Got funds on your Revolut card? If you do, you may wish to know what do the firm’s recent accounting problems say about the safety of its clients’ money. Read on to discover some alarming holes in the UK financial regulator’s safeguarding regime.
Revolut’s qualified accounts
Last week payment card giant Revolut published its 2021 accounts three months late, likely as a result of wrangling between the fintech firm and its auditor, BDO Hamlyn.
In the end, BDO raised a red flag by qualifying the accounts. The auditor said it could not satisfy itself concerning the “completeness and occurrence of revenue” totalling £477m—three quarters of Revolut’s reported income for the year.
Explaining its decision, BDO said in its auditor’s report that it had not been able to find reliable documentary evidence of these revenue streams outside of Revolut’s own IT system.
Like other financial technology (“fintech”) firms, Revolut’s dramatic growth path seems to have hit the buffers in the last couple of years.
But since then, fintech valuations have slid, including Revolut’s. Last week, the UK’s Daily Telegraph reported that one investor, US venture firm Triplepoint, had cut its internal valuation of Revolut by 15 percent.
Most press headlines in recent days have focused on Revolut’s revenue problems, profitability and market valuation. But another important question remains uncovered. Are its users’ funds safe?
Revolut is an electronic money institution (EMI), a category of financial firm covered by a different set of rules to banks.
As an EMI, Revolut cannot reuse client deposits, for example as the foundation for a lending business. Instead, it has to earn its income from fees and commissions, such as the interchange fees paid on debit card transactions.
EMI clients are far less protected
There’s another big difference between EMIs and banks: EMI clients are far less protected if the firm they use gets into trouble.
Depositors at a UK bank are protected by government insurance—called the Financial Services Compensation Scheme, or ‘FSCS’—up to a maximum of £85,000 per institution. If your bank goes bust, the government should refund your deposit within seven days.
To mitigate the risk that clients lose money, the UK’s Financial Conduct Authority (FCA) requires EMIs and payment service providers (PSPs) to follow a so-called “safeguarding” policy. This means that they have to keep their own money separate from client money or protect client funds with an insurance policy.
In 2020, following the dramatic collapse of German payments giant Wirecard after a massive fraud, the FCA beefed up its safeguarding rules.
Wirecard’s failure had caused a number of payment cards that were clients of Wirecard’s UK subsidiary to stop working. To unblock the cards, the FCA swiftly reversed an earlier decision to freeze the activities of that UK Wirecard entity.
Under the new, 2020 safeguarding rules, said the FCA, e-money and payment firms would have to undertake a number of extra steps to ensure that customer funds are kept separate from those of the service provider.
In particular, the FCA said, firms should be able to identify what relevant client funds the firm holds, ‘at any time and without delay’.
57 percent did not have adequate wind-down plans
But fintech firms’ practices have in the past fallen short of this goal.
In a 2021 webinar, FCA executive Peter Charles said that spot checks conducted by the regulator on a sample of payments firms and EMIs had shown that 57 percent did not have adequate wind-down plans, which would enable insolvency practitioners to identify quickly where customer funds are held and how to return them.
And if a payment firm or EMI were to fail, any costs of administration would be paid by customers from their safeguarded funds, the FCA confirmed.
In the 2020 failure of an EMI called Supercapital, which provided FX and international payments services, the insolvency firm deducted 10.5 percent of clients’ e-money balances to cover the costs of administration, while clients had to wait several months to get the remaining 89.5 percent of their funds back.
Revolut’s revenues a safeguarding problem?
In the auditor’s report that was published last week, BDO said it hadn’t been able to establish with sufficient certainty that Revolut’s reported revenues actually existed.
Shouldn’t this raise concerns over the payment firm’s safeguarding practices?
Not necessarily, said an auditor I interviewed for this article, who requested anonymity.
“There’s no obvious link to say that just because there’s a potential limitation about a company’s revenues, there’s also a concern about safeguarded funds,” said the auditor.
Revolut’s own auditor, BDO, would likely have checked debtor balances and cash positions before signing the accounts, this person said. Plus, he added, Revolut’s 31 December 2021 balance sheet does distinguish the firm’s own cash from restricted funds held on behalf of customers.
But BDO’s report of inadequate revenue accounting at Revolut doesn’t inspire confidence that the firm had a real-time check on its own and its customers’ balances.
“Normally for a fintech, revenue numbers would be passed in real time or as a batch into an accounting platform,” said a former Fintech CEO, who also requested anonymity.
shouldn’t fintechs be able to keep funds properly segregated?
“That needs to be done at a fairly atomised level. My understanding is that at Revolut there was just a single number aggregating all fund movements into the accounting ledger,” said the ex-CEO.
“The problem they then had was confirming that number against transactions,” he said.
If these practices had occurred, they would indeed create a risk of company and client funds getting mixed up, the ex-CEO said.
But shouldn’t fintechs be able to keep funds properly segregated during the working day? After all, they are supposed to be better at technology than banks and traditional financial firms, who usually reconcile funds only once a day.
