This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Norton Rose Fulbright logo
  • Global
  • About
    • Back
    • About
    • Our firm
      • Back
      • Our firm
      • Clients
      • Global coverage
      • Vision, culture and people
      • Governance structure
      • Risk management
      • NRF Transform
      • Alumni
    • Diversity, Equity & Inclusion
      • Back
      • Diversity, Equity & Inclusion
      • Our people
      • Recognition
      • Governance
    • Corporate responsibility
      • Back
      • Corporate responsibility
      • Pro bono
      • Volunteering
      • Fundraising
      • Sustainable practice
      • Global charitable initiatives
    • Photo montage
      RE:

      Read our magazine
  • People
  • Services
    • Back
    • Services
    • Services A-Z
    • Key industries
      • Back
      • Key industries
      • Consumer markets
      • Energy, infrastructure and resources
      • Financial institutions
      • Life sciences and healthcare
      • Technology
      • Transport
    • Practices
      • Back
      • Practices
      • Antitrust and competition
      • Banking and finance
      • Bankruptcy, financial restructuring and insolvency
      • Climate change and sustainability
      • Consulting
      • Corporate, M&A and securities
      • Employment and labor
      • Energy
      • Environmental, social and governance (ESG)
      • Financial services and regulation
      • Information governance, privacy and cybersecurity
      • Intellectual property
      • Litigation and disputes
      • Private equity and venture capital
      • Projects
      • Real estate
      • Regulation and investigations
      • Risk advisory
      • Tax
      • Banking and finance
      • Climate change and sustainability
      • Corporate, M&A and securities
      • Energy
      • Financial services and regulation
      • Intellectual property
      • Private equity and venture capital
      • Real estate
      • Risk advisory
    • NRF Transform
    • Transform image

      Find out more
  • Insights
    • Back
    • Insights
    • NRF InstituteProfessional developmentResources and tools
    • PublicationsBlogsVideos
    • EventsWebinarsPodcasts
    • colorful light particles
      Sustainability and ESG

      Visit the hub
  • News
    • Back
    • News
    • Press releases
    • Market recognitions
    • Media information
  • Locations
  • Careers
    • Back
    • Careers
    • Graduates and students
    • Search current vacancies
      • Back
      • Search current vacancies
  • Change
  • Global
    • Back
    • global site
    • North America
      • Canada (English)
      • Canada (Français)
      • United States
    • Latin America
      • Latin America
      • Brazil
      • Mexico
    • Europe
      • Belgium
      • Deutschland (Deutsch)
      • France
      • Germany (English)
      • Greece
      • Italy
      • Luxembourg
      • Poland
      • The Netherlands
      • Turkey
      • United Kingdom
    • Middle East
    • Africa
      • Africa
      • Burundi
      • Kenya
      • Morocco
      • South Africa
      • Uganda
      • Zimbabwe
    • Asia Pacific
      • Australia
      • China
      • Hong Kong SAR
      • Indonesia
      • Japan
      • Singapore
      • Thailand
    • Regional practices
      • India
      • Israel
      • Korea
      • Marshall Islands
      • Nordic region
      • Pakistan
      • Vietnam
Lake in the forest

Connections

Insights, perspectives and viewpoints from our lawyers on topical issues

All Posts Subscribe
print-logo
7/22/2025 3:33:52 PM | 7 minute read

Notice in a nutshell: Monzo Bank Limited

Cyber security network. Data protection concept. Businessman using laptop computer with digital padlock on internet technology networking with cloud computing and data management, cybersecurity
21

Get in touch

Avatar
Katie Stephen
Co-Head of the Contentious Financial Services Group
Avatar
Joe Smallshaw
Counsel
Avatar
Rebecca Dulieu
Senior Associate
Avatar
Zara Khan
Associate

+1 more...

Show less

Get in touch

Avatar
Katie Stephen
Co-Head of the Contentious Financial Services Group
Avatar
Joe Smallshaw
Counsel
Avatar
Rebecca Dulieu
Senior Associate
Avatar
Zara Khan
Associate
21

On 7 July 2025, the Financial Conduct Authority (FCA) published a Final Notice in respect of Monzo Bank Limited (the firm), imposing a fine of £21,091,300 in respect of various inadequacies in its financial crime framework between October 2018 and August 2020 and failure to comply with a voluntary requirement (VREQ) which was designed to prevent it from opening accounts for high-risk customers between August 2020 and June 2022.

