An innovative, cloud native, model-driven content and archiving solution, with a transparent policy-based and attribute-based access control (ABAC), that scales effortlessly with your organization.
Content migration, integration and distribution
Robust, high-performance and secure platform that empowers organizations to distribute content across multiple systems and monitor information flows.
Available for all Documentum user interfaces, AmeXio myInsight is fully certified by OpenText and is a powerful add-on to help you generate custom dashboards and reports in a wide variety of formats.
AmeXio Cloud provides a multi-cloud IaaS, DaaS, PaaS and SaaS offering on 3 levels (public, private and hybrid), which is fully hosted and operated in the EU.
What the ECB’s restrictions on Revolut reveal for every financial institution
author: Alain van Hove
3–5 minutes
How supervisors have raised the bar from having controls to being able to prove they work, and why established institutions underestimate that shift.
TL;DR. The ECB didn’t restrict Revolut because controls were missing, but because the bank couldn’t show they worked. That bar has since been raised for the entire sector. And established institutions are often more vulnerable than neobanks, because their evidence is scattered across legacy systems, shared drives, and inboxes. The question that matters is simple. Can you close the accountability trail the moment a supervisor asks for it?
Last summer, the European Central Bank temporarily restricted neobank Revolut from launching new products. The exact reason only became public this month. Internal controls hadn’t kept pace with the speed at which the bank was rolling out new products. (source: VRT NWS)
The obvious reading is easy to make. A fintech that moved too fast. A warning for anyone who puts speed above diligence. Someone else’s story. And that’s exactly where the thinking goes wrong.
What the ECB actually asked
Anyone who reads the file sees no speed problem. The ECB didn’t just ask whether controls existed. They did. It wanted Revolut to demonstrate that those controls actually worked, and imposed an external review to verify it. This isn’t an incident. Supervision has been moving in this direction for years. The question is shifting from “do you have the right controls?” to “show us they work, when we ask.” That expectation isn’t buried in one single provision. It runs through the entire framework every financial institution operates in today.
ECB supervisory priorities have stressed governance and reliable, demonstrable risk data for years. (Check the current edition and quote directly in the final version.)
DORA (Digital Operational Resilience Act) has required institutions since early 2025 to be operationally resilient and to be able to show it.
BCBS 239, the Basel principles for risk data aggregation, has said as much for years. You must be able to reproduce your risk data accurately, completely, and on time. The principle isn’t new. The strictness with which it’s enforced is.
Closer to home, the National Bank (NBB) and the FSMA maintain the same expectation, in line with EBA guidelines on internal governance.
The pattern is the same everywhere. Being able to prove your controls work has become a baseline expectation, not a differentiator.
Why established institutions are vulnerable here
The reflex is understandable. This looks like a problem for young, fast-moving tech companies, and a bank or insurer with thirty years of procedures seems naturally compliant. In practice, we often see the opposite. At a fintech, most things live in one modern, searchable environment. At an established institution, the evidence is spread across legacy systems, shared drives, inboxes, and processes that are still partly manual. The control usually exists. The real test is whether you can reconstruct, within 24 hours, who was allowed to view, modify, retain, or delete what and when, and show that clearly. That test is being administered more frequently. Speed and innovation are no longer excuses. The question the Revolut case surfaces applies to everyone. Can you prove it?
Four questions for your risk and compliance team
For every sensitive document, can we show within one day who had access, who made changes, and when?
Do we know exactly where our most critical information sits, and where copies are circulating?
Can we not just formulate a retention and deletion policy, but demonstrably enforce it?
How much of our evidence currently depends on someone pulling it together manually?
If any of these give you pause, the problem is rarely a lack of controls. What’s missing is demonstrability. And that’s exactly what a supervisor notices first.
From control to provable control
This is the work we do at AMEXIO with banks and insurers: making governance demonstrable upon request, for an auditor, a regulator, or the board.
In practice, that means working where the evidence actually resides: in the documents and content themselves, not in a layer of reporting tacked on top. We help institutions control who can view, modify, retain, or delete a sensitive document, and maintain an audit trail that stands up to scrutiny, so that “who did what, and when” can be produced in hours rather than reconstructed manually over days. We map where critical information is stored and where copies are circulating, classify it, and turn a retention and deletion policy into something the system enforces, not a policy that exists only on paper.
The same logic extends beyond your own organization. Within a supply chain, it all comes down to one question: who is responsible for what, and can you prove it?
It always comes down to the same thing: a chain of accountability that is clear, verifiable, and readily available before anyone even asks for it.