According to regulatory consultant Bovill, the answer to that question should be yes. Real-time reconciliations of client and internal funds “can work in the more agile and technologically developed infrastructure payment service providers and EMIs operate in”, says Bovill.
The ex-CEO I spoke to said that, indeed, at his previous firm he had been able to view a second-by-second summary of his company’s balance sheet.
No transparency on safeguarding audit
There are other ways of checking how well Revolut was looking after its clients’ money. An obvious one would be to read the firm’s safeguarding audit, a separate form of financial report that’s been mandatory for EMIs and larger payment firms since 2020.
“We expect the firm to arrange specific annual audits of its compliance with the safeguarding requirements under the Payment Services Regulations/Electronic Money Regulations, if it is required to arrange an audit of its annual accounts under the Companies Act 2006,” the FCA wrote in 2020.
But this rule has not been enforced—and, amazingly, there is no mechanism for enforcing it.
“There’s not even a requirement for the safeguarding audit to be reported to the FCA,” the auditor I interviewed told me.
And even if it exists, the safeguarding audit is not made public.
I asked the FCA how many safeguarding audits it had received in the last two years, how many firms received clean audits in each year, why it didn’t require safeguarding audits to be published and what it did in the case of firms not meeting the safeguarding standards. The regulator didn’t reply.
I asked Revolut when its latest safeguarding audit had been conducted and by whom. I also asked if I could see the audit, but the firm didn’t reply.
Revolut also failed to answer other questions. I had asked it what changes it was making to its internal controls in order to give its auditor the necessary comfort over revenues. I asked it at which banks its client funds were held. And I asked Revolut whether it had submitted a “SUP15” notification form to the FCA in connection with the qualification in its audited annual accounts (firms receiving a qualification in their accounts are supposed to do so).
I contacted BDO to ask a straightforward question: does it conduct Revolut’s safeguarding audit, as well as its financial audit? It didn’t respond either.
It’s quite possible that communications on safeguarding have been going on behind the scenes between Revolut, its auditor and the regulator.
“Very few firms have an absolutely clean bill of health on safeguarding”
“If a firm can’t reconcile its safeguarded funds there is an indication that the firm should self-notify this to the FCA,” the auditor I interviewed told me.
“And if our safeguarding audit opinion of a firm contains exceptional findings that we think need to be brought to the attention of the regulator, we will send a copy to the FCA. But we are aware of firms out there that have kicked the can down the road and not done a safeguarding audit.”
There are other apparent causes for concern.
“Very few firms have an absolutely clean bill of health on safeguarding,” said another fintech consultant, who also requested anonymity.
Reckoning ahead for fintechs
According to payments veteran Grant Halverson, there’s a reckoning ahead for fintech firms that have expanded too much, too fast and are now contending with rising interest rates and a tougher compliance burden.
“Revolut is very aggressive and is following the Facebook playbook: ‘Rules don’t apply to us, we’re going to break everything and just bust through’,” Halverson told me.
“Rules don’t apply to us, we’re going to break everything and just bust through”
“That only takes you so far—until the regulators pop up.”
“Revolut’s cash burn is still high, with the firm getting two external loans, rather than going back to venture capital investors,” Halverson said, referring to the absence of an external funding round since 2021.
Private equity and venture capital-backed firms are loath to do a ‘down round’ (a fundraising at a lower valuation than the last one) because it can ruin the prospects of an eventual flotation on the public equity market.
There’s another, more fundamental problem facing Revolut, Halverson went on.
“Unless you can get a banking licence, how can you broaden out your revenue stream?” he queried.
Mikko Salovaara, Revolut’s chief financial officer, told the Guardian last week that the company was on the brink of getting a banking licence from the UK regulators.
“I think we’re at the very last stages. Really at the finish line,” he said.
Becoming a UK bank would undoubtedly relieve Revolut of a major headache. It would give the firm access to the UK deposit insurance scheme and remove all concerns over the safety of client funds—at least for smaller depositors.
Can BDO’s qualification of Revolut’s accounts have helped its licence application? It’s hard to see it as a positive.
But while Revolut remains an EMI, the UK’s shaky safeguarding regime cannot reassure those holding funds with the firm.
Revolut contacted me after the publication of this article to point out that its auditor had said in its report that it had been able to verify 100 percent of clients’ cash balances held with third parties as at year-end, as well as 99.99 percent of Revolut’s own cash balances at the same date.
Revolut said it had “remediated the limited functionality in its IT systems” (which had resulted in the auditor’s qualified opinion on revenues) during 2021.
In response to my question on where its clients’ cash was held, Revolut referred to a blog it had written on safeguarding but declined to give banks’ names. Revolut also declined to comment on whether and when it had conducted a safeguarding audit and whether it had submitted a SUP15 form to the regulator in connection with its qualified accounts. However, it said it had been in regular conduct with the FCA ahead of the publication of its accounts.
Sign up here for the New Money Review newsletter
Click here for a full list of episodes of the New Money Review podcast: the future of money in 30 minutes
Related content from New Money Review