partnerships
  • Compliance frameworks for BaaS operations
  • Anti-money laundering controls in the fintech channel
  • Board oversight of third-party risk

The consent order effectively validated the regulatory concern that BaaS operations create risk management challenges that many banks had not adequately addressed. For DORA observers, the consent order reads as a US regulatory parallel to DORA's third-party risk management framework — identifying the same structural vulnerabilities that DORA Art. 28-30 addresses through mandatory contractual provisions and ongoing monitoring requirements.

Implications for DORA Implementation

1. BaaS chains are subcontracting chains. Under DORA's subcontracting RTS (Delegated Regulation (EU) 2025/532), a BaaS relationship where a fintech app relies on a middleware provider that relies on a chartered bank constitutes a subcontracting chain that must be documented, assessed, and monitored end-to-end. European fintechs in DORA scope that use BaaS infrastructure must map their full supply chain and ensure security requirements propagate to every layer. Note that DORA governs the ICT services in that chain (API connectivity, ledger management, payment processing); the deposit-holding itself is a financial service subject to sectoral outsourcing rules rather than to DORA.

2. The middleware layer is the aggregation point and the visibility gap. Synapse's role as middleware between fintechs and Evolve concentrated the customer data of every connected fintech, and it was also the point at which the fintechs' view of their own supply chain stopped. The breach itself occurred one layer further down, at the bank, which is exactly the layer a fintech assessing only its direct provider would never examine. DORA's approach of requiring assessment of the full chain removes the assumption that an entity's security posture can be inferred from its position in the chain.

3. Settlement costs are the tip of the iceberg. The $11.85M settlement represents direct compensation. The full cost, including the Federal Reserve consent order, enhanced compliance obligations, system remediation, reputational damage, and lost business, is likely several multiples of the settlement figure. Evolve is outside DORA's jurisdiction, but for an entity in scope, administrative penalties under DORA Art. 50-54, as implemented by national competent authorities, would come on top of civil liability, making the total cost of inadequate subcontracting oversight substantially higher.

4. Subcontractor failure is not an excuse. Under DORA, the financial entity remains responsible for its operational resilience regardless of where in the subcontracting chain a failure occurs. The Evolve breach originated at the bank layer, but the fintechs — and their customers — bore the consequences. DORA's framework ensures that the entity with the regulatory obligation (the financial entity) cannot outsource its accountability.

Lessons Learned

  1. DORA Delegated Regulation (EU) 2025/532 (subcontracting RTS) directly addresses the structural vulnerability demonstrated by the Evolve/Synapse chain: multi-layered ICT service delivery where a security gap at any layer compromises the entire chain.
  2. DORA Art. 30(2)(a) and the subcontracting RTS require that security standards propagate through the full chain. Had BaaS middleware providers been contractually obligated to assure the chartered bank's security, the control weaknesses at Evolve that LockBit exploited might have been identified earlier.
  3. DORA Art. 30 contractual provisions requiring audit rights, incident notification, and exit strategies must extend through the full subcontracting chain, not just the direct provider relationship.
  4. DORA Art. 17-23 incident management obligations apply to the financial entity regardless of where in the supply chain the breach originates. Incident notification pathways through subcontracting chains must be pre-defined and tested.
  5. BaaS relationships are subcontracting chains under DORA. European fintechs in DORA scope must map their full banking infrastructure supply chain and apply DORA subcontracting requirements end-to-end.
Tags: ransomware, BaaS, supply-chain, Art-28, subcontracting, LockBit, settlement, Synapse, fintech

Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.

Facing similar challenges?

See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.