HSBC, Nationwide and TSB reprimanded by CMA for transaction histories breaches

The UK’s Competition and Markets Authority (CMA) has reprimanded HSBC, Nationwide and TSB for failing to provide transaction histories to personal and business current account customers, but stopped short of taking enforcement action against any of the three banks.

TSB, Nationwide and HSBC all breached Part 5 of the Retail Banking Market Investigation Order 2017, under which banks must send payment transaction histories to any business current account (BCA) customer with a turnover of less than £6.5 million, or any personal current account (PCA) customer who closes their business or personal account.

The CMA reported that HSBC failed to send an estimated 12,200 payment transaction histories to former BCA holders between when Part 5 of the Order came into effect in February 2018 and December 2022.

In a letter to HSBC UK Bank, Colin Garland, director, remedies, business and financial analysis at the CMA, wrote that the failures were “due to weaknesses in its control environment and individual human errors amongst its staff”, meaning the bank was unable to identify the exact number of breaches.

Garland wrote: “The CMA considers it unacceptable that a large, regulated entity such as HSBC manifestly failed to implement an effective process to ensure that BCA customers that closed their accounts would be provided with their Payment Transaction History in accordance with its legally binding obligations.

“This failure led to breaches which have been ongoing since the Order came into force, and HSBC’s processes, systems and staff were not capable of detecting and reporting these breaches until December 2022.”

He added: “In addition, the inability for HSBC to determine the scale of these breaches due to the inadequacy of its systems and processes is a further concern. These breaches represent a significant failure, not only in implementing processes which will comply with its legal requirements, but also of management oversight and accurate reporting to the CMA.”

HSBC self-identified the breaches and has since begun a review of the controls and processes used to comply with Part 5 of the Order, as well as introducing an enhanced assurance process among its account closure teams.

TSB’s breaches occurred between April 2022 and 20 March 2023, when it failed to send 105,607 transaction histories to former BCA and PCA customers.

The banks should have reported their non-compliance with the Order within 14 days of becoming aware of the breaches.

According to the CMA, TSB became aware that it was not sending transaction histories on 8 March 2023, and confirmed internally that it had breached the Order on 30 March 2023, but only notified the CMA on 19 April 2023.

In writing to TSB Bank, Garland said: “These breaches represent a significant failure, not only in carrying out processes which will comply with legal requirements, but also of management oversight.”

Nationwide’s failure to provide an estimated 51,185 transaction histories to former PCA holders between 2 February 2018 to 17 May 2023 were as a result of “putting ‘no trace’ markers on certain PCAs where it was concerned that addresses were out of date”.

Garland wrote: “On removing the ‘no trace’ marker, Nationwide failed to check that impacted customers received information on how to download Payment Transaction Histories.”

Given that each of the three banks has since “taken action to put things right”, the CMA has confirmed it will not be taking further formal enforcement action at this time.