Slick app, sloppy controls: The £21M AML fine that caught up with Monzo

In May 2024, the FCA handed neobank Monzo a £21.1 million fine for systemic AML failings. The penalty followed a six-year investigation and exposed how Monzo’s rapid growth far outpaced its ability to manage financial crime risks. Customers were able to open accounts using obviously false or suspicious information, including addresses listed as 10 Downing Street and Buckingham Palace, without triggering any red flags. In another case, more than 100 accounts were linked to the same address, yet no enhanced checks were conducted. These weren’t isolated lapses: they revealed systemic weaknesses in how Monzo handled onboarding, risk assessments, and due diligence.

 

From missed customer risk assessments to delayed suspicious activity reports and ignored AML alerts, the failures at Monzo weren’t isolated mistakes: they reflected systemic breakdowns in process, oversight, and resourcing. The case sends a clear message: rapid growth is no excuse for letting core financial crime controls fall behind. The basics must scale with the business, or the regulator will step in.

 

Why are regulators cracking down on neobanks?

 

Monzo’s £21 million fine didn’t come out of nowhere. In 2022, the FCA conducted a wide-ranging review of neobanks and challenger banks, triggered by the UK’s National Risk Assessment on money laundering and terrorist financing. The findings were stark: many digital-first banks lacked risk-based AML frameworks, rushed customer onboarding with minimal due diligence, and filed disproportionately high volumes of SARs — often of poor quality — suggesting weak initial screening.

 

The FCA’s recommendations were clear: implement enhanced customer risk assessments, strengthen CDD and EDD, improve alert management, and ensure SARs are accurate and timely. Critically, the regulator stressed that compliance systems must scale with growth — something many challenger banks, including Monzo, failed to do.

 

And the stakes aren’t just regulatory. In a sector where brand reputation and customer trust are core assets, links to financial crime can do lasting damage.

What the FCA found

 

Monzo was fined for breaching Principle 3 of the FCA Handbook: failure to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems, as detailed in the FCA’s Final Notice.

 

Here’s what that meant in practice:

 

  • Customer risk assessments were not being completed properly—some were missed altogether.

  • Ongoing monitoring of existing customers was deficient, despite known red flags.

  • AML alerts were ignored or not followed up. Even when alerts were triggered, they were often closed without proper investigation.

  • Backlogs in financial crime reviews were allowed to grow, while resourcing remained insufficient.

  • SARs (Suspicious Activity Reports) were delayed or missed entirely.

 

The FCA’s Final Notice also flagged weaknesses in how Monzo identified and managed high-risk customers, including PEPs — a timely issue, given the regulator’s recently published final guidance on the treatment of Politically Exposed Persons for AML purposes.

 

Rapid growth, weak controls

 

Monzo grew fast. Too fast, in some ways. Between 2018 and 2020, its customer base jumped from under 1 million to over 3 million. But the systems, staff and culture didn’t scale with the same rigour. The FCA made clear that Monzo’s compliance infrastructure wasn’t “commensurate with the size and complexity of its business.”

 

This wasn’t about criminal intent; it was about neglect. There was no suggestion the bank deliberately ignored its AML obligations. The problem was structural: weak systems, poor oversight, and a failure to act on known gaps. In the eyes of the regulator, good intentions count for little when the fundamentals aren’t in place.

 

Practical takeaways

 

Whether you’re in a fintech, law firm, real estate agency or accounting practice, the Monzo case offers several concrete takeaways:

 

1. Don’t delay resourcing decisions

 

Monzo’s controls didn’t scale with its growth. The FCA pointed to weak oversight and slow responses to known risks. Delayed action on financial crime systems contributed directly to the £21M fine.

 

2. Customer risk assessments aren’t optional

 

The FCA expects firms to complete risk assessments—not just have a framework for them. Missed or partial assessments are compliance failures.

 

3. You’re still responsible—even when outsourcing

 

Monzo delegated onboarding checks to third parties. But the FCA was clear: the bank remained ultimately responsible for the adequacy of those checks.

 

4. Ongoing monitoring is where most firms fall down

 

The FCA pointed out multiple failures around reviewing and refreshing customer risk profiles. Too many firms still treat AML as a “point-in-time” obligation. It’s not.

 

5. Backlogs = red flags

 

Backlogs in SARs, alerts, or risk reviews aren’t just operational inefficiencies. They’re indicators of systemic weakness, and the regulator will interpret them as such.

 

Good tech does not equal good compliance

 

Monzo built a sleek digital product that disrupted UK banking. But in the compliance world, being digital doesn’t make you bulletproof.

 

Digital onboarding, automation, and slick UX mean nothing if the underlying due diligence is weak. If anything, speed and scale demand more rigour, not less.

 

Monzo is hardly alone. But its case will likely be cited in AML training and enforcement guidance for years to come.

 
