UK’s CMA says Lloyds Bank, TSB, AIB and HSBC breached Retail Banking Order
Four UK high street banks – Lloyds Bank, TSB, Allied Irish Bank (AIB) and HSBC – have been issued with public letters by the country’s Competition and Markets Authority (CMA) for allegedly presenting mismatched information regarding their products and services.
The CMA says the firms “failed to comply with banking rules put in place by the CMA to help their customers”.
Any bank or building society operating in the UK must adhere to the Retail Banking Investigation Order, a legislative measure introduced by the CMA in 2017 to ensure that market participants correctly inform consumers with up-to-date data regarding their products and services.
This includes displaying the correct interest rates for loans and the right location of bank branches and ATMs. The ascent of the order also set into motion the rise of open banking as a means to power transparent and secure data sharing for all retail banking services.
At its core however, the order seeks to maintain a healthy level of competition across the market, being one of the primary pillars of the CMA’s remit as a regulator.
Lloyds Bank
Starting with Lloyds, the regulator alleges that the bank failed to correctly publish the location of 363 ATMs in the UK through its open banking APIs between 7 December 2023 and 12 January this year.
It says this failure occurred when Lloyds conducted a pilot exercise to transfer data concerning its ATM coverage to a new internal management system.
While doing so, the bank was found not to have put “sufficient safeguards in place to ensure that the open banking data was correct during the pilot”, according to a public letter delivered by the CMA.
The CMA says Lloyds self-reported the breach and “has taken steps to end the breach and to prevent a recurrence”.
The CMA adds it will now “monitor Lloyds’ future compliance closely”, but also states that it “does not consider it appropriate to take further formal enforcement action in relation to this breach at present”.
When contacted by FinTech Futures, a spokesperson for Lloyds said: “There was no evidence of detriment to customers at any point, as they remained able to find the information through our websites and LINK’s ATM locator, alongside open banking continuing to show information about our branches and alternative ATMs at these locations.”
TSB
With regard to TSB, a former division of Lloyds, the bank was found to have incorrectly disclosed the monthly maximum charge (MMC) for unarranged overdrafts throughout the monthly statements of its Spend and Save Plus customers between February 2021 and January 2024.
It was also found to have made the same error for new customers using its mobile app between January 2022 and February 2024, meaning that customers would have been unaware of the true cost of dipping into their overdraft.
TSB is said to have become aware of this failure on 1 August 2023, however, did not inform the regulator until exactly one month later, thereby also breaching a 14-day reporting requirement.
The CMA says the bank “has now fixed both breaches and has taken some additional steps to prevent a recurrence”, including a traceability exercise “to ensure that project requirements deliver compliance with the relevant regulation”.
A spokesperson from the bank told FinTech Futures: “We have co-operated fully with the CMA on this matter and apologise for any inconvenience caused to customers.”
AIB
Meanwhile, the CMA claims that AIB presented the wrong equivalent annual rate (EAR) online for its business current account between 1 July 2022 and 28 August 2023.
The regulator also claims the bank made the same error concerning the annual percentage rate (APR) for an undisclosed loan product between 1 January 2023 and 28/29 September 2023.
“In each case, the published incorrect representative rate was lower than the correct representative rate,” the regulator’s notice to AIB states.
Furthermore, the CMA says the same information was found to be incorrect for the bank’s open banking API, while the failure was not reported to the regulator until 59 days after it was first flagged through a customer query.
To prevent a reoccurrence of these failures, AIB has promised the regulator that it has introduced staff training with a “full review of UK credit products”, as well as “enhanced procedural oversight with evidence of the outputs on quarterly CMA assurance exercise to be reviewed and signed-off by senior management”.
When contacted by FinTech Futures, a spokesperson said: “No customers were placed on an incorrect rate as a result and none were overcharged.
“The bank has apologised to all customers who applied for one of these loans during that time and provided a goodwill gesture in recognition of the fact that the incorrect information was on our website and API channels during the time of their application.”
HSBC
For HSBC, the CMA says the bank has “breached the order more extensively in this instance”, and therefore, “added measures are needed to prevent future breaches”.
The regulator’s open letter to the bank outlines the extent of these failures, which include “publishing an incorrect value for its MMC on some of its multi-function devices”.
The bank has introduced these devices as an alternative to ATMs, allowing consumers to withdraw cash.
However, the CMA states that between 27 October 2023 and 28 February 2024, “310 devices displayed the MMC as £35 instead of the actual value of £20 when users attempted to make a cash withdrawal that would have taken them into an unarranged overdraft”.
The origins of this fault, the CMA goes on to explain, lay with an unnamed third-party contractor, which it alleges entered the wrong value for the MMC on a new batch of HSBC devices.
“As a result, some HSBC customers may have switched away from HSBC to another bank, on the incorrect belief that the other bank offered a better MMC than HSBC, but would not have done had they been aware of the correct MMC,” the letter states.
Elsewhere, the CMA also claims the bank displayed incorrect information regarding the status of its branches, having listed 167 closed branches as still being open, while two open branches were not listed at all.
Additionally, the CMA says HSBC “failed to keep some of its annual rates for business loans and overdrafts accurate and up to date on its website”.
Corrective measures for HSBC include improving its user acceptance testing and the capture and assimilation of failure learnings across the organisation, a measure which is to include “a greater focus on ensuring the work of third-party contractors is tested with regulatory requirements in mind”, the CMA says.
Speaking to FinTech Futures, a HSBC UK spokesperson said: “We are sorry for errors on our part which caused these breaches. We have taken steps to avoid a repeat of these issues in the future.”
‘Disappointing’
In all the above instances, the failures were self-reported by the banks in question.
Reflecting on the revelations, Dan Turnbull, senior director at the CMA, comments: “People deserve banks they can trust to serve them well. Having correct information is essential when making important decisions about our finances. Banks handling our hard-earned money should have adequate processes in place to ensure this happens.
“It’s disappointing that seven years on, we have to put in place formal enforcement measures to secure better compliance from a major bank like HSBC which, yet again, is in breach of the rules.
“The CMA will continue to closely monitor all banks’ compliance to ensure customers can clearly and confidently manage their finances.”