Key takeaways

  1. Consequences of breaching a voluntary requirement (VREQ): When considering the fine to impose on the firm, the FCA increased the figure by £10,000,000 to achieve credible deterrence in relation to repeated breaches of a VREQ which was imposed on the firm from 5 August 2020 to 26 February 2025. This underscores the importance of VREQs as a supervisory tool and sends a message to firms that adherence is imperative given the serious consequences of non-compliance, particularly given other recent cases involving VREQ breaches.
     
  2. Financial crime systems and controls keeping pace with growth: The FCA highlighted the rapid growth that the firm has had since obtaining full banking permissions in April 2017, with its customer base growing to 12 million by April 2025, and criticised the firm for not ensuring that key elements of its financial crime measures were equipped to keep up with its expansion, particularly in relation to customer risk assessment and the collection of customer information. The Final Notice serves as a reminder that the FCA expects firms to ensure their financial crime frameworks evolve with the scale of the risks they are facing and that the costs of non-compliance can significantly impact benefits gained through growth.
     
  3. Multiple weaknesses in financial crime systems and controls: The FCA highlighted a number of weaknesses in the firm’s financial crime systems and controls, including in its customer onboarding, customer risk assessment, enhanced due diligence, treatment of politically exposed persons and transaction monitoring systems. This emphasises the need for firms to ensure that their financial crime frameworks are robust from all angles and that they would not be open to similar criticism. Areas of focus include the collection and verification of customer data as part of the onboarding process and ensuring that high-risk customers are appropriately identified in line with the firm’s risk appetite and subjected to relevant enhanced customer due diligence.

Key findings

Firm

Monzo Bank Limited

Related decisions

No related decisions.

Sanction

Fine of £21,091,300 following a 30% settlement discount. In coming to this figure:

  • in terms of seriousness, the FCA considered the breaches to be level four and so the starting point was 15% of the firm’s revenue (comprising all revenue from the relevant business areas in the pre-VREQ period but, in the post-VREQ period, revenue from those accounts where Monzo failed to comply with the VREQ or failed to apply its VREQ controls correctly; 
  • the fine was increased by 20% to account for aggravating and mitigating factors including prior correspondence with the FCA (aggravating) and remedial action (mitigating); and
  • the FCA considered that the calculation for the post-VREQ period resulted in a figure (£805,250) which was insufficient to achieve credible deterrence and so should be uplifted by £10,000,000. 

Provisions

Section 55L Financial Services and Markets Act 2000 (FSMA)

Principle 3

Factual findings

The factual findings summarised below relate to: 

  • Inadequacies in the firm’s financial crime framework; and 
  • Breaches of a VREQ imposed by the FCA. 

August 2016: the firm was authorised. An external consultant reviewed the firm’s anti-money laundering policies and procedures, deeming them “adequate based on the size and complexity of the bank.”

April 2017: the firm was granted full banking permissions. 

November 2017: the FCA reviewed the firm’s anti-money laundering and financial sanctions systems and controls. It set out the following areas for improvement in a supervisory letter: 

  • Limited evidence of the firm seeking to understand customers’ expected activities at the point of onboarding; 
  • Lack of clarity on customer risk ratings and required levels of due diligence;
  • Lack of enhanced due diligence (EDD) provisions; and 
  • Evidence of customers transacting prior to the completion of the firm’s due diligence checks. 

18 January 2018: the firm responded to the FCA’s supervisory letter, confirming that appropriate action had been taken. 

Between 1 October 2018 and 4 August 2020: in the period preceding the imposition of a VREQ on the firm by the FCA, multiple issues with its financial crime framework were identified: 

  • Failure to gather sufficient customer data during customer due diligence (CDD);
  • Failure to verify the identity of all beneficial owners and persons of significant control (PSCs); 
  • Failure to verify the address for some personal banking customers (the FCA commented that this gave rise to a number of issues such as allowing customers to provide obviously implausible UK addresses such as Buckingham Palace and 10 Downing Street; customers using a UK address when opening an account but re-ordering a card to a non-UK address and multiple customers using the same address where the risk of criminal activity had not been fully addressed);
  • Lack of effective onboarding controls facilitated certain customers to open multiple accounts with the firm;
  • Inadequate EDD process which did not outline when or how to conduct and record EDD, resulting in EDD not being carried out on some higher risk customers; 
  • Failure to clearly define politically exposed persons (PEPs), which resulted some PEPs not being identified at the point of onboarding; and 
  • Weaknesses in transaction monitoring. 

