UK’s Monzo Bank £21m warning: scale without control is not success

There’s something unsettling about how familiar this is. A fast-growing bank. Compliance controls that couldn’t keep up. A regulator forced to step in. Again. And a fine, large enough to grab headlines.

Monzo, a fast-growing neo-bank with over 12 million customers since its launch, was fined £21 million. The penalty is the tenth financial crime enforcement action against a UK bank in four years. That alone should be enough to make the industry pause. But the details are what really sting: 34,000 high-risk customers onboarded after the FCA told them to stop. Customer profiles using landmarks as addresses. And a financial crime framework so patchy it needed a full independent review.

You could call it a failure of process. Or governance. Or communication. It’s probably all of those. But if you’ve ever been inside a growing bank, especially one trying to scale fast, you’ll recognise it for what it really is: the moment where commercial urgency quietly overtakes common sense.

Most of us have seen it happen. Some of us have been the ones flagging the risks no one wants to hear about. And honestly? The line between “this is fine for now” and “how did this happen” is thinner than people think.

So no, this isn’t just about Monzo. And it isn’t new. But it is another reminder that growth without control doesn’t count as success. It just postpones the cost.

The tension at the heart of every startup bank

There’s a point early on when everything starts moving faster, where ambition and operational reality start to drift apart. You need to grow. You need to impress investors. You need to show momentum, win market share, launch the next product, and hire the next fifty people. 

Compliance? Of course, it matters. But it can start to feel like something that slows the whole machine down. So you postpone a decision. Or make a temporary exception. Or keep telling yourself you’ll “fix it properly” later.

It’s easy to judge from the outside. But anyone who’s been inside that kind of pressure cooker knows how easily that mindset takes hold. Especially when the team’s small, the targets are big, and the clock is always ticking.

I’ve been there.

Back in the early 2000s, I was working with one of the first internet banks. Our SaaS platform handled key parts of their onboarding flow. We were getting a high-reject rate for new applicants. We found that the system’s setup resulted in sub-optimal name and address matching. And one day, after explaining the problem and the time it would take to remedy, we were told to override the usual address-matching protocols, to push through unmatched records and assign a default credit score high enough to clear the approval threshold.

It didn’t sit right with me. I flagged the fraud risk. But the instruction had come from the top, and the message was clear: growth was the priority. So we followed the instructions.

And yes. The fraud followed, too.

I still think about that. Not because it was a unique failure (it wasn’t), but because the dynamics haven’t really changed. The speed. The pressure. The rationalisations. You tell yourself it’s temporary. You tell yourself you’ll fix it later. And then “later” becomes too late.

Which is why stories like Monzo’s feel so familiar. We’ve been here before.

The only question now is whether we’ve learned anything from it.

Monzo’s failings were predictable

I don’t take any satisfaction in seeing another bank go through this. If anything, it’s frustrating because so many of the warning signs were textbook. The kind of issues you see when controls get bolted on after the fact, instead of being built in from the start.

The FCA’s report about Monzo reads like a checklist of common failures: 

• Onboarding based on implausible information
• Risk assessments that didn’t reflect real-world exposure
• Transaction monitoring that couldn’t keep pace with the bank’s growth.

At one point, customers were being onboarded using London landmarks as their address. Think about that. A compliance process so out of step that it couldn’t tell the difference between a residential flat and, say, the Houses of Parliament.

But what really stood out, and what makes this more than just a “tech teething issue”, is what happened after the FCA got involved.

In 2020, the regulator told Monzo to stop onboarding high-risk customers. That should have been a line in the sand. A trigger for tightening everything up. Instead, they carried on. For another two years. Onboarded over 34,000 high-risk customers in that time.

I’ve seen that drift before. You become so focused on the growth story that you start downplaying the risk story. Not deliberately, but consistently enough that issues stop feeling like red flags and start looking like noise.

And once that mindset sets in, it’s very hard to reverse.

Why “more controls” isn’t the answer

It’s tempting, after a story like this, to fall back on the obvious fix. Add more controls. Hire more people. Buy another system. Build another checklist.

I get it, when something goes wrong, you want to show action. But the reality is, just doing more isn’t the same as doing it better. And it definitely isn’t the same as doing it in a way that actually scales. There are two issues at play here:

The first is that new Banks do not have the data to build empirically based controls. They fall back on expert knowledge and, where available, outside information to simulate what they think the customer base will look like. And in realit,y it never is what you originally anticipate.

Because scale is the issue here. Monzo’s customer base grew almost tenfold in four years. That’s not unusual in this space. But if your AML framework stays static while your customer base multiplies, you’ve got a time bomb.

Controls have to be appropriate from the outset and develop quickly as the bank grows. They need to reflect real risk, not just regulatory minimums. They need to help you make smarter decisions faster, not flood your teams with noise.

And maybe more importantly, they have to be usable. Explainable. Defensible. If analysts can’t tell you why something was flagged (or why it wasn’t) you have a liability waiting to happen.

So what does good AML look like?

If I had to boil it down, I’d say it starts with clarity. Clarity about where the risk really sits. And vitally culture. Where someone in a room can say, “This feels off,” and not get sidelined for slowing things down.

But you also need the right infrastructure underneath it. You need systems that triage risk in context, not just rules-based alerts that flood the queue and burn out your team. You need models that explain why something’s risky and that give you confidence in defending that decision to a regulator, not just trusting what has been built and hoping for the best.

And I’ll be honest: you need collaboration. No single bank has all the signals. Which is why I believe there’s so much potential in federated learning approaches that allow institutions to learn from each other’s patterns without sharing any sensitive data. That kind of shared intelligence is where AML needs to go next.

That’s what we focus on at Consilient. Helping institutions spot risk sooner, reduce false positives, and actually trust the models they’re using. 

Because the goal here is to build systems that can keep up.

What will we do differently this time?

Every time one of these stories hits the headlines, there’s a flurry of noise. Commentators weigh in. Banks issue statements. Consultants update their decks. Then, after a few weeks, things quiet down. And the uncomfortable truth is that not much changes.

Which is why I’m less interested in rehashing Monzo’s failures, and more interested in what we all take from it. 

The hard bit is being honest about whether the same dynamics exist in your own organisation and whether you’re actually doing anything about them.

That’s why I joined Consilient. The founders saw a better way. A solution that leverages the learning from the ecosystem. Not data sharing but model sharing. So that ALL banks can benefit from each other. To level the playing field when identifying financial crime. Where being new or in a hurry doesn’t mean weaker systems and controls. 

Consilient has developed models from shared identification of financial crime risks trained in collaboration with leading banks. Fully explainable. Quick to deploy. Designed to strengthen what you already have, not replace it. Or in the case of new banks, give you a data-based solution from the start that is resilient, optimized and ready to go.

It helps compliance teams triage faster, review smarter, and work through backlogs with actual risk in mind.

If that’s a conversation worth having, let’s talk.

The Monzo fine will fade from the headlines soon enough. But the challenges underneath it aren’t going anywhere.

So the real question — the only one that matters — is: what will we do differently this time?