Regulators worry the fintech’s risk controls aren’t scaling as fast as its overseas empire — and that London’s decision will echo far beyond Britain

LONDON —Revolut’s years‑long campaign to become a fully licensed UK bank faced fresh headwinds as the Prudential Regulation Authority (PRA) pressed for stronger proof that the fintech’s controls can keep pace with its blistering expansion overseas. The message, according to multiple reports, is less about one missing checklist item than a broader concern: whether Revolut’s global risk apparatus is sufficiently mature for an institution with tens of millions of customers spanning dozens of markets.

The stakes are high. A full licence would let the London‑based group take insured retail deposits at scale, broaden credit products, and—critically—cement UK supervision as an anchor for regulators elsewhere who watch Britain’s decision as a signal. That shadow of extraterritorial influence is one reason the PRA has been painstaking, people familiar with the process say. If London signs off, supervisors from Vilnius to Mexico City—and potentially Washington—may take comfort that Revolut’s core risk engines have passed muster in its home jurisdiction.

Revolut’s trajectory helps explain the caution. What began as a travel card has morphed into a financial super‑app, spanning payments, foreign exchange, savings, share dealing, crypto, and small‑business services. User numbers have surged into the tens of millions, revenues have climbed, and the company has stitched together a patchwork of permissions across the European Union and Latin America. As those permissions multiplied, so did the complexity of operating controls—from anti‑financial crime and sanctions screening to operational resilience and governance.

Inside Threadneedle Street, officials have zeroed in on a deceptively simple question: are the controls that work in London just as reliable in Lagos, Lima or Lisbon? For a bank, risk doesn’t recognise borders—money moves instantly and data flows continuously. Supervisors therefore want to see consistent, real‑time visibility across business lines and jurisdictions, alongside escalation paths that trigger action before problems metastasize.

For Revolut, that translates into expectations around enterprise‑wide risk frameworks and tooling: unified customer and transaction monitoring; tested playbooks for outages and cyber stress; documented model governance; robust three‑lines‑of‑defence roles; and an independent audit function that can challenge management. The company has touted significant investments in these areas over the past two years and says it is working “constructively” with regulators while in the UK’s mobilisation phase—a status that confers limited permissions while a would‑be bank builds systems to the required standard.

The PRA’s caution is informed by recent history. Revolut’s former auditor raised questions in 2023 over the reliability of certain historical revenues, prompting a wider rethink of internal controls. Revolut subsequently overhauled finance processes and, this summer, appointed a Big Four auditor to take over from 2026, a move seen as part of its bid to reassure supervisors that oversight has matured alongside growth. Yet in 2025 the regulatory spotlight has shifted from past accounting quirks to forward‑looking operational risk: can an app adding new countries, products and partners at speed maintain the same risk posture everywhere, every day?

This is where cross‑border scale collides with prudential orthodoxy. In a traditional bank, product launches tend to be gated by lengthy risk sign‑offs; in a hyper‑growth fintech, iteration is a competitive necessity. Reconciling those cultures requires more than policy documents—it demands telemetry, standardised controls, and an organisational habit of pausing growth when risk signals flash amber. Revolut insists that it has built precisely that discipline into its global operations, but the PRA wants to see the evidence operate under stress, not just on a slide deck.

The regulator’s scrutiny also reflects the potential signalling effect of a UK decision. A full domestic licence would likely be read in Brussels and Washington as a green light on core risk hygiene—useful as Revolut pursues deeper permissions in the EU and pushes on a U.S. path. Conversely, a drawn‑out approval or prescriptive conditions could become a reference point for others, nudging foreign supervisors to ask tougher questions about cross‑border controls, outsourcing chains, and data localisation.

Investors, for their part, are weighing the timing risk. A 2025 licence would have given the company a cleaner runway to expand UK lending and re‑engage with public‑market ambitions. The delay doesn’t dent the customer franchise today—Revolut continues to operate widely under existing permissions—but it does restrain some balance‑sheet economics in the UK and complicates capital planning. In the background, the funding environment for late‑stage fintechs remains selective; clarity on the licence could lift the cost of capital and widen strategic options.

What would satisfy the PRA? People familiar with recent interactions point to evidence of ‘global consistency’: not merely policies written in London, but dashboards showing control performance by market and product; independent testing that validates those metrics; and remediation programmes with deadlines and accountable owners. Expect emphasis on financial crime controls—especially around cross‑border payments—along with rigorous outage reporting, disaster‑recovery drills, and board‑level challenge of expansion plans.

None of this means a UK licence is out of reach. If anything, the direction of travel is clear: British supervisors want the global infrastructure to look like that of a bank that already operates in multiple jurisdictions. That is a higher bar than a single‑market playbook, but not an impossible one for a company that built a global consumer footprint in less than a decade.

The next few months will be a test of execution. Revolut can keep adding customers and markets. Or it can prove, to the PRA’s satisfaction, that its risk controls are scaling even faster. If it does both, the fintech may yet secure the authorisation that has eluded it—unlocking a new phase of growth in its home market and a powerful endorsement for its global model. If it doesn’t, the licence will remain a moving target, and Britain’s caution will echo across the regulators’ network that increasingly shapes the future of cross‑border finance.