Monzo’s story is so similar to many others – a small firm experiences rapid and significant business growth but its processes, systems and controls fail to keep pace. The FCA's recent enforcement action against it is the latest in a slew of cases in which the FCA emphasises the importance of robust financial crime and AML controls. Key lessons learned are below. Particularly eye-catching is the FCA's £10m pre-settlement-discount uplift (over 12x) imposed to deter future VREQ breaches, with the FCA pointedly observing that firms should take VREQs as seriously as other requirements and should not consider the financial advantages of business growth to outweigh the risks of breaching requirements.
The FCA notes that Monzo placed significant emphasis on the customer experience being “streamlined and efficient”, acknowledging that challenger banks tend to use technology more innovatively than traditional high street banks and verify customers at speed, allowing for “quick and easy account openings”. Whilst this has its benefits in encouraging access to banking services, the UK’s 2020 National Risk Assessment of money laundering and terrorist financing highlighted the risk that criminals may be attracted to firms with faster account opening processes and look to take advantage of their lighter-touch approach. As a result, for challenger banks, having robust processes, systems and controls is even more important.
The key takeaways
The FCA fined Monzo £21m for breaching Principle 3 of the FCA’s Principles of Business (the requirement to take reasonable care to organise and control the firm’s affairs responsibly and effectively, with adequate risk management systems).
Firms should consider how their own setup fares against the FCA's findings in this final notice and take steps to mitigate issues.
- Have robust information collection and assessment for CDD purposes and don't make assumptions: Monzo obtained insufficient information for CDD purposes or conducted an inadequate assessment of the information that was collected when onboarding clients, particularly information which would establish the purpose and nature of its customer relationships, instead making assumptions about the nature of Monzo’s products and clients.
- Verify that customers are within risk appetite when onboarding: Monzo only required customers to pass a selfie identification and verification procedure and did not verify the customer’s address as part of its onboarding review. This enabled customers to give implausible addresses and resulted in Monzo giving accounts to individuals who actually lived outside the UK (which exceeded Monzo’s own risk appetite).
- Verify information on the ownership chain for business customers on an ongoing basis: Monzo did not verify the beneficial owners, and those with significant control, of business customers, nor did it conduct ongoing CDD for business customers or report to Companies House material discrepancies between the information on the Companies House register and that gathered by the firm.
- Have a robust customer risk assessment: Monzo applied a default risk category of “no identified risk” to all personal banking customers and had inadequate procedures outlining the factors relevant to the risk assessment. This contributed to a failure to conduct EDD or decline/exit the customer in some cases.
- Your transaction monitoring systems are only as good as the data you have: Monzo relied on transaction monitoring systems to mitigate risks in its onboarding process, but those systems were ineffective at identifying suspicious or unusual activity given the lack of key customer information collected as part of the customer onboarding process.
- Have clear EDD procedures: Monzo did not adequately apply and document EDD on high-risk customers (excluding PEPs) because internal procedures did not specify when EDD was required, particularly in the case of personal banking customers. There was also no internal definition of PEPs, leaving Monzo staff reviewing PEP assessments without guidance.
- Comply with VREQs: The findings were exacerbated by the fact that Monzo agreed to a VREQ preventing it from accepting any new or additional account applications from high-risk customers whilst it addressed weaknesses in its onboarding processes, but it breached that VREQ in over 33,000 instances and failed to apply certain of its VREQ controls correctly in over 34,000 instances.
A note on penalty
The FCA based its penalty upon Monzo's relevant revenue, but treated the pre-VREQ period and the VREQ period differently. For the pre-VREQ period, the FCA took revenue earned from the relevant business. For the VREQ period the FCA took a narrower approach: revenue earned from the population of accounts where Monzo failed to comply with the VREQ or failed to apply its VREQ controls correctly.
Yet this was cold comfort for Monzo. After assessing level 4 seriousness and uplifting both limbs of the penalty by 30% for aggravating factors (prior FCA market-wide guidance and FCA feedback given to Monzo), the FCA imposed a substantial uplift for deterrence of £10m specifically for the VREQ breaches (over 12x). Various reasons were given, among them that such breaches are difficult to detect; that firms should consider compliance with VREQs to be as important as other requirements; and, essentially, that for growth businesses, non-compliance should never pay.
The usual 30% settlement discount was applied.