Corporate report

Register of breaches of the CMA's markets and merger remedies

Updated 21 October 2024

Name of business	Remedy that has been breached	Summary of breach	Duration of breach	Date breach was notified to the CMA	Action taken by business	Action taken by the CMA
Starling Bank	Retail Banking Market Investigation Order 2017	Starling Bank breached Part 3 of the Order by failing to provide the market research company which carries out Service Quality Information surveys with data on holders of the Starling Sole Trader Account	Surveys published between August 2021 and February 2025 are affected	26 June 2024	Starling Bank has: revised its template submission to the market research company that carries out the surveys to include sole traders. Reviewed the data requirements for the surveys more widely to ensure there are no further omissions. Improved its processes and controls relating to all requirements of the CMA’s Order. Provided further training and guidance on all relevant parts of the Order. Paid for a survey ‘boost’ which will involve additional Starling Sole Trader Account customers being surveyed in advance of the next publication of the survey results in February 2025	Public letter
HSBC UK Bank plc	Retail Banking Market Investigation Order 2017	1) HSBC breached Article 12 in Part 2 of the Order by releasing out-of-date branch information. Two branches were missing and 167 branches had not been removed from its Open banking releases since they had closed. 2) HSBC breached Part 8 of the Order twice by publishing incorrect rates for SME loans and overdrafts for its Kinetic brand	19 July 2022 to 7 October 2023 and 24 June 2023 to 10 August 2023	28 September 2023 and 24 August 2023	HSBC has: commenced the process of enhancing procedures and controls relating to compliance with Part 2 of the Order. Put in place a plan to improve training and awareness of Part 2 of the Order. Started to develop an automated solution to updating APIs related to Branch data. Completed a review of its Part 8 control Environment. Carried out a read-across of this issue to other areas where compliance with Part 8 is required. Strengthened the existing control framework for publication of rates for SME lending products. Developed targeted training related to Part 8. Started to develop an automated solution to update rates and contextual information on its public website	Directions
Barclays Bank UK plc	Retail Banking Market Investigation Order 2017	Barclays failed to provide 1,648 Payment Transaction Histories to customers with a further 659 Payment Transaction Histories sent, but after the 40-day deadline	June to August 2023	1 February 2024	Barclays has: started to write to all former customers who should have received a Payment Transaction History but did not, with an explanation of how to access one. Started carrying out a detailed end-to-end review of the processes and controls relating to delivering Payment Transaction Histories. Started reviewing and updating the support and resources provided to colleagues	Public letter
Santander UK plc	Retail Banking Market Investigation Order 2017	Santander failed to 1) keep information published under Article 12 up to date and 2) publish some information under Article 12 at all, as required under Part 2 of the Order	Up to 7 years	1 March 2024	Santander has: simplified the way it presents information through Open Banking. Introduce enhancements to its processes and controls to prevent a recurrence	Public letter
TSB Bank plc	Retail Banking Market Investigation Order 2017	TSB failed to 1) disclose the level of the Monthly Maximum Charge (MMC) next to the relevant charges in Spend and Save Plus customers’ monthly statements and 2) disclose the level of the MMC within its mobile app journey for new to bank customers when mentioning overdraft charges. TSB failed to notify the CMA of breach 1) within the 14 days required by the Order.  Breach 2) was notified within the required 14 day period	1) Between February 2021 and January 2024 and 2) January 2022 and February 2024. TSB became aware of breach 1) on 1 August 2023. However, it only notified the CMA on 1 September 2023	Breach 1): 1 September 2023. Breach 2): 6 October 2023	TSB has: put in place a process to ensure that PCA and Overdraft Legal, Regulatory and Mandatory communications will be reviewed for content accuracy at least annually. Sent reminders to relevant teams and delivered refresher training on the requirements of Article 56	Public letter
AIB Group UK	Retail Banking Market Investigation Order 2017	AIB breached Part 8 of the Order by: (1) publishing the incorrect Equivalent Annual Rate (EAR) on two webpages for its Business Current Account (BCA) product; and (2) publishing the incorrect Annual Percentage Rate (APR) on two webpages for one of its loan products. AIB  breached Part 2, Article 12.3 of the Order through failing to keep the same information as above up to date on its Open Banking channel. AIB failed to notify the CMA of the breach within the 14 days required by the Order	The longest breaches of Parts 2 and 8 lasted between 1 July 2022 and 7 November 2023. AIB became aware of breaches on 11 August 2023. However, it only notified the CMA on 9 October 2023	9 October 2023	AIB has: enhanced staff training. Enhanced procedural oversight of compliance. Reviewed risk controls relating to obligations under the Order. Reviewed and enhanced its compliance procedures. Written to affected customers with an apology and a £30 goodwill gesture	Public letter
Lloyds Banking Group plc	Retail Banking Market Investigation Order 2017	Lloyds breached Article 12 in Part 2 of the Order through failing to publish the location of 363 ATMs through Open Banking APIs	7 December 2023 to 12 January 2024	24 January 2024	Lloyds has: introduced an additional process step to manually add ATMs to the API data feed in the short term until a change to a new database was completed. Improved control descriptions to avoid misunderstandings. Implemented an additional ATM volume check. Completed a review of its change process to ensure any changes to its processes in future are properly risk assessed	Public letter
HSBC UK Bank plc	Retail Banking Market Investigation Order 2017	HSBC breached Part 7 of the Order by displaying an incorrect value for its Monthly Maximum Charge (MMC) on some of its multi-function devices (MFDs)	27 October 2023 to 28 February 2024	21 February 2024	HSBC has: ensured that all MFDs and ATMs now display the correct MMC value. Improved its User Acceptance Testing. Captured learnings from this breach and shared them across the organisation	Public letter
The Hospital of St John and St Elizabeth	Private Healthcare Market Investigation Order 2014	The Hospital of St John and St Elizabeth breached Part 3 of the Order. Part 3 states that private hospital operators have a duty not to provide referring clinicians incentives to refer patients to that hospital. The Hospital did not offer high value services, including office rental, consultation rooms and medical secretarial services, in a non-discriminatory way or at fair market value. These can reasonably be seen as an incentive for a referring clinician	At least since 2018	7 February 2024	The Hospital has: restructured costing arrangements for outpatient consulting rooms in January 2023. Formalised the process for office rentals, with written licenses to occupy. Engaged with the consultants who use medical secretarial services. Undertaken additional work to ensure compliance with Part 4 of the Order	Public Letter and Action Plan
