On 7 July 2025, the Financial Conduct Authority (FCA) published a Final Notice in respect of Monzo Bank Limited (the firm), imposing a fine of £21,091,300 in respect of various inadequacies in its financial crime framework between October 2018 and August 2020 and failure to comply with a voluntary requirement (VREQ) which was designed to prevent it from opening accounts for high-risk customers between August 2020 and June 2022.
Key takeaways
- Consequences of breaching a voluntary requirement (VREQ): When considering the fine to impose on the firm, the FCA increased the figure by £10,000,000 to achieve credible deterrence in relation to repeated breaches of a VREQ which was imposed on the firm from 5 August 2020 to 26 February 2025. This underscores the importance of VREQs as a supervisory tool and sends a message to firms that adherence is imperative given the serious consequences of non-compliance, particularly given other recent cases involving VREQ breaches.
- Financial crime systems and controls keeping pace with growth: The FCA highlighted the rapid growth that the firm has had since obtaining full banking permissions in April 2017, with its customer base growing to 12 million by April 2025, and criticised the firm for not ensuring that key elements of its financial crime measures were equipped to keep up with its expansion, particularly in relation to customer risk assessment and the collection of customer information. The Final Notice serves as a reminder that the FCA expects firms to ensure their financial crime frameworks evolve with the scale of the risks they are facing and that the costs of non-compliance can significantly impact benefits gained through growth.
- Multiple weaknesses in financial crime systems and controls: The FCA highlighted a number of weaknesses in the firm’s financial crime systems and controls, including in its customer onboarding, customer risk assessment, enhanced due diligence, treatment of politically exposed persons and transaction monitoring systems. This emphasises the need for firms to ensure that their financial crime frameworks are robust from all angles and that they would not be open to similar criticism. Areas of focus include the collection and verification of customer data as part of the onboarding process and ensuring that high-risk customers are appropriately identified in line with the firm’s risk appetite and subjected to relevant enhanced customer due diligence.
Key findings
Firm | Monzo Bank Limited |
Related decisions | No related decisions. |
Sanction | Fine of £21,091,300 following a 30% settlement discount. In coming to this figure:
|
Provisions | Section 55L Financial Services and Markets Act 2000 (FSMA) Principle 3 |
Factual findings | The factual findings summarised below relate to:
August 2016: the firm was authorised. An external consultant reviewed the firm’s anti-money laundering policies and procedures, deeming them “adequate based on the size and complexity of the bank.” April 2017: the firm was granted full banking permissions. November 2017: the FCA reviewed the firm’s anti-money laundering and financial sanctions systems and controls. It set out the following areas for improvement in a supervisory letter:
18 January 2018: the firm responded to the FCA’s supervisory letter, confirming that appropriate action had been taken. Between 1 October 2018 and 4 August 2020: in the period preceding the imposition of a VREQ on the firm by the FCA, multiple issues with its financial crime framework were identified:
5 August 2020: a VREQ was imposed on the firm’s Part 4A permissions, which included that “[t]he firm must not accept or process any new or additional account applications (whether for personal use, business use or otherwise) from new or existing high risk customers.” The VREQ also included 19 sub-requirements describing certain activities and characteristics that the firm was required to treat as high-risk factors, and additional onboarding steps. Between 5 August 2020 and 30 June 2022: the firm repeatedly failed to comply with the terms of the VREQ, resulting in it opening 26,325 accounts for high-risk customers in breach of the VREQ as a result of technical flaws in its implementation of controls to comply with the VREQ as well as instances of human error when applying those controls. The breaches included accepting applications associated with addresses identified by the VREQ as high-risk and linked to devices already associated with at least two other customers. The firm also failed to comply with requirements regarding the documentation of onboarding decisions. 14 August 2020: the FCA required the firm to conduct a Skilled Person Review of its financial crime risk management, particularly covering:
Between 18 September 2020 and 14 December 2020: the Skilled Person provided reports that the firm’s customer risk assessment (CRA), CDD and EDD did not align with the MLRs and FCA guidance, and made recommendations to improve its transaction monitoring systems and controls. September 2021: following a ‘Dear CEO’ letter, the firm completed a gap analysis of its financial crime controls, leading to recommended enhancements to the firm’s CRA and EDD procedures to bring them in line with the MLRs. November 2024: all the Skilled Person’s recommendations had been met. 26 February 2025: the FCA agreed to lift all requirements of the VREQ. The FCA noted that the firm had made a significant effort to enhance its financial crime framework, including completing a financial crime change programme to address the Skilled Person’s recommendations, conducting a back-book customer remediation exercise to gather due diligence information from existing customers and investing in recruiting for financial crime roles across its first and second lines of defence. |
Failings | The FCA considered that the firm had breached Principle 3 by failing to take reasonable care to organise and control its systems and controls for managing the risk of financial crime effectively due to the following issues:
Furthermore, the FCA considered that, by breaching the VREQ, the firm had breached s55L FSMA:
|
Related content:
Notice in a nutshell: Donaldson and Arden
Notice in a nutshell: FSN - Direct Trading Technologies UK Ltd