Corporate report

Register of breaches (2024 onwards)

Updated 24 July 2025

Greene King/Spirit undertakings

Greene King plc

Greene King plc (Greene King) breached the Greene King/Spirit undertakings. Reacquisition occurred in 2022 and was identified and notified following CMA periodic pro-active remedy monitoring in 2024. Greene King notified the CMA on November 2024.

Summary of breach

The lease of a single divestment site was inadvertently reacquired as part of a subsequent acquisition of a different hospitality business, without the CMA’s prior written consent, during the 10-year continued separation period.

Actions taken by Greene King

Greene King has re-reviewed all acquisitions and taken steps to strengthen its internal property controls, to ensure other sites are not inadvertently reacquired during the remaining continued separation period without the CMA’s prior written consent.

Action taken by the CMA

The CMA sent a private letter to Greene King.

Groceries Market Investigation (Controlled Land) Order 2010

Co-operative Group Limited

Co-operative Group Limited breached the Groceries Market Investigation (Controlled Land) Order 2010 (the Groceries Order). The earliest breach began on 22 September 2010. 3 of the breaches are still in the process of being resolved.

Co-operative Group Limited notified the CMA on:

• 11 February 2022
• 14 July 2023
• 13 May 2024

Summary of breach

107 breaches of the Groceries Order concerning land agreements in these locations.

Actions taken by Co-operative Group Limited

Co-operative Group Limited is:

• taking action to bring its ongoing breaches to an end by amending the relevant agreements

• amending its processes and procedures to ensure that it is compliant with the Groceries Order and to prevent a recurrence of the breaches which have been identified

So far it has:

• implemented annual training of its staff in relation to the requirements of the Groceries Order
• produced revised guidance for its surveyors
• revised precedent documentation to ensure future compliance with the Groceries Order
• improved relevant internal and external processes, including the implementation of additional compliance controls
• agreed enhanced processes with external advisers regarding the completion of relevant transactions and the training of staff

Action taken by the CMA

The CMA published a public letter to Co-op about land agreements restricting competition.

Payment Protection Insurance (PPI) Market Investigation Order 2011

Lloyds Banking Group

Lloyds Banking Group (Lloyds) breached the Payment Protection Insurance (PPI) Market Investigation Order 2011 (PPI Order) from 2013 to 2023. The CMA was notified on 30 October 2024.

Summary of breach

Lloyds failed to send an Annual Review Statement to 26 policyholders, as required by the PPI Order.

Actions taken by Lloyds

As this breach results from a unique set of circumstances it is unlikely to recur. In addition, Lloyds has put in place a range of improvements to prevent similar issues arising.

Action taken by the CMA

The CMA added this breach to its register of breaches.

Nationwide Building Society

Nationwide Building Society (Nationwide) breached the PPI Order 2011 between April 2012 to December 2023. The CMA was notified on 23 January 2024.

Summary of breach

131 customers holding mortgage PPI policies with Nationwide were given incorrect information in their annual review statements. The monthly payment shown only contained the mortgage element of cover. Any additional cover the customer held was not included in that figure.

Actions taken by Nationwide

Nationwide has:

• written to 13 former policyholders who may have taken a decision to end their PPI policy on the basis of the incorrect information

• unconnected to this incident, Nationwide had already begun exiting the PPI market when the issue was discovered

• the exit programme began in December 2021 with final closure completed in March 2024

Action taken by the CMA

The CMA published a public letter: CMA takes action against Nationwide for providing incorrect information to PPI customers.

Private Healthcare Market Investigation Order 2014

The Hospital of St John and St Elizabeth

The Hospital of St John and St Elizabeth breached the Private Healthcare Market Investigation Order 2014 (the Private Healthcare Order). The breach took place since at least 2018. The CMA was notified on 7 February 2024.

Summary of breach

The Hospital of St John and St Elizabeth breached Part 3 of the Private Healthcare Order. Part 3 states that private hospital operators have a duty not to provide referring clinicians incentives to refer patients to that hospital. The Hospital did not offer high value services, including office rental, consultation rooms and medical secretarial services, in a non-discriminatory way or at fair market value. These can reasonably be seen as an incentive for a referring clinician.

Actions taken by The Hospital of St John and St Elizabeth

The Hospital of St John and St Elizabeth has:

• restructured costing arrangements for outpatient consulting rooms in January 2023

• formalised the process for office rentals, with written licenses to occupy

• engaged with the consultants who use medical secretarial services

• undertaken additional work to ensure compliance with Part 4 of the Private Healthcare Order

Action taken by the CMA

The CMA published a public letter to The Hospital of St John and St Elizabeth.

