Monzo’s £21m fine highlights banks’ cyber security failures

Monzo’s recent fine over failings in its customer verification processes highlights wider security and privacy shortcomings in the personal finance world

Monzo’s recent £21m fine over customer verification failures highlights the cyber security and privacy shortcomings of popular personal finance apps and the importance of good cyber hygiene, experts have said. 

The UK’s Financial Conduct Authority (FCA) recently determined that, between October 2018 and August 2020, the challenger bank lacked sufficient “anti-financial crime systems and controls” for signing up new customers, assessing any risks they posed and identifying fraudulent transactions. 

While this fine wasn’t in relation to a single cyber security incident, it underscored weaknesses that criminals could exploit to commit cyber crime and fraud. Namely, Monzo customers were able to create accounts using implausible details, such as giving Buckingham Palace as their address.

Meanwhile, insufficient risk assessments resulted in more than 34,000 high-risk customers joining the bank – a threat exacerbated by the lack of transaction monitoring systems, meaning financial crime could go unnoticed by the bank. 

These failings by Monzo come as financial crime continues to increase in volume and sophistication. According to UK Finance figures, there were 3.31 million financial fraud cases in 2024, and £1.17bn was lost as a result. 

And they should serve as a “reminder” that challenger banks, though more digitally inclined than traditional institutions, don’t always prioritise cyber security and data privacy, according to Jake Moore, global cyber security advisor at antivirus specialist ESET.

He said the bank made “serious internal errors” regarding its cyber security posture, such as failing to follow “Know Your Customer” principles. These comprise procedures to verify customer identity and identify associated risks, such as money laundering and other types of organised crime. “Monzo has arguably grown at scale whilst scaling back on areas to save money that traditional banking once strived in,” said Moore.

Santander fine

Of course, Monzo isn’t the only major bank that has come under scrutiny from regulators over compliance breaches. Three years ago, Santander was slapped with a £107.7m fine by the FCA over several years’ worth of anti-money laundering blunders. And, separately, just last year, it experienced a catastrophic data breach that impacted 30 million of its customers.

Breaches of this nature can be highly damaging to consumers as personal finance apps contain sensitive data such as bank account and credit card information, in addition to personally identifiable information such as full names, addresses, dates of birth and social security numbers, said Rajvardhan Oak, an applied scientist at Microsoft and a cyber security researcher at the University of California, Davis (UC Davis).

He said that by breaching personal finance apps and exploiting the sensitive customer data they hold, cyber criminals can go on to commit “identity theft, financial fraud, or even long-term credit damage”.

Risks of open banking

And even if banks employ robust cyber security protocols, customers’ data can still be at risk if it is shared with less rigorous service providers through open banking. Open banking uses application programming interfaces (APIs) – software interfaces that let one app request data from another – so that a consumer’s financial information can be shared across several providers, allowing the consumer to access the best deals and different types of financial services.

For example, Moore said banks may offer integrations with third-party apps like tax management platforms so that all their customers’ transactions are automatically logged for expenses. But in doing so, banks “broaden the attack surface for cyber criminals hoping to exploit any given vulnerability” across the personal finance app ecosystem. 

If hackers are able to gain unauthorised access to API keys, for instance, they can hijack sensitive financial information as it travels between these different services. Other common means of stealing personal data are phishing – fake emails and messages that seem legitimate but contain malware-spreading links and attachments – as well as “malicious consent screens” in which customers are fooled into granting hackers access rights to their accounts and data, said Moore. 

Not all personal finance apps are what they seem, though. Oak warns that many “share user data with advertisers or analytics firms” and fail to disclose this dubious practice to their customers in what he describes as a “serious” violation of customer privacy.

As open banking services rise in popularity, cyber criminals may also see this as an opportunity to create Trojan horse open banking apps – which masquerade as genuine financial services but actually steal the credentials and personal details users enter into them. 

Therefore, it’s vital to download financial apps from genuine app stores – such as the Google Play Store or Apple App Store – and to read user reviews to determine whether an app is trustworthy or not. 

With these risks in mind, good cyber hygiene is paramount. Oak said anyone using personal finance apps can protect themselves by regularly implementing software updates, setting strong and unique passwords, making use of in-app security features like two-factor authentication, and only using trusted fintech services.

Junaid Afzal, commercial director of Haven Financial Planning, agreed with the pressing need for personal finance app users to strengthen their cyber defences amid rising levels of fraud and cyber crime. 

As part of a “financial wellness plan” for mitigating cyber crime and fraud, he recommended that consumers refrain from using finance apps on insecure public Wi-Fi networks and review the device permissions granted to these apps. “Users need to be as disciplined in their app hygiene as they are committed to securing their financial goals,” said Afzal.

Moore, on the other hand, urged consumers to improve their understanding of common online threats – such as social engineering attacks, which use manipulative tactics like phishing emails and spam calls to trick users into sharing personal information with hackers – in a bid to stop them in their tracks.

Fintech providers, too, must take cyber security seriously. Scarlett Sieber, chief growth and strategy officer at Money20/20 and author of Embedded Finance, said: “Any fintech company of any sort that is dealing with sensitive data should have the highest of cyber security standards or they won’t last long.”

Monzo was given the opportunity to comment on the links between its recent fine and cyber security but the challenger bank did not provide a response to that effect. 

Santander, however, stated that it “takes its responsibilities regarding financial crime extremely seriously” in response to its 2022 anti-money laundering fine and its separate 2024 data breach. 

“The FCA investigation focused on issues with Santander UK’s historical AML processes for Business Banking customers,” said a spokesperson for the bank. “We have since made significant changes to address this by overhauling our financial crime technology, systems and processes.”