Revolut Founder Fined £1M Over Crypto Compliance Lapse: What UK Founders Need to Know
Nikolay Storonsky, founder and CEO of Revolut, has been hit with a £1 million personal fine by the Financial Conduct Authority (FCA) over cryptocurrency compliance failures. The penalty isn't just a headline—it's a stark reminder of how seriously UK regulators now treat financial crime controls, even in fast-growing fintechs built on founder ambition and innovation velocity.
For UK startup founders operating in payments, crypto, or regulated financial services, the Revolut case offers critical lessons. It shows that rapid scaling, impressive user numbers, and investor backing don't exempt you from compliance rigour. In fact, the opposite is true: the bigger you grow, the sharper the regulatory spotlight becomes.
The FCA Fine: What Happened and Why It Matters
In late 2023, the FCA fined Revolut £36 million for serious failures in its anti-money laundering (AML) and know-your-customer (KYC) controls. That corporate fine was substantial. But in 2024, the regulator went further—directly penalising Storonsky personally with a £1 million fine and a prohibition order, preventing him from acting as a director or senior manager in any regulated firm for a set period.
The core failures centred on inadequate transaction monitoring, weak customer due diligence, and poor systems for detecting potentially suspicious activity. Between 2016 and 2019, Revolut's compliance infrastructure lagged behind its user acquisition. The company onboarded hundreds of thousands of customers but didn't invest proportionally in the people, processes, and technology needed to screen them properly.
This is the kind of compliance debt that catches up with you. Growth is intoxicating. Revenue is tangible. But a weak AML programme creates invisible legal and reputational risk that regulators eventually expose.
The FCA's decision to fine Storonsky personally is particularly significant. Under section 66D of the Financial Services and Markets Act (FSMA) 2000, the regulator can hold senior managers personally liable for breaches that occur on their watch. This means that as a founder-CEO, you can't simply hide behind corporate structure. If your firm fails to manage financial crime risk, you're personally exposed.
UK Regulatory Context: Why Crypto and Fintech Face Tighter Scrutiny
The Revolut case lands in a specific regulatory moment. The UK's approach to crypto and fintech oversight has hardened significantly since the 2020–2021 bull runs. Three drivers are worth understanding:
1. The Cryptoasset Regulation Push
Following the collapse of FTX and other crypto failures, the FCA and Treasury have accelerated efforts to bring crypto activity under formal regulatory supervision. The Financial Services and Markets Bill (now Act) introduced a new permission regime for cryptoasset activities. From January 2024 onwards, firms dealing in cryptoassets must either seek FCA authorisation or operate under transitional relief, which is available only to firms that were already operating before that date and that apply for permission.
Revolut's crypto services, launched during a period of lighter-touch supervision, now face a regulatory regime that didn't exist when the company pivoted into crypto trading. That regulatory gap is precisely what the FCA is trying to close.
2. Senior Managers and Certification Regime (SMCR)
The Senior Managers and Certification Regime, introduced in 2016 and tightened repeatedly, makes individual leaders personally accountable for breaches in their area of responsibility. The FCA now regularly fines senior managers, not just companies. This shifts accountability from the legal entity to the human being. If you're a founder-CEO, you need to understand that you're a "Senior Manager" under SMCR, and regulators can fine you, ban you, or prosecute you personally.
Storonsky's £1 million fine reflects this shift. It's not just a cost to Revolut; it's a cost to him personally, and it carries reputational weight that extends beyond the monetary penalty.
3. Financial Crime Risk Post-COVID
Post-pandemic, money-laundering and sanctions evasion risks have become live regulatory concerns. The war in Ukraine, for example, drove urgent action on sanctions screening. The Sanctions and Anti-Money Laundering Act 2018 gives the government power to impose strict liability on firms for sanctions breaches. This means even unintentional violations can result in criminal penalties.
For fintech founders, this changes the calculus. Compliance isn't a box to tick; it's foundational infrastructure that must scale with your user base and transaction volumes.