Metro Bank plc	Retail Banking Market Investigation Order 2017	Metro Bank failed to publish Service Quality Indicators in three of its branches. This was due to a failure in the routers used to transmit information to its digital displays	16 February 2024 to 29 February 2024	29 February 2024	Metro Bank has: replaced affected routers and put in place provisions for paper posters in the event of future problems with its digital displays	Private letter
Nationwide Building Society	PPI Market Investigation Order 2011	131 customers holding Mortgage PPI policies with Nationwide were given incorrect information in their Annual Review Statements. The monthly payment shown only contained the Mortgage element of cover. Any additional cover the customer held was not included in that figure	April 2012 to December 2023	23 January 2024	Nationwide has written to 13 former policyholders who may have taken a decision to end their PPI policy on the basis of the incorrect information. Unconnected to this incident, Nationwide had already begun exiting the PPI market when the issue was discovered. The exit programme began in December 2021 with final closure completed in March 2024	Public letter
Calor Gas Limited	Domestic Bulk LPG Market Investigation Order and Domestic Bulk LPG Market Investigation (Metered Estates) Order	Calor Gas Limited failed to notify customers in writing that they were nearing the end of their exclusive supply contracts. 5,045 customers had their own supply of LPG (and so each failure to supply was a breach of the Domestic Bulk Order) and 878 lived on metered estates (and so each failure to supply was a breach of the Metered Estates Order).	20 July 2023 to 31 October 2023	30 October 2023	Calor Gas Limited: re-started sending reminders from 1 November 2023. Permitted any customer to switch who had not been sent a reminder. Wrote to affected customers explaining the breach. Reduced the length of the contract so that their next renewal date in 2025 will still be the same as if they had received the reminder when they should have done. Put in place processes and procedures to prevent a recurrence.	Public leter
3XD Limited	Payment Protection Insurance Market Investigation Order 2011	The Order prohibits PPI Providers from charging administration fees. 3XD Limited charged an administration fee to 3,142 policyholders, totalling £31,256.	Between 19 October 2022 and 10 March 2023	25 August 2023	3XD has refunded all affected policyholders and has committed to; provide annual consumer compliance training to the 3XD board and relevant staff; introduce an approval process for any new PPI product or amendments to existing PPI products; introduce a PPI Compliance Checklist which must be completed for new PPI products or amendments to existing PPI products.	Public letter
Marks and Spencer plc	Groceries Market Investigation (Controlled Land) Order 2010	10 breaches of the Order concerning land agreements in; Pontarddulais; Guiseley; Glasgow (Uddingston); London (Imperial Wharf); Ilkeston; Leith (Ocean Terminal); Kingston upon Thames (on three occasions); Harrogate.	The earliest breach began on 12 May 2015. 5 of the breaches are still in the process of being resolved.	24 November 2021 and 5 April 2023	Marks and Spencer is amending its processes and procedures to ensure that it is compliant with the Order and to prevent a recurrence of the breaches which have been identified. It has; identified high-risk agreements which could breach the Order in the future for close attention; implemented additional training to staff regarding the requirements of the Order; created additional guidance to reflect the outcomes of this exercise and agreed to ensure that any external parties which advise it in relation to its land transactions expressly confirm compliance with the Order.	Letter published on the CMA’s website
Wm Morrison Supermarkets Limited	Groceries Market Investigation (Controlled Land) Order 2010	55 breaches of the Order concerning land agreements in; Swindon; Wisbech; Harrow; Congleton; Barry; Victoria Barracks, Beverley; Idle, Bradford (on three separate occasions); Coalville; Kendal; Kirkstall Retail Park, Leeds; Speke Boulevard, Liverpool; Canvey Island; Stamford; Newquay; Croydon; Thornton Road, Bradford (on two separate occasions); Morecambe; Stockport; Harrogate; Hunslet; Sheffield; Green Oaks Way, Widnes; Milton Keynes; Grantham; West Denton Way, Newcastle upon Tyne; Morley, Leeds; Hoddesdon; Darlington; Littlehampton; Lincoln; Kettering; Preston; Kingsbury; Willenhall, West Midlands; Acocks Green, Birmingham; Dumfries; Westerhouse Road, Glasgow; High Wycombe; Bognor Regis (on two separate occasions); Chatham, Kent; Chelmsford; Cheltenham; Crumpsall; Gosport, Hampshire; Gravesend, Kent; Waterlooville; Ramsgate, Kent; Southampton; Upton Rocks, Widnes; Sheppey; Leamington Spa	The earliest breach began on 15 August 2011. 41 of the breaches are still in the process of being resolved	30 September 2021 and 24 March 2023	Morrisons is amending the relevant land agreements to ensure that it is compliant with the Order and to end the breaches which have been identified. In addition, Morrisons has: amended its existing training protocols for its staff; delivered additional training to staff and amended its policies and processes to ensure future transactions are compliant with the Order	Letter published on the CMA’s website
Nationwide Building Society	Retail Banking Market Investigation Order 2017	Nationwide failed to provide an estimated 51,185 Personal Current Account customers with notification on how to download their Payment Transaction Histories	Between 2 February 2018 and 17 May 2023	26 January 2023	Nationwide has put steps in place to: fix the breaches; conduct regression testing to ensure that all flags and markers placed upon accounts operate correctly; improve its communication reconciliation controls; and write to all impacted members who closed their account within the last 12 months prior to the implementation of the technical fix to notify them of how to access their 5 years of Payments Transactions Histories	Public letter
The Co-operative Bank	Retail Banking Market Investigation Order 2017	The Co-operative Bank failed to publish up-to-date service quality information (SQI) on its website	Between 15 August 2022 and 3 October 2022	31 January 2023. The Co-operative Bank missed the 14 day deadline for reporting breaches to the CMA	The Co-operative Bank has: made changes to the instructions for publishing SQIs; reminded staff of the importance of prompt reporting of breaches; started carrying out a mapping exercise to establish how the different CMA Order requirements are met; and started implementing robust controls and reviewing further enhancements required to prevent, detect and report breaches	Public letter
