Not just a palace problem: what Monzo’s £21m fine says about broken address verification
Jaye Hackett
Monzo was fined £21 million last week for serious, repeated failings in its financial crime controls. Much of the media coverage focused on the attention-grabbing detail that some customers signed up with addresses like 10 Downing Street and Buckingham Palace.
That’s not the most interesting part.
The FCA’s final notice shows the real issue wasn’t a few jokers with royal addresses. It was a system that didn’t know (or perhaps care) where its customers lived. And it wasn’t just bad luck. It was design.
Address checks were deliberately dropped in 2019
In early 2019, Monzo decided to remove address verification from onboarding altogether. From that point, customers were only required to pass a selfie check. No proof of address was needed for most personal accounts, because too many people were failing.
“Monzo’s decision not to verify, or otherwise monitor, customer addresses also gave rise to other issues… [including] obviously implausible UK addresses, such as well-known London landmarks.
— Final Notice, 4.50
They didn’t just quietly remove the check, but actively marketed its absence.
“For most of the Pre-VREQ Period, Monzo had promoted the lack of address verification on its website and online media channels.”
— 4.51
The red flags were already there
Monzo knew this created risk. The FCA found that 47% of customers it considered high-risk had previously failed address checks:
“The Firm also found that ‘47%’ of current account customers considered at the time to be higher risk had failed address verification checks.”
— 4.48
Internally, Monzo even doubted its own regulatory reporting:
“Monzo held concerns that lack of address verification had impacted the number of customers accepted… intending to use the Firm for financial crime purposes.”
— 4.51
It got so bad they told the FCA they couldn’t confirm which customers were even based in the UK:
“Monzo accepted that it was unable to confirm that all customers were UK-based.”
— 2.7
Same-day use. No verified address
At the same time, Monzo allowed new customers to transact immediately — before receiving a card or confirming their address.
“Customers were able to transact before receiving their physical account card at the address provided at onboarding.”
— 4.51
This meant someone could open an account with “10 Downing Street”, move money instantly, and never be verified beyond a selfie video.
Address verification is a sector-wide weak spot
None of this will shock people who’ve worked in digital services at scale. My co-founder Chloe used to led user research on Universal Credit for three years. She saw the full spectrum: people reusing the same address across dozens of claims, tampering with tenancy letters, or finding ways around postcode validation. It’s easy to underestimate how creative people can be when systems rely on static, self-declared information.
The fallback options are too often still things like “send us a photo of you outside your house”. That’s not risk mitigation. That’s performance art.
Good verification doesn’t mean making people jump through hoops
This case is a reminder that verifying someone’s identity, and especially their address, needs more than outdated checks or good intentions. It needs systems that can handle real-world messiness, accept multiple forms of evidence, and adapt as people’s lives change.
We work with organisations that want to close the door on fraud without slamming it on the people they’re meant to serve. That means combining digital identity with real inclusion, and making sure the front door is more than just a photo of one.
We’re publishing a short compliance guide on inclusive identity verification later this month. If you’d like an early look, contact chloe@vouchsafe.id for a preview.
