Revolut, a prominent fintech company, experienced a significant security breach in its US payment system, resulting in criminals stealing more than $20 million over several months in 2022. The incident has been reported by Financial Times (FT), but Revolut hasn’t publicly disclosed the incident yet. The incident has further exacerbated the challenges faced by Revolut, including senior departures, a qualified audit, and delays in obtaining a banking license in the UK.Â
The Breach and its Consequences:
According to sources familiar with the matter, a flaw in Revolut’s payment system allowed criminals to exploit the differences between European and US payment systems. When certain transactions were declined, Revolut mistakenly refunded accounts, inadvertently transferring its funds to the fraudsters. The problem initially emerged in late 2021 but escalated when organized criminal groups exploited the flaw in early 2022. These groups encouraged individuals to make expensive purchases that would be declined, subsequently enabling them to cash out the refunds through ATMs.
Revolut was only alerted to the issue when a partner bank in the US notified the company of a discrepancy in its cash holdings. As a result, Revolut’s US subsidiary requested multimillion-dollar cash injections from the parent company to mitigate the situation. The flaw was eventually resolved in the spring of 2022. However, the theft incurred a net loss of approximately $20 million, equivalent to nearly two-thirds of Revolut’s annual net profit in 2021. It is worth noting that the stolen funds belonged to Revolut’s corporate accounts rather than its customers’ accounts.
Revolut’s Challenges and Fallout:
The theft incident comes at a challenging time for Revolut, as the company faces various difficulties. Notably, Revolut’s banking license application in the UK, initially submitted in 2021, remains pending, far exceeding the usual turnaround time. The UK’s Financial Conduct Authority had previously ordered an independent review of Revolut’s policies to prevent and detect financial crime. In addition, the company recently underwent a qualified audit by BDO, raising concerns about the accuracy of its reported revenues for 2021.
Furthermore, Revolut has witnessed the departure of key personnel, including the chief executive of its UK bank and the chief financial officer. Joel Kass, the chief of staff and head of banking products for the UK entity, is also set to leave. Alongside these challenges, Revolut’s valuation has been downgraded by venture capital firm Molten Ventures and asset manager Schroders, indicating a loss of confidence in the company’s prospects.
Revolut’s Response and Future Outlook:
Revolut has refrained from commenting on the specific case but will likely face increased pressure and scrutiny due to the security breach. As it awaits its UK banking license, the company must address the issues raised by the qualified audit and implement robust measures to prevent similar incidents in the future. Revolut’s expansion efforts in the US, including introducing the Shops feature and the robo-advisor tool, indicate its commitment to growth despite these setbacks.
Conclusion:
The security breach and subsequent theft of over $20 million from Revolut’s corporate funds have exposed the company’s US payment system vulnerabilities. This incident adds to the challenges faced by Revolut, including regulatory scrutiny, senior departures, and a downgraded valuation. To regain trust and safeguard its operations, Revolut must address the flaws in its payment system, enhance its security measures, and demonstrate transparency and accountability in its financial reporting.
