When Does a Challenger Bank Stop Challenging? The AML Fine as Rite of Passage

For more than a decade, challenger banks have styled themselves as the antidote to a stagnant, fee-ridden and tech-deficient banking sector. Born in the ashes of the global financial crisis and bolstered by open banking initiatives and regulatory encouragement, firms like Starling, Monzo, and Revolut promised a better way. Yet as the sector matures, a question that once seemed philosophical is becoming increasingly practical: when does a challenger bank stop being a challenger?

Is it when it gains a banking licence? When it turns a profit? When it reaches a million customers? Or is it, more provocatively, when it receives its first anti-money laundering (AML) fine? Recent enforcement actions by the Financial Conduct Authority (FCA) suggest that some challengers may now be undergoing the same rites of passage as the legacy institutions they once sought to displace.

The Fine Line Between Innovation & Negligence

In October 2024, the FCA imposed a £28.96 million fine on Starling Bank for “serious and prolonged” weaknesses in its AML controls. The regulator found that between September 2021 and November 2023, Starling onboarded over 54,000 high-risk customers while under an agreement not to do so. Worse, the bank’s sanctions screening tool had only assessed part of the list for years. The FCA’s critique was scathing. Starling had outgrown its controls, prioritising rapid expansion over risk management.

Just a month later, Metro Bank, another firm once touted as a disruptor, was fined £16.7 million for similar failings. Between 2016 and 2020, its automated transaction monitoring system failed to flag over 60 million transactions worth £51 billion. Internal whistleblowing went unheeded for years.

Neither of these fines occurred in isolation. They follow the FCA’s 2022 review into financial crime controls at challenger banks, which revealed widespread weaknesses in customer due diligence, risk assessments, and transaction monitoring. The conclusion was clear. Innovation is no excuse for regulatory non-compliance.

Monzo Joins the Ranks

In July 2025, Monzo became the latest challenger bank to face regulatory censure, receiving a £21.1 million fine from the FCA for systemic failures in its financial crime controls. Between October 2018 and August 2020, Monzo's rapid growth outpaced its compliance infrastructure, leading to inadequate customer onboarding, risk assessment, and transaction monitoring systems. Notably, the bank accepted applications with implausible addresses, including Buckingham Palace and 10 Downing Street, highlighting significant lapses in its verification processes .

Furthermore, despite a regulatory restriction imposed in August 2020 prohibiting the onboarding of high-risk customers, Monzo continued to open over 34,000 such accounts until June 2022. This breach underscored the bank's failure to implement and adhere to effective compliance measures during a period of substantial customer growth .

Monzo's chief executive, TS Anil, acknowledged the historical nature of these issues and emphasised the bank's efforts to strengthen its systems. He stated that the FCA's findings relate to a period that ended three years ago and that substantial improvements have since been made to the bank's controls .

Is an AML Fine a Milestone or a Millstone?

In the realm of corporate development, penalties are often interpreted in two ways. They are seen either as an embarrassing lapse or as an inevitable growing pain. For incumbent banks, fines have become grimly routine. HSBC, Standard Chartered, and Barclays have each faced financial crime penalties running into the hundreds of millions. Yet they endure, shored up by capital, experience, and compliance teams larger than some start-ups’ entire workforce.

When a challenger bank receives its first AML fine, it can signal a pivotal shift. It is no longer viewed as a nimble outsider punching up at Goliaths. Instead, it is treated as part of the establishment. It is expected to meet the same standards, absorb the same scrutiny, and suffer the same consequences.

There is a certain irony here. In seeking legitimacy and scale, challenger banks eventually become the very thing they once defined themselves against. They are no longer too small to notice. They are too big to excuse.

Cultural Lag: Regulation Outpaces the Narrative

Despite their branding, many challenger banks remain culturally resistant to regulation. The 'move fast and break things' ethos that powered early fintech success sits uncomfortably with the methodical nature of compliance. In some institutions, AML is seen less as a public duty and more as a cost centre. It becomes a box to be ticked en route to the next funding round or product launch.

But AML compliance is not optional. It is foundational to a bank’s social licence to operate. The UK's regulatory regime, particularly under the Money Laundering Regulations 2017 and subsequent amendments, demands that financial institutions not only detect and report suspicious activity but also proactively prevent financial crime through risk-based approaches. Weakness in this area can leave institutions exposed not only to regulatory action but also to exploitation by serious organised crime, terrorism financiers, and sanctioned entities.

Starling’s case illustrates how even a tech-savvy, well-capitalised firm can falter when compliance infrastructure lags behind growth. The lesson is that robust risk management must be built in from the start. It cannot be retrofitted under regulatory pressure.

Challengers, Grown Up

So, when does a challenger stop being a challenger? The moment it can no longer claim novelty as a defence. The moment it is expected to get it right the first time. And perhaps, the moment it receives its first AML fine.

But that milestone need not be fatal. It can also be transformative. The fine may mark the point at which a bank recognises its new status and responsibilities as an established player. The key is whether the institution uses the experience as a wake-up call or a warning sign.

The FCA is signalling that the honeymoon is over. Regulatory expectations apply evenly, whether a bank was founded in 1690 or 2015. Innovation in products must be matched by innovation in compliance. Anything less is not disruption. It is dereliction.

Conclusion: A New Maturity Test

The age of indulgence for challenger banks is ending. Their evolution is not measured in customer growth alone, but in the rigour of their controls and the resilience of their risk management frameworks. AML fines, far from being anomalies, may become the baptism by fire that separates the viable challengers from the unready.

What defines a true disruptor is not the speed of growth, but the ability to sustain it responsibly. That means confronting the unglamorous reality of compliance not just as a regulatory obligation, but as a core component of sustainable banking.