Corporate report

SME Banking behavioural undertakings 2002 - annual report on compliance – July 2021 to June 2022

Published 20 July 2023

Introduction

This report sets out the CMA’s findings from its analysis of the banks’ audit reports relating to compliance with the SME Banking behavioural undertakings 2002, covering the period from 1 July 2021 to 30 June 2022.

It describes how well eight banks have complied with obligations which restrict their ability to bundle certain banking products offered to Small and Medium-size Enterprises (SMEs). It also showcases examples of best practice.

The obligations are contained in the SME Banking Undertakings 2002 (the Undertakings) and the 2014 Agreement.

The banks subject to these obligations are:

• AIB Group (UK) plc (known as AIB NI in this report, and previously known as First Trust)

• Bank of Ireland

• Barclays Bank plc and Barclays Bank UK plc (together, Barclays)

• Clydesdale Bank plc’s SME Business and Branches in Scotland branded as Virgin Money (Clydesdale).

• HSBC UK Bank plc (HBUK). HSBC’s non-ringfenced bank HSBC Bank plc (HBEU) remains subject to the Undertakings but was released from the 2014 Agreement during 2023.

• Certain group companies of Lloyds Banking Group plc, formed from the merger of HBOS plc and Lloyds TSB Bank plc (Lloyds)

• Northern Bank Limited (Danske)

• NatWest Group plc (NatWest) (formerly the Royal Bank of Scotland Group plc (RBS)) which includes Ulster Bank Limited (Ulster Bank) in Northern Ireland.

The background and obligations on banks can be found in a separate document. A glossary of terms can also be found in a separate document.

A list of enforcement action taken by the CMA to date under these obligations is set out below.

Guidance

The CMA is available to provide guidance in relation to matters regarding compliance for these and other Undertakings and Orders affecting retail banks. The CMA encourages banks to contact the CMA as soon as any breaches or potential issues arise, even where the full details have not become clear. This is to enable the CMA to understand the breaches and consider appropriate action with the organisation concerned. There are further details in the CMA’s published guidance ‘Merger and market remedies: Guidance on reporting, investigation and enforcement of potential breaches’.

For queries relating to the SME Banking Undertakings and compliance reporting please contact the CMA’s Remedies Monitoring and Enforcement Team: RemediesMonitoringTeam@cma.gov.uk

Breaches dashboard for this reporting year

One bank reported that six customers who requested a fee-free Loan Servicing Account were given a BCA, which charges SMEs, instead. Refunds were provided to each affected customer. This is a breach of Clause 17 of the Undertakings but due to the scale of the breach and the remedial action taken by the bank, the CMA did not take public enforcement action.

The performance of banks against best practice

We set out below best practice in ensuring compliance with the Undertakings and where banks have fallen short. The purpose of this is to identify where banks should strengthen their compliance.

• banks should have in place policies, practices and procedures to monitor their compliance with the Undertakings. This is to allow any problems to be identified and addressed quickly

  • NatWest reported that, as a result of weaknesses in its control framework, there is an increased risk of a breach. NatWest is reviewing and improving its controls to address this

  • Bank of Ireland, Clydesdale and Danske each reported that they did not have second-line assurance procedures in place to prevent breaches. Bank of Ireland have committed to introducing them for the following reporting year. Danske agreed with the CMA that a planned second-line assurance monitoring review in 2022 could be cancelled as they could place sufficient reliance on an Audit undertaken by an Independent Body into their compliance with the Undertakings

• banks should have in place policies, practices and procedures to ensure their internal communications support compliance with the Undertakings. This is to ensure staff are informed of their responsibilities under the Undertakings

  • two banks failed to send an Annual Reminder to all their relevant staff in this reporting period. NatWest reported that 44 members of staff did not receive the Annual Reminder. Lloyds reported that it did not issue annual reminders to certain staff which oversee Mid Corporate and Corporate and Institutional Coverage businesses which include some SMEs. Each bank has corrected its procedures

• banks should provide training to staff on how to comply with the Undertakings and assess their understanding. The CMA considers that it is important that all staff are trained on their legal obligations, even if SMEs are not their main customers, or if they are new to the role

  • Lloyds explained that its SME Credit and Business Banking Credit teams did not perform annual training. NatWest reported that 364 staff did not receive the annual staff training on the Undertakings. Both banks have put in place changes to ensure that all Relevant Staff receiving training in the next reporting year

  • Danske reported that no interviews of staff were carried out to assess their understanding of the Undertakings. Danske agreed with the CMA that interviews did not need to be carried out as they could place sufficient reliance on an Audit undertaken by an Independent Body into their compliance with the Undertakings

• banks should review their lending appeals processes. This allows them to check if potential customers have been refused loans or savings accounts because they were not offered a BCA

  • Clydesdale reported that it had not reviewed its lending appeals process

• banks should review their own internal complaints. This is important as staff with concerns about practices which may lead to non-compliance can share them, leading to non-compliance being identified and stopped

• banks should have an individual complaint code for the bundling of products (such as BCAs and loans/savings accounts). This is important as it allows complaints about this specific problem to be easily identified

  • Bank of Ireland did not have an individual complaint code for bundling but introduced one in September 2022

Enhanced measures put in place by banks

Clydesdale carries out training twice yearly, which increases the chance of staff members having their training prominent in their minds when undertaking their duties.

We encourage banks to introduce measures to prevent breaches before they happen.

Enforcement action taken by the CMA under the Undertakings to date

Total number of public enforcement actions taken by the CMA since 2014: 10

Total number of customers affected by breaches since 2014: 32,547

Details

Directions issued in 2014 to HSBC. Some HSBC staff informed a number of SMEs that there was a requirement to open a BCA in order to obtain a loan. These Directions have been revoked and replaced by the Directions issued in 2022 to HSBC.

Directions issued in 2014 to First Trust. 6 SMEs affected.

Directions issued in to 2019 to Barclays. 816 SMEs affected.

Public letter to AIB NI published in 2020. Failure to comply with Directions.

Public letter to Lloyds published in 2020. 30,000 SMEs affected.

Public letter to Clydesdale published in 2021. 55 SMEs affected.

Public letter to Danske published in 2021. 305 SMEs affected.

Public letter to Danske published in November 2021 on a second breach. 205 SMEs affected

Directions issued in 2022 to HSBC. 204 SMEs affected.

Directions issued in 2022 to NatWest. 956 SMEs affected