5 August 2020: a VREQ was imposed on the firm’s Part 4A permissions, which included that “[t]he firm must not accept or process any new or additional account applications (whether for personal use, business use or otherwise) from new or existing high risk customers.” The VREQ also included 19 sub-requirements describing certain activities and characteristics that the firm was required to treat as high-risk factors, and additional onboarding steps.

Between 5 August 2020 and 30 June 2022: the firm repeatedly failed to comply with the terms of the VREQ, resulting in it opening 26,325 accounts for high-risk customers in breach of the VREQ as a result of technical flaws in its implementation of controls to comply with the VREQ as well as instances of human error when applying those controls. The breaches included accepting applications associated with addresses identified by the VREQ as high-risk and linked to devices already associated with at least two other customers. The firm also failed to comply with requirements regarding the documentation of onboarding decisions.

14 August 2020: the FCA required the firm to conduct a Skilled Person Review of its financial crime risk management, particularly covering: 

  • The adequacy of the firm’s financial crime systems and controls and CDD against the Money Laundering Regulations 2017 (MLRs) and the FCA’s rules; 
  • Recommendations for improvements to the firm’s financial crime systems and controls;
  • Quality assurance testing of the firm’s remediation exercise for impacted customer files; 
  • The firm’s plans to address weaknesses in its financial crime systems and controls; and
  • Evaluation of the firm’s remediation work. 

Between 18 September 2020 and 14 December 2020: the Skilled Person provided reports that the firm’s customer risk assessment (CRA), CDD and EDD did not align with the MLRs and FCA guidance, and made recommendations to improve its transaction monitoring systems and controls.

September 2021: following a ‘Dear CEO’ letter, the firm completed a gap analysis of its financial crime controls, leading to recommended enhancements to the firm’s CRA and EDD procedures to bring them in line with the MLRs.

November 2024: all the Skilled Person’s recommendations had been met.

26 February 2025: the FCA agreed to lift all requirements of the VREQ. 

The FCA noted that the firm had made a significant effort to enhance its financial crime framework, including completing a financial crime change programme to address the Skilled Person’s recommendations, conducting a back-book customer remediation exercise to gather due diligence information from existing customers and investing in recruiting for financial crime roles across its first and second lines of defence.

Failings

The FCA considered that the firm had breached Principle 3 by failing to take reasonable care to organise and control its systems and controls for managing the risk of financial crime effectively due to the following issues:

  • Assessment of money laundering risk: while the firm had completed a financial crime risk assessment, which recorded numerous actual and potential risks associated with customer activity, its financial crime controls were not operating effectively to mitigate these risks. The FCA considered that if the firm’s controls functioned as intended, the risk of potential money laundering would have been reduced. 
  • CDD: the FCA considered that the firm’s CDD processes prior to the imposition of the VREQ were inadequate. The firm failed to take steps to understand the purpose and intended nature of its customer relationships. The firm’s CDD measures were also non-compliant with the MLRs in numerous respects, including making no provision for the notification of material discrepancies between Companies House records and information gathered by the firm. 
  • Managing risk appetite: the firm’s failure to verify addresses prior to the imposition of the VREQ, while not contrary to the MLRs at the time, impacted its ability to ensure its business aligned with its risk appetite, namely only providing services to individuals residing in the UK. The lack of address verification also potentially attracted customers who wished to use the firm for the purposes of financial crime. Additionally, prior to the imposition of the VREQ, the firm’s CRA was noted to be non-compliant with the MLRs and its own risk appetite. As such, the firm could not determine the risk posed by its customers or apply the appropriate level of ongoing monitoring and due diligence. The firm had been aware of the limitations of its CRA processes.
  • Poor transaction monitoring: while the firm relied on transaction monitoring to manage customer risk and mitigate some of the gaps in its CDD and CRA, failing to collect key customer information at the outset (e.g. source of funds and occupation) impeded the firm’s ability to accurately determine unusual or suspicious transactions. Again, the firm was aware of some of the weaknesses in its transaction monitoring systems following a third-party review in late 2019. 
  • EDD: the firm’s EDD procedure did not provide for when EDD was required or its documentation, and PEPs were not properly handled. 

