ARTICLE
7 August 2025

AML Update: Key Takeaways From The FCA's Monzo Fine For Failures In Financial Crime Controls

Herbert Smith Freehills Kramer LLP

Contributor


Reducing and preventing financial crime remains high on the agenda for the FCA Enforcement team; the latest annual enforcement data, published in July 2025, indicated that 75 of 130 open cases relate to this area, including 17 of the 23 cases opened in 2024/25.

July 2025 saw the publication of three Final Notices by the FCA in relation to firms' financial crime risk management. This briefing relates to the first of those, a fine of £21,091,300 issued on 7 July 2025 to Monzo Bank Ltd ("Monzo") for:

  • having inadequate anti-financial crime systems and controls between October 2018 and August 2020; and
  • failing to implement the underlying requirements of a voluntary requirement ("VREQ") between August 2020 and June 2022.

The focus of the Final Notice is on anti-money laundering ("AML") systems and controls, and this post summarises the findings and key takeaways arising from the Final Notice.

Background and timeline

The FCA describes Monzo as a 'digital challenger bank' - primarily offering personal current accounts, operating without a branch network, and providing financial services through smartphone apps. The Final Notice addresses Monzo's controls in relation to both retail and business banking customers.

The 'relevant period' covered by the enforcement action was 1 October 2018 to 30 June 2022, during which Monzo's customer base had substantially increased; it had approximately 250,000 customers in early 2017 and over 12 million personal and business customers by April 2025.

Monzo's AML policies and procedures had been assessed by an external consultant as being adequate in 2016, prior to the launch of its current account services. However, since then Monzo's customer base and range of products had grown substantially, and concerns were identified on a number of occasions:

  • in November 2017 the FCA's financial crime supervision team reviewed Monzo's AML systems and controls and wrote to Monzo identifying a number of areas of concern, which Monzo committed to address;
  • in early 2020, Monzo's second line of defence produced an initial report which concluded that Monzo's financial crime framework was not fully effective;
  • in August 2020 the FCA:
    • required Monzo to appoint a Skilled Person to undertake a full review of the Firm's financial crime risk management; and
    • requested that Monzo apply for a VREQ (which remained in force until February 2025), principally to prevent it from accepting or processing new or additional account applications for high-risk customers.

The Skilled Person reported in late 2020, first on Monzo's approach to customer risk assessment ("CRA"), customer due diligence ("CDD") and enhanced due diligence ("EDD"), and subsequently its transaction monitoring ("TM") systems and controls.

Thereafter, Monzo took steps to address the identified weaknesses. In parallel to this remediation, however, during the course of 2021 Monzo found a series of breaches of the VREQ. These were reported to the FCA, and by late 2021 Monzo had instructed a legal firm to review the root causes and implementation issues.

Also in 2021, the FCA undertook a multi-firm review of challenger banks, informing a sector-wide 'Dear CEO' letter in May 2021 and reporting publicly in mid-2022. Monzo's gap analysis of the Dear CEO letter identified further relevant enhancements.

The Skilled Person produced a series of reports on Monzo's progress, and all recommendations were addressed by November 2024.

Key areas of AML control failings

The FCA's Final Notice highlights the following key findings, in particular in relation to the pre-VREQ period:

  • Limited CDD information collected: Monzo collected limited CDD information to facilitate quicker customer onboarding. The FCA highlights the following in particular as data points identified by the MLR which Monzo did not collect:
    • The purpose of an account, transaction or business relationship;
    • The level of assets to be deposited by a customer or the size of the transactions undertaken by the customer; and
    • The regularity and duration of the business relationship.

      The Notice states that Monzo assumed that customers used its products in the same way – but that it became increasingly apparent that customers were, in fact, using their products differently – for example, as salary accounts, secondary accounts and travel accounts. Monzo's internal reviews identified that information about customer occupation and planned account usage could help CRA and inform the assessment of TM alerts.
  • Inadequate CRA: The FCA emphasises that CRA should be a "fundamental part" of a firm's business-wide risk assessment, and of the treatment of individual customers. We note that the FCA's emphasis on (a) the inputs to CRAs, (b) the nature/purpose of business relationships (noted below), and (c) the CRA's quality, has been an increasing focus of both supervisory statements and enforcement actions in recent years.

    Monzo's CRAs were insufficient to adequately determine the risks its customers posed and the appropriate level of monitoring and due diligence and did not consider the factors prescribed by the MLRs. For personal banking customers, the FCA attributes this primarily to Monzo's failure to collect relevant data points and its failure to provide adequate guidance or methodology for assessing relevant risk factors. The only risk factors initially stipulated for the purpose of risk-rating personal banking customers at onboarding were PEP exposure and adverse media concerns – and adverse media hits were not always reviewed. Information on occupation, expected transactional activity and geographic location did not feed into the CRA. For business customers, insufficient information was assessed in regard to the customer's exposure to high-risk geographies and industries/sectors. Relevant data which Monzo did gather at onboarding (e.g. tax residency, ID type, IP address and adverse media) was not utilised when making decisions about customer risk.