NatWest Group plc	Retail Banking Market Investigation Order 2017	NatWest: failed to publish service quality information (SQI) posters prominently in 26 branches; failed to publish SQI posters prominently in 9 NatWest branches; and published the interest rate instead of the APR on one webpage for three of its brands	The breaches lasted: between 15 August 2022 and 12 January 2023; between 15 February 2023 and March/April 2023; and between 1 November 2022 and 24 January 2023	The breaches were notified: 26 January 2023; 23 May 2023; and 1 February 2023	NatWest has: improved communications with its staff on the importance of SQIs; made branch self-certification more frequent; increased the frequency of third-party reviews of branch compliance; updated branch guidance so SQI guidance is more prominent; introduced a guide for its Digital team for pricing and rate updates; introduced additional product reviews; and extended training to its Digital team	Public letter
HSBC UK Bank plc	Retail Banking Market Investigation Order 2017	HSBC failed to send Payment Transaction Histories to up to approximately 12,200 former BCA holders	Between February 2018 and November 2022	16 December 2022. HSBC missed the 14 day deadline for reporting breaches to the CMA by one calendar day	HSBC has: carried out a review of the controls and processes used to comply with Part 5 of the Order; provided reminders and additional coaching on the correct process for sending Payment Transaction Histories; introduced an enhanced assurance process; reinforced the procedural requirement for all BCA closures; and implemented weekly exception reporting	Public letter
TSB Bank plc	Retail Banking Market Investigation Order 2017	TSB failed to send 105,607 Payment Transaction Histories to former BCA and PCA customers	Between April 2022 and 20 March 2023	19 April 2023. TSB missed the 14 day deadline for reporting breaches to the CMA	TSB has: introduced additional controls to ensure Payment Transaction Histories are sent; sent a compliance reminder on the purpose and importance of Payment Transaction Histories to relevant colleagues; and started a review of its reporting processes to underline the 14-day reporting deadline	Public letter
Phoenix Hospital Group	Private Healthcare Market Investigation Order 2014	Every private hospital is required to provide PHIN with information about the healthcare episodes it has carried out for patients treated at that facility. Phoenix Hospital Group has not provided PHIN with all the information required by the Order	Phoenix Hospital Group was in breach from 1 September 2016 and the breach is ongoing	The breach was notified to the CMA by PHIN	Phoenix Hospital Group has now provided to PHIN: NHS record numbers of patients, anaesthetic codes; the correct details for the main operating care professional; the correct primary operating code; patient satisfaction data. Phoenix has also committed to fully integrating Patient Reported Outcome Measures into care pathways by December 2023. This would result in full compliance.	Public letter
Tide Platform Ltd	Retail Banking Market Investigation Order 2017	Breach of Part 5 of the Order, by failing to send Payment Transaction Histories to 95% of customers which closed a Business Current Account within 10 days of account closure	Tide failed to meet the 95% threshold for the following 12-month periods: February 2022 to January 2023; March 2022 to February 2023; April 2022 to March 2023; May 2022 to April 2023; June 2022 to May 2023	1 February 2023	Tide has ended the breach and provided Payment Transaction Histories to all impacted customers. Tide has put steps in place to: regularly review its ongoing compliance with Part 5 of the Order; review and improve the effectiveness of its processes; and provide additional training to its staff	Private letter
Northern Bank Limited t/a Danske Bank	Northern Bank Limited t/a Danske Bank	Danske breached Part 5 of the Order on one occasion, by failing to publish its policy regarding retention of Payment Transaction Histories on its website.	The breach commenced on 15 April 2022. The breach was resolved by Danske on 11 January 2023.	24 January 2023	Danske has restored the relevant policy to its website, and has taken steps to prevent a recurrence, by; implementing a monthly manual check of the Payment Transaction Histories retention policy webpage, reminding all relevant staff of Danske’s obligations under Part 5 of the Order, and working on the development of an automated solution in ensuring information required by the Order remains available on its website.	Private letter
The Ulster Independent Clinic	The Private Healthcare Market Investigation Order 2014	Article 21 of the Order requires private hospitals to supply PHIN with information about the healthcare episodes it has carried out for patients treated at that facility, sufficient for PHIN to publish performance measures. The Ulster Independent Clinic did not provide PHIN with the information required by the Order, namely on admitted patient care, adverse events, patient feedback, patient reported outcomes and consultant engagement.	Ongoing since 1 September 2016	The CMA identified the breach through PHIN.	The Ulster Independent Clinic has now provided complete and accurate diagnosis coding as part of admitted patient care data, provided completed adverse events data for the required period and has introduced a process for continued monthly submissions, and resolved outstanding consultant data queries (51 queries) spanning from 2018 to 31 December 2022. The Ulster Independent Clinic has agreed to provide complete data for patient feedback and relevant patient reported outcomes within a timeframe agreed with the CMA.	Public letter
The Fortius Clinic	The Private Healthcare Market Investigation Order 2014	Article 21 of the Order requires private hospitals to supply PHIN with information about the healthcare episodes it has carried out for patients treated at that facility, sufficient for PHIN to publish performance measures. The Fortius Clinic did not provide PHIN with the information required by the Order, namely on admitted patient care, patient feedback, patient reported outcomes and consultant engagement.	From 1 September 2016 to 31 May 2023	The CMA identified the breach through PHIN.	The Fortius Clinic is now fully compliant with all elements of the order for data collected from end of May 2023 onwards, and has resolved outstanding consultant data queries. For historic data prior to end of May 2023 Fortius has agreed to complete submissions by 8 August 2023.	Public letter
