Tom Hambrett, Group General Counsel at Revolut: The customer at the center of Revolut’s strategy

Revolut’s Group General Counsel discusses the benefits that the PSD2 brought to the FinTech companies globally, Revolut’s plan for Brexit, as well as the first formal legal panel announced by the company earlier this year.


By way of introduction to our readers, could you tell us a bit about yourself and the work you do for Revolut?

I started as a corporate lawyer that did private equity and corporate M&A. I worked at Herbert Smith Freehills for 5 years and, before that, I worked for a year for a judge at the Supreme Court.

Back in 2017 when I joined as the sole legal counsel, Revolut was a relatively small company. I was probably the 60th employee globally – now the company has 2.400 employees and, in the legal department, there are about 70 employees that sit across 8 different offices.

My responsibility, as the company’s General Counsel, is on a group level. Revolut has around 20 subsidiaries/companies within the group, each providing different services to other companies or customers in different locations.

I sit on the executive committee and I have a number of heads of legal in different markets reporting to me. Furthermore, I am responsible for the regulatory and licensing strategy and implementation on a global level, as well as the legal and regulatory direction, risk ownership and mitigation over everything that may arise as a result of the regulated activities that Revolut performs.

Could you tell us a few words about the regulatory framework governing FinTech companies and what are the key legal issues to consider?

The framework governing FinTech companies is not different to that which governs any financial institution. The challenge for a FinTech company applying a framework that is being applied non-discriminatorily to financial services is that it may not have the depth of knowledge in-house, the experience or capabilities to provide all services internally.

A FinTech may need to apply a regulatory framework indirectly through a third-party relationship. For example, in a lot of FinTech companies, office clerks are provided through third parties.

Therefore, the key legal questions for FinTech companies are “Why do we want to be regulated in this way? Do we have to be regulated and, if so, what is the best way to satisfy our regulatory obligations and market expectations?”.

Regulations provide us with a guideline, but at the same time it is a challenge for us to message internally, to different business stakeholders, the impact of such regulations.

As a General Counsel you must be able to translate opaque, complicated, non-commercial legislation and regulation and then you have to negotiate it with the company’s business department in such a manner as to serve the company’s business needs – you don’t want to be “Dr. No” all the time.

What was the effect of PSD2 on Revolut’s business?

PSD2 has demonstrated that there are clear guidelines, deliverables and timelines, standard obligations. The effect of PSD2 on Revolut was that it made us think about the customer experience from a regulatory perspective.

A great example of what we did, which is very different from what any other FinTech or start-up has done, is with the requirement for strong customer authentication (SCA), and the very unique and “clean” way in which we engage with the customer to re-authenticate their identity and allow a reset of their limit, to avoid being caught short at the ATM or the point of sale. For us that’s the top of innovation and a great example of how our payment lawyers that set this process can be product-focused and mindful of the customer experience.

Another important aspect is open banking, under which we are authorized. Open banking has led to a number of different ways that businesses can think about how they can service the customer. I think it is quite a cool initiative to open your Revolut App and see all your joint accounts.

Therefore, I believe that PSD2 has had a positive impact and I think that long-term, if not for anything else, the benefits come from transparency and the very clear-cut processes introduced by the Directive.

What is the impact of Brexit on Revolut’s business and what is the biggest legal & business challenge faced by Revolut as a result of Brexit?

Revolut’s focus with regard to Brexit is to ensure continuity of our products and services for our 11.000.000 customers, the majority of which are European.

I would say that Brexit is quite the opposite of open banking: it is a complete waste of time and resources for us.

Among the legal issues that “troubled” us I would highlight the following: Where do we become authorized? When do we start moving or migrating customers across? For Revolut, a lot of the legal and business challenges have been around ensuring continuity of business services, replicating existing authorizations and licenses where needed in Europe and guiding the customer as to who will be providing what service and when.

The rest are more administrative issues – for example the replication of the key arrangements that we have with our suppliers with Revolut UK. In my view, the strategy for Brexit can be distinguished in three phases:

  • Identify the structure with respect to how you want to continue with your business
  • Implement that structure
  • Customer migration

In 2018 we obtained a banking license from the ECB for a new regulated European entity, “Revolut Payments UAB”. That banking entity is currently operational and will also service Eastern European customers. Customer migration will probably occur later this year, prior to Brexit. In Western European countries customers will be serviced via an Irish entity.

A few months ago, you announced the first formal legal panel to reduce the use of over 35 firms you worked with and had on call. Could you tell our readers a bit more about this? What was the role of legal technology in this process?

Our first formal legal panel was quite an important process for us, which took about 6-7 weeks and involved reaching out to the top law firms with a global presence (e.g. Herbert Smith Freehills, Baker & McKenzie, Freshfields, Linklaters etc.), as well as specialized law firms (e.g. payments & regulatory lawyers).

We interviewed them, assessed them, received materials and gave each firm an individual score, which we would then weigh on technical requirements, their experience, the discounts they were offering us (including special rates for a high volume of work), who they service in the market, if they work with competitors etc. It all comes down to a very clear RFP, with specific billing guidelines and expectations around deliverables.

As a result of the above process, we settled on three global Tier 1 firms and three Tier 2 firms, which we then on-boarded and treated as Revolut employees. We also have what we call a “black cat review”, i.e. a process through which we can rate internally the firms that we are using. My responsibility is to manage costs and oversee the work that has been delivered.

My objective was to centralize the engagement process, to ensure greater visibility. I wanted to know what my lawyers were doing and to make sure that the labor costs were paying out and that the company money was being used responsibly. I also wanted my team to develop relationships with law firms and have conversations directly with specialized partners and external counsels.

With regard to the role of legal technology in the above project, it has enabled us to optimize the process by which we selected the legal panel and by which we can get the best out of the lawyers on that panel. At Revolut we consider legal software very important and we use it extensively in-house – for example, dashboards that are tracking our KPIs in real time, software that allows us to manage the entire department on an agile basis etc. We have also conducted a six-month review of the existing contract management software we are using.

What are the main challenges you encountered when the GDPR entered into force and how has it affected the way that Revolut does business?

The implementation of the GDPR took about 12 months and it was run by a dedicated lawyer. It was a cross-functional process, which involved working with a lot of different people from the business.

One of the most important challenges we faced was the fact that the level of interest in the GDPR implementation was not equal across the company. We had to educate our people to get them involved in the privacy issues and explain to them why it is important to protect the interest of our customers.

We obviously deal with a lot of sensitive personal information – to get on board to our services you need to share with us personal information – so it is very important for us to ensure that we are handling customer data in an appropriate way.

Any firm that is relatively young will need good processes, good systems to track data breaches and respond to incidents within the designated timeframes. If anything, the good thing about the GDPR is that it brought forward the importance of protecting customer data and the proper handling of personal information.