Revolut’s US payment flaws allowed thieves to steal $20mn
Receive free Fintech updates
We’ll send you a myFT Daily Digest email rounding up the latest Fintech news every morning.
A flaw in Revolut’s payment system in the US allowed criminals to steal more than $20mn of its funds over several months last year before the company could close the loophole, according to multiple people with knowledge of the episode.
The incident, which has not yet been disclosed publicly, is likely to add further pressure to the highly valued fintech, which has faced a string of senior departures and a qualified audit from BDO while it awaits a banking licence in the UK.
The problem stemmed from differences between European and US payment systems, which meant that when certain transactions were declined Revolut would erroneously refund accounts, handing them its own money, according to three people with knowledge of the situation.
Although the problem first appeared episodically in late 2021, organised criminal groups took advantage of the fault early in 2022, according to three people with knowledge of the situation, encouraging individuals to try to make expensive purchases that would go on to be declined. This would then be cashed out via ATMs.
Revolut’s systems failed to pick up the mass fraud and the problem came to light when a partner bank in the US notified the fintech that it was holding less cash than expected, the people with knowledge of the situation told the Financial Times.
This was followed by requests from Revolut’s US subsidiary for multimillion dollar cash injections from its parent, after which the company worked to eventually close the flaw around spring 2022.
Although Revolut recouped part of the roughly $23mn stolen by pursuing some of those who had taken funds, the net loss was about $20mn — equal to almost two-thirds of its annual profit in 2021, those people added.
Revolut declined to comment on the case.
The loss relating to the theft was not specifically disclosed in the delayed 2021 results.
The fintech is still awaiting its banking licence in the UK, more than two years after first announcing its application, far longer than the typical turnround time of less than a year.
The Financial Conduct Authority ordered an independent review of Revolut’s policies to prevent and detect financial crime in 2020.
Auditor BDO separately warned that Revolut’s revenues could have been “materially misstated” as it was unable to satisfy itself of the “completeness and occurrence” of about two-thirds of its revenues reported for 2021.
Revolut has also faced several high profile departures in recent months, including both the chief executive of its UK bank James Radford and chief financial officer Mikko Salovaara.
Joel Kass, chief of staff and head of banking products for the UK entity, is also due to leave. Before joining Revolut, Kass spent three years at the Bank of England, including a year as a supervisor for new banks.
“Joel Kass is leaving Revolut after three successful years,” said Revolut. “He is moving on to a senior opportunity outside of the business and we wish him all the best on his next steps.”
Two investors, venture capital firm Molten Ventures and asset manager Schroders, have also slashed the valuation of their stakes in Revolut by 40 per cent and 46 per cent respectively.
Revolut was last valued externally at $33bn in July 2021, when it became the UK’s most valuable private tech group before Checkout.com’s $40bn valuation in January 2022.
Additional reporting by Stefania Palma in Washington DC
Read the full article Here