
The Post-Alert Files: Inside the £65M+ fines that hit Starling, Monzo, Vocalink and Wise

  • Writer: Ani Petrova
  • Jul 29

Updated: Jul 30


The Post-Alert Files is ComplyStream’s ongoing series unpacking real-world enforcement cases to understand where compliance systems broke down and what they reveal about post-alert operations. Because detection isn’t enough. Response is what regulators expect, and where many teams still fall short.


In this edition:



Starling. Monzo. Vocalink. Wise. Four fintech and infrastructure heavyweights. Four major enforcement actions. More than £65 million in fines across two continents in under 12 months.


And this time, it wasn’t for lack of systems or tooling.


It was, predominantly, a failure in how alerts were handled. And a deeper failure to integrate risk controls across teams, tools and triage workflows.


In every case, gaps weren’t just missed. They were known but uncoordinated. Fragmented signals. Delayed escalations. No shared infrastructure to detect, act and improve in real-time.


The cost of compliance fragmentation


These weren’t isolated missteps. They reveal a systemic flaw that persists across many modern compliance programs: a breakdown in the post-alert phase – the 95% of the workload that starts once a red flag is raised.


It’s the gap between what an alert says… and what your team does next. And when first-line operations, second-line oversight, and detection infrastructure don’t coordinate, risk gets lost in the cracks.


But what if this phase was integrated?


Imagine a system where alerts from transaction monitoring, onboarding checks, and sanctions screening flow into a unified case view. Where triage rules are configured centrally and enforced consistently. Where analysts don’t scramble across Slack, spreadsheets and inboxes, but act through a shared, auditable workflow. Where critical gaps are flagged at first line and escalated instantly, with second line oversight – not days or weeks later, but in real time.


That’s what post-alert infrastructure is supposed to do.


But these cases (and many like them) show that most firms still operate without it.


Case 1: Starling Bank fined £28.9M – “Lax” sanctions controls and high-risk account openings


Regulator: UK Financial Conduct Authority (FCA)

Date: October 2024

Fine: £28.9 million

Failings:

  • Starling failed to screen against the UK Government’s full sanctions list for an extended period.

  • The bank continued onboarding ~54,000 high-risk customers after the FCA imposed a voluntary restriction on new account openings.

  • It lacked documented policies for ongoing transaction monitoring and failed to assess sanctions screening coverage as standard.

‘Starling’s financial sanction screening controls were shockingly lax. It left the financial system wide open to criminals and those subject to sanctions. It compounded this by failing to properly comply with FCA requirements it had agreed to, which were put in place to lower the risk of Starling facilitating financial crime.’ - Therese Chambers, FCA’s joint executive director of enforcement and market oversight

The enforcement marks a major turning point for digital banks transitioning from high-growth scale-ups to mature regulated institutions.


Case 2: Monzo hit with £21M penalty for systemic AML failures, including repeated breaches of FCA restrictions


Regulator: FCA

Date: July 2025

Fine: £21 million

Failings:

  • Monzo failed to design, implement and maintain adequate customer onboarding, risk assessment and transaction monitoring systems to mitigate financial crime risk.

  • Despite rapid customer growth — from 600,000 in 2018 to over 5.8 million in 2022 — its controls did not scale accordingly.

  • In August 2020, the FCA imposed a requirement (VREQ) barring Monzo from opening new accounts for high-risk customers. But Monzo breached that repeatedly, onboarding over 34,000 high-risk customers between August 2020 and June 2022.

  • The firm accepted implausible and obviously inaccurate onboarding data, including customers listing “Buckingham Palace” and “10 Downing Street” as home addresses.

  • A comprehensive independent review of Monzo’s financial crime framework was required by the FCA due to the scale of these failings.

“Monzo fell far short of what we, and society, expect... This illustrates how lacking Monzo's financial crime controls were.” - Therese Chambers, FCA Joint Executive Director of Enforcement and Market Oversight

Case 3: Vocalink fined £11.9M by Bank of England — first ever fine against a UK payment infrastructure provider


Regulator: Bank of England

Date of Final Notice: July 2025

Fine: £11.9 million (reduced from £20 million for cooperation and early resolution)

Failings:

  • Vocalink, a core payment infrastructure provider regulated as a Financial Market Infrastructure (FMI) firm since 2018, failed to comply with a legally binding Direction issued by the Bank of England.