Why Revolut's Compliance Gaps Were So Serious
Revolut's breaches fell into distinct categories, each revealing common founder blind spots:
Inadequate Customer Due Diligence
The company failed to properly verify the identity, address, and source of funds for many customers. In a regulated payments business, this is foundational. You must know who you're dealing with—it's not optional. Revolut onboarded customers quickly but didn't invest sufficiently in verifying them. This created exposure to sanctions violations and money-laundering risk.
For founders: rapid onboarding is attractive to investors and users. But every day you operate without proper KYC in place, you're building compliance debt.
Weak Transaction Monitoring
The FCA found that Revolut failed to monitor customer transactions for suspicious patterns. Money-laundering often involves rapid transfers, unusual amounts, or activity inconsistent with a customer's profile. Without proper monitoring systems, you can't detect this. Revolut's systems were, in the FCA's view, not sophisticated enough for the volume and type of activity flowing through the platform.
This failure illustrates the scaling challenge many fintechs face. Early on, a founder can manually review suspicious activity. But once you hit thousands of transactions per hour, you need automated systems. Many founders delay investing in this because the costs are high and the ROI isn't obvious until the regulator arrives.
Poor Record-Keeping and Governance
The FCA also cited failures in how Revolut documented its AML controls and reported suspicious activity to the National Crime Agency (NCA). Record-keeping sounds tedious, but it's legally critical. If a regulator asks, "Can you prove you had this control in place?", your answer must be evidenced, detailed, and contemporaneous.
Revolut's records were insufficient. This is a classic fast-growth problem: processes exist in people's heads or informal systems, not in documented, auditable procedures.
Inadequate AML Staffing and Governance
The company didn't have enough people dedicated to AML compliance, and leadership oversight was weak. In a regulated firm, you need a Chief Compliance Officer or equivalent with direct line to the board and protected independence. Revolut's governance didn't meet this standard during the period in question.
For founders, this is a cultural inflection point. Early on, compliance might be your job on a part-time basis. But once you hit a certain size or regulatory footprint, you need a professional compliance function. This is not optional if you want to scale sustainably.
Lessons for UK Founders Operating in Fintech and Crypto
The Revolut case offers five concrete takeaways for founders:
Build Compliance in from Day One
The regulator's view is clear: compliance is not a layer you add on top of growth. It's foundational. If you're building a payments app, a crypto trading platform, or any regulated financial service, you need to embed AML and KYC controls from launch, not retrofit them later. This means budgeting for compliance technology, hiring a compliance officer early, and designing customer onboarding with regulatory requirements in mind—not as an afterthought.
Many founders underestimate this cost. Proper KYC infrastructure can cost £100,000–£500,000 annually for a small fintech, depending on customer volume. But the alternative—a regulatory fine and personal liability—is far more expensive.
Understand Your Personal Liability
If you're a founder-CEO, you're a Senior Manager under the SMCR. The FCA can fine you personally, ban you, and even refer you for criminal prosecution. This isn't theoretical. Storonsky's experience proves it. Protect yourself by:
- Getting professional legal and compliance advice before launch, not after a complaint.
- Documenting board discussions about AML and financial crime risk—this shows you took it seriously.
- Insisting on regular compliance reviews and audits, even when cash is tight.
- Having a clear escalation path: if your compliance officer flags a risk, you hear about it and act.
The cost of prevention is far lower than the cost of enforcement action.
Invest in Compliance Technology
Manual processes don't scale. Once you're handling thousands of transactions per day, you need automated tools for customer screening, transaction monitoring, and suspicious activity reporting. This is expensive upfront, but it's essential. The FCA expects you to use modern technology to manage financial crime risk proportionate to your scale.
Options include subscribing to AML software platforms (Sanction Scanner, ComplyAdvantage, Socure, and others), integrating with third-party KYC providers, or building in-house. For most early-stage founders, partnering with a specialist provider is more cost-effective than building yourself.
