Licence Granted, Work Begins: Revolut's UK Banking Approval

On 11 March 2026, the Prudential Regulation Authority (PRA) lifted the restrictions on Revolut's UK banking licence, granting Revolut Bank UK Ltd full authorisation to operate as a bank in its home market. The announcement ended an application process that had begun in January 2021 and had, over the intervening five years, become a case study in the regulatory difficulty of licensing a global-scale neobank. Yet the granting of the licence does not draw a line under Revolut's relationship with financial crime compliance. It opens a new and considerably more demanding chapter.

Revolut now serves 13 million UK customers and over 70 million globally. Its 2024 figures show £3.1 billion in revenue, £1.089 billion in profit before tax, and £1 trillion in transaction volume. It is, by any measure, a systemically significant payments and banking platform. The PRA's decision to grant full authorisation signals confidence that Revolut's risk infrastructure has reached an acceptable standard. It also signals that Revolut is now subject to the full weight of UK banking supervision, including the financial crime obligations that come with it.

A licence deferred: the compliance backdrop

The application history is instructive. Revolut first applied for a UK banking licence in January 2021. The PRA granted a restricted licence in July 2024, placing the firm in a mobilisation phase during which it could hold no more than £50,000 in total customer deposits across its restricted banking entity. The mobilisation phase, which the PRA describes as typically lasting around 12 months, stretched to over 18 months for Revolut: the longest such period for a newly licensed UK bank. The extension was not routine.

According to reporting by the Financial Times and corroborated by multiple industry sources, the PRA sought stronger assurances from Revolut on risk controls, capital management, information technology infrastructure, and AML compliance, both within the UK and across the 40-plus markets in which it operates. The scale of Revolut's global footprint made this the most complex mobilisation the PRA had ever overseen. Regulators were also acutely aware that a full UK authorisation would carry international signal value: approval from the UK's central authority would likely accelerate licensing decisions in other jurisdictions, raising the stakes for getting the assessment right.

The AML dimension was not incidental. The FCA had previously engaged with Revolut over reported failures to prevent funds from leaving accounts flagged as suspicious by the National Crime Agency (NCA). According to Financial Times reporting based on sources familiar with the matter, approximately £1.7 million passed through those accounts during a two-month window in the summer of 2023. Revolut self-reported the matter to the FCA and disputed the figure, claiming the sum was closer to £500,000. Neither the FCA, the NCA, nor Revolut confirmed the position on the record. Separately, in April 2025, Lithuania's central bank, which supervises Revolut's EU banking entity, issued the firm a €3.5 million fine for deficiencies in AML monitoring: the largest AML-related penalty ever imposed in Lithuania. Regulators found that Revolut's systems were insufficient to consistently identify suspicious transactions, though no confirmed money laundering cases were established. The fine reflected procedural and systemic weaknesses rather than deliberate conduct.

The growth-compliance imbalance

Revolut's regulatory journey mirrors a broader pattern in the neobank sector. Challenger banks built their competitive advantage on speed: rapid onboarding, instant account opening, frictionless cross-border payments. That speed created structural pressure on compliance functions. The FCA signalled the problem as early as 2022, warning that rising suspicious activity reports to the NCA reflected inadequacies in how some neobanks were vetting new customers during the onboarding process.

Revolut is not an isolated example. Starling Bank, a UK challenger bank that similarly expanded rapidly, was fined £28,959,426 by the FCA in September 2024 for financial crime controls described by the regulator as shockingly lax. The FCA found that since 2017, Starling's automated screening system had been checking customers against only a fraction of the names on the UK's Consolidated List of financial sanctions, rather than the list in full. When Starling eventually reran its full customer base against the complete list, it generated 48,000 alerts in a single pass. The FCA also found that Starling had opened over 54,000 accounts for 49,000 high-risk customers in breach of a requirement not to do so. The parallels with Revolut's own experience are difficult to miss.

Revolut's leadership has acknowledged the mismatch. At the opening of the firm's Canary Wharf headquarters in October 2025, chief executive Nik Storonsky reflected on the firm's early approach: the company had, in his words, tried to short-cut banking licences by applying for lighter regulatory permissions, including e-money, foreign exchange, and payment licences, and had found this produced an inferior product. That candour matters. It also raises the question of whether the compliance infrastructure built out during the mobilisation period is genuinely fit for purpose or whether it has been built to satisfy the immediate licensing threshold.

What full authorisation changes for Revolut

The granting of a full banking licence does not simply expand Revolut's product range. It fundamentally changes its regulatory position. Revolut Bank UK Ltd is now authorised and supervised by both the PRA and the FCA, placing it within the same prudential and conduct regime as established high-street lenders. That supervision carries specific financial crime obligations.

As a fully licensed bank, Revolut is subject to the UK's Money Laundering Regulations 2017 (as amended), the Proceeds of Crime Act 2002, and the Terrorism Act 2000. It is required to maintain a risk-based AML programme that includes robust customer due diligence, ongoing monitoring of customer relationships and transactions, suspicious activity reporting to the NCA, and adequate internal controls and governance. The FCA's expectations for banks are considerably more rigorous than those applied to e-money institutions, where Revolut previously operated in the UK. The volume of Suspicious Activity Reports a bank of Revolut's scale is expected to generate, and the quality of those reports, is itself a supervisory metric. The NCA and FCA monitor both: a bank that files too few SARs relative to its customer base and transaction volumes invites scrutiny of whether its monitoring systems are functioning as intended.

