Monzo Fine - £21M - Inadequate Oversight - FCA - Jul-25


QUICK FACTS

  • Fine Amount: £21,091,300

  • Date: 7 July 2025

  • Primary Violations: Inadequate financial crime systems and controls and breaches of a Voluntary Requirement (VREQ)


Overview

The Financial Conduct Authority (FCA) has imposed a financial penalty of £21,091,300 on Monzo Bank Limited for significant failings in its financial crime systems and controls.

The enforcement action addresses breaches during two distinct periods: the "Pre-VREQ Period" (October 2018 to August 2020), where Monzo's controls failed to keep pace with its rapid growth, and the "Relevant VREQ Period" (August 2020 to June 2022), during which Monzo breached a formal requirement designed to stop it from onboarding high-risk customers.

These failures led to the firm opening tens of thousands of accounts for high-risk customers in contravention of the FCA's requirements.


Details of the Case

The FCA found that as Monzo's customer base grew from approximately 250,000 in 2017 to over 12 million by April 2025, its financial crime framework did not develop adequately to manage the associated risks. The regulator identified failings that breached Principle 3, which requires firms to have adequate risk management systems.


PRE-VREQ PERIOD FAILINGS (1 OCTOBER 2018 – 4 AUGUST 2020):

Inadequate Customer Due Diligence (CDD)

For a significant part of the period, Monzo's onboarding process did not collect sufficient information to establish the purpose and intended nature of customer relationships. This was despite the FCA raising similar concerns in a 2017 supervisory letter. For business customers, the firm failed to verify the identity of all beneficial owners and Persons of Significant Control (PSCs) as required. A subsequent remediation exercise required identity verification for approximately 19,198 individuals that had been missed.

Insufficient Customer Risk Assessment (CRA)

Monzo's CRA was found to be inadequate, with the "default" risk category for all new personal banking customers being "No Identified Risk". The assessment process failed to properly use key risk indicators such as customer occupation or planned account usage. This approach was based on flawed assumptions that its product range was ordinary and that its transaction monitoring systems were sufficient to mitigate the lack of data gathered at onboarding.

Weak Transaction Monitoring

The firm placed significant reliance on its transaction monitoring systems to mitigate weak onboarding controls. However, these systems themselves had deficiencies, including a lack of clear guidance for staff on investigating alerts, and a high number of alerts being closed as "Undecided" (45% in the first half of 2019) without escalation. A third-party review found that insufficiently experienced staff were performing key monitoring tasks.

Flawed Enhanced Due Diligence (EDD)

Until August 2020, Monzo’s EDD processes for most personal banking customers did not specify the circumstances in which EDD was required, nor how it should be documented. A review by a Skilled Person found no evidence of EDD being performed on a sample of nine higher-risk personal customer files. 


Breaches of the VREQ (5 August 2020 – 30 June 2022):

In August 2020, the FCA imposed a Voluntary Requirement (VREQ) on Monzo to prevent it from "accepting or processing any new or additional account applications" from high-risk customers while it remediated its controls.

Monzo did not have its own clear definition of what constituted a high-risk customer. To address this, the VREQ imposed by the FCA included a detailed definition.

However, Monzo failed to adhere to this requirement due to technical flaws and human error. 

  • Monzo opened 26,325 accounts for high-risk customers in direct breach of the VREQ.
  • A further 6,714 accounts were opened without Monzo taking additional required steps and documenting its decisions.
  • Separate instances where VREQ controls were not applied correctly were connected to 167,444 accounts, with an estimate that this may have led to onboarding an additional 34,262 high-risk customers.
  • A 2021 internal review and a subsequent review by an independent legal firm identified the root cause as an "insufficiently robust governance framework to manage the implementation and operation of the VREQ". 

WORKED EXAMPLES

  • Address Verification
    • Monzo’s policy was to only service UK-based customers, but for most of the Pre-VREQ period, it did not require address verification. This allowed customers to open accounts using implausible UK addresses, including "Buckingham Palace," "10 Downing Street," and even Monzo's own business address. 
  • Duplicate Users
    • Controls to identify customers opening multiple accounts were ineffective. A Skilled Person identified two customers whose accounts had previously been closed due to financial crime concerns but who had managed to open new, active accounts that were rated as "No Risk Identified".
  • Delayed CIFAS Implementation
    • In August 2018, a test screening of existing Monzo customers against the CIFAS database revealed a "high match rate" of 8.72%, indicating a significant portion posed a high financial crime risk. Despite knowing it would "significantly benefit" from membership, Monzo did not implement CIFAS checks as an onboarding control until July 2020. 

Fines and Penalties

The Authority determined that the appropriate penalty before any discount was £30,130,475. This figure included an increase of £10,000,000 at Step 4 to ensure the penalty for the VREQ breaches served as a credible deterrent.

Monzo agreed to resolve the matter and qualified for a 30% discount.

The final financial penalty imposed is £21,091,300.


Key quotes

  • On balancing growth and compliance: "rapid customer growth must not come at the detriment of compliance with the requirement to maintain adequate systems and controls to counter the risk that the firm might be used to further financial crime."
  • On the cause of the VREQ breaches: "the overarching root cause of the VREQ breaches was that Monzo had applied an 'insufficiently robust governance framework to manage the implementation and operation of the VREQ.'"
  • On the risk of weak initial risk assessments: "Monzo also considered that reliance on behavioural information in the absence of a robust CRA gave rise to operational challenges and risked the Firm being less effective at detecting certain crime types." 