  • The Direction required Vocalink to remediate serious issues in its risk, control, and governance framework by a set deadline. It failed to meet that obligation.

  • An ineffective risk management framework, along with poor governance and weak escalation practices, led to critical risks not being identified, monitored, or elevated appropriately.

  • Key failures included a lack of integration across the three lines of defence and inadequate sharing of risk information with senior committees.

“Vocalink fell short of its obligation to have adequate risk management and governance arrangements… Its failure to comply… has resulted in a significant fine.” - Sarah Breeden, Deputy Governor for Financial Stability, Bank of England

The enforcement highlights growing regulatory scrutiny on infrastructure providers that support systemic payment flows, not just traditional banks.


Case 4: Wise fined $4.2M by six U.S. states for anti-money laundering deficiencies


Regulators: Multi-State MSB Examination Taskforce (MMET) — including New York, Massachusetts, Texas, California, Minnesota, and Nebraska

Date: July 2025

Fine: $4.2 million (~£3.2M)

Failings:

  • Wise was found to have significant weaknesses in its anti-money laundering (AML) and counter-terrorist financing (CFT) controls, including:

    • Inadequate procedures for suspicious activity reporting

    • Insufficient due diligence for high-risk customers

    • Poor data integrity around customer accounts and transaction histories

  • The firm has been ordered to:

    • Conduct a comprehensive lookback on previously closed accounts

    • Engage an independent third party to verify improvements

    • Submit quarterly progress reports for two years to state regulators


Wise has stated that it fully cooperated with regulators and is investing heavily in strengthening its compliance framework.


What unites all 4 cases? The post-alert gap


Each firm had systems to detect financial crime risks, whether through onboarding checks, sanctions screening, or transaction monitoring.


But what failed was what came next.


Compliance breakdown and its operational consequence:

  • Ineffective triage: Alerts were not prioritised, reviewed, or escalated in a timely manner.

  • Siloed data and workflows: Analysts operated across disconnected systems, increasing investigation delays.

  • Poor documentation: Cases lacked audit trails, rationale for decisions, and supporting evidence.

  • Broken feedback loops: Issues found in alerts were not reflected in updated policies or detection logic.


These are not rare edge cases. They reflect how many financial crime teams operate today — under pressure, with incomplete tooling, and without scalable, integrated workflows.


Why post-alert operations are now a regulatory priority


Regulators are no longer satisfied with knowing that firms are screening customers or monitoring transactions. They want evidence of how teams responded, what data informed their decisions, and how those responses were documented and escalated.


This shift elevates the importance of post-alert infrastructure, from case triage and contextual investigation to decision logging and audit readiness.


Fines are increasingly issued not because an alert was missed, but because the response to it was fragmented, undocumented, or out of step with policy.


ComplyStream: Built for the post-alert era


ComplyStream helps financial crime teams move from reactive, manual processes to modern, integrated workflows.


We provide a unified platform for the full post-alert lifecycle:


Core capabilities

  • Unified case view: Bring together alert data, customer context, transaction history, and documents.

  • Intelligent triage: Prioritise high-risk cases using AI and contextual signals.

  • Embedded workflows: Standardise investigations, escalation, approvals, and evidence gathering.

  • Audit-ready trails: Automatically log decisions with time stamps, rationale, and user attribution.


We don’t replace your existing systems — we aggregate them. Our focus is not just on detection, but on reducing time to decision and enabling effective response, transparency, and continuous improvement.


The lesson: Detection isn't enough. Response is what counts.


Each of these firms had tools to surface risk.


But when asked to prove what happened next — how teams responded, what data they used, and whether decisions aligned with policy — the evidence wasn’t there.


That’s what regulators are now prioritising. And that’s where modern compliance must focus.



If you’re ready for the future of compliance, let’s talk. Book a demo here