Sainsbury’s Supermarket Ltd	Groceries Market Investigation (Controlled Land) Order 2010	18 breaches of the Order concerning land agreements in; Ballymena; Bishops Stortford; York; Rotherham; Hinckley; Chelmsford; Chertsey (on two occasions); Cardiff (on two occasions); Brighton; South Woodford, London (on two occasions); Stevenage; Kempston; Doncaster; Culcheth; Birmingham.	The earliest breach began on 1 February 2011. 9 of the breaches are still in the process of being resolved.	8 September 2020, 16 April 2021 and 15 December 2022	Sainsbury’s is amending the relevant land agreements to ensure that it is compliant with the Order and to end the breaches which have been identified. In addition, Sainsbury’s has delivered additional training to internal staff and external advisers regarding the requirements of the Order, as well as amending its policies and processes for the drafting of clauses which are relevant to the Order.	m Letter published on the CMA’s website
Asda	Groceries Market Investigation (Controlled Land) Order 2010	14 breaches of the Order concerning land agreements in: Stenhousemuir (on five occasions); Aberdeen (on five occasions); Inverness; Falkirk; Benwell; Gloucester.	The earliest breach began on 15 April 2011.	6 January 2021, 16 March 2022 and 31 January 2023.	Asda is amending its processes and procedures to ensure that it is compliant with the Order and to prevent a recurrence of the breaches which have been identified. Asda has delivered additional training to staff regarding the requirements of the Order, begun amending its internal guidance to reflect the CMA’s direction through this exercise, and agreed to ensure that any external parties which advise it in relation to its land transactions expressly confirm compliance with the Order.	Letter published on the CMA’s website
Bank of Ireland (UK) plc	Retail Banking Market Investigation Order 2017	Failure to deliver the Variable Recurring Payment standard for sweeping services according to the Open Banking Roadmap	Ongoing since July 2022	12 March 2021	Put in place a delivery plan and governance structure to deliver the required functionality by 21 August 2023. Provide additional monthly reporting on delivery to the Implementation Trustee.	Public letter
AIB Group (UK) plc	Retail Banking Market Investigation Order 2017	Failure to deliver the Variable Recurring Payment standard for sweeping services according to the Open Banking Roadmap	Ongoing since July 2022	June 2021	Put in place a delivery plan and governance structure to deliver the required functionality by 31 March 2024. Provide additional monthly reporting on delivery to the Implementation Trustee.	Public letter
Shelby Finance Ltd	The Payday Lending Market Investigation Order 2015	Four breaches of Part 4 of the Order due to failure to send Summaries of Borrowing	Longest breach lasted up to 3 months	6 September 2022	Issuing overdue Summaries of Borrowing and carrying out appropriate system fixes. Apologising to affected customers and in certain circumstances waiving interest payments. Improved compliance monitoring processes. Preventative systems upgrades.	Public letter
Auden Group Ltd	The Payday Lending Market Investigation Order 2015	Two breaches of Part 4 of the Order due to failure to send Summaries of Borrowing on time and failure to send notifications that Summaries of Borrowing were available on time.	Longest breach lasted up to 10 months	8 August 2022	Incidents logged and rectified, and additional controls put in place. All affected customers contacted. Staff training. Design improvements to Summary of Borrowing generation systems. Additional process controls and Incident Management Framework.	Public Letter
HSBC UK Bank plc	Retail Banking Market Investigation Order 2017	Part 2 (Open Banking) HSBC published inaccurate information through its Open Data APIs on more than 50 occasions, relating to fees, charges and rates, as well as to eligibility criteria and features and benefits of accounts and loans.	2017 to 2022	13 June 2022	HSBC has; more clearly defined responsibility for completion and oversight of the information to be published through Open Data APIs; improved control processes to check information before it is made available through Open Data APIs; delivered training and guidance notes on the requirements of Part 2 of the Order, including through written reminders and enhanced user guides.	Public letter
HSBC UK Bank plc	Retail Banking Market Investigation Order 2017	Part 8 (SME information): HSBC published the wrong Effective Annual Rate (EAR) for its Business Overdrafts for Business Current Accounts on one page of its website. The rate should have read 12.29% but it read 11.74%.	11 to 30 August 2022	2 September 2022	HSBC has; corrected the published EAR on the same day the error was identified. Put in place improvements to its internal control framework.	Entry on Register of Breaches
Lloyds Banking Group plc	Retail Banking Market Investigation Order 2017	Breaches of Part 2 of the Order, by: failing to include lunchtime closing hours within the stated operating hours for 22 of its branches/mobile stops; stating incorrect information on its API regarding transaction fees for one of its PCAs; incorrectly stating on its API that a feature was available for one of its PCAs; and incorrectly omitting information regarding transaction fees within one of its BCA APIs.	For the breaches relating to; Lunchtime closing hours: March 2021 to August 2022. Incorrect PCA information: the longest breach was between June 2019 and November 2022, and the shortest breach was between September 2021 and October 2022. Incorrect BCA information: November 2022 to January 2023.	Breach notifications received on 23 August, 28 October and 1 December 2022, and 17 January 2023.	Lloyds has updated its API to detail the correct reference and product information, and has amended its procedures and controls to ensure that this information is kept current.	Private letter
NatWest Group plc	The Retail Banking Market Investigation Order 2017	NatWest breached Part 8 (SME Lending) by failing to display the correct APR for an SME lending product offered by its Ulster Bank brand between 2017 and 2022	2017 to 2022	29 July 2022	NatWest has corrected the information and has taken steps to prevent a recurrence, including improvements to its processes and procedures and to its training	Public letter
Nationwide Building Society	The Retail Banking Market Investigation Order 2017	Nationwide breached Part 2 of the Order (Open Banking) by publishing inaccurate information through its Open Data APIs on 10 occasions	The longest breach lasted from 2017 to 2022	27 May 2022 and 14 October 2022	Nationwide has corrected the information and has taken steps to prevent a recurrence, including improvements to its training provided to relevant staff	Public letter
Northern Bank Limited trading as Danske Bank	The Retail Banking Market Investigation Order 2017	Danske breached Part 2 of the Order (Open Banking) by publishing inaccurate information through its Open Data APIs on 45 occasions	The longest breach lasted from 2018 to 2022	13 July 2022	Danske has corrected the information and has taken steps to prevent a recurrence, including improvements to its training provided to relevant staff	Public letter
Barclays Bank plc	Payment Protection Insurance Market Investigation 2011	Barclays failed to send Annual Reviews to up to 1,306 of its former MPPI policyholders	2014 to 2017	8 October	Barclays is actively communicating with all affected policyholders, providing an up-to-date Annual Review and providing affected policyholders with monetary remediation of up to £1m in total	Public letter