    The FCA found that internal documents evidenced an awareness within the firm that the shortcomings of its risk assessment process risked Monzo onboarding customers that it did not know enough about and could not effectively risk-assess. Following a 2022 remediation exercise to identify customers exhibiting specific risk factors, Monzo exited just under 1% of its entire banking population.

    Ultimately, the CRA weaknesses meant Monzo could not accurately articulate how many of its customers were high-risk and determine appropriate actions.
  • Nature and purpose of relationship: Monzo did not identify sufficient information to establish the intended nature and purpose of accounts, transactions and customer relationships, making it difficult to assess financial crime risks and monitor for unusual transactions.
  • Address verification: Monzo failed to adequately verify customer addresses. Although customers were required to have a UK postcode, their approach resulted in customers being able to provide implausible false addresses such as "Buckingham Palace" and "10 Downing Street". Monzo relied almost exclusively on a selfie identification and verification procedure for onboarding, which it had concluded was more reliable than address verification, despite having found that 47% of its higher-risk customers had failed address verification checks (as opposed to 20% of the overall population).

    Of particular interest, the FCA noted that this was not contrary to applicable guidance on the MLRs – i.e. the JMLSG Guidance – but observed that "Monzo's policy, upon which its financial crime risk appetite was based, was only to service customers based in the UK. In the absence of address verification, it was unable to ensure that its customer base was within its risk appetite". In other words, reliance on the JMLSG Guidance is not necessarily a 'safe harbour' if a firm's risk-based approach is predicated on serving only a particular customer segment, and controls are not effective to ensure this is the case.

    The position was exacerbated by Monzo having promoted the lack of address verification on its website and online media channels, and for part of the period offering a "Same day Monzo" service whereby customers were able to transact before receiving their physical account card at the address provided at onboarding.
  • Verification of beneficial owners: Monzo's procedures did not require, until late 2020, the verification of the identity of all beneficial owners ("UBOs") and Persons with Significant Control ("PSCs") of business customers. The procedures also did not require Monzo to report material discrepancies between the identification and verification information it obtained and Companies House filings. A remediation exercise carried out by Monzo necessitated the identity verification of over 19,000 beneficial owners / PSCs which had not previously been completed.

    Again, this is interesting as the MLR, whilst requiring that firms identify UBOs and "take reasonable measures to verify the identity of the [UBO] so that the relevant person is satisfied that it knows who the [UBO] is", do not require identity verification of PSCs. Further, in relation to UBOs the JMLSG guidance expressly draws a distinction between verification methods for customers and UBOs (Part I paragraph 5.3.14), and recognises that verification of UBO identity will be carried out on a risk-based approach (Part I, paragraph 5.2.127). The Notice does not discuss these issues at all, and it is not clear whether Monzo had determined that verification of all UBOs and PSCs was required on a risk-based approach (hence the lack of verification was a breach) or whether the point was simply not addressed in the enforcement action.
  • CIFAS checks: CIFAS screening was not added as an onboarding control until July 2020, and the Notice implicitly criticises Monzo for not introducing this sooner despite recognising its potential benefits.

    The FCA's interest in this area is in line with its recent multi-firm review of 'Firms' use of the National Fraud Database (NFD) and money mule account detection tools'. Whilst that review notes that CIFAS membership is voluntary, it also emphasises the importance of data-sharing in disrupting mule activity to protect the public and build trust and confidence in financial markets. For firms in relevant sectors, this is clearly an area of evolving regulatory expectations, where the FCA may be ahead of the JMLSG guidance.
  • Multiple accounts: Monzo failed to implement effective controls to identify instances where customers were able to open multiple accounts, including two customers whose accounts had previously been closed due to financial crime concerns. An internal review conducted by Monzo in 2020 noted concerns regarding its manual process and lack of QA in this area.
  • Enhanced Due Diligence ("EDD"): some procedures did not prescribe when and how EDD should be applied (including some of the MLR-prescribed EDD categories) meaning some high-risk customers were onboarded without it. In particular there was no clear trigger for applying EDD other than PEP-status.
  • Definition and onboarding of Politically Exposed Persons ("PEPs"): there was no clear internal definition of a PEP which, although not a regulatory breach, led to inconsistent decisions at onboarding. The FCA also noted that there was a backlog in relation to PEP reviews and concerns that staff were performing such reviews without sufficient guidance. Further, PEPs were permitted to provide source of wealth and source of funds information after they had begun transacting.
  • Transaction monitoring ("TM"): Monzo relied on TM to mitigate some of the recognised limits of its onboarding controls, meaning that customer risk was predominantly considered in response to post-onboarding events, such as TM alerts. There were weaknesses in Monzo's TM processes, including:
    • challenges in alert review arising from the lack of data collected at onboarding;
    • inadequate guidance for alert-review staff on assigning revised risk-ratings following alert review;
    • a lack of guidance to staff on how to investigate TM alerts, including the weighting given to different data points, use of external data sources, and maintaining audit trails;
    • a failure by relevant systems to identify the transaction/activity which had generated the TM alert, complicating alert review; and
    • the (over-) use of an "undecided" category to resolve alerts, where a staff member was unable to articulate clear suspicion but could identify unusual activity or cause for concern.
  • Customer reviews: Monzo's procedures did not prescribe regular reviews of existing customers' CDD information on a risk-based approach.

