Firm

Monzo Bank Limited

Related decisions

No related decisions.

Sanction

Fine of £21,091,300 following a 30% settlement discount. In coming to this figure:

• in terms of seriousness, the FCA considered the breaches to be level four and so the starting point was 15% of the firm’s revenue (comprising all revenue from the relevant business areas in the pre-VREQ period but, in the post-VREQ period, revenue from those accounts where Monzo failed to comply with the VREQ or failed to apply its VREQ controls correctly; 
• the fine was increased by 20% to account for aggravating and mitigating factors including prior correspondence with the FCA (aggravating) and remedial action (mitigating); and
• the FCA considered that the calculation for the post-VREQ period resulted in a figure (£805,250) which was insufficient to achieve credible deterrence and so should be uplifted by £10,000,000. 

Provisions

Section 55L Financial Services and Markets Act 2000 (FSMA)

Principle 3

Factual findings

The factual findings summarised below relate to: 

• Inadequacies in the firm’s financial crime framework; and 
• Breaches of a VREQ imposed by the FCA. 

August 2016: the firm was authorised. An external consultant reviewed the firm’s anti-money laundering policies and procedures, deeming them “adequate based on the size and complexity of the bank.”

April 2017: the firm was granted full banking permissions. 

November 2017: the FCA reviewed the firm’s anti-money laundering and financial sanctions systems and controls. It set out the following areas for improvement in a supervisory letter: 

• Limited evidence of the firm seeking to understand customers’ expected activities at the point of onboarding; 
• Lack of clarity on customer risk ratings and required levels of due diligence;
• Lack of enhanced due diligence (EDD) provisions; and 
• Evidence of customers transacting prior to the completion of the firm’s due diligence checks. 

18 January 2018: the firm responded to the FCA’s supervisory letter, confirming that appropriate action had been taken. 

Between 1 October 2018 and 4 August 2020: in the period preceding the imposition of a VREQ on the firm by the FCA, multiple issues with its financial crime framework were identified: 

• Failure to gather sufficient customer data during customer due diligence (CDD);
• Failure to verify the identity of all beneficial owners and persons of significant control (PSCs); 
• Failure to verify the address for some personal banking customers (the FCA commented that this gave rise to a number of issues such as allowing customers to provide obviously implausible UK addresses such as Buckingham Palace and 10 Downing Street; customers using a UK address when opening an account but re-ordering a card to a non-UK address and multiple customers using the same address where the risk of criminal activity had not been fully addressed);
• Lack of effective onboarding controls facilitated certain customers to open multiple accounts with the firm;
• Inadequate EDD process which did not outline when or how to conduct and record EDD, resulting in EDD not being carried out on some higher risk customers; 
• Failure to clearly define politically exposed persons (PEPs), which resulted some PEPs not being identified at the point of onboarding; and 
• Weaknesses in transaction monitoring. 

5 August 2020: a VREQ was imposed on the firm’s Part 4A permissions, which included that “[t]he firm must not accept or process any new or additional account applications (whether for personal use, business use or otherwise) from new or existing high risk customers.” The VREQ also included 19 sub-requirements describing certain activities and characteristics that the firm was required to treat as high-risk factors, and additional onboarding steps.

Between 5 August 2020 and 30 June 2022: the firm repeatedly failed to comply with the terms of the VREQ, resulting in it opening 26,325 accounts for high-risk customers in breach of the VREQ as a result of technical flaws in its implementation of controls to comply with the VREQ as well as instances of human error when applying those controls. The breaches included accepting applications associated with addresses identified by the VREQ as high-risk and linked to devices already associated with at least two other customers. The firm also failed to comply with requirements regarding the documentation of onboarding decisions.

14 August 2020: the FCA required the firm to conduct a Skilled Person Review of its financial crime risk management, particularly covering: 

• The adequacy of the firm’s financial crime systems and controls and CDD against the Money Laundering Regulations 2017 (MLRs) and the FCA’s rules; 
• Recommendations for improvements to the firm’s financial crime systems and controls;
• Quality assurance testing of the firm’s remediation exercise for impacted customer files; 
• The firm’s plans to address weaknesses in its financial crime systems and controls; and
• Evaluation of the firm’s remediation work. 

Between 18 September 2020 and 14 December 2020: the Skilled Person provided reports that the firm’s customer risk assessment (CRA), CDD and EDD did not align with the MLRs and FCA guidance, and made recommendations to improve its transaction monitoring systems and controls.

September 2021: following a ‘Dear CEO’ letter, the firm completed a gap analysis of its financial crime controls, leading to recommended enhancements to the firm’s CRA and EDD procedures to bring them in line with the MLRs.

November 2024: all the Skilled Person’s recommendations had been met.

26 February 2025: the FCA agreed to lift all requirements of the VREQ. 

The FCA noted that the firm had made a significant effort to enhance its financial crime framework, including completing a financial crime change programme to address the Skilled Person’s recommendations, conducting a back-book customer remediation exercise to gather due diligence information from existing customers and investing in recruiting for financial crime roles across its first and second lines of defence.

Failings

The FCA considered that the firm had breached Principle 3 by failing to take reasonable care to organise and control its systems and controls for managing the risk of financial crime effectively due to the following issues:

• Assessment of money laundering risk: while the firm had completed a financial crime risk assessment, which recorded numerous actual and potential risks associated with customer activity, its financial crime controls were not operating effectively to mitigate these risks. The FCA considered that if the firm’s controls functioned as intended, the risk of potential money laundering would have been reduced. 
• CDD: the FCA considered that the firm’s CDD processes prior to the imposition of the VREQ were inadequate. The firm failed to take steps to understand the purpose and intended nature of its customer relationships. The firm’s CDD measures were also non-compliant with the MLRs in numerous respects, including making no provision for the notification of material discrepancies between Companies House records and information gathered by the firm. 
• Managing risk appetite: the firm’s failure to verify addresses prior to the imposition of the VREQ, while not contrary to the MLRs at the time, impacted its ability to ensure its business aligned with its risk appetite, namely only providing services to individuals residing in the UK. The lack of address verification also potentially attracted customers who wished to use the firm for the purposes of financial crime. Additionally, prior to the imposition of the VREQ, the firm’s CRA was noted to be non-compliant with the MLRs and its own risk appetite. As such, the firm could not determine the risk posed by its customers or apply the appropriate level of ongoing monitoring and due diligence. The firm had been aware of the limitations of its CRA processes.
• Poor transaction monitoring: while the firm relied on transaction monitoring to manage customer risk and mitigate some of the gaps in its CDD and CRA, failing to collect key customer information at the outset (e.g. source of funds and occupation) impeded the firm’s ability to accurately determine unusual or suspicious transactions. Again, the firm was aware of some of the weaknesses in its transaction monitoring systems following a third-party review in late 2019. 
• EDD: the firm’s EDD procedure did not provide for when EDD was required or its documentation, and PEPs were not properly handled. 

Furthermore, the FCA considered that, by breaching the VREQ, the firm had breached s55L FSMA:

• High-risk accounts: the firm opened 26,325 accounts for high-risk customers through its failure to comply with the VREQ.
• Analysis of breaches: following a review by an external law firm, the root cause for the firm having breached the VREQ was identified as the absence of a sufficiently “robust framework to manage the implementation and operation of the VREQ” and it was unclear who at the firm was accountable for various aspects of the VREQ.