Furthermore, the FCA considered that, by breaching the VREQ, the firm had breached s55L FSMA:

  • High-risk accounts: the firm opened 26,325 accounts for high-risk customers through its failure to comply with the VREQ.
  • Analysis of breaches: following a review by an external law firm, the root cause for the firm having breached the VREQ was identified as the absence of a sufficiently “robust framework to manage the implementation and operation of the VREQ” and it was unclear who at the firm was accountable for various aspects of the VREQ.

Related content:

Notice in a nutshell: Donaldson and Arden

Notice in a nutshell: FSN - Direct Trading Technologies UK Ltd

Subscribe to our Connections insights Sign-up now

Tags

financial crime, financial institutions, banking and finance, corporate m&a and securities, regulation and investigations

Get in touch

Avatar
Katie Stephen
Co-Head of the Contentious Financial Services Group
Avatar
Joe Smallshaw
Counsel
Avatar
Rebecca Dulieu
Senior Associate
Avatar
Zara Khan
Associate

+1 more...

Show less

Get in touch

Avatar
Katie Stephen
Co-Head of the Contentious Financial Services Group
Avatar
Joe Smallshaw
Counsel
Avatar
Rebecca Dulieu
Senior Associate
Avatar
Zara Khan
Associate
FCA publishes final UK prospectus rules: Key takeaways for equity issuers
7/15/2025 11:38:20 AM

FCA publishes final UK prospectus rules: Key takeaways for equity issuers

By Fiona Millington Richard Sheen Clementine Hogarth Thomas Vita Alexander Green +2 more...

Show less

The Financial Conduct Authority (FCA) has today published its final rules in relation to reform of the UK prospectus regime in PS 25/9:...
90
90

Latest Insights

Notice in a nutshell: Sigma Broking Limited
8/28/2025 8:54:45 AM

Notice in a nutshell: Sigma Broking Limited

By Katie Stephen
2
2
Patching up the past: Law Commission consults on chancel repair liability reformations
8/27/2025 12:40:55 PM

Patching up the past: Law Commission consults on chancel repair liability reformations

By Charles Pinkerton
28
28
Szpitale pod lupą: nowe zasady programów naprawczych
8/21/2025 9:36:46 AM

Szpitale pod lupą: nowe zasady programów naprawczych

By Krzysztof Jasinski
1
13
13

Explore our site

  • About
  • Careers
  • Diversity, equity and inclusion
  • People
  • Services
  • Insights
  • News

Key industries

  • Consumer markets
  • Energy, infrastructure and resources
  • Financial institutions
  • Life sciences and healthcare
  • Technology
  • Transport

Locations

  • Global coverage

Norton Rose Fulbright © 2024. All Rights Reserved.