In relation to the VREQ, the Notice contains an interesting summary (at paragraphs 4.115-4.122) of the identified root causes of the VREQ breaches, which include at an overarching level an "insufficiently robust governance framework to manage the implementation and operation of the VREQ". Firms who are implementing similar requirements may find it helpful to refer to these identified issues.

Consequences

Monzo was found to have breached Principle 3 of the FCA's Principles for Businesses during the Pre-VREQ Period. This is the requirement for a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

In addition, despite the requirements of the VREQ, Monzo onboarded 34,262 high-risk customers between August 2020 and June 2022.

Monzo was fined £21,091,300 by the FCA. The FCA's starting point for the calculation was revenue earned from the relevant business areas in respect of the Pre-VREQ Period and all revenue earned during the Relevant VREQ Period from the population of accounts where Monzo did not correctly comply with the VREQ.

Although the firm qualified for a 30% early settlement discount under the FCA's processes, the penalty calculation is notable for the inclusion of an additional £10m uplift in respect of the VREQ non-compliance; the FCA concluded that the previous penalty figure relating to this element of Monzo's conduct was insufficient to meet the objective of credible deterrence with the risk that, in the absence of an increase, similar breaches would be committed by Monzo or other firms in the future.

As noted above, the Final Notice confirms that all relevant remediation had been completed by November 2024.

Key takeaways

Challenger Bank Controls

The adequacy of financial crime controls at challenger banks remains a key focus for the FCA, following its 2022 review, and was highlighted as a priority in the FCA's 2025 supervisory strategy for retail banks.

Challenger banks must ensure that their financial crime controls keep pace with their rapid growth and expansion. Those controls must be proportionate to the nature, scale and complexity of a firm's activities, and compliance frameworks should be designed with future growth in mind. Firms should also be cautious about relying on external reviews of controls to confirm their adequacy, where the business has changed materially since those reviews were conducted.

Reading Regulatory Warning Signs

In the November 2017 FCA financial crime review of Monzo's controls, alongside some positive comments, a number of weaknesses similar to those later referenced in the Final Notice were highlighted. These included a lack of evidence of Monzo seeking to understand the nature of its customer relationships, no EDD provision for high-risk customers other than PEPs or those having high-risk third-party links, and customers being able to transact prior to the completion of due diligence checks.

While the FCA has signalled that it is increasingly seeking to use tools other than Enforcement to tackle potential customer harm, it clearly remains willing to use its Enforcement powers in its priority areas, particularly where its Supervisory interventions appear not to have achieved the desired change in outcome. A failure to take appropriate action to rectify issues flagged by the FCA leaves firms in a significantly weaker position when it comes to defending any subsequent Enforcement action.

Areas of enforcement focus – and growing divergence from the JMLSG guidance

As noted above, the FCA's areas of interest in this Final Notice are closely aligned with its recent supervisory activity and other recent enforcement cases. These include customer risk assessment, the 'nature and purpose' of business relationships, and transaction monitoring controls (including alert review). Whilst a more detailed discussion of the specific findings is set out above, at a more general level these points underline the importance of a focus on the FCA's published expectations as opposed to simply the JMLSG guidance. In some areas the two remain in step (particularly after the JMLSG's update to its transaction monitoring guidance). However, it is clear that reliance on the guidance is not necessarily a 'safe harbour' and that the FCA continues, in some cases, to take enforcement action in respect of points which are not addressed by, or where a firm might consider it is compliant with, the JMLSG guidance.

VREQ Compliance

The £10m uplift applied to the £805,250 element of Monzo's fine relating to VREQ non-compliance demonstrates the increasing importance the FCA places on these measures. This is almost certainly linked to the FCA's increased use of VREQs and other supervisory tools in lieu of enforcement, and is designed to ensure that firms are dedicating an appropriate degree of attention and resource to such matters. Firms who do find themselves subject to VREQs, and in particular the relevant Senior Managers, should give careful thought to how they are going to monitor compliance within an appropriate oversight and governance framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