Bank of Ireland (UK) plc	The Retail Banking Market Investigation Order 2017	Breaches of Parts 2 of the Order by making incorrect information available about its products and services. Breaches of Part 3 of the Order as its mobile banking app did not display a link to the SQIs within two steps of the primary mobile banking app screen when accessed through tablet devices	Part 2: 2 October 2019 to 10 May 2022. Part 3: 25 May 2020 to 22 April 2022	Part 2: 18 May 2022. Part 3: 1 February 2022	Bank of Ireland: has introduced more substantive checking of published information; more frequent checking of SQI availability on all platforms; updated procedures and controls to ensure read-only data is kept current	Letter published on CMA’s website
HSBC UK Bank plc	The Retail Banking Market Investigation Order 2017	Breaches of Part 7 of the Order through failing to mention the MMC where it should have done. Breach of Part 8 of the Order when one of the pages of its public website displayed out of date information about the representative EAR for its Unsecured Business Overdrafts	The earliest breach commenced in 2018. All breaches were fixed by 20 May 2022	Part 7: 2 February 2022. Part 8: 19 May 2022	HSBC will: improve its checking and sign-off procedures for its website; introduce an automated system where changes to one webpage are automatically updated on duplicate webpages; send reminders about and deliver refresher sessions on the requirements of Part 7 and 8 of the Order to teams within HSBC	Letter published on CMA’s website
NatWest Group plc	The Retail Banking Market Investigation Order 2017	Breaches of Part 2 of the Order through failing to update records on branch and ATM closures. Breach of Part 10 of the Order as the information it shared with independent comparison tools on its small business loans included incorrect interest rates	Part 2: 15 June 2021 to 19 August 2021. Part 10: 18 / 19 September 2021 to 2 February 2022	1 February 2022	NatWest has, for Part 2: introduced early identification of planned branch closures and improved its Management Information with respect to branch/ATM API performance. For Part 10: improved its checklist for loan compliance to set out the full end-to-end process, introduced a monthly third-party data feed check as part of its existing Order control activities, and has run a refresher training session for relevant staff	Letter published on CMA’s website
Barclays Bank plc and Barclays Bank UK plc	The Retail Banking Market Investigation Order 2017	Two breaches of Part 8 of the Order through failing to keep the representative EAR up to date on two pages: the Business Banking agricultural overdraft webpage; and the Corporate Banking webpage	The first (agricultural page) breach lasted from 2 August 2018 to 17 December 2021 while the second lasted from 26 April 2021 to 17 November 2021	11 January 2022	Barclays has: carried out a review to ensure there were no similar breaches; introduced tracking of all Business Banking and Corporate Banking pages displaying overdraft rates; improved the communication of rate change information within Barclays; given page owners greater responsibility for ensuring updates are made	Letter published on CMA’s website
Lloyds Banking Group plc	The Retail Banking Market Investigation Order 2017	Breach of Part 3 of the Order by failing to publish in brochures and on branch posters in 3% of its bank branches the latest SQIs. Breach of Part 8 of the Order by failing to keep the (EAR) in relation to Bank of Scotland’s business banking overdraft up to date and accurate on one of its webpages	Part 3: 15 February 2022 and 29 April 2022. Part 8: 22 April 2021 and 5 November 2021	Part 3: 28 March 2022 Part 8: 16 November 2021	Lloyds has for Part 3: ensured the distribution of NI posters will be managed from a different location from GB posters; taken measures to ensure correct posters are displayed and incorrect ones are destroyed; introduced an additional final approval of the branch communications from LBG’s Chief Customers Office. For Part 8: introduced procedures to check for incorrect information being published; introduced a four-eye process for each change; introduced post-publication checking of each change made	Letter published on CMA’s website
Metro Bank plc	The Retail Banking Market Investigation Order 2017	Breach of Part 7 of the Order by charging 92 customers more than Metro Bank’s £60 Monthly Maximum Charge (MMC) for unarranged overdraft use	From August 2017 to January 2022	5 January 2022	Metro Bank has: refunded customers a total of £20,773.59; implemented a control to ensure any accounts which have not had the £60 MMC cap applied correctly are rectified before the customers are charged more than the £60 MMC; implemented a new monthly check of a sample of accounts to ensure that the £60 MMC cap has been applied; fixed the root cause of the breach	Letter published on CMA’s website
NatWest Group plc	Small and medium-sized enterprise (SME) banking undertakings	Breach of Clause 17 of the Undertakings because its Electronic On-Boarding Account Opening system automatically opened a BCA for new-to-bank Small Business Loan customers who applied for an account, even if the customer had required a feeder account	From November 2016 to 15 May 2020	29 January 2021	NatWest has been directed to: appoint an independent body to check its process and procedures for compliance; remind all its SME banking customers about NatWest’s obligations under the Order; remind its staff to report breaches; introduce a compliance checklist; train staff on the undertakings and then assess the effectiveness of that training	Directions issued by the CMA
Monzo Bank Limited	The Retail Banking Market Investigation Order 2017	Breach of Part 5 of the Order through failing to send Payment Transaction Histories to 13,046 personal account and 506 joint account holders and to 14 business account holders	Between 31 May 2021 and 11 March 2022 for PCAs and between 1 March 2022 and 11 March 2022 for BCAs	15 March 2022	Monzo has been directed to: appoint an independent body to check its process and procedures for compliance; report on compliance on a monthly basis to the CMA	Directions issued by the CMA
Freedom Healthnet Limited trading as Freedom Health Insurance	Private Healthcare Market Investigation Order 2014	Breach of article 25.1 and 25.2 of the Order	From the date Article 25 of the Order came into force on 6 April 2015	16 May 2022	Freedom Healthnet has included the required information in its pre-authorisation letters; welcome and renewal letters for individual policies; policy wordings and on its website. Wording on its welcome and renewal letters for group scheme members will be completed shortly	Private letter from the CMA to Freedom Healthnet
