On November 29, the United Kingdom Competition and Markets Authority (CMA) announced that it was directing global banks HSBC and Santander to refund money to customers for multiple breaches of Part 6 of the CMA’s Retail Banking Market Investigation Order (Order).
In 2018, after the CMA’s retail banking market investigation “identified a number of competition problems in both the personal current account (PCA) and small and medium-sized enterprise (SME) banking markets,” the CMA Order came into force. Part 6 of that Order, as the CMA stated, “ensures customers receive text alerts before banks charge them for going into an unarranged overdraft, giving them time to take action to avoid any charges.”
Starting in February 2018, however, both HSBC and Santander “failed to send alerts in all of the circumstances required by the CMA.” HSBC reportedly breached the Part 6 requirements twice:
- Breach One: The CMA’s Directions to HSBC explained that its first breach stemmed from HSBC’s commitment “to implementing its ‘unsociable hours’ policy to minimize disturbance to customers.” That meant, according to the CMA, that HSBC “did not contact customers between 10:45pm and 7:30am on weekdays and 10:45pm and 10am on weekends and bank holidays.” As a result, HSBC did not send alerts to customers during those specified hours
even though HSBC continued to charge customers for using an unarranged overdraft. This meant that customers who triggered an Alert between 10:45pm and 11:45pm (when balances were calculated) did not get an Alert that complied with the Order and continued to be charged by HSBC. Most customers received an Alert the next day after incurring the charge, which is in breach of the Order.
- Breach Two: The CMA’s Directions stated that
HSBC’s systems for storing the mobile phone numbers of customers that applied for PCAs through certain application methods (including its digital current account, digital credit card and digital loans applications) stored numbers in a format that was incompatible with the text alert system used to comply with Part 6 of the Order. As a result, HSBC did not process these Alerts and some customers were not notified before incurring charges related to unarranged overdrafts.
Santander reportedly breached the Part 6 requirements six times:
- Breach One: Santander failed to enroll some customers’ mobile phone numbers into its system of Alerts in two specific situations: (1) “where a customer previously registered for email Alerts has added a mobile phone number for Alerts to be sent to, their mobile phone number has not been registered”; and (2) “when a customer updates the mobile phone number registered for Alerts, Santander has de-registered the old number, but has not been registering the new number.”
- Breach Two: Santander “Santander failed to issue an Alert to each customer who at the start of the day (10.00) was in an arranged overdraft position at the end of the previous day (22.00) and a direct debit (but no other payment) is processed overnight (between 22:00 and 05:00) that puts them into an unarranged position.”
- Breach Three: Santander “failed to provide an Alert where the amount authorised and withheld on an account exactly matches the value of a single direct debit amount being processed and no other payments are made.”
- Breach Four: Santander “On 72 occasions, Santander failed to send Alerts to customers until later in the day (after 10.00) due to high volumes of overnight batch payment processing.”
- Breach Five: “Certain of Santander’s retail platforms that capture new customer data allow a customer’s mobile telephone number to be stored in data fields that are not specific to mobile telephones. This means that such numbers are not enrolled for mobile alerts, because Santander’s alerts system only uses numbers stored in the mobile field. As a consequence of Santander not enrolling some of their customers into its system, these customers have not received Alerts when required by the Order.”
- Breach Six: The CMA noted that there were “limited instances where three categories of error message were generated within Santander’s alerts system resulting in alerts not being sent.”
In both HSBC’s and Santander’s case, the CMA deemed their failure to issue the alerts a serious matter. With regard to HSBC, it stated that to date (November 29), approximately 115,754 of HSBC’s customers have been affected. HSBC committed to refunding all affected customers and has already started to refund those customers, with an estimated total of £8 million in refunds. With regard to Santander, it stated that Santander “has been unable to provide figures for the numbers of customers affected or the value of refunds to be made for each of the six breaches.”
N.B.: These cases generally indicate the importance of companies’ making timely preparations for full implementation of compliance requirements and measures by the time that those requirements come into force. They also indicate the importance of banks’ paying attention to even small details that, whether or not inadvertently overlooked, cause needless hardship for customers and needless cost and reputational damage to the banks.