Skip to content

Growth Over Compliance: Monzo's Costly Failures

11 July 2025

Growth Over Compliance: Monzo's Costly Failures

Less than a year ago, CBPL was fined £3.5m for not complying with the terms of Voluntary Requirements (VREQ) agreed with the FCA. A few months later, it was Starling Bank (£29M). Now, it's Monzo Bank (£21.1M).

 

 

VREQs are serious. They are the result of significant control failures and mean you are under the FCA's spotlight. Why make matters worse by breaching their terms?

⚠️ Growth must not come at the expense of Compliance. With a 50x increase in customers in 8 years, systems and controls had to keep pace, but they didn't.

Key failings include:

➡️ During the pre-VREQ period, the Firm did not obtain key information, like the nature and purpose of the business relationship. It also failed to verify the identity of beneficial owners and PSC of business customers, or require the periodic update of customer records. At least three internal reports during the period highlighted concerns, but these were not acted upon.

➡️ Address verification checks were eliminated despite almost half of high-risk customers having failed them, resulting in customers entering foreign addresses with UK postcodes, or implausible addresses like "Buckingham Palace " or "10 Downing Street" without any issue being raised.

➡️ CIFAS checks were only implemented in mid-2020, and resulted in 50K accounts failing them and being considered for exit.

➡️ Lack of controls to identify customers opening multiple accounts

➡️ CRA conducted with limited information: no review of adverse media hits, limited assessment of exposure to high-risk countries, no guidance on weightings applied, "no identified risk" rating applied by default...

➡️ Transaction monitoring was heavily relied upon, but suffered from insufficient data captured during onboarding and CRA deficiencies. Alerts did not identify the transactions at the source of the alert, and almost half of them were closed as "Undecided".

➡️ The Firm opened 26K high-risk accounts while under a VREQ prohibiting from doing so. This was due to controls not being applied consistently (e.g. excluding reopened accounts, on applications in progress at the time of the VREQ), but also weak governance (no clarity on who did what), and erroneous self-interpretation of the requirements.