Digital bank’s anti-money laundering controls deemed ‘inadequate’ by regulator after onboarding tens of thousands of high-risk customers despite restrictions
The Financial Conduct Authority (FCA) has fined Monzo Bank $28.5 million (£21.1m) for serious failings in its financial crime controls, following a period of rapid customer growth that significantly outpaced its compliance capabilities.
The penalty relates to breaches that occurred between October 2018 and August 2020, when the challenger bank failed to implement adequate systems for onboarding, monitoring and risk-assessing customers.
Monzo also breached a formal regulatory requirement by continuing to open accounts for high-risk customers between August 2020 and June 2022, despite restrictions imposed to prevent exactly that.
In a statement today (July 8), the FCA said Monzo’s controls were so lacking that the bank onboarded customers using “limited, and in some cases, obviously implausible information – such as customers using well known London landmarks as an address”monzo-bank-limited.
“Banks are a vital line of defence in the collective fight against financial crime,” said Therese Chambers, joint executive director of enforcement and market oversight at the FCA.
“They must have the systems in place to prevent the flow of ill-gotten gains into the financial system. Monzo fell far short of what we, and society, expect.”
A fast-growing bank, underprepared for risk
Founded in 2015 and granted full banking permissions in 2017, Monzo has been at the forefront of the UK’s wave of digital challenger banks.
The firm’s customer base expanded from approximately 250,000 in early 2017 to over 12 million by April 2025. Customer deposits rose from £71 million in 2018 to £6 billion in 2023.
However, the FCA’s investigation found that this rapid expansion had not been matched by commensurate investment in financial crime risk controls.
Monzo’s systems failed to gather sufficient customer information at onboarding, leaving the bank unable to properly assess or monitor whether customer behaviour aligned with its risk appetite. In some cases, customers used PO Boxes or foreign addresses with UK postcodes, and the bank lacked procedures to verify whether such details were legitimate.
The firm also lacked adequate policies for identifying politically exposed persons (PEPs) and failed to apply enhanced due diligence in many high-risk cases. Transaction monitoring alerts were frequently handled by untrained or inexperienced staff, with limited guidance on investigation procedures.
By 2020, Monzo’s own internal data showed it was receiving a disproportionate share of fraudulent payments relative to its market sizemonzo-bank-limited.
Regulatory restrictions breached
In August 2020, the FCA required Monzo to appoint a Skilled Person to conduct an independent review of its financial crime risk framework.
At the same time, the regulator imposed a Voluntary Requirement (VREQ) on the firm’s permissions under section 55L of the Financial Services and Markets Act. This restriction prohibited Monzo from opening accounts for new high-risk customers, defined through a detailed risk matrix.
Despite these controls, the FCA found that Monzo failed to properly implement or monitor compliance with the VREQ. Over the period from August 2020 to June 2022, the bank opened more than 33,000 accounts in breach of the restriction, of which at least 26,325 were classified as high-risk. An estimated further 7,937 accounts may also have been incorrectly onboarded due to misapplied controls.
The FCA said Monzo had failed to test its compliance with the VREQ and did not take adequate steps to identify and rectify breaches as they occurred.
From fintech to full accountability
The penalty against Monzo is the tenth such enforcement action against a UK bank for financial crime control failings in the past four years. It comes as the FCA continues to tighten expectations on retail banks, particularly digital-first institutions, as part of its 2025 supervisory strategy.
The regulator has highlighted financial crime and fraud as a key priority, warning that challenger banks’ reliance on speed, automation and thin compliance layers can leave them especially vulnerable to misuse.
In Monzo’s case, the FCA concluded the firm had breached Principle 3 of its Principles for Businesses, which requires firms to organise their affairs responsibly and with adequate risk management systems.
The bank qualified for a 30% discount under the FCA’s settlement procedures, reducing its fine from a potential £30.1 million to £21.1 million.
Monzo’s response and remediation
In a statement accompanying the Final Notice, the FCA acknowledged that Monzo had cooperated fully throughout the investigation and had taken steps to improve its systems.
The bank has now completed a financial crime change programme and enhanced its onboarding and transaction monitoring frameworks. The VREQ was lifted in February 2025 after the FCA was satisfied that improvements had been implemented.
The Skilled Person review and follow-up investigations also led to broader improvements in how Monzo verifies customer identity, assesses risk and documents due diligence processes.
A warning for the sector?
The case underscores a wider dilemma facing the UK’s digital banking sector: how to balance rapid growth with regulatory compliance in a space where innovation often runs ahead of governance.
The FCA’s 2022 multi-firm review of challenger banks found that many had underdeveloped financial crime controls, with some relying too heavily on automated onboarding and inadequate CDD measures.
For Monzo, the fine represents a significant reputational blow, but one the bank may weather given its high customer engagement and brand loyalty. The longer-term impact may depend on whether the episode is seen as a one-off legacy issue or indicative of deeper structural gaps in digital-first banking models.
As Chambers put it, “This case illustrates how lacking Monzo’s financial crime controls were. This was compounded by its inability to properly comply with the requirement not to onboard high-risk customers.”