San Francisco-based digital bank Mercury, a popular banking partner for African startups, has announced the closure of accounts in thirteen African countries by August 22, 2024. This decision comes in the wake of a series of challenges faced by the bank, including a recent cybersecurity attack on partner bank Evolve Bank & Trust, increased regulatory scrutiny of fintechs, and ongoing concerns regarding money laundering and terrorism financing regulations.
The thirteen African countries affected by Mercury’s account closure restrictions are: Burundi, Cameroon, Central African Republic, Democratic Republic of Congo, Republic of Congo, Liberia, Mali, Mozambique, Nigeria, Somalia, South Sudan, Sudan, and Zimbabwe.
Cybersecurity Incident and Data Breach at Evolve Bank & Trust
In late May 2024, Evolve Bank & Trust, a key partner of Mercury, suffered a ransomware attack by the criminal organization LockBit. The attack was initiated when an employee inadvertently clicked on a malicious link, granting unauthorized access to Evolve’s systems. While customer funds remained secure, the attackers downloaded sensitive customer information, including names, social security numbers, bank account numbers, and contact information.
Evolve has taken swift action to mitigate the damage and enhance security, including resetting passwords, reconstructing critical identity and access management components, and deploying additional security tools. Evolve also refused to pay the ransom demanded by LockBit, which resulted in the data being leaked; the leaked data was mistakenly attributed to the Federal Reserve Bank. Evolve has started notifying affected customers and offering credit monitoring and identity theft protection services.
Regulatory Crackdown and Compliance Concerns
The closure of Mercury accounts in African countries also follows increased regulatory scrutiny of fintechs in the wake of insolvency and ledger issues at Silicon Valley Bank and Synapse. Choice, one of Mercury’s banking-as-a-service providers, recently overhauled its KYC (Know Your Customer) process due to concerns regarding lax user onboarding and potential breaches of money laundering or terrorism financing laws.
Additionally, some of the affected African countries have been placed on the Financial Action Task Force (FATF) Greylist, subjecting them to additional scrutiny due to deficiencies in their anti-money laundering and counter-terrorism financing regulations. This greylisting further complicates operations for businesses operating in these regions, as they are perceived as high-risk for financial crimes.
Impact on African Startups and Alternatives
The closure of Mercury accounts will significantly impact African startups, particularly those in Nigeria, that rely on the platform for receiving dollar funding from investors and managing their finances. While Mercury has not explicitly cited the FATF greylisting as a reason for the closures, experts believe it plays a role in the decision. Internal communications from Mercury suggest a “zero tolerance” policy on banking companies in sanctioned regions.
Affected startups are now exploring alternative options, such as Brex, Ramp, Wise, or fintechs like Leatherback, Raenest, and Graph. These alternatives offer similar services and may provide a lifeline for startups navigating this challenging situation. Some startups are also considering moving their operations to countries not affected by the restrictions.
Looking Ahead
The closure of Mercury accounts in African countries highlights the complex interplay of cybersecurity risks, regulatory compliance, and geopolitical factors in the fintech industry. As startups grapple with the fallout, the incident underscores the importance of robust security measures, stringent compliance procedures, and diversified banking partnerships.
While Mercury’s decision presents a setback for African startups, it also serves as a catalyst for exploring innovative financial solutions and fostering a more resilient fintech ecosystem in the region.