Waitrose Limited	Groceries Market Investigation (Controlled Land) Order 2010	7 breaches of the Order concerning its land agreements in: Bromsgrove; Rustington; Swindon; Daventry; Chester; Notting Hill Gate; and Market Harborough	The earliest breach began on 9 March 2012. Two of the seven breaches are still in the process of being resolved.	15 April 2021 and 22 December 2021	Waitrose is seeking the removal of ongoing breaches from its land agreements. In addition: Waitrose real estate lawyers now receive regular training on the Controlled Land Order from competition lawyers; Waitrose real estate lawyers have access to an enhanced set of guidance materials on the operation and application of the Controlled Land Order; Waitrose Group has updated its internal Controlled Land Order training for its surveyors and internal lawyers, and the property team attended a bespoke legal training session on this, which will be repeated annually. Dentons and Waitrose Group also compiled information and an FAQ document which has been shared with Waitrose’s team of surveyors	Letter published on CMA’s website
Pressuretech Transport Services Ltd T/A BDS Fuels	Domestic Bulk Liquefied Petroleum Gas Market Investigation Order	BDS Fuels breached the Order twice by failing to limit the exclusivity period in contracts to 24 months, and by failing to provide important information to customers when providing them with contracts	From at least 2017 to April 2022	The breach was brought to the CMA’s attention through a complaint in December 2021	BDS Fuels has removed the auto-rollover clauses from its template agreements and informed all customers subject to those clauses they are free to switch. It will also include the missing information in future communications with customers and introduce compliance training for staff	Letter published on the CMA’s website
Aetna Insurance Company Limited	Private Healthcare Market Investigation Order 2014	Article 25 of the Order requires private medical insurers to inform patients that helpful information as to consultants and private hospitals is available on the website of the Private Healthcare Information Network (PHIN). Aetna has informed the CMA that it did not include any such wording in relevant communications with customers	From the date Article 25 of the Order came into force on 6 April 2015	4 February 2022	Aetna has added the appropriate standard wording referring members to PHIN in its welcome emails to new members; in renewal letters to existing members; in member handbooks; and on Aetna’s “Health Hub”, website	Private letter from the CMA to Aetna
HSBC UK Bank plc	The Retail Banking Market Investigation Order 2017	Multiple breaches of Part 2, 8 and 10 of the Order	The earliest breach commenced on 22 October 2020. All breaches were fixed by 20 January 2022	26 January 2022	Following launch, HSBC transferred product management of its Kinetic products to BAU control teams; reviewed and amended its Product Governance Change Management Checklists; delivered refresher awareness sessions with relevant staff	Letter published on CMA’s website
Tarmac	Cement Market Data Order 2016	Tarmac sent Individual Cement Market Data to the Mineral Products Association (trade association) in breach of Article 3.2 of the Order	The data was sent on 4 March 2022. The data was deleted on 5 April 2022	The breach was brought to the CMA’s attention by the Mineral Products Association on 11 April 2022	Tarmac: has implemented revisions to its internal compliance training programme; has emphasised spreadsheets must be checked for hidden data, and updated training to support this	Letter published on CMA’s website
Tesco Bank	The Private Motor Insurance Market Investigation Order 2015	Tesco Bank understated the financial benefit of removing No Claims Bonus Protection (NCBP) from motor insurance renewal documents by an average of around £10. This affected 124,451 customers	April 2020 to 14 September 2021	20 August 2021	Tesco has written to all affected customers to offer refunds for any customers who would have removed NCBP had they known its true cost. It has also taken action to prevent a recurrence by introducing system changes and manual checks	Letter published on the CMA’s website
Tesco Bank	Retail Banking Market Investigation Order 2017	Tesco Bank failed to publish three Service Quality Indicators in the correct place on its mobile banking app. This resulted in an information loss for approximately 544 customers	24 July 2021 to 21 September 2021 (and ongoing until customers update their mobile banking apps)	19 August 2021	Tesco is reminding Digital colleagues and providing refresher training sessions to teams with regards to the processes in place for app changes. Tesco is ensuring that colleagues with the relevant Regulatory knowledge are represented on the weekly mobile app working group forum. Tesco has committed to carrying out a retrospective compliance review from the point Tesco fell into the scope of Part 3 of the Order to date	Letter published on the CMA’s website
Lloyds Banking Group plc	Retail Banking Market Investigation Order 2017	Multiple breaches of Part 2 of the Order (Open Banking) relating to Open Banking APIs	The earliest breach commenced on 20th March 2017. All of the breaches have been corrected	Breach notifications received on 8 June; 9 July; 18 August; 1 October; 13 October 2021	Lloyds has committed to improve compliance, including through: correcting all the outstanding breaches; putting in place systemic fixes to prevent a recurrence; introducing additional compliance training	Letter published on the CMA’s website
Barclays Bank UK plc	Retail Banking Market Investigation Order 2017	Several breaches relating to product and service Open APIs (Open Banking APIs)	The earliest breach commenced on 13 January 2018. All were fixed by 11 August 2021	22 September 2021	Barclays has introduced monthly manual controls on what has been published; trained staff on Open Banking API requirements; introduced a process to ensure Open Banking APIs are updated in parallel with other updates	Letter published on the CMA’s website
The London Clinic	Private Healthcare Market Investigation Order 2014	The London Clinic failed to publish details of payments made to, and a summary of the duties performed by Consultants who hold part-time positions at that hospital	April 2015 to 5 October 2021	The CMA identified the breach and informed The London Clinic on 23 August 2021	The London Clinic has published the correct information on its website; centralised responsibility for updating Consultant information; introduced regular reminders to be sent to check compliance status; and assigned editing capability to teams with delegated responsibility	Letter published on the CMA’s website
Barclays Bank UK plc	Retail Banking Market Investigation Order 2017	The Barclays home page (which is also its personal banking page) contained an out-of-date Overall Service Quality visual, referring to the previous reporting period	16 August 2021 to 14 October 2021	27 October 2021	Barclays has introduced a range of procedures to prevent a recurrence, including enhancing team instructions; more comprehensive checks and reminders to staff	Letter published on the CMA’s website