  • Amsterdam
  • ●
  • Athens
  • ●
  • Austin
  • ●
  • Bangkok
  • ●
  • Beijing
  • ●
  • Brisbane
  • ●
  • Brussels
  • ●
  • Bujumbura**
  • ●
  • Calgary
  • ●
  • Canberra
  • ●
  • Cape Town
  • ●
  • Casablanca
  • ●
  • Dallas
  • ●
  • Denver
  • ●
  • Dubai
  • ●
  • Durban
  • ●
  • Düsseldorf
  • ●
  • Frankfurt
  • ●
  • Hamburg
  • ●
  • Harare**
  • ●
  • Hong Kong SAR
  • ●
  • Houston
  • ●
  • Istanbul
  • ●
  • Jakarta*
  • ●
  • Johannesburg
  • ●
  • Kampala**
  • ●
  • London
  • ●
  • Los Angeles
  • ●
  • Luxembourg
  • ●
  • Melbourne
  • ●
  • Mexico City
  • ●
  • Milan
  • ●
  • Minneapolis
  • ●
  • Monaco
  • ●
  • Montréal
  • ●
  • Munich
  • ●
  • Newcastle
  • ●
  • New York
  • ●
  • Nairobi**
  • ●
  • Ottawa
  • ●
  • Paris
  • ●
  • Perth
  • ●
  • Piraeus
  • ●
  • Québec
  • ●
  • Riyadh*
  • ●
  • San Antonio
  • ●
  • San Francisco
  • ●
  • São Paulo
  • ●
  • Shanghai
  • ●
  • Singapore
  • ●
  • St. Louis
  • ●
  • Sydney
  • ●
  • Tokyo
  • ●
  • Toronto
  • ●
  • Vancouver
  • ●
  • Warsaw
  • ●
  • Washington DC *associate office **alliance
  • Legal notices and disclaimers
  • Impressum
  • Standard terms
  • Blog network terms and conditions
  • Cookies policy
  • Privacy notice
  • Website access conditions
  • Fraud alerts
  • Modern Slavery Statements
  • Health plan machine readable files
  • Anti-Facilitation of Tax Evasion Statement
  • Suppliers
  • History
  • Remote access
  • Sitemap
Offices and locations

Norton Rose Fulbright © 2024. All Rights Reserved.

  • Amsterdam
  • ●
  • Athens
  • ●
  • Austin
  • ●
  • Bangkok
  • ●
  • Beijing
  • ●
  • Brisbane
  • ●
  • Brussels
  • ●
  • Bujumbura**
  • ●
  • Calgary
  • ●
  • Canberra
  • ●
  • Cape Town
  • ●
  • Casablanca
  • ●
  • Dallas
  • ●
  • Denver
  • ●
  • Dubai
  • ●
  • Durban
  • ●
  • Düsseldorf
  • ●
  • Frankfurt
  • ●
  • Hamburg
  • ●
  • Harare**
  • ●
  • Hong Kong SAR
  • ●
  • Houston
  • ●
  • Istanbul
  • ●
  • Jakarta*
  • ●
  • Johannesburg
  • ●
  • Kampala**
  • ●
  • London
  • ●
  • Los Angeles
  • ●
  • Luxembourg
  • ●
  • Melbourne
  • ●
  • Mexico City
  • ●
  • Milan
  • ●
  • Minneapolis
  • ●
  • Monaco
  • ●
  • Montréal
  • ●
  • Munich
  • ●
  • Newcastle
  • ●
  • New York
  • ●
  • Nairobi**
  • ●
  • Ottawa
  • ●
  • Paris
  • ●
  • Perth
  • ●
  • Piraeus
  • ●
  • Québec
  • ●
  • Riyadh*
  • ●
  • San Antonio
  • ●
  • San Francisco
  • ●
  • São Paulo
  • ●
  • Shanghai
  • ●
  • Singapore
  • ●
  • St. Louis
  • ●
  • Sydney
  • ●
  • Tokyo
  • ●
  • Toronto
  • ●
  • Vancouver
  • ●
  • Warsaw
  • ●
  • Washington DC *associate office **alliance
Policies and disclaimers
  • Legal notices and disclaimers
  • Impressum
  • Standard terms
  • Blog network terms and conditions
  • Cookies policy
  • Privacy notice
  • Website access conditions
  • Fraud alerts
  • Modern Slavery Statements
  • Health plan machine readable files
  • Anti-Facilitation of Tax Evasion Statement
  • Suppliers
  • History
  • Remote access
  • Sitemap
Visit our global site, or select a location
North America
  • Canada (English)
  • Canada (Français)
  • United States
Latin America
  • Brazil
  • Mexico
Europe
  • Belgium
  • Deutschland (Deutsch)
  • France
  • Germany (English)
  • Greece
  • Italy
  • Luxembourg
  • Poland
  • The Netherlands
  • Turkey
  • United Kingdom
Middle East
Africa
  • Burundi
  • Kenya
  • Morocco
  • South Africa
  • Uganda
  • Zimbabwe
Asia Pacific
  • Australia
  • China
  • Hong Kong SAR
  • Indonesia
  • Japan
  • Singapore
  • Thailand
Regional practices
  • India
  • Israel
  • Korea
  • Marshall Islands
  • Nordic region
  • Pakistan
  • Vietnam