The Real Lesson from the Monzo Fine? Our Industry’s Approach to Money Laundering Risk Assessment Is Broken
On 7 July 2025, the FCA issued a Final Notice to Monzo Bank Limited, imposing a £21 million fine for systemic financial crime control failings. Most commentary since has focused on Monzo’s meteoric growth, resource constraints, or its handling of high-risk relationships. But those responses miss the point.
This isn’t just a Monzo problem; it’s a methodology problem. Specifically, it is a problem with the industry’s flawed approach to the Business-Wide Risk Assessment (BWRA), or, in Monzo’s case, the Financial Crime Risk Assessment (FCRA). Read closely, the FCA’s notice is a blueprint of what is wrong with the prevailing compliance orthodoxy, and an urgent call to fix it.
The Illusion of Control: When the BWRA Becomes a Box-Ticking Exercise
Monzo had an FCRA. It included a scenario register, a controls library, and individual risk assessments. It stated a low financial crime risk appetite. But behind this polished artefact was apparently a gaping disconnect between policy and practice.
The FCRA assumed that key controls, such as the Customer Risk Assessment (CRA), customer due diligence (CDD), enhanced due diligence (EDD), and PEP screening, were functioning effectively. In practice these controls were either non-existent, inconsistently applied, or ineffective. For example:
Most customers were defaulted to a “No Identified Risk” category.
EDD was not applied to high-risk customers unless they were flagged as politically exposed persons (PEPs).
Beneficial ownership verification for business clients was skipped altogether until 2020.
In short, Monzo’s FCRA did what most BWRAs still do today: declare that a control exists, assume it works, and move on. That is not risk assessment; it is compliance theatre.
What the FCA Really Found: A BWRA That Failed at Its Core Purpose
The Monzo enforcement notice reads like a catalogue of BWRA design failures:
1. Controls assumed effective without validation
The FCRA leaned heavily on post-event transaction monitoring to mitigate onboarding weaknesses. But the FCA found that transaction monitoring:
Lacked adequate procedural guidance,
Was operated by untrained staff, and
Couldn’t even identify which transactions triggered alerts in many cases.
The BWRA failed to detect that this “key control” was not mitigating risk, but masking it.
2. Failure to translate known risks into targeted control design
Monzo’s FCRA failed at one of the most critical tasks of a business-wide risk assessment: ensuring that known or foreseeable financial crime typologies (such as account misuse by non-UK residents, synthetic identities, or multiple account openings) were clearly linked to the specific controls designed to mitigate them.
Instead of driving the design of onboarding, CDD, and customer profiling controls based on the mechanics of these risk events, the FCRA relied on generic, policy-level descriptions of control coverage. Key information, such as the nature and purpose of accounts, expected transactional behaviour, and address verification, was neither consistently required nor validated.
This was not a failure of implementation alone. It reflects a structural breakdown in how risk intelligence informed control design, allowing critical gaps to persist undetected. The result was a framework that appeared complete on paper but left material exposures unaddressed in practice.
3. Disconnect between stated risk appetite and operational outcomes
Monzo’s FCRA declared a low tolerance for financial crime and a customer base confined to the UK. Yet in practice, the bank routinely onboarded customers who gave PO boxes or iconic UK landmarks as their addresses, or who triggered CIFAS fraud alerts, all without effective screening or verification.
The issue wasn’t only that these exposures occurred; it’s that the BWRA failed to detect them. A functioning risk assessment process would have monitored the alignment between declared risk appetite and actual customer data, surfacing indicators such as repeated address anomalies or high fraud-match rates as systemic breaches of appetite rather than as isolated onboarding errors.
Instead, Monzo’s FCRA remained disconnected from operational risk signals and failed to trigger corrective action until large-scale remediation was required, forcing the bank to exit over 44,000 personal and 326 business customers. This is a clear example of a risk appetite framework that existed in theory but was not enforced in practice.
This Isn’t Just About Monzo: It’s About a Broken Industry Framework
We could easily frame Monzo as an isolated case of tech growing faster than compliance. But that would let the rest of the industry off the hook.
The FCA’s 2022 review of challenger banks already concluded that the sector’s financial crime controls were significantly weaker than those of traditional banks. In parallel, many traditional firms are just as guilty of operating BWRAs that are backwards-looking, non-iterative, and divorced from operational control data.
The regulatory expectation is clear: the BWRA must be a living framework that informs and is informed by actual control performance, risk data, and customer behaviour. It should act as the operating system for a firm’s financial crime programme, not a static Word document or an annual workshop.
But today’s reality is different. Most BWRAs:
Are retrospective rather than forward-looking,
Prioritise “coverage” over diagnostic insight,
Rely on policy checklists instead of dynamic risk data, and
Serve the regulator, not the business (albeit in many cases, apparently serving neither).
This approach is no longer fit for purpose, if it ever was.
A Different Way Forward: Rethinking What a BWRA Is For
Monzo’s fine must be an inflection point. We need to stop treating the BWRA as a compliance document and start treating it as a strategic intelligence product.
That means:
Testing assumptions about control effectiveness rather than assuming controls work.
Designing risk models that reflect how criminals actually exploit weak points, not just how policy is written.
Closing the feedback loop between frontline risk data (onboarding, monitoring, and remediation) and a more strategic BWRA.
A next-generation BWRA doesn’t just describe risks. It maps how criminals exploit systemic weaknesses and helps institutions decide where to act. That requires embedded intelligence, real-time control assurance, and a living understanding of how risk evolves across products, geographies, customer types, and channels.
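To make the appetite-monitoring point from the previous section and the "test assumptions about control effectiveness" point above concrete, here is an added illustration written for this page. It is not code from the original post, from Monzo, or from Avyse Partners. It reconciles two things a BWRA usually keeps apart: the coverage the risk assessment asserts for each control (for example, "EDD is applied to all high-risk customers") and what the onboarding data actually shows. The customer records, the asserted coverage figures, the appetite limits, the PO-box pattern and the landmark list are all constructed assumptions for the example; a real implementation would draw them from the firm's own systems.

```python
"""Reconcile BWRA control assertions and risk-appetite limits with observed onboarding data.

Everything below (records, thresholds, patterns) is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Customer:
    customer_id: str
    risk_rating: str             # output of the CRA: "low" | "medium" | "high"
    edd_done: bool               # was enhanced due diligence actually performed?
    address: str
    address_verified: bool
    nature_purpose_recorded: bool  # nature and purpose of the account captured?
    cifas_match: bool            # fraud-database hit at onboarding


# Hypothetical patterns; a real deployment would use an address-validation service.
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)
LANDMARKS = ("buckingham palace", "10 downing street")  # constructed list


def address_anomaly(address: str) -> bool:
    """True for addresses a UK retail bank should not accept at face value."""
    text = address.lower()
    return bool(PO_BOX.search(text)) or any(mark in text for mark in LANDMARKS)


def rate(hits: int, total: int) -> float:
    return hits / total if total else 0.0


def observed_metrics(customers: List[Customer]) -> Dict[str, float]:
    """Measure each control and appetite indicator from the records themselves."""
    high = [c for c in customers if c.risk_rating == "high"]
    n = len(customers)
    return {
        "edd_on_high_risk": rate(sum(c.edd_done for c in high), len(high)),
        "address_verified": rate(sum(c.address_verified for c in customers), n),
        "nature_purpose_recorded": rate(sum(c.nature_purpose_recorded for c in customers), n),
        "address_anomaly_rate": rate(sum(address_anomaly(c.address) for c in customers), n),
        "cifas_match_rate": rate(sum(c.cifas_match for c in customers), n),
        "no_identified_risk_share": rate(sum(c.risk_rating == "low" for c in customers), n),
    }


def reconcile(customers: List[Customer], asserted_coverage: Dict[str, float],
              appetite_limits: Dict[str, float], tolerance: float = 0.05) -> List[dict]:
    """Flag controls whose observed coverage falls short of what the BWRA asserts,
    and indicators that exceed the stated risk appetite."""
    observed = observed_metrics(customers)
    findings = []
    for control, claimed in asserted_coverage.items():
        actual = observed[control]
        if actual + tolerance < claimed:
            findings.append({"kind": "control_gap", "metric": control,
                             "asserted": claimed, "observed": round(actual, 3)})
    for indicator, limit in appetite_limits.items():
        actual = observed[indicator]
        if actual > limit:
            findings.append({"kind": "appetite_breach", "metric": indicator,
                             "limit": limit, "observed": round(actual, 3)})
    return findings


# Constructed onboarding records (not real customers).
SAMPLE_CUSTOMERS = [
    Customer("c001", "high", True, "12 High Street, Leeds", True, True, False),
    Customer("c002", "high", False, "PO Box 77, Manchester", False, False, False),
    Customer("c003", "high", False, "5 Mill Lane, Bristol", True, False, True),
    Customer("c004", "low", False, "Buckingham Palace, London", False, True, False),
    Customer("c005", "low", False, "8 Oak Road, Cardiff", True, True, False),
    Customer("c006", "medium", False, "3 Elm Avenue, Glasgow", True, False, True),
]

# What a typical BWRA controls library asserts (hypothetical figures).
BWRA_ASSERTED = {"edd_on_high_risk": 1.0, "address_verified": 1.0, "nature_purpose_recorded": 1.0}

# Stated risk appetite expressed as maximum acceptable rates (hypothetical figures).
APPETITE = {"address_anomaly_rate": 0.02, "cifas_match_rate": 0.05, "no_identified_risk_share": 0.70}


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_CUSTOMERS, BWRA_ASSERTED, APPETITE):
        print(finding)
```

Run on the constructed records, the check reports three control gaps (EDD reaches one of three high-risk customers, and neither address verification nor nature-and-purpose capture is complete) and two appetite breaches (address anomalies and CIFAS matches both far above their limits), while the share of customers rated low stays within appetite. The design point is that the same metrics drive both halves of the feedback loop: a control the BWRA marks as "in place" is only credited with the coverage the data can demonstrate, and appetite is tested against what was actually onboarded rather than against what the policy says should have been.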
Final Thought: Regulators Are Watching, But So Should the Board
The FCA has sent a clear signal: risk assessments cannot be aspirational documents. They must reflect the true operational state of play, and drive action. The BWRA must be a critical strategic tool understood and engaged with by the most senior stakeholders in any organisation.
Monzo isn’t the only firm with glossy policies and invisible cracks. It’s just the latest one to get caught.
For firms still relying on traditional BWRA methods, the question is not whether they will be scrutinised, but when. And when that day comes, will your BWRA tell a story of robust control, or hollow compliance?
Related post: Regulatory gap analysis: Monzo fined £21m — Avyse Partners