Private Motor Insurance Market Investigation Order 2015

Direct Line Group Limited

Direct Line Group Limited (Direct Line) breached the Private Motor Insurance Market Investigation Order 2015 (the PMI Order) between June 2023 and 18 January 2024. The CMA was notified on 18 July 2024.

Summary of breach

Direct Line breached Part 2, Article 3.1 of the PMI Order by failing to provide at least 320 customers with the NCB protection information and NCB statement.

Actions taken by Direct Line Group Limited

Direct Line has:

• ended the breach and will refund all the payments taken from customers who had not wanted NCB protection. The value of the refunds is estimated to be around £20,000

• tested systems which handle customers’ data, which should prevent the addition of unwanted additions to policies

• carried out a check of the database which handles customers’ data for existing errors

Action taken by the CMA

The CMA published a public letter to Direct Line Group about a breach of the Private Motor Insurance Order.

EUI Limited and Admiral Insurance Company Limited (Admiral)

Admiral is required to comply with the PMI Order. It requires private motor insurers and brokers to provide an explanation of no claims bonus (NCB) protection, its benefits and its cost by providing customers with the NCB protection information and NCB statement in a clear and prominent manner at the time of making a NCB protection offer.

Admiral breached the PMI Order by failing to provide 1,491 customers with the NCB protection statement and the NCB protection information at the time of making an NCB protection offer between 4 November 2024 and 3 January 2025.

Actions taken by Admiral

Admiral is:

• offering refunds of their NCB protection payment to customers who were not provided with the correct information at the point they were offered NCB protection 

• introducing weekly management information reporting, to provide senior management with oversight of updates to scripts used to communicate with customers, and of peer reviews of those scripts 

• improving procedures around scripts used to talk to customers

Action taken by the CMA

The CMA sent a private letter to Admiral.

Markerstudy Group

Markerstudy Group (Markerstudy) is required to comply with the PMI Order. It requires private motor insurers and brokers to provide an explanation of NCB protection, its benefits and its cost by providing customers with the NCB protection information and NCB Statement in a clear and prominent manner at the time of making a NCB protection offer. 

Brands within the Markerstudy group (iGO4 and Lloyds Latchford) breached the PMI Order by either failing to provide the NCB protection statement and the NCB protection information, or by providing outdated information to around 35,000 customers between November 2022 to January 2025.

Actions taken by Markerstudy

Markerstudy is:

• contacting all current customers who purchased Darwin insurance policies from iGO4 to offer them the option to cancel the unused element of the NCB protection and a refund of the cost on a pro-rata basis

• contacting around 6,800 current Lloyd Latchford customers who have received outdated tables in the last 12 months to inform them of the error and provide them with the correct NCB protection information

• regularly reviewing policies used to comply with competition law

• introducing an annual online e-learning training module, periodic compliance reviews and new controls and procedures to ensure compliance with the PMI Order

• ensuring that the Markerstudy distribution compliance team is centrally responsible for overseeing compliance with the PMI Order

Action taken by the CMA

The CMA sent a private letter to Markerstudy.

Prima Subsidiary Ltd

Prima Subsidiary Ltd (Prima) breached the PMI Order between October 2022 and 16 February 2024. The CMA was notified on 29 January 2024.

Summary of breach

Prima breached Part 2, articles 3.1 and 3.3 of the PMI Order by: 

• understating the cost of NCB protection by around £30 on average for some customers

• failing to provide the required NCB protection Statement and NCB protection Information to some customers

• providing a non-compliant NCB protection statement and failing to provide the required NCB protection information to some customers

• providing some customers with policy documents that failed to include the required NCB protection information

Actions taken by Prima

Prima has:

• offered all affected customers a refund

• formalised both a second line of defence and a third line of defence regarding compliance with the PMI Order

• enhanced its existing training module

• improved its governance of compliance activities

• formalised the above into a compliance handbook

Action taken by the CMA

The CMA published a public letter to Prima Subsidiary Limited about a breach of the Private Motor Insurance Order.

