FCA’s Fine on Monzo – What Happened?
In July 2025, the UK Financial Conduct Authority (FCA) fined Monzo Bank approximately £21 million for serious anti-money laundering (AML) control failings. The fine – detailed in an FCA Final Notice – addressed Monzo’s inadequate customer due diligence (CDD), risk assessment, and monitoring systems between October 2018 and August 2020. It also penalized Monzo for repeatedly violating an FCA restriction that banned the bank from onboarding high-risk customers between August 2020 and June 2022. In total, Monzo opened accounts for over 34,000 high-risk customers in defiance of this order. Therese Chambers, the FCA’s Enforcement Director, noted Monzo “fell far short of what we, and society, expect” of a bank acting as a gatekeeper against financial crime.
The FCA found that Monzo’s rapid growth far outpaced its compliance capacity – exposing systemic weaknesses. For example, during 2018–2020 Monzo defaulted most new customers to “no identified risk” and streamlined onboarding at the expense of proper checks. Obvious red flags were missed: Monzo let users open accounts with implausible addresses (including well-known landmarks as their residence) without sufficient verification. It also failed to gather basic information about customers’ account purpose or source of funds in many cases. For business accounts, Monzo did not consistently verify all beneficial owners, as required by regulation. These CDD gaps meant Monzo could neither fully assess the financial crime risk of its customers nor monitor their transactions effectively. When the FCA intervened in 2020 – mandating an independent review and barring high-risk onboarding – Monzo still did not improve quickly enough, continuing to sign up high-risk clients despite the restrictions. The final £21 million penalty (which was originally calculated at £30 million before a settlement discount) underscores how serious these failings were.
A Forward-Looking Penalty – Regulators Expect Day-One Compliance
Notably, the FCA stressed that Monzo’s breaches, though occurring years ago, carry a very current message. Monzo’s leadership argued these problems were “historical” and have since been fixed. The regulator doesn’t disagree – indeed, Monzo implemented a remediation program and improved its controls – yet the scale of the fine and the FCA’s language make clear that regulators are being forward-looking with this enforcement. In other words, this case is about setting a precedent for all fintechs going forward. Rapid growth is no excuse for weak controls. The Final Notice explicitly reminds firms that financial crime frameworks must evolve in step with expansion. No matter how innovative or fast-growing a challenger bank is, it will be held to the same “adequate systems and controls” standard as any incumbent bank from day one.

The Monzo fine thus reads as a warning shot to the fintech sector. The FCA increased Monzo’s penalty by £10 million purely to deter breaches of a voluntary requirement (the high-risk onboarding ban) – sending a message that failing to comply with supervisory directions will have severe consequences. More broadly, the FCA criticized Monzo for not equipping its AML controls to keep pace with customer growth, reinforcing that compliance can’t lag behind scale. In regulators’ eyes, every fintech must build “scalable AML” controls from the start – waiting until millions of users are onboarded to beef up compliance is simply unacceptable. As one legal expert observed about these recent actions, the size of the fines is striking and reflects fundamental regulatory expectations. In short, the FCA’s punitive stance is forward-looking: it puts the industry on notice that scalable compliance infrastructure is expected as table stakes for any bank or fintech in 2026 and beyond.
What “Scalable AML” Means in Practice

What do regulators mean by “scalable AML” in a fintech or challenger bank context? In practical terms, it means designing your financial crime compliance program such that it can handle not just today’s users and transactions, but 10x or 100x more, without compromising effectiveness. Key elements of a scalable AML framework include:
- Real-Time Onboarding Gates: Implement verification and screening checks during customer onboarding that automatically pause or prevent account opening when risk indicators appear. For example, identity documents and addresses should be validated against reliable databases in real time, and any sign of false information or sanction/PEP hits should trigger review before an account is fully activated. Scalable compliance means catching issues at the front door – Monzo’s failings (e.g. accepting “Buckingham Palace” as an address) illustrate why instant, intelligent onboarding checks are crucial, even if they add a bit of friction. Fast-growing fintechs can still tout quick signup, but “fast” cannot equate to “no checks”.
- Dynamic Risk Scoring: Rather than one-and-done risk assessments, use algorithms or rules that continuously update each customer’s risk profile based on their behavior and new data. A scalable AML system will automatically elevate a customer’s risk rating and required due diligence if their activity changes (e.g. a low-volume account suddenly starts moving large international wires). This ensures compliance teams focus on the truly high-risk cases as the business grows. As industry guidance notes, dynamic risk scoring lets firms allocate resources to higher-risk areas intelligently, applying enhanced scrutiny where needed while fast-tracking low-risk customers.
- Rules-Based Transaction Monitoring: Deploy an automated monitoring engine with a library of risk rules and scenarios that can flag suspicious transactions in real time. As your customer base and transaction volumes expand, the system should be tunable and version-controlled – allowing new rules or threshold adjustments to be rolled out quickly in response to emerging threats. The goal is to detect patterns indicative of money laundering (e.g. structuring, rapid in/out flows, use of mule accounts) and generate alerts for investigation. Scalable AML means this monitoring runs continuously without being overwhelmed by scale. It also implies sufficient resources to promptly review and clear alerts; regulators frown upon huge backlogs or superficial “tick-box” monitoring that fails to catch issues.
- Unified Fraud and AML Workflows: A scalable approach breaks down silos between fraud prevention and AML compliance. Fintechs should aim for a unified platform or workflow where fraud signals (e.g. stolen card attempts, account takeovers) and AML red flags (e.g. suspicious transactions, sanctions hits) are shared, and cases are managed in one system. This holistic view improves risk detection – for instance, seeing that a single customer triggered both fraud and AML alerts provides richer context to stop illicit activity. Integrated workflows also eliminate duplicated effort and ensure nothing “falls through the cracks” as volumes grow. A lean compliance team can work more efficiently when all financial crime alerts funnel through one coordinated process.
- Continuous Assurance and Testing: “Set and forget” does not scale in compliance. Scalable AML programs include continuous assurance mechanisms – regular audits, control tests, and reviews to ensure the AML systems actually work and keep up with change. This might involve periodic re-validation of customer information (e.g. re-KYC every 1–2 years or upon certain events), routine back-testing of monitoring rules against historical data, and independent audits of the end-to-end controls. The FCA expects firms to actively prove their controls are effective, not just set them up. In practice, that means maintaining audit-ready records (so any decision or alert can be explained) and promptly fixing issues that internal testing reveals. A scalable framework treats compliance like a living system – continuously improving and self-correcting – rather than a one-time project.
In short, “scalable AML” means building a risk management infrastructure that grows in tandem with the business. It’s proactive, technology-powered, and comprehensive across the customer lifecycle (from onboarding to ongoing monitoring). Crucially, it also means planning for the worst – having the governance, documentation, and review processes in place such that if regulators examine your program, you can demonstrate its effectiveness at any scale.
A Pattern Across Regulators: AML is Now Table Stakes for Fintechs
Monzo is not alone – regulators across multiple jurisdictions are cracking down on fast-growing fintechs and digital banks for similar failings. The expectation of “scalable compliance from day one” is now global table stakes. Recent enforcement actions echo the Monzo case in key themes:

In October 2024, the FCA fined Starling (another UK challenger bank) £29 million for “shockingly lax” financial crime controls. As with Monzo, Starling’s AML systems didn’t keep pace with its growth and it breached an FCA requirement not to open high-risk accounts. The FCA found Starling had opened more than 54,000 accounts for high-risk customers between 2021 and 2023 despite being ordered not to. It also discovered that Starling’s sanctions screening system had been misconfigured for years, leaving the bank “wide open to criminals” until a 2023 internal review exposed the issue. The fine (originally £41m before discount) underscored that failing to fix known AML weaknesses promptly will draw heavy penalties, no matter a bank’s fintech status.

In April 2025, Revolut – the UK-based fintech operating under a Lithuanian banking license – was fined €3.5 million by the Bank of Lithuania for AML process failures. Regulators found “violations and shortcomings in the monitoring of business relationships and transactions”, which meant Revolut “did not always properly identify suspicious transactions”. This was Revolut’s largest regulatory penalty to date, reflecting growing scrutiny on pan-European fintechs. Notably, Revolut’s expansion outpaced its compliance such that its UK banking license application was delayed for years amid concerns about its internal controls. The Revolut case signaled that EU regulators (and the upcoming EU AML Authority) will enforce AML standards firmly, even for highly valued fintech unicorns.

Dutch authorities likewise took action against Bunq, a prominent neobank. In 2025, De Nederlandsche Bank (DNB) fined Bunq €2.6 million for persistent AML control lapses between 2021 and 2022. DNB found that Bunq’s systems flagged suspicious transactions but compliance staff failed to investigate many alerts in depth or file timely suspicious activity reports (SARs), allowing potential illicit flows to go unreported. This enforcement came after years of DNB warnings and even a prior fine – which Bunq had not adequately heeded. Examinations from 2018 to 2023 repeatedly flagged serious CDD and monitoring deficiencies, but Bunq’s remedial efforts fell short. The regulator explicitly noted that earlier enforcement “did not result in sustained compliance,” necessitating a harsher penalty. The Bunq case exemplifies a broader European trend: even smaller challenger banks are now expected to meet the same rigorous AML standards as large banks, and regulators will escalate actions if problems persist.

In late 2025, the Central Bank of Ireland fined Coinbase’s European arm €21.5 million for AML failures in its crypto services – specifically for not properly monitoring €173 billion in transactions and delaying thousands of suspicious transaction reports. This was Ireland’s largest AML fine to date and underscores that the fintech/crypto sector faces heightened AML enforcement in multiple jurisdictions. Germany’s BaFin has likewise intervened with N26, imposing customer growth caps in 2021 and fines for AML failings. Across the board, regulators (and even prosecutors) are increasingly aggressive: from the UK to the EU to Singapore, the message is consistent that innovative fintechs must not be weak links in the financial crime defenses. As the FCA’s Therese Chambers put it, banks – traditional or digital – are “vital lines of defense” against crime and are expected to act accordingly.
The pattern is clear. Regulatory expectations have converged: robust AML controls are non-negotiable. Fintech challengers are no longer given leeway for being new or tech-focused. On the contrary, their very growth and novelty are seen as potential risk factors that demand more vigilant controls. Enforcement themes from the UK, EU, and other markets all point to the same conclusion: scalable compliance is now a baseline requirement, not a competitive disadvantage. Fintechs that ignore this do so at their peril – and the hefty fines and public reprimands are likely to continue in 2026.
How Fast-Growing Fintechs Can Meet Compliance Expectations Early
For founders, product leads, and compliance heads at fast-growing payment service providers (PSPs) and fintechs, the Monzo saga and similar cases offer a blueprint of what not to do – and thus insight into what proactive steps to take. Building scalable AML from the start may seem daunting, but it can be distilled into practical measures:
- Segmented, Risk-Based Onboarding: Rather than a one-size-fits-all onboarding, design your customer sign-up process with risk segmentation. Low-risk customers can be onboarded swiftly with basic due diligence, while higher-risk profiles (e.g. foreign residents, high-net-worth individuals, crypto-related clients) are funneled into enhanced onboarding workflows. In practice, this means collecting and verifying additional information for higher-risk customers – proof of address, source of funds, purpose of account, etc. – before fully activating their accounts. Monzo’s mistake was simplifying onboarding to boost growth, without adequate checks. A better approach is to embed risk controls into the onboarding pipeline: if certain risk flags are present (high-risk country, PEP status, anomalies in ID documents), the system should automatically route that applicant for manual review or extra checks (this is the “gate” function). By segmenting onboarding flows, fintechs can both enable fast sign-ups for the majority and apply necessary friction for the risky minority.
- Automated Triggers for EDD: Set predefined triggers that automatically invoke Enhanced Due Diligence (EDD) procedures for high-risk customers or activities. For example, if a customer’s profile hits on a sanctions or politically exposed person list, if they provide inconsistent information, or if they intend to use complex products, your system should flag it for EDD – meaning deeper identity verification, gathering source of wealth, senior management approval, etc. These triggers should also apply after onboarding: significant changes in a customer’s behavior or profile should prompt an EDD review (for instance, a dormant account suddenly receiving large wires). Automation is key – you don’t want to rely on an overstretched analyst to notice the need for EDD. Monzo’s failure to apply EDD unless a customer was explicitly labeled a PEP shows why relying on manual or case-by-case elevation is insufficient. Instead, codify EDD triggers in your policies and technology: whenever X risk factor arises, the system creates an EDD task. This ensures no high-risk situation slips by without the scrutiny it warrants.
- Four-Eyes Principle for High-Risk Decisions: Introduce a “four-eyes” approval on all high-risk client onboarding and any critical compliance decision. In practice, this means at least two authorized people must review and sign off before: a) accepting a high-risk customer, b) overriding a red-flag alert, or c) closing an investigation on a material issue. For example, if an algorithm flags an applicant as high risk (say, due to adverse media hits or complex company structure), that case might require sign-off from both the compliance officer and one other senior manager before the customer can be onboarded. This dual control reduces the chance of one individual’s oversight (or bias) leading to a bad decision. It also creates accountability and a documented trail of who approved what. Many fintechs implement four-eyes approval via their case management workflow – an analyst can recommend an action, but a manager must approve it for high-risk cases. Especially in early-stage startups, where teams are small, this practice forces deliberation on risky matters and helps instill a culture that compliance is a shared responsibility, not a unilateral checkbox.
- Rules- and Risk-Based Transaction Monitoring from Day One: Don’t wait until you have thousands of customers to set up transaction monitoring – deploy it early, and calibrate it as you grow. Start with a rules-based monitoring system using known typologies (e.g. large cash deposits followed by international transfers, multiple rapid transactions just under reporting thresholds, use of known risky intermediaries). Even simple threshold rules can catch basic suspicious patterns and serve as a safety net. The key is to tailor the rules to your business model and adjust thresholds over time. Make sure alerts are meaningfully reviewed and not ignored. As volumes increase, invest in refining these scenarios (adding complexity or machine-learning models to reduce false positives). Monzo and others initially relied on basic post-event transaction monitoring that wasn’t effective – for instance, Monzo’s team often couldn’t even identify which transaction had triggered a given alert in their old system. Learn from that by implementing a robust monitoring tool with clear alert rationale and the ability to evolve. Crucially, allocate enough analysts to handle alerts promptly. Regulators expect fintechs to avoid the trap of growing faster than their monitoring capacity – a backlog of unreviewed alerts is a red flag in itself. Begin with manageable rule sets and expand, but always ensure you’re keeping up with the alert volume through automation or hiring.
- Consolidate AML/Fraud Case Management: As a best practice, merge your fraud detection and AML compliance operations into a unified case management process. Fast-growing fintechs often face fraud (account takeovers, card fraud, social engineering scams) alongside money laundering risks – and the two can be interconnected. Using a single platform or dashboard to track all suspect activity gives a complete view of a customer’s risk profile. For example, if one customer triggers a fraud alert for a stolen card and separately flags in AML screening for unusual transactions, a unified system will correlate these events. This helps your team see the bigger picture (perhaps the fraud attempt is linked to money mule activity). It also eliminates duplication – you won’t have one team closing an account for fraud while another team investigates it for AML. By unifying workflows, fintechs can do more with limited resources, which is critical in early stages. Regulators, too, appreciate a well-documented, integrated approach because it shows the firm has enterprise-wide oversight of financial crime risk.
- Invest in Continuous Training and Independent Reviews: People and processes must scale along with technology. Early on, instill a practice of regular training for staff on AML red flags, so everyone (not just compliance officers) knows how to spot and escalate suspicious behavior. As you grow, ensure your compliance team size increases in proportion to customer growth and alert volume. Additionally, schedule independent audits or skilled person reviews of your AML program every so often – before a regulator forces you to. Monzo only underwent a comprehensive review after the FCA insisted on it; proactive fintechs can hire external experts to assess their controls and suggest improvements while issues are still fixable in-house. Treat these like health check-ups for your program. Regular control testing (for example, sampling accounts to see if CDD data is complete, or simulating suspicious transactions to see if monitoring rules catch them) should be part of your compliance plan. This kind of ongoing assurance not only strengthens your defenses, it also prepares you to readily demonstrate compliance effectiveness to regulators, investors, or banking partners.
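
The onboarding gate, automated EDD triggers and four-eyes sign-off from the list above, shown as an added Python example (not code from Flagright, Monzo or the FCA notice). The field names, the landmark and country lists, the role names and the dormancy and wire thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed reference data (assumptions, not real lists or thresholds).
LANDMARKS = ("buckingham palace", "10 downing street")
HIGH_RISK_COUNTRIES = {"XX", "YY"}   # placeholder country codes
DORMANT_DAYS, LARGE_WIRE = 180, 10_000.0

@dataclass
class Applicant:
    applicant_id: str
    address: str
    country: str
    account_purpose: str = ""
    source_of_funds: str = ""
    pep_or_sanctions_hit: bool = False
    id_document_anomaly: bool = False

@dataclass
class Decision:
    route: str                                      # fast_track | edd_review | hold
    reasons: list = field(default_factory=list)     # why the gate fired
    approvals: list = field(default_factory=list)   # (reviewer, role) sign-offs

def gate(a: Applicant) -> Decision:
    """Route an applicant before activation; never default to 'no risk'."""
    hold, edd = [], []
    if any(name in a.address.lower() for name in LANDMARKS):
        hold.append("implausible_address")
    if not a.account_purpose.strip() or not a.source_of_funds.strip():
        hold.append("missing_purpose_or_source_of_funds")
    if a.pep_or_sanctions_hit:
        edd.append("pep_or_sanctions_hit")
    if a.country in HIGH_RISK_COUNTRIES:
        edd.append("high_risk_country")
    if a.id_document_anomaly:
        edd.append("id_document_anomaly")
    if hold:                 # bad or missing data pauses activation outright
        return Decision("hold", hold + edd)
    if edd:                  # risk flags create an EDD task automatically
        return Decision("edd_review", edd)
    return Decision("fast_track")

def review_existing(days_dormant: int, inbound_wire: float) -> Optional[Decision]:
    """Post-onboarding trigger: a dormant account suddenly receives a large wire."""
    if days_dormant >= DORMANT_DAYS and inbound_wire >= LARGE_WIRE:
        return Decision("edd_review", ["dormant_account_large_wire"])
    return None

def approve(d: Decision, reviewer: str, role: str) -> None:
    """Record a sign-off; one person cannot supply both pairs of eyes."""
    if any(r == reviewer for r, _ in d.approvals):
        raise ValueError(f"{reviewer} has already signed off")
    d.approvals.append((reviewer, role))

def can_activate(d: Decision) -> bool:
    """Fast-track passes, holds never pass, and EDD cases need two distinct
    reviewers, one of whom is the compliance officer."""
    if d.route != "edd_review":
        return d.route == "fast_track"
    roles = {role for _, role in d.approvals}
    return len(d.approvals) >= 2 and "compliance_officer" in roles
```

Because every `Decision` carries its reasons and sign-offs, the same object doubles as the audit record of who approved what and why.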
By implementing measures like the above early, fintechs and PSPs can avoid the scrambling, backfilling, and costly remediation that comes with an enforcement action. The mantra to follow is: build a compliance program for the company you will be next year, not just what you are today. As Monzo’s case showed, trying to retrofit controls under regulatory pressure is exponentially harder than scaling them proactively.
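The rules-based transaction monitoring described in both lists above, as an added Python example (not code from any vendor or bank named on this page): two versioned rules, structuring and rapid in/out flow, where each alert records exactly which transactions fired it. The rule IDs, thresholds, windows and sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    ts: datetime
    amount: float  # positive = inbound, negative = outbound

@dataclass(frozen=True)
class Alert:
    rule_id: str
    rule_version: str
    account: str
    txn_ids: tuple  # the exact transactions that fired the rule
    rationale: str

def structuring(txns, threshold=10_000.0, band=0.10,
                window=timedelta(hours=48), min_count=3):
    """Several deposits just under `threshold` on one account inside `window`."""
    near = {}
    for t in sorted(txns, key=lambda t: t.ts):
        if threshold * (1 - band) <= t.amount < threshold:
            near.setdefault(t.account, []).append(t)
    findings = []
    for account, hits in near.items():
        start = 0
        for end in range(len(hits)):
            while hits[end].ts - hits[start].ts > window:
                start += 1  # slide the window forward
            cluster = hits[start:end + 1]
            if len(cluster) >= min_count:
                why = (f"{len(cluster)} deposits just under {threshold:,.0f} "
                       f"within {window.total_seconds() / 3600:.0f}h")
                findings.append((account, [t.txn_id for t in cluster], why))
                break  # one finding per account per run
    return findings

def rapid_in_out(txns, ratio=0.9, window=timedelta(hours=1), min_amount=1_000.0):
    """A credit followed quickly by an outflow of most of the same funds."""
    ordered = sorted(txns, key=lambda t: t.ts)
    findings = []
    for i, credit in enumerate(ordered):
        if credit.amount < min_amount:
            continue
        for debit in ordered[i + 1:]:
            if debit.ts - credit.ts > window:
                break
            if debit.account == credit.account and -debit.amount >= ratio * credit.amount:
                why = f"{-debit.amount:,.0f} out within 1h of {credit.amount:,.0f} in"
                findings.append((credit.account, [credit.txn_id, debit.txn_id], why))
                break
    return findings

# Rule registry: bump the version whenever a threshold or window changes.
RULES = {"STRUCT-01": ("1.2.0", structuring), "RAPID-01": ("1.0.0", rapid_in_out)}

def run_rules(txns):
    """Run every rule; usable on live batches or for back-testing on history."""
    return [Alert(rule_id, version, account, tuple(ids), why)
            for rule_id, (version, rule) in RULES.items()
            for account, ids, why in rule(txns)]

T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE_TXNS = [  # constructed sample data
    Txn("t1", "acct-A", T0, 9_500.0),
    Txn("t2", "acct-A", T0 + timedelta(hours=5), 9_800.0),
    Txn("t3", "acct-A", T0 + timedelta(hours=20), 9_900.0),
    Txn("t4", "acct-B", T0, 5_000.0),
    Txn("t5", "acct-B", T0 + timedelta(minutes=20), -4_900.0),
    Txn("t6", "acct-C", T0 + timedelta(minutes=5), 2_000.0),
    Txn("t7", "acct-C", T0 + timedelta(minutes=15), -50.0),
    Txn("t8", "acct-C", T0 + timedelta(hours=25), 9_700.0),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_TXNS):
        print(alert)
```

Storing `rule_version` and `txn_ids` on every alert lets an analyst see which transaction triggered it and re-run the same rule version against historical data.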
Unified Platforms and the Flagright Perspective
Technology can be a powerful ally in achieving scalable compliance. Increasingly, fintechs are turning to unified financial crime compliance platforms to help launch robust AML programs from day one. The idea is to use a single, scalable solution that integrates all key functions – risk scoring, customer due diligence, transaction monitoring, sanctions screening, case management, and fraud detection – in one place. Flagright, for example, provides an all-in-one platform that consolidates these capabilities so that fintechs don’t need to stitch together multiple tools or worry about gaps between systems. Adopting such a platform can significantly shorten the time needed to get enterprise-grade compliance controls up and running.
A unified approach offers several advantages for fast-scaling companies. First, it ensures consistency: all departments and products feed into the same risk engine and alerting framework, enforcing a common standard. Second, it improves efficiency: teams have a single dashboard to monitor, and risk signals from different sources inform one another (as mentioned, anti-fraud and AML data can be combined to better detect complex schemes). Third, it is inherently scalable: modern compliance platforms are built on cloud infrastructure, meaning they can handle growing transaction volumes and data without major re-engineering. For instance, Flagright’s platform is designed to process transactions in real time with sub-second response, allowing fintechs to screen and score every payment as it happens without delaying customers. This kind of real-time, API-driven architecture is crucial for fintechs operating on instant payments and high-frequency transactions.
Moreover, unified solutions often come with built-in best practices that benefit young companies. They may offer pre-configured rule sets (based on typologies seen across the industry), dynamic risk scoring models, and AI-driven analytics that small teams can leverage out of the box. For example, a fintech could integrate a platform and immediately gain the ability to automatically flag multiple accounts using the same address, or detect rapid “smurfing” transactions – scenarios it might not have coded itself. Case studies have shown that fintechs can implement a full compliance stack in weeks by using such platforms, rather than spending months developing in-house tools. This means a startup can launch new products or expand markets without outpacing its compliance capabilities. In one case, a UK payments fintech integrated an AI-driven monitoring and risk scoring solution that drastically reduced false positive alerts and improved its detection of suspicious activity as it grew, all with minimal added headcount.
The Flagright perspective – shared by many in the RegTech space – is that technology can flatten the learning curve for compliance. By providing fintechs with a scalable “plug-and-play” compliance infrastructure, unified platforms let even small teams meet regulatory expectations from the beginning. This positions compliance as an enabler of growth: instead of fearing that strong AML controls will slow down onboarding or expansion, fintechs equipped with the right tools can actually move faster (since they won’t hit regulatory roadblocks or have to pause growth to fix issues). In essence, leveraging advanced compliance technology early on helps a fintech to “build it right” and build trust – with regulators, banking partners, and customers – which in turn allows the company to scale safely. Flagright and similar providers advocate this proactive approach, where compliance infrastructure is seen not as a cost center, but as a foundational layer that scales like any microservice in the product stack. It’s a shift in mindset: compliance-by-design, using modern platforms, so that a fintech can focus on innovation and customer acquisition without constantly worrying that its risk controls will break under strain.
Conclusion: A Call to Action for Fintech Leadership
The FCA’s enforcement against Monzo is a watershed moment for fintech compliance. It signals that founders, CEOs, and compliance leaders must treat scalable AML not as a regulatory box-tick, but as a core business mandate integral to long-term success. Challenger banks and fintechs should see this not merely as punishment of past mistakes, but as a directive for the future. As the FCA bluntly put it, there is no “startup pass” for AML – being new or innovative won’t exempt you from the standards applied to established banks. Therefore, leadership teams need to ask themselves tough questions: Are our risk controls keeping up with our growth? If an inspector came tomorrow, could we demonstrate robust control over financial crime risk?
The good news is that fintechs’ hallmark agility can be channeled into compliance improvements. Just as these companies iterate rapidly on product features, they can rapidly shore up compliance gaps – but it requires will and investment from the top. Embedding a culture where compliance is seen as a growth enabler, not a hindrance, is crucial. This means leadership allocating adequate budget and resources to compliance as the company scales, and promoting the message that preventing financial crime is part of the fintech’s mission to serve customers responsibly. In the long run, strong compliance is not at odds with growth; in fact, “it enables secure growth.” A fintech that can proactively manage risks will be more sustainable and appealing – to regulators, to banking partners, and to customers who value trust.
Monzo’s fine should ultimately be viewed as a leadership lesson. It underscores that scalable compliance isn’t just a nice-to-have; it’s a prerequisite for going from startup to established player. Fintech founders and executives would be wise to seize this moment as an opportunity: by investing early in the right people, processes, and technology, they can turn regulatory expectations into a competitive advantage. A company that builds a reputation for robust compliance can expand into new markets or products with far fewer friction points. Conversely, those that neglect it may find growth coming to a screeching halt when regulators step in. As one industry commentary noted, fintechs that integrate advanced AML tools and sound risk governance into their operations “will not only avoid penalties but also foster greater trust, transparency, and resilience – turning regulatory challenges into opportunities for long-term growth and credibility.”
The takeaway for fintech leaders in 2026 is clear: scalable compliance is your responsibility and your ally. Embrace it early, treat it as non-negotiable, and it will safeguard your company’s journey upward. Far from being a tradeoff, a strong compliance framework multiplies growth by enabling you to scale with integrity. The regulators have delivered their message – now it’s up to fintech CEOs and compliance heads to respond decisively, ensuring that the Monzo case becomes a positive turning point for the entire industry’s approach to financial crime risk. The fintech revolution can continue “going from strength to strength”, but only if it pairs innovation with robust controls at every step. The leaders who recognize this will drive not just rapid growth, but responsible and resilient growth, in the years ahead.









