Revolut’s US payment flaws allowed thieves to steal €18.2m

More problems for fintech as it waits for UK banking licence

A flaw in Revolut’s payment system in the US allowed criminals to steal more than $20 million (€18.2 million) of its funds over several months last year before the company could close the loophole, according to multiple people with knowledge of the episode.

The incident, which has not yet been disclosed publicly, is likely to add further pressure to the highly valued fintech, which has faced a string of senior departures and a qualified audit from BDO while it awaits a banking licence in the UK.

The problem stemmed from differences between European and US payment systems, which meant that when certain transactions were declined Revolut would erroneously refund accounts, handing them its own money, according to three people with knowledge of the situation.

Although Revolut recouped part of the roughly $23 million stolen by pursuing some of those who had taken funds, the net loss was about $20 million — equal to almost two-thirds of its annual net profit in 2021, those people added.


The problem first appeared episodically in late 2021. Organised criminal groups then took advantage of the fault early in 2022, according to three people with knowledge of the situation, encouraging individuals to try to make expensive purchases that would go on to be declined. This would then be cashed out via ATMs.

The fraud affected Revolut’s own corporate funds rather than customer accounts, two of the people familiar with the situation said.

Revolut’s systems failed to pick up the mass fraud and the problem came to light when a partner bank in the US notified the fintech that it was holding less cash than expected, the people told the Financial Times.

This was followed by requests from Revolut’s US subsidiary for multimillion dollar cash injections from its parent, after which the company worked to eventually close the flaw around spring 2022.

Revolut declined to comment on the case.

The loss relating to the theft was not specifically disclosed in the delayed 2021 results.

The fintech is still awaiting its banking licence in the UK, more than two years after first announcing its application, far longer than the typical turnround time of less than a year.

The UK’s Financial Conduct Authority ordered an independent review of Revolut’s policies to prevent and detect financial crime in 2020.

Auditor BDO separately warned that Revolut’s revenues could have been “materially misstated” as it was unable to satisfy itself of the “completeness and occurrence” of about two-thirds of its revenues reported for 2021.

Revolut has also faced several high profile departures in recent months, including both the chief executive of its UK bank James Radford and chief financial officer Mikko Salovaara.

Joel Kass, chief of staff and head of banking products for the UK entity, is also due to leave. Before joining Revolut, Kass spent three years at the Bank of England, including a year as a supervisor for new banks.

Revolut scam: 'I watched the total go down by another €5,000'

Listen | 23:37

“Joel Kass is leaving Revolut after three successful years,” said Revolut. “He is moving on to a senior opportunity outside of the business and we wish him all the best on his next steps.”

Two investors, venture capital firm Molten Ventures and asset manager Schroders, have also slashed the valuation of their stakes in Revolut by 40 per cent and 46 per cent respectively.

Revolut was last valued externally at $33 million in July 2021, when it became the UK’s most valuable private tech group before’s $40bn valuation in January 2022. – Copyright The Financial Times Limited 2023