Monzo’s £21m fine underscores the compliance risks that arise when financial crime controls fail to keep pace with rapid growth.

The FCA’s £21m penalty against digital bank Monzo is more than a rebuke of past compliance failures. It is a case study in what happens when rapid scale, weak governance and misplaced assumptions collide.

For risk managers, the decision offers stark lessons on embedding financial crime controls into fast-growing operations.

Rapid growth, weak foundations

Monzo’s rise was meteoric, from fewer than 600,000 customers in 2018 to over 12 million by 2025.

But the FCA found that Monzo’s financial crime systems did not keep pace. Key elements of the bank’s framework, including customer due diligence (CDD), enhanced due diligence (EDD), risk assessment, onboarding controls and transaction monitoring, were “inadequate to counter actual and potential financial crime risks effectively” during a critical two-year period.

Key failings

  • Onboarding based on implausible or unverifiable addresses, including “Buckingham Palace” and “10 Downing Street”
  • Failing to verify the identity of beneficial owners and persons of significant control in business accounts
  • Weak or missing enhanced due diligence for high-risk or politically exposed persons (PEPs)
  • Poor quality assurance and undertrained staff handling alerts

In pursuit of a frictionless customer experience, Monzo stripped away controls such as address verification, despite its own policy to serve only UK-based users.

The FCA found customers using “obviously implausible UK addresses, such as well-known London landmarks,” including Buckingham Palace, 10 Downing Street and Monzo’s own headquarters.

Crucially, Monzo failed to gather sufficient information to understand the intended purpose or nature of customer accounts. Without such context, its transaction monitoring system struggled to distinguish between legitimate use and suspicious activity.

The FCA concluded that “Monzo was unable effectively to assess whether transactions were consistent with expected activity or were suspicious.”

Breach of formal requirements

Monzo’s compliance failings extended beyond weak controls.

In August 2020, following growing concerns, the FCA imposed a Voluntary Requirement (VREQ) that prohibited the bank from opening accounts for customers it had categorised as high risk. This was designed to reduce exposure to money laundering and other financial crime while Monzo addressed systemic weaknesses.

Despite this, Monzo breached the VREQ by opening more than 33,000 accounts in violation of the restriction. Of these, 26,325 were confirmed to be high-risk customers. A further 167,000 accounts were impacted by technical flaws, and Monzo estimates that up to 34,262 of those may also have been high risk.

Failures included not applying VREQ controls to accounts already in progress, reopening accounts that should have been closed, and misidentifying devices associated with repeat or suspicious sign-ups. The FCA was clear: when a requirement is imposed, “the firm must correctly implement all necessary changes… immediately and on an ongoing basis.”

Monzo’s internal review and a subsequent legal investigation found a lack of clarity over roles, responsibilities and escalation routes. “It was unclear at times who within Monzo was accountable for different aspects of the VREQ’s implementation,” the final notice states.

Key staff were unaware of the VREQ’s terms or its regulatory significance, and assurance testing was undermined by inconsistent understanding.

Risk culture under pressure

The Monzo case demonstrates how culture, governance and technology must evolve together, especially during hypergrowth.

The FCA found that Monzo’s internal assumptions about customer behaviour and product usage shaped its risk posture, leading to blind spots. Monzo assumed most customers were low risk, yet internal documents flagged that its monitoring systems were catching a high number of suspicious transactions.

In early 2020, Monzo’s second line of defence produced an initial report which concluded that Monzo’s financial crime framework was not fully effective. The report noted that Monzo’s controls had “onboarded too many customers about whom it had insufficient information,” driving up downstream compliance work, investigations and customer exits.

The FCA said the bank relied heavily on behavioural data, such as transaction monitoring, to mitigate onboarding risks, yet this was compromised by limited training, weak documentation and inconsistent escalation of alerts.

In one sample tested by the FCA-appointed Skilled Person, nearly half the alerts that had been dismissed as non-suspicious should have been escalated or required further review. In some cases, transaction reviewers failed to examine the very transaction that had triggered the alert.

Remediation and regulatory cooperation

Since 2020, Monzo has overhauled its financial crime controls. A Skilled Person review led to a multi-year remediation programme, including:

  • A Financial Crime Change Programme covering CDD, CRA and transaction monitoring
  • Recruitment across its compliance and first-line risk functions
  • Introduction of CIFAS checks to flag known fraudsters
  • Removal of duplicate users and account holders previously exited for financial crime
  • Closure of over 44,000 customer accounts that fell outside of Monzo’s risk appetite

The FCA acknowledged that Monzo “cooperated fully” and that “significant progress had been made” in addressing the deficiencies. The fine was reduced from over £30 million to just over £21 million as a result of early settlement.

What risk managers can learn

The FCA’s action against Monzo is the tenth financial crime control fine imposed on UK banks in just four years. It reinforces growing regulatory intolerance of firms that allow financial crime defences to lag behind commercial ambition.

For risk managers, the takeaways are clear:

  • Growth must be matched by investment in controls: As customer volumes or product complexity increase, so too must the systems, data quality and staffing behind the controls.
  • Do not confuse tech with capability: Monzo’s use of digital onboarding and monitoring systems was cutting-edge, but without robust governance, verification and assurance, technology alone does not mitigate risk.
  • Be wary of default assumptions: Monzo categorised most personal customers as “No Identified Risk” by default, a designation that masked significant underlying exposure and limited monitoring effectiveness.
  • Remediation is costly and public: Monzo ultimately exited tens of thousands of customers, some of whom may have been legitimate, as part of a massive back-book review. The reputational damage and compliance burden far outweighed any short-term benefits of leniency during onboarding.
  • Own the implementation: The breach of the VREQ highlights a common issue: controls are designed but not embedded or tested effectively. Risk managers must ensure that changes to permissions or restrictions are fully understood and implemented across the business.

As Therese Chambers, the FCA’s joint executive director of enforcement and market oversight, warned: “Banks are a vital line of defence in the collective fight against financial crime… Monzo fell far short of what we, and society, expect.”

SR Q2 2025 Edition