Monzo Bank Ltd	Retail Banking Market Investigation Order 2017	Monzo failed to include the Monthly Maximum Charge (MMC) within its Fee Information document	25 October 2018 to 19 November 2021	The CMA notified Monzo of the suspected breach on 9 November 2021	Monzo is implementing a new procedure whereby its Terms and Conditions will be subject to an internal annual audit legal review to ensure compliance with the Order	Letter published on the CMA’s website
HSBC UK Bank plc	SME Banking Undertakings 2002	The breaches primarily concern loan agreements governed by Scottish Law (‘Scots law’) and secured by a Scots law floating charge. A total of 221 loans were affected, impacting 204 customers	The breaches affecting a number of loan agreements occurred between 2002 and 2021	First notified in July 2020	HSBC confirmed it put an end to the breach from September 2021 when it wrote to impacted customers to waive the non-compliant clauses from the relevant loan agreements. HSBC also offered refunds of all BCA fees and charges and reminded those affected customers that they are not required to open or maintain a BCA with HSBC in order to have a loan with it. Enhanced compliance measures to be implemented through the Directions. See HSBC’s Action Plan.	CMA issued Directions
Lloyds Banking Group plc	Retail Banking Market Investigation Order 2017	Lloyds Banking Group failed to publish important contextual information about SME lending representative APR on one page of its website. 503 customers took out a loan in this period	June 2020 to March 2021	1 February 2021	Lloyds has published the information on its website and put in place controls to prevent a recurrence	Letter published on the CMA’s website
NewDay Ltd	PPI Market Investigation Order 2011	Failure to issue Annual Reviews to customers. Issued Annual Reviews to customers with incorrect information. Approximately 27,000 customers affected in total. Failure to appoint a PPI Compliance Officer	8 years	5 March 2021	Arranged for an independent audit of its compliance systems. Will send apology letters and offer refunds to 27,000 customers	Letter published on the CMA’s website
Danske Bank (a trading name of Northern Bank Limited)	Small and medium-sized enterprise (SME) banking undertakings 2002	Requiring up to 205 SMEs to open Business Current Accounts with Danske Bank in order to apply for loans under the Government backed Bounce Back Loan Scheme	11 months (4 May 2020 to 31 March 2021)	On 30 April 2021, Danske Bank notified the CMA of this breach of the Undertakings	Danske Bank wrote to affected customers and offered refunds of BCA fees and transactional charges incurred. See Danske’s Action Plan	Letter and action plan published on CMA website
Santander UK plc	Retail Banking Market Investigation Order 2017	Breaches 1 and 2: SQI for NI BCAs not published and SQI for GB BCAs out of date.	Breaches 1 and 2: 23 April 2021 to 11 May 2021	Breaches 1 and 2: 21 May 2021	Santander has introduced additional checking procedures; additional training of, and guidance to, website editors; automated identification of changes to webpages; automated highlighting of placeholder content that requires updating during website changes.	Letter published on the CMA’s website
Lloyds Banking Group plc	PPI Market Investigation Order 2011	Lloyds Banking Group failed to include the monthly PPI benefit value figures in 41 customers’ PPI Annual Reviews, relating to some of its AXA (TSB) Mortgagesure PPI policies. Lloyds Banking Group reported that it identified this breach as a result of enhanced controls which were put in because of the CMA’s intervention.	March 2019 to March 2020	8 April 2021	Lloyds Banking Group is sending apology letters to all customers with an open and closed policy affected by the breach. Lloyds Banking Group will also be offering affected customers (with open and closed policies) the option to receive a refund of premiums with 8% interest. Four customers have requested a refund so far and LBG has issued refunds, totalling £1,500.	Letter published on the CMA’s website
Monzo Bank Limited	Retail Banking Market Investigation Order 2017	Monzo failed to send Transaction Histories to 199,673 former holders of a PCA (it originally reported that 143,437 former customers were affected)	March 2019 to 31 May 2021 (originally reported 1 March 2020 to 31 May 2021)	1 February 2021	Monzo has ended the breach; put in place measures to prevent future breaches; and committed to write to affected customers with their Transaction History	Letter published on the CMA’s website
NatWest Group	Retail Banking Market Investigation Order 2017	NatWest failed to send Transaction Histories to 903 former holders of a PCA with its brand Bó	14 November 2019 to 1 May 2020	29 January 2021	NatWest has put in place measures to prevent future breaches; and committed to write to affected customers with their Transaction History (subject to opt-out)	Letter published on the CMA’s website
Virgin Money UK plc	Retail Banking Market Investigation Order 2017	Virgin Money failed to send Transaction Histories to 220 former holders of a PCA or BCA	1 January 2020 to 11 February 2021	1 February 2021	Virgin Money has ended the breach and started to remediate customers by offering their Transaction Histories. Virgin has put in place controls to prevent a recurrence.	Letter published on the CMA’s website
Bank of Ireland UK Limited	Retail Banking Market Investigation Order 2017	BOI failed to send Transaction Histories to 1066 former holders of a PCA or BCA	Breach 1 and 2: 24 March 2020 to 30 June 2020 Breach 3 and 4: 1 August 2019 to 1st April 2021	Breach 1 and 2: 1 February 2021 Breach 3 and 4: June 10 2021	BOI has ended the breach and remediated customers by offering their Transaction Histories free of charge. BOI has also issued a notification of an apology to all impacted customers and a £50 gesture of goodwill for customers impacted by breaches 2 and 4. BOI has put in place controls to prevent a recurrence.	Letter published on the CMA’s website
Lloyds Banking Group	Payment Protection Insurance Market Investigation Order 2011	Approximately 8,800 PPI customers received Annual Review statements with correct information in the wrong box and/or contained missing or incorrect information. Breaches involve 3 different errors in Annual Review Statements.	Breach 1: 10 January 2013 to 17 January 2013 Breach 2: January 2014 to January 2021 Breach 3: January 2013 to September 2020	15 September 2020	See Lloyds Banking Group’s Action Plan	Public letter and Action Plan published on CMA website
Danske Bank (a trading name of Northern Bank Limited)	Small and medium-sized enterprise (SME) banking undertakings 2002	Requiring 305 SMEs (who operate their business finance through a Danske Bank personal current account) to open Business Current Accounts with Danske Bank before Danske Bank would consider an application for the Government backed Bounce Back Loan Scheme.	9 months (4 May 2020 to 27 January 2021)	On 1 February 2021, the CMA informed Danske Bank that it had breached the Undertakings.	Danske Bank’s Action Plan, Danske Bank refunded BCA fees and transactional charges incurred by the 305 SMEs.	Public letter and Action Plan published on CMA website