Plan for Regulatory Expansion
If you're operating crypto services, be aware that the regulatory environment is tightening. The FCA's new permission regime for cryptoasset activities means you'll eventually need formal authorisation. Plan for this now, not in an emergency dash:
- Document your current controls and processes—you'll need these in an application.
- Hire or engage a regulatory consultant early; applications are complex and costly.
- Budget for legal and compliance costs; an FCA authorisation application can cost £50,000–£150,000+ depending on complexity.
- Build relationships with the FCA's Innovation Hub or Regulatory Sandbox if you want to test new propositions; this gives you early feedback and reduces regulatory risk.
Get Independent Audit and Board Oversight
Before you scale significantly, commission an independent compliance audit. An external auditor can identify gaps that you, as a founder deep in the business, might miss. Use that audit to inform your board and guide investment in controls.
Regulators look favourably on firms that proactively audit themselves and fix issues before they become enforcement problems. Revolut didn't do this early; the FCA had to do it for them.
The Crypto Angle: What's Changed Since Revolut Launched
Revolut's crypto offering was launched in a regulatory grey zone. The company offered crypto trading and withdrawals to users in some jurisdictions without explicit FCA authorisation—because, at the time, there was no specific permission regime for crypto activities.
That's no longer true. Since January 2024, the FCA's new regime requires firms to seek permission to provide certain cryptoasset services, including operating a cryptoasset exchange, safeguarding customer assets, and more. This doesn't mean crypto is banned; it means it's formally regulated, like banking.
For founders building crypto products in the UK, this is a critical inflection point. You must now:
- Determine whether you're providing a regulated cryptoasset activity.
- Apply for FCA permission, operate under transitional relief (if eligible), or cease the activity.
- Implement full AML and KYC controls consistent with financial services standards, not the lighter-touch approach some crypto firms used historically.
- Report to the FCA and relevant authorities on suspicious activity and sanctions breaches.
The days of "move fast and break things" in crypto regulation are over. Founders need to move fast and stay compliant.
Practical Steps for Founders Now
If you're running a fintech or crypto startup, here's a simple action list:
Immediate (Next 30 Days)
- Engage a financial services compliance lawyer to review your business model against FCA rules. If you're in scope of regulation, you need clarity.
- Document your current AML and KYC processes. Where are the gaps?
- Assess your staffing: do you have a dedicated compliance function, or is it buried in ops?
Short-Term (3–6 Months)
- Commission an independent compliance audit.
- Develop a business case for compliance technology investment. What tools will you need as you scale?
- Create a compliance policy handbook covering AML, KYC, sanctions screening, and suspicious activity reporting.
- Establish board-level oversight: quarterly compliance reporting to your board.
Medium-Term (6–12 Months)
- If you're in scope of FCA regulation, begin preparing for formal permission applications.
- Implement automated transaction monitoring and customer screening tools.
- Hire a Chief Compliance Officer or engage a fractional compliance consultant if budget doesn't allow a full-time hire.
- Conduct staff training on AML, sanctions, and data protection.
These steps require investment. They're not as exciting as a new product feature or marketing campaign. But they protect your personal liability, reduce your regulatory risk, and, critically, make your business more attractive to institutional investors, who increasingly assess compliance maturity as part of due diligence.
Conclusion: Compliance as Competitive Advantage
The Revolut fine is uncomfortable for the UK fintech ecosystem. It shows that even successful, well-funded companies can face serious enforcement action. But it's also clarifying. Regulators are serious. The FCA has teeth, and it will use them.
For founders, the lesson isn't to abandon ambition or growth. It's to recognise that in financial services and crypto, compliance isn't a constraint on growth—it's a foundation for sustainable growth. Companies that treat compliance as foundational infrastructure, not a necessary evil, are better positioned to scale, raise capital, and stay out of regulatory trouble.
Revolut is still a valuable company. But Storonsky now carries a £1 million fine and a prohibition order. Both are costly. Both were avoidable with earlier, more serious investment in compliance controls.
If you're building a fintech or crypto business, don't repeat that path. Build compliance in from day one. Your future self—and your lawyers—will thank you.