Customer due diligence obligations are also substantially elevated. Revolut's existing model relies heavily on automated KYC checks at onboarding and machine-learning-based transaction monitoring. Those tools are not inherently inadequate, but the Bank of Lithuania's April 2025 fine identified precisely this reliance as a source of risk: automated systems that were not adaptive enough to detect evolving patterns of suspicious activity. The FCA and PRA will expect Revolut's UK bank to demonstrate that its transaction monitoring is calibrated to UK-specific risk typologies, updated regularly, and subject to meaningful human oversight.

The expansion into credit and lending, which the full licence now enables, adds a further compliance dimension. Credit products introduce new money laundering typologies, including loan-back schemes and the placement of illicit funds through mortgage repayments. The more immediate challenge, however, is operational. Credit onboarding requires a significantly more granular customer risk assessment than payment onboarding. Revolut's existing model has been built around rapid, lightweight onboarding; credit products require it to revisit risk classifications across an existing base of 13 million UK customers. Revolut will need to ensure that its credit risk frameworks incorporate AML considerations from the outset, not as a downstream compliance overlay.

The crypto dimension

Revolut's product range includes a cryptoasset buying and selling service through which customers hold digital assets on the platform rather than through a conventional exchange. That model creates an additional layer of financial crime risk that sits alongside its core payments and banking operations. The FCA granted Revolut full cryptoasset firm registration in September 2022, subject to a number of directions designed to ensure its systems and controls met the requirements of the money laundering regulations. That registration did not represent a clean bill of compliance; it reflected a continuing obligation to demonstrate adequacy, and the conditions attached made that expectation explicit.

Cryptoasset transactions present a distinctive challenge for AML monitoring. The pseudonymous nature of blockchain activity, the availability of mixing services, and the speed at which funds can move across chains create conditions that standard transaction monitoring tools are not always equipped to address. Revolut's combined position as a licensed bank and a registered cryptoasset firm means that its compliance function must maintain effective controls across both fiat and digital asset rails simultaneously. The FCA's expectations in this area are evolving rapidly. The UK's approach to cryptoasset regulation is moving from a registration-based model toward a more comprehensive authorisation regime, with financial crime controls at the centre of that transition.

Implications for firms

For compliance professionals, the Revolut licence decision carries a clear message. Regulatory authorisation is not a validation of past conduct; it is a commitment about future standards. The PRA's extended scrutiny of Revolut during the mobilisation phase demonstrates that size and complexity do not accelerate regulatory approval: they intensify it. Firms operating at scale, or planning to scale, should treat the Revolut experience as a data point about what UK regulators regard as a minimum acceptable standard for financial crime compliance.

There is also a sector-wide implication. The neobank model, built on automated onboarding and algorithmic risk management, has proven structurally vulnerable to financial crime risks that emerge at scale. The FCA's enforcement actions against Starling and its scrutiny of Revolut reflect a regulatory posture that is moving away from permissive oversight of digital banks toward active and demanding supervision. Firms that have not conducted a rigorous review of their automated compliance tools against the full population of risks they carry should treat this as a matter of urgency.

For firms that hold or are seeking banking licences, the Revolut case also illustrates the international dimension of domestic compliance obligations. The PRA's concerns about Revolut's risk infrastructure were not limited to its UK operations; they extended to its global footprint. Compliance standards established in the UK have implications for how a firm manages risk across every market in which it operates. The principle of consolidated AML supervision is not new, but the Revolut case gives it concrete operational meaning.

A new compliance threshold

Revolut's full UK banking authorisation is a significant commercial and regulatory milestone. It reflects five years of sustained effort to bring a global-scale neobank into the UK's most demanding regulatory regime. It also marks the beginning of a supervisory relationship that will be scrutinised more closely than any the firm has previously experienced.

The AML and financial crime challenges that characterised Revolut's licensing journey have not been resolved by the grant of a licence. They have been acknowledged, partly addressed, and placed under more intensive ongoing oversight. The mobilisation period required Revolut to demonstrate that its compliance infrastructure was adequate at a point in time. The test now is whether that infrastructure can sustain adequacy as the firm migrates 13 million customers to its new banking entity, scales its lending products, and continues its international expansion.

Compliance infrastructure must scale with commercial ambition. Every scaling neobank with a banking licence in its sights will now be measured against what Revolut was required to demonstrate before it received one.

Do you need to assess whether your AML controls are calibrated to the standards now expected of licensed banks operating at scale?

OpusDatum supports financial services firms navigating the intersection of growth, regulatory change, and financial crime compliance. Our analysis covers AML programme design, sanctions screening and controls, and the compliance implications of regulatory authorisation across UK and international markets. We work with firms seeking to understand what evolving regulatory expectations mean for their operations in practice.

To find out how we can help you, contact us today.