Clydesdale Bank PLC	Small and medium-sized enterprise (SME) banking undertakings 2002	Clydesdale breached the Undertakings by requiring 55 customers to open a business current account with the bank in order to obtain a loan through the Government’s Bounce Back Loan Scheme.	8 months (May 2020 – December 2020)	On 11 November 2020, the CMA informed Clydesdale Bank that it had breached the Undertakings.	Clydesdale Bank’s Action Plan	Public letter and Action Plan published on CMA.GOV.UK with CMA press release
Cardif Pinnacle	PPI Market Investigation Order 2011	4 customers received incorrect information in Annual Reviews.	4 years	25 November 2020	Corrected system faults. Apology letters sent to affected customers.	Letter published on CMA website
Cardif Pinnacle	PPI Market Investigation Order 2011	4,808 customers received incorrect information in Annual Reviews.	8 years	6 November 2020	Commenced work to correct system faults ahead of the next Annual Review mailing cycle. Apology letters sent to affected customers.	Letter published on CMA website
Argos Limited	Undertakings given under section 154 of the Enterprise Act 2002 by Comet Group plc, Argos Limited and DSG Retail Limited	Argos failed to meet the requirements of Clause 4.1 and affected 414,578 consumers of which 114,002 may have been financially affected. They did not include a link to the ‘Compare Extended Warranties’ website which should be one click away from the product page.	July 2019 to October 2020	CMA identified the breach on 18 August 2020	Argos updated its product pages with the comparison link and put in place procedures to prevent a recurrence. It will offer 114,002 affected customers who may have got a cheaper deal a £5 e-gift card.	Letter published on CMA website
HSBC UK	Retail Banking Market Investigation Order 2017	HSBC has estimated that around 100 customers affected by the breach which led to these Directions should have been sent an Alert, but weren’t before being charged for entering an unarranged overdraft.	February 2018 to December 2019	The original breach was notified in March 2019	The 100 affected customers cannot be identified through proportionate means, so HSBC has published wording on its website encouraging affected customers to contact it for a refund.	Entry on the Register of breaches
Hanson Group	The Cement Market Data Order 2016	Hanson UK breached Article 3.2 of the Order due to its annual MPA subscription payment being disclosed to the MPA which could have been used as a proxy for Individual Cement Market Data relating to a previous trading year	3 weeks to 11 September 2020 to 2 October 2020	21 September 2020	Training has been repeated by all relevant employees; a member of the Hanson Legal Department will be added to the list of the MPA’s controlled persons; and a dedicated person has been identified to process subscription payments to ensure no repeat	Public letter
MYJAR	The Payday Lending Market Investigation Order 2015	Incorrect information provided in the summary of borrowings issued to 551 customers between 15 May and 2 June 2020	2 weeks	10 September 2020	The lender established a fix and the missing field was implemented. All affected Summary of Borrowings were reissued on 16th June	Entry on the Register of Breaches
Cardif Pinnacle	PPI Market Investigation Order 2011	167 Customers received incorrect information in Annual Reviews	2 months	14 August 2020	Corrected system faults. Apology letters sent to customers affected	Public letter
AIB Group (UK) plc	Directions given under the Small and medium-sized enterprise (SME) banking undertakings 2002	AIB failed to comply with a Direction to include wording in its Business Lending Policy not to bundle products	8 months	31 July 2020	Replaced wording that had been removed from Business Lending Policy	Public letter
The Money Hive Limited	The Payday Lending Market Investigation 2015	227 customers did not receive summary of borrowing statements at the times required under the Order	30 months	6 July 2020	Committed to refunding or writing off charges incurred outside the loan term.	Private letter
Lloyds Banking Group	PPI Market Investigation Order 2011	156 customers received Annual Reviews containing incorrect information	6 months	1 July 2020	Enhanced controls implemented. Provided correct information to customers	Private letter
Cardif Pinnacle	PPI Market Investigation Order 2011	77 customers did not receive Annual Reviews at the times required by the Order	16 months	25 June 2020	Corrected system faults. Sent Annual Reviews and apology letters to affected customers	Public letter
Santander UK plc	Retail Banking Market Investigation Order 2017 (Part 6 relating to text alerts)	Santander’s system failed to send text alerts to 1,444 customers whose overdraft usage increased at the same time that Santander reduced the overdraft limit	Almost 2 years - from February 2018 to December 2019	15 June 2020	Committed to refunding all customers who did not receive an alert but were charged	Published on Register of Breaches. Responsibility for Alerts now sits with FCA
Hanson UK	Aggregates, Cement And Ready-Mix Concrete Price Announcement Order 2016	Hanson reported that 2 individual price increases, whilst not generic price increase announcements, did not include 2 of the required items of information under Article 4.1	2 instances - 1 in 2017 and in 2018	5 June 2020	Introducing package of measures to enhance existing processes	Published on Register of Breaches
Lloyds Banking Group	Payment Protection Insurance Market Investigation Order 2011	2 customers were not issued with their Annual Review Statement when they should have been, in breach of Article 4.1 of the Order	Isolated incidents in 2 years (2016 and 2019)	21 May 2020	Enhanced controls and monitoring introduced by both Lloyds and its third party partner to prevent future breaches	Letter published on CMA website
Nationwide Building Society	Payment Protection Insurance Market Investigation Order 2011	3,053 customers were not issued with their Annual Review Statement when they should have been, in breach of Article 4.1 of the Order	4 months – 1 February 2020 to 4 June 2020	20 May 2020	Issued the late Annual Reviews, sent apology letters, offered refunds of premiums if customers choose to cancel their policy (from 1 January 2020) which include 8% compensatory interest	Letter published on CMA website
Lloyds Banking Group	The Retail Banking Market Investigation Order 2017 (Part 9 - Tool offering indicative price quotes and eligibility indicator)	Lloyds removed mandatory information from a small number of pages on its website on 11 May 2020	58 days	15 May 2020	Reinstated the information on 7 July 2020	Published on Register of Breaches
Lloyds Banking Group (Lloyds Bank and Bank of Scotland brands)	Small and medium-sized enterprise (SME) banking undertakings 2002	Requiring around 30,000 SME customers (who operate their business finance through a personal current account) to open Business Current Accounts with Lloyds as a pre-condition of applying for a loan under the Government backed Bounce Back Loan Scheme	130 days (8 May 2020 – 15 September 2020)	12 May 2020	See Lloyds’ Action Plan	Public letter and Lloyds’ Action Plan (non-confidential version) published on CMA website. CMA stops Lloyds ‘bundling’ business accounts with loans