FCA Fines Monzo £21m: What Went Wrong?

Published on Jul 16, 2025

Monzo, one of the UK’s most well-known neobanks, was fined £21,091,300 by the Financial Conduct Authority (FCA) for serious failings in its financial crime controls and systems from October 2018 to August 2020. The enforcement action stems from a major investigation, which revealed systemic lapses in customer due diligence (CDD), risk assessment, and transaction monitoring. The bank also breached a requirement that barred it from opening accounts for high-risk customers between August 2020 and June 2022. Some of the lapses were so severe that customers were able to open accounts with bogus addresses including 10 Downing Street and Buckingham Palace.  

This case underscores the careful balancing act for challenger banks between growth and regulatory compliance.  

What Went Wrong at Monzo?

The neobank experienced massive growth from 2018 to 2022, expanding from 600,000 customers to 5.8 million in 4 years. However, compliance did not scale with that growth, and insufficient internal controls left the door open for criminals.

One major gap noted by the FCA was the lax approach to customer address verification. In the review period, Monzo did not require proof of address when opening new accounts. This allowed customers to use addresses such as “10 Downing Street” and “Buckingham Palace”, without triggering alerts for follow-ups. The lack of verification also allowed users to register with addresses from mail forwarding services and foreign addresses disguised with UK postcodes, which allowed non-UK residents to bypass controls.  

These onboarding weaknesses were magnified by inadequate risk assessment and ongoing monitoring. Customers could not be accurately risk-rated, and as a result very few were flagged as “high-risk”, so they slipped through the cracks. Furthermore, transaction monitoring was lacklustre, with inexperienced and undertrained staff tasked with reviewing alerts. Backlogs developed in reviewing suspicious activity and in screening for Politically Exposed Persons (PEPs). Monzo’s compliance team was under-resourced, and no amount of technology or automation could compensate for such a severe lack of human oversight.

The FCA intervened in 2020, with the UK regulator imposing a Voluntary Requirement (VREQ) that banned Monzo from onboarding any new high-risk customers until the issues were resolved. However, the bank continued to onboard thousands of high-risk customers, with 26,325 accounts for high-risk customers being opened between August 2020 and June 2022. Senior leadership has acknowledged the failings which occurred in a “historical period” and the fine effectively draws a line under the investigation.  

Key Areas of Failure

The gaps in Monzo’s financial crime controls were not limited to isolated incidents, but rather reflected severe failings across departments. Below are the key failings identified in the FCA investigation.  

  1. Inadequate customer due diligence (CDD)
    The bank did not collect enough information to know who it was dealing with. Basic KYC protocols such as address verification were weak and critical information such as beneficial owners was not verified. This missing data allowed high-risk customers and fraudsters to enter the system without being flagged. Despite Monzo’s risk assessment policy only allowing UK residents to open accounts, it had no system to enforce this policy. These shocking CDD lapses impacted subsequent controls.  

  2. Poor customer risk assessment and onboarding processes  
    Monzo had poor systems for flagging customer risk, with very few customers being categorised as high-risk. Risk scoring tools were misaligned or used improperly by staff. Multiple accounts could be registered at the same address, highlighting Monzo’s failure to identify red flags. The onboarding process at Monzo clearly prioritised a frictionless user experience over robust risk assessment, and the lack of data meant that risk could not be assessed effectively.


  3. Poor transaction monitoring and alert handling  
    Compliance gaps did not end at onboarding. The FCA noted Monzo “was unable effectively to assess whether transactions were consistent with expected activity or were suspicious” and that “there were weaknesses in Monzo’s transaction monitoring processes.” Staff were insufficiently experienced and trained to investigate suspicious transactions, and at times Monzo did not have enough staff to review alerts promptly. This meant that even when suspicious activity was flagged, the bank was either too slow to react or missed it completely. As a result, illicit transactions were able to flow freely through Monzo accounts.

  4. Failures in governance and culture  
    The root of these deficiencies and failures came from the lax compliance culture at the bank. Leadership did not do enough to ensure that compliance kept pace with rapid expansion. Moreover, a frictionless onboarding experience was publicly promoted by Monzo as a key benefit. The fact that the bank failed to keep to the FCA requirement that barred it from onboarding high-risk customers further underlines the lack of effective governance.  

Eventually, the bank did implement a financial crime change programme to remediate these failings, but only after regulators forced its hand. It was clear that during the years of fast growth, management had a reactive approach to compliance. Together, these issues compounded into systemic compliance failures. The bank was unaware of who its customers were, couldn’t detect obvious red flags, and even when suspicious activity was flagged, staff were not appropriately experienced or trained to escalate it effectively.

Key Lessons for Other Banks 

These major failings serve as a key warning for banks and financial institutions as to what can go wrong when growth is prioritised over proactive compliance. Below are the key lessons that all financial institutions should be aware of.  

  1. Growth should never come at the cost of effective compliance  
    Too often, disruptors in the financial services landscape see compliance as a burden or a cost centre. However, customer acquisition can grow rapidly alongside scalable compliance processes, especially when leveraging automation and new technologies. Cutting essential KYC steps in an attempt to streamline the onboarding experience is a dangerous trade-off that can clearly backfire with both severe enforcement actions and reputational damage.  

  2. There are no shortcuts to robust KYC and customer due diligence  
    Financial institutions must ensure they have complete information about their customers to build an accurate risk profile. There is no room for shortcuts and the onboarding process must involve verifying data that is collected.
    Incorporating technology into the onboarding process can help to streamline this verification and ensure robust customer due diligence; however, it must be managed with adequate human oversight. Skipping onboarding steps may seem like a viable way to enhance customer experience, but it can cause friction in the future when data remediation exercises are required. When onboarding teams are able to utilise the right combination of technology and expertise, the process can be frictionless for customers while meeting regulator expectations.

  3. Building a strong compliance culture is essential  
    The tone from senior leadership plays a huge role in compliance processes across an organisation. Monzo’s issues reflected a culture where compliance was not seen as a priority in comparison to commercial goals.
    Financial institutions must foster a culture where effective AML/CTF processes are not seen as optional. This involves regular training, support from senior management, clear responsibilities and accountability for the management of financial crime risk, and empowering staff to act proactively. Compliance departments must also have sufficient staffing and resources to effectively manage the growing challenges that arise from fast growth.

  4. Continuously test and strengthen financial crime controls  
    Financial crime threats are quickly evolving and so too are regulatory expectations. Banks cannot sit still in this environment and they cannot see KYC as a tick-box exercise. AML systems and controls must be consistently stress tested and audited to ensure they remain fit for purpose. Any identified weaknesses or gaps must be proactively addressed. Effective compliance can seem costly, but recent enforcement actions show that fines can no longer be seen as the cost of doing business. Banks form a critical line of defence in the fight against global financial crime and terrorist financing.  

     
     

Conclusion

Monzo’s multi-million-pound fine is a clear wake-up call to all financial institutions. No one is immune to enforcement action. Fast growth and innovation can never come at the cost of effective compliance. This enforcement action isn’t an isolated incident. The FCA has increased scrutiny of financial institutions, with the £29m fine for fellow challenger bank Starling in 2024 a clear example.  

There is a persistent perception in the industry that compliance is a hindrance to growth and a cost centre. However, creating scalable and effective compliance systems with the right blend of technology, process and resource can become a competitive advantage and drive operational efficiency.

 

 
