On 7 July 2025, the Financial Conduct Authority (FCA) issued Monzo Bank Limited with a Final Notice, imposing a financial penalty of £21,091,300 for breaches of Principle 3 of the FCA’s Principles for Businesses. The FCA found that Monzo had failed to implement and maintain adequate anti-money laundering (AML) systems and controls between October 2018 and June 2022. Monzo agreed to resolve the case at an early stage and qualified for a 30% discount on the penalty. Without this discount, the FCA would have imposed a financial penalty of £30,130,475.
Background
Founded in 2016, Monzo is one of the UK’s leading digital challenger banks. The firm was granted full banking permissions in April 2017 and experienced rapid growth in its customer base and product offering over subsequent years. By 2025, Monzo served over 12 million personal and business customers.
As Monzo scaled, its product range expanded. However, the FCA found that Monzo’s related AML framework did not keep pace with its rapid expansion. Key deficiencies were identified in customer onboarding, risk assessment and transaction monitoring processes, exposing the bank to a heightened risk of being used to facilitate financial crime.
In November 2017, shortly after Monzo obtained its full banking licence, the FCA conducted a supervisory review of Monzo’s AML systems. A December 2017 letter from the regulator highlighted significant areas for improvement, including insufficient data collection at onboarding, inadequate risk assessment processes, and weaknesses in enhanced due diligence (EDD). Although Monzo responded in early 2018 with commitments to address these concerns, the FCA found that many of the identified shortcomings remained unremedied.
In 2018, Monzo’s Money Laundering Reporting Officer (MLRO) left the firm, and the role was held on an interim basis until 2020. An internal report from early 2020 found that Monzo had onboarded too many customers without sufficient information, creating operational burdens and exposing the firm to financial crime risk.
Imposition of voluntary requirements ("VREQ") in August 2020
At the request of the FCA, Monzo voluntarily applied for requirements to be imposed upon how it carried out its business, with a particular focus on its onboarding of new customers. In August 2020, the FCA imposed a Voluntary Requirement (VREQ) on Monzo, preventing it from accepting or processing new or additional account applications from high-risk customers. Because Monzo did not have a clear definition of high-risk customers, the VREQ included 19 sub-requirements defining specific activities and characteristics that Monzo was required to consider as high-risk factors. At the same time, the FCA required the appointment of a Skilled Person to conduct an independent review of the firm’s financial crime systems and controls.
The VREQ remained in place until February 2025. While Monzo made significant improvements in the intervening period, the FCA’s investigation concluded that Monzo had breached the VREQ on numerous occasions and continued to operate with serious deficiencies in its AML framework.
Findings
The FCA’s investigation identified extensive and systemic failings in Monzo’s approach to AML compliance during the period from 1 October 2018 to 30 June 2022.
Deficient customer due diligence (CDD)
Throughout the Pre-VREQ Period, Monzo did not collect adequate information to assess customer risk effectively. Its CDD procedures failed to gather key data such as the purpose and intended use of customer accounts; the nature of business relationships; the expected size and frequency of transactions; and the customer's occupation or source of wealth. Business accounts were onboarded without full verification of beneficial owners or persons of significant control.
Inadequate customer risk assessments
Monzo’s customer risk assessment (CRA) framework was underdeveloped and defaulted most personal customers to a "No Identified Risk" rating. Key risk indicators – such as geographic location, business sector involvement, or adverse media reports – were either omitted or not systematically assessed. By the end of the Pre-VREQ Period, an internal document referred to external data suggesting that Monzo had a disproportionately high volume of inbound fraudulent transactions compared to its share of the UK current account market.
Transaction monitoring weaknesses
Monzo's systems and processes to detect suspicious activity after customer onboarding were inadequate. The FCA found that poorly trained and under-resourced staff were responsible for reviewing alerts; alerts had been closed as "undecided" in nearly half of cases, increasing the risk of missed suspicious activity; and there was an inability to identify or link transaction alerts to specific transactions.
Enhanced due diligence and PEP failures
Monzo lacked clear policies for identifying and managing higher-risk customers. Until August 2020, there was no consistent process for when EDD was required or how it should be documented. In multiple instances, customers identified as high-risk – including politically exposed persons (PEPs) – were onboarded without EDD, or permitted to transact before their status had been reviewed. Monzo had no clear internal definition of what constituted a PEP, meaning that indicators were not consistently applied and, in other instances, some PEPs were not identified at onboarding.
Address verification and duplicate accounts
For most of the Pre-VREQ Period, Monzo did not verify customer addresses, despite its stated risk appetite to serve only UK-based customers. This allowed applicants to use clearly implausible UK addresses such as "10 Downing Street" or "Buckingham Palace." The firm was unable to confirm how many of its customers were genuinely UK-resident. Monzo also failed to prevent individuals from opening multiple accounts. A Skilled Person review found over 4,000 duplicate accounts, including multiple instances of individuals rejoining after being removed for financial crime concerns.
Breaches of the VREQ
Between August 2020 and June 2022, Monzo failed to implement and monitor controls required under the VREQ. The FCA found that, in breach of the VREQ conditions:
- Monzo opened 33,039 accounts, of which 26,325 were for high-risk customers.
- A further 167,444 accounts were affected by misapplication or non-application of VREQ controls, potentially leading to the onboarding of 34,262 additional high-risk customers.
These breaches were attributed to both technical failures and inadequate governance. An independent legal review commissioned by Monzo found that the firm had applied an “insufficiently robust governance framework” to the implementation of the VREQ and that responsibilities were unclear, with key staff unaware of the VREQ’s scope or regulatory importance.
By early 2023, Monzo had completed seven management actions recommended by the legal review and enhanced its governance, compliance oversight and staff training. The FCA lifted the VREQ in February 2025 after determining that the firm had made significant improvements to its financial crime framework.
Comment
The FCA's Final Notice makes clear that Monzo failed to comply with even the most basic customer due diligence obligations. The FCA’s decision to impose a substantial financial penalty on Monzo is unsurprising and underscores the regulator’s expectation that fast-growing firms must ensure their compliance infrastructure evolves in step with their business. Rapid growth and innovation do not excuse weak controls, particularly where the risk of financial crime is heightened.
The FCA’s findings point to deep-rooted issues in Monzo’s AML framework that persisted over several years, despite early supervisory feedback and regulatory intervention. Indeed, Therese Chambers, the FCA's joint executive director of enforcement and market oversight, said in a press release:
"Banks are a vital line of defence in the collective fight against financial crime. They must have the systems in place to prevent the flow of ill-gotten gains into the financial system. Monzo fell far short of what we, and society, expect."
While the FCA acknowledged Monzo’s cooperation and its recent remediation efforts, the decision serves as a clear warning to other challenger banks and fintech firms that robust AML systems and governance frameworks are non-negotiable. As challenger banks and other innovative financial services firms continue to reshape the UK’s financial landscape, this case stands as a reminder that innovation must not come at the cost of compliance.