I’ve found this in the GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER PSD2:
In designing, developing and providing payment services, PSPs should ensure that segregation of duties and ‘least privilege’ principles are applied. PSPs should pay special attention to the segregation of IT environments, in particular to the development, testing and production environments.
My question is whether Monzo uses dev/test/prod environments (a typical banking/telco approach) or something more like a testing-in-production approach, e.g. automatic tests during CI, then deploy to production and phased rollout.