This article critically examines Monzo’s seemingly outdated verification methods—requesting ID selfies via unencrypted email and obscure phone quizzes about forgotten “pots.” Despite presenting as a leading digital bank, these practices raise serious GDPR security concerns, frustrate legitimate customers, and potentially conflict with the FCA’s Consumer Duty. The piece outlines the regulatory implications of, and user reactions to, Monzo’s inadequate security mechanisms and its dismissive attitude towards customers who raise concerns.
Monzo, widely regarded as an innovative “challenger bank,” rose to prominence by offering real-time payments, budgeting tools (like “pots”), and a user-friendly mobile application. Historically, its technology-driven ethos and transparent marketing set it apart from traditional high-street banks. However, emerging accounts of outdated, insecure, or customer-unfriendly verification processes create a dissonance between Monzo’s self-portrayal and its actual practices. These issues include:
1.1. Unencrypted Email Requests:
1.2. Obscure Phone Questions:
1.3. Rigid and Unhelpful Service:
2. Introduction: Monzo’s Contradictory Reputation
2.1. Instant Notifications:
2.2. Fee-Free Spending Abroad:
2.3. Pots for Budgeting:
2.4. Transparent, Customer-Centric Branding:
3. Verification via Email: The Core Security Flaw
3.1. The Practice: Emailing Selfies with ID
3.2. Why This is Risky
3.2.1. Exposure to Interception
3.2.2. GDPR Requirements
3.2.3. Data Breach Liability
3.2.4. Inconsistent with Tech-Savvy Image
3.3. Customer Alarm
4. Phone Verification: Rigid Questions and Unhelpful Calls
4.1. Obscure “Pots” and Historical Trivia
4.2. Surprise Calls and Early Timing
4.3. Possible Breach of FCA Standards
4.4. Impact on Customer Trust
5. Regulatory and Compliance Overview
5.1. UK GDPR
5.2. FCA Consumer Duty and Complaints Handling
5.3. Potential Consequences
6. Consumer Feedback and Public Perception
6.1. Online Forums and Social Media
6.2. Frustration over Pot-Related Quizzes
6.3. Erosion of Trust
6.4. Media and Competitor Banks
7. Criticisms: “Old-Fashioned Ways” vs. Tech Claims
8. Recommendations for Improvement
8.1. Overhaul Email Verification
8.2. Streamline Phone Verification
8.3. Bolster Consumer Duty Compliance
8.4. Publicly Reassure and Recommit
9. Potential Consequences of Inaction
9.1. Regulatory Intervention
9.2. Reputational Erosion
9.3. Legal Risks
9.4. Undermining “Digital Bank” Credibility
10. Conclusion: Criticisms, Contradictions, and the Path Forward
Despite marketing itself as a cutting-edge fintech disrupter, Monzo has been criticised for employing verification practices that some customers describe as “pirate-level”—storing or transmitting sensitive information in insecure ways and locking out genuine users based on questionable phone quizzes. These issues highlight a stark contrast between the public image of a forward-thinking, technology-driven bank and the reality of outdated or inconvenient security measures.
10.1. Email Verification:
10.2. Phone Verification:
From a regulatory perspective, the bank risks running afoul of both data protection rules (UK GDPR) and financial conduct rules (FCA Consumer Duty). From a consumer standpoint, these failures are breeding distrust and frustration, precisely the opposite of what a digital-first institution aims to foster.
Still, Monzo has the advantage of an advanced technological environment and a user base open to trying new solutions—if the bank chooses to address these lapses head-on.
By introducing secure document-upload systems, standardising phone questions, and training staff in a more empathetic approach, Monzo could realign its operations with the modern ideals it claims to uphold. Failure to do so, however, will continue fuelling the perception that Monzo is “running with other people’s money” using questionable or old-fashioned processes.
For a bank that once proudly declared it was “built to change banking forever,” the immediate priority should be to stop forcing customers to compromise their personal data through insecure channels and to start verifying them in ways that are truly consistent with the spirit of a 21st-century digital bank. Only then will Monzo shed the accusations of being a “pirate” with subpar security and fully reclaim the trust and respect it initially earned in the fintech realm.
End of Report
Disclaimer: The above analysis is based on publicly available or commonly reported issues and commentary regarding Monzo’s verification processes. It does not constitute formal legal advice. Any regulatory implications are cited based on general references to GDPR, FCA rules, and industry best practices. For definitive guidance, consult qualified data protection or legal counsel for financial services.
Below is an in-depth report highlighting criticisms of Monzo's older-style verification methods—particularly unencrypted email and obscure phone checks—despite its branding as a top-tier digital bank. This document addresses specific shortcomings, contrasts them with regulatory expectations (UK GDPR, FCA Consumer Duty), and proposes improvements.
1.1. Introduction
Despite the inherent risks, sending personal data over unencrypted email remains a surprisingly common practice. In its original form, email was never designed for secure file transmission; it typically lacks robust end-to-end encryption and can be intercepted at various points. In today's data-driven world, where identity theft and cyber-attacks are rising, unprotected email exposes individuals and organisations to significant vulnerabilities. This section explores why unencrypted email is insecure, the potential legal and financial repercussions, and how more secure alternatives better align with modern data protection standards.
1.2. Email's Inherent Vulnerabilities
Email traffic generally passes through multiple servers without guaranteed encryption. Any malicious actor accessing a compromised network can intercept messages that are not encrypted. Stored emails might remain in plain text on mail servers, making them accessible if hackers breach those systems. In addition, phishing campaigns frequently target email accounts; once compromised, the attacker can exploit all the sensitive data in a user's inbox or sent folder. These vulnerabilities underscore that email was not designed to transmit highly confidential documents such as passports, driver's licenses, financial statements, or medical records.
1.3. Common Types of Data at Risk
Unencrypted emails often contain government-issued identification details and sensitive financial information. Passports, driver's licenses, and confidential statements are especially valuable to cybercriminals, who can use them to open unauthorised lines of credit or carry out fraudulent transactions. When combined and sold on the dark web, personally identifiable information like full names, addresses, and birthdates can have devastating consequences. Even more troubling is the possibility of exposing medical or insurance data, which has financial implications and can infringe on a person's right to privacy.
1.4. Consequences of Email-Based Data Exposure
When personal data is sent unencrypted, identity theft becomes significantly easier for criminals. Victims may spend years correcting their credit records, dealing with fraudulent charges, and restoring their financial integrity. Organisations responsible for the leak face legal liability, particularly if regulators conclude that insufficient security measures were in place. Beyond lawsuits and potential fines, a public data breach severely harms an institution's reputation. Customers often lose faith in entities that fail to protect their data, resulting in cancelled accounts and negative publicity. Over time, the cumulative damage can far exceed the cost of implementing secure alternatives in the first place.
1.5. Regulatory Context and Non-Compliance Risks
In many jurisdictions, transmitting personal data via unencrypted email likely violates data protection rules. Under UK GDPR, for instance, organisations must demonstrate that they have taken appropriate measures to protect personal information. Article 5(1)(f) explicitly requires safeguarding data against unauthorised access or accidental loss, and Article 32 outlines the necessity for encryption and other technical measures. A single interception of sensitive data might trigger investigations by the Information Commissioner's Office, potentially resulting in hefty fines. Financial services organisations additionally face scrutiny from the Financial Conduct Authority (FCA), where insecure data handling can bring further regulatory action.
1.6. Attack Vectors in Unencrypted Email Transmission
Criminals use various techniques to exploit plain-text email data. Man-in-the-middle (MitM) attacks enable cybercriminals to intercept or alter emails during transmission, especially on public Wi-Fi networks or compromised routers. Mailbox compromise is also a primary concern: once hackers gain access to a user's email account, they effectively acquire a treasure trove of personal information, from which they can launch more sophisticated schemes like spear phishing. Even if the immediate sender and recipient are reliable, forwarded copies and email backups create multiple weak links where data can be leaked or stolen.
1.7. Real-World Examples of Data Exposure
Numerous high-profile cases illustrate the dangers of sending sensitive information via unencrypted channels. Organisations have been fined after their email systems were hacked, exposing thousands of customers' data. In some instances, attackers gather small fragments of PII from intercepted emails, then target individuals or customer service agents to reveal additional details. Large-scale leaks have also occurred when employees inadvertently emailed spreadsheets or documents with confidential information to unauthorised recipients. These scenarios demonstrate that unencrypted email is not merely a theoretical threat but a genuine hazard with real victims and reputational fallout.
1.8. Best Practices for Secure Communication
Companies and individuals should opt for end-to-end encrypted services when transmitting sensitive documents. A dedicated secure portal, for instance, allows users to upload confidential files under strict encryption, with access logs and time-bound links to minimise long-term risks. If email remains the only option, password-protected attachments represent a more secure fallback. The password should be conveyed separately, for instance, by phone or text message, to avoid a single point of failure. Two-factor authentication on both the sender's and the receiver's email accounts adds another layer of protection against unauthorised access. Modern banks and fintech companies rely on in-app verification processes or websites secured via HTTPS and additional encryption, reflecting industry best practices.
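The following is an added example, not code from the original report and not Monzo's own system, of the "secure portal with access logs and time-bound links" described above. It issues an upload link that is signed with a server-side secret, bound to one customer request, valid for a short window, usable only once, and logged on every attempt. The portal hostname, the 15-minute lifetime, the server secret and the customer identifiers are all constructed assumptions.

```python
"""Time-bound, single-use upload links for a secure document portal.

Added illustration of the pattern a secure upload portal uses instead of
e-mailed attachments. Not Monzo's code; all values below are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

TOKEN_TTL_SECONDS = 15 * 60          # assumed policy: link lives 15 minutes
PORTAL_BASE = "https://portal.example/upload"   # assumed hostname


class UploadPortal:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret   # never leaves the server
        self._issued = {}              # token id -> {"customer", "expires", "used"}
        self.access_log = []           # (token id, outcome) for every attempt

    def _sign(self, token_id: str, customer_id: str, expires_at: int) -> str:
        # HMAC over every field the link carries, so none can be altered
        # (e.g. pushing the expiry forward) without invalidating the signature.
        msg = f"{token_id}|{customer_id}|{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_link(self, customer_id: str, now: float) -> str:
        token_id = secrets.token_urlsafe(16)          # unguessable identifier
        expires_at = int(now) + TOKEN_TTL_SECONDS
        sig = self._sign(token_id, customer_id, expires_at)
        self._issued[token_id] = {"customer": customer_id,
                                  "expires": expires_at, "used": False}
        return f"{PORTAL_BASE}?t={token_id}&c={customer_id}&e={expires_at}&s={sig}"

    def redeem(self, link: str, now: float):
        """Validate a presented link. Returns (accepted, reason)."""
        params = dict(parse_qsl(urlsplit(link).query))
        token_id = params.get("t", "")
        customer_id = params.get("c", "")
        expires_str = params.get("e", "")
        sig = params.get("s", "")
        if not expires_str.isdigit():
            return self._log(token_id, "malformed")
        expires_at = int(expires_str)
        # Constant-time comparison: reject tampered or forged links first.
        expected = self._sign(token_id, customer_id, expires_at)
        if not hmac.compare_digest(expected, sig):
            return self._log(token_id, "bad signature")
        record = self._issued.get(token_id)
        if record is None:
            return self._log(token_id, "unknown token")
        if record["used"]:
            return self._log(token_id, "already used")   # single use only
        if now > expires_at:
            return self._log(token_id, "expired")        # time-bound
        record["used"] = True
        return self._log(token_id, "accepted", ok=True)

    def _log(self, token_id: str, outcome: str, ok: bool = False):
        self.access_log.append((token_id, outcome))
        return ok, outcome


if __name__ == "__main__":
    portal = UploadPortal(b"constructed-server-secret")
    t0 = 1_700_000_000                      # constructed clock value
    link = portal.issue_link("cust-0001", now=t0)
    print(portal.redeem(link, now=t0 + 60))          # first use: accepted
    print(portal.redeem(link, now=t0 + 61))          # replay: already used
    print(portal.redeem(link.replace("&e=", "&e=9"), now=t0 + 61))  # tampered
    print(portal.access_log)
```

The signature check runs before any state lookup so that a link with a rewritten expiry or customer field is rejected as forged rather than merely "expired". Once the file is received the token is dead, so a forwarded or archived copy of the email that carried the link gives a later reader nothing, which is the property an e-mailed attachment can never have.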
1.9. Why Some Organisations Persist with Insecure Email
Despite explicit warnings, certain institutions continue using unencrypted email because of convenience, established routines, and resistance to changing legacy systems. Staff may find it faster to email directly than to implement more complex solutions, and the misconception persists that a small volume of transmissions poses minimal risk. Meanwhile, fully transitioning to safer methods can require retraining personnel and investing in encryption infrastructure or secure cloud services. Unfortunately, these short-term cost savings or time benefits are overshadowed by the massive potential liabilities should a security breach occur.
1.10. Consequences of Ignoring Security
Organisations that fail to address email-based vulnerabilities will likely face increased scrutiny from regulators as data protection laws evolve and become more strictly enforced. Data breaches can drive away customers, attract unwanted media attention, and bring legal challenges that are expensive and time-consuming to defend against. After a security lapse, regaining consumer and partner trust is often an uphill struggle, as many people prefer to move their business to providers with robust, clearly articulated safety measures. The reputational fallout can take years to mend, overshadowing any initial convenience of using unencrypted email.
1.11. Conclusion
Sending personal data over unencrypted email is fundamentally insecure, exposing sensitive information to interception, mailbox compromise, and other cyberattacks. Individuals become vulnerable to identity theft, and organisations risk legal action, regulatory fines, and reputational damage. In an era where data privacy is paramount, entities that handle confidential information—particularly in banking, healthcare, or legal services—must adopt secure communication methods. By implementing encrypted channels, password-protected file transfers, and authentication safeguards, individuals and businesses can uphold data protection principles, demonstrate compliance, and significantly reduce the likelihood of devastating breaches.
1. UK GDPR (UK GENERAL DATA PROTECTION REGULATION)
The UK GDPR is the core data protection law in the UK, setting out principles for how personal data must be handled. Key provisions relevant to Monzo’s verification practices include:
1.1. Data Security (Integrity and Confidentiality – Article 5(1)(f)):
1.2. Lawful and Fair Processing:
1.3. Encryption and Security Measures (Article 32):
1.4. Subject Access Requests (SARs):
2. Data Protection Act 2018 (DPA 2018)
3. Privacy and Electronic Communications Regulations (PECR)
3.1. Electronic Communications Security:
3.2. Applicability to Monzo:
4. Financial Conduct Authority (FCA) Guidelines and Rules
4.1. Consumer Duty:
4.2. Treating Customers Fairly (TCF):
4.3. DISP – Dispute Resolution and Complaint Handling:
4.4. Handling of Sensitive Customer Data (FCA Expectations):
5. Computer Misuse Act 1990
It seems deeply paradoxical for a fintech giant, celebrated for disrupting the banking industry, to rely on something as insecure as unencrypted email for identity verification. Despite lofty claims of innovation and safety, some customers are being asked by Monzo to send highly sensitive personal information—like selfies with IDs—through plain-text email. Even more confounding is the bank’s reaction when users point out the potential risks: rather than acknowledging a legitimate concern, Monzo has sometimes dismissed or belittled these warnings, making customers feel “bizarre” for wanting essential data protection. This article explores the troubling gap between Monzo’s modern image and insistence on an old-fashioned, insecure process.
Monzo revolutionized British banking by introducing instant spending notifications, easy sub-accounts (“pots”), and real-time budgeting insights. It positions itself as a leader in fintech, touting “safe and smart” technology as a core feature. However, the practice of requesting unencrypted email for confidential documents contradicts this persona in striking ways:
Tech-Savvy Image vs. Unsecured Emails
A tech-savvy financial institution would use secure portals, in-app uploads, or password-protected attachments for sensitive data. Relying on plain-text emails—an inherently insecure channel—directly conflicts with the advanced, user-centric philosophy Monzo claims to champion.
Emphasis on Security Yet Disregarding Encryption
Monzo openly states it has sophisticated fraud-detection mechanisms and prides itself on robust security measures. Encryption is a basic standard in modern cybersecurity, so refusing to offer it when collecting highly sensitive information is a glaring omission, especially for a digital-only platform.
Dismissing Legitimate Concerns
Customers who question the wisdom of sending passports and driver’s licenses via insecure email often find themselves at odds with Monzo’s support team. The resulting frustration is twofold:
Lack of Empathy
When users point out potential dangers—interception, data breaches, identity theft—they expect a responsible bank to consider safer alternatives. Instead, some customers say they were effectively told, “That’s our process. If you don’t trust it, there’s nothing more we can do.” This stance implies that the bank either does not understand or chooses to ignore basic encryption best practices.
Accusations of Being “Bizarre”
The more galling scenario is the suggestion that customers who resist sending ID documents unencrypted are the ones acting strangely. A modern, security-conscious consumer is well within their rights to question whether a bank meets legal and ethical obligations to safeguard personal data. Labelling them “bizarre” or over-cautious undermines the trust and open dialogue one would expect from a customer-centric institution.
Why Customers Are Right to Raise These Concerns
In an era where cybercrime is rampant, voicing alarm over the possibility of identity theft or a data breach is rational and necessary. There is nothing paranoid about safeguarding passports and financial details. The following points illustrate that customers have every reason to be vigilant:
The Broader Implications
The irony of Monzo’s approach may have repercussions beyond individual frustration:
Conclusion
It is profoundly ironic that a bank acclaimed for embracing the digital future relies on unencrypted emails to transmit highly personal documents. Even more troubling is the suggestion that customers who challenge this risky approach somehow overreact.
In reality, these users advocate for a fundamental aspect of digital security: ensuring sensitive information is protected with the same rigour the bank claims to provide.
By dismissing or belittling these concerns, Monzo not only diminishes its credibility but risks violating the trust that propelled it into the mainstream. True innovation does not mean ignoring basic encryption; it means constantly updating and improving systems to align with ever-evolving data protection standards.
Until Monzo implements a secure, modern method for ID verification, the gap between its marketed image and its actual practices will remain glaringly—and ironically—expansive.
6. ICO Guidance and Enforcement (Data Security & Encryption)
The Information Commissioner’s Office (ICO) oversees data protection compliance in the UK and publishes guidance on processing personal data securely. Key points from ICO guidance, especially relevant to encryption and Monzo’s situation, include:
Expectations of Secure Processing & Encryption:
The ICO has repeatedly stressed that sensitive personal data should be encrypted when stored or transmitted electronically. Encryption is considered a “simple and widely used security measure” that can prevent unauthorised access to data. In practice, if Monzo emails verification links that grant access to an account or contain personal info, those emails should be protected (for instance, sent via encrypted channels or containing encrypted content) to avoid interception. ICO guidance advises that personal information transmitted over networks or held on portable devices should be encrypted and handled per the organisation’s security policies. Failing to do so could be seen as a breach of the GDPR’s security principle. Monzo should ensure it uses up-to-date encryption standards for all customer data flows – this could involve using TLS (Transport Layer Security) for emails, offering in-app or SMS verification as more secure alternatives, and never sending passwords or full security details over email. The ICO’s focus on encryption is directly applicable to Monzo’s email verification: unencrypted emails could be accessed by the wrong parties, violating the principle of confidentiality. By following ICO best practices (encryption, data minimisation in communications, etc.), Monzo can demonstrate it is handling customer authentication data responsibly.
ICO Enforcement Actions on Insecure Data Handling:
The ICO has the power to investigate and fine organisations for failing to protect personal data. There is a precedent where the ICO took action for unencrypted communications. For example, the ICO fined a UK council £120,000 after a solicitor emailed highly sensitive information to the wrong recipient without encryption. The ICO deemed this a serious data protection breach and noted that if the data had been encrypted, it would likely have remained secure even if sent in error. This case underscores that regulators view unencrypted sensitive data as a significant risk. In Monzo’s context, while a verification email might not contain as sensitive information as a child protection case, it still could provide access to financial data or accounts. If such an email were intercepted and abused, and Monzo had not taken appropriate security measures, the ICO could investigate and potentially issue penalties for failing to protect customers’ data. The ICO’s guidance explicitly warns that it may take regulatory action in cases where personal data is lost or stolen and “encryption software has not been used to protect the data”. Thus, Monzo faces not only customer ire but also regulatory consequences if its security checks are found deficient. To avoid enforcement action, Monzo should heed ICO guidance: for instance, use encryption and robust authentication, and limit what data is exposed during verification. Additionally, maintaining audit logs and breach response plans is crucial – should an incident occur, demonstrating a swift and adequate response can influence the ICO’s enforcement decisions. In summary, the ICO expects banks to get security right the first time; failing that, past enforcement shows that organisations can and will be penalised for preventable data security lapses.
Monzo can use these regulatory pointers to bolster its verification process, ensuring that both email and phone-based security checks meet the high standards of UK data protection laws.
TFACF - A Tech4Good Project
Copyright © 2025 TFACF - A Tech4Good Project