Somerset Bridge Group Ltd

Somerset Bridge Group Ltd (SBGL) breached the PMI Order. The longest breach took place between December 2018 and November 2023. The CMA was notified on:

• 5 December 2023
• 1 November 2024

Summary of breach

SBGL breached Part 2, Article 3.1 and Article 3.3 of the PMI Order by:

• understating the cost of the NCB protection for some PMI products
• overstating the cost of the NCB protection for some PMI products
• failing to provide customers with the NCB protection statement and the NCB protection information in some circumstances

Actions taken by SBGL

SBGL is:

• contacting all customers that may have suffered financial loss to offer refunds
• improving its governance procedures
• bringing all new product pricing and distribution activities within one regulated legal entity
• implementing procedures to prevent technical failures in its systems
• undertaking live audits to check compliance
• providing training for relevant teams

Action taken by the CMA

The CMA published a public letter to Somerset Bridge Group about a breach of the Private Motor Insurance Order.

Retail Banking Market Investigation Order 2017

Barclays Bank UK plc

Barclays Bank UK plc (Barclays) breached the Retail Banking Market Investigation Order 2017 (the Retail Banking Order) from June to August 2023. The CMA was notified on 1 February 2024.

Summary of breach

Barclays failed to provide 1,648 payment transaction histories (PTH) to customers with a further 659 PTH sent, but after the 40-day deadline.

Actions taken by Barclays Bank UK plc

Barclays has:

• started to write to all former customers who should have received a PTH but did not, with an explanation of how to access one

• started carrying out a detailed end-to-end review of the processes and controls relating to delivering PTH

• started reviewing and updating the support and resources provided to colleagues

Action taken by the CMA

The CMA published a public letter to Barclays about breaching Part 5 of the Retail Banking Order.

Barclays Bank UK plc

Barclays is required to send PTH to any personal current account customer who closes their account (unless an exemption applies) by Part 5 of the Retail Banking Order. 

Barclays breached the Retail Banking Order in 4 ways, resulting in around 700,000 former account holders in total not receiving their PTH. The longest lasting of these failures was over 6 years in duration and is still ongoing.

Actions taken by Barclays

Barclays will:

• bring all the remaining breaches to an end by the end of Q3 2025

• provide an explanation of how to access a PTH to customers who should have received a PTH but did not from January 2024 onwards 

• carry out a full review of all parts of the Retail Banking Order and has already appointed an external body to independently validate its plans and identify any potential process or control gaps

• implement a robust control mapping exercise

• introduce a full education workstream to deliver a mandatory, and audited training programme for all staff impacted by the requirements by Q1 2026

• require its internal audit to provide assurance work to validate the effectiveness of the governance, risk management and control that has been applied to processes relating to compliance with the Retail Banking Order

Action taken by the CMA

The CMA published a letter to Barclays about breaching Part 5 of the Retail Banking Order.

HSBC UK Bank plc

HSBC UK Bank plc (HSBC) breached the Retail Banking Order from 27 October 2023 to 28 February 2024. The CMA was notified on 21 February 2024.

Summary of breach

HSBC breached Part 7 of the Retain Banking Order by displaying an incorrect value for its monthly maximum charge (MMC) on some of its multi-function devices (MFD).

Actions taken by HSBC

HSBC has:

• ensured that all MFD and automated teller machines (ATM) now display the correct MMC value

• improved its user acceptance testing

• captured learnings from this breach and shared them across the organisation

Action taken by the CMA

The CMA published a public letter to HSBC.

HSBC UK Bank plc

HSBC breached the Retail Banking Order:

• between 4 September 2024 and 23 October 2024 (breached Part 2)
• between 14 March 2020 and 28 June 2024 (breached Part 7)
• between 8 September 2023 and 24 May 2024 (breached Part 8)

The CMA was notified on:

• 4 November 2024 for the breach of Part 2
• 5 July 2024 for the breach of Part 7
• 6 June 2024 for the breach of Part 8

Summary of breach

HSBC breached:

• Part 2 of the Retail Banking Order by failing to disclose through Read-Only application programming interfaces (APIs) the location of 110 replacement ATM which were not listed at 31 locations

• Part 7 by failing to remove 10 online PDF documents which contained an out-of-date MMC

• Part 8 by failing to remove 1 online PDF document that included an out-of-date representative annual percentage rate (APR) for small business loans

Actions taken by HSBC

HSBC has offered to ensure that the Initial Assurance Engagement to be carried out under these Directions will examine the control enhancements that HSBC is implementing to address these breaches of Part 2 and Part 8 and include this in its Report to the CMA. HSBC has also proposed improvements to its procedures to prevent breaches of Part 7.

Action taken by the CMA

The CMA added this breach to its register of breaches.

Lloyds Banking Group plc

Lloyds Banking Group plc (Lloyds) breached the Retail Banking Order between 7 December 2023 to 12 January 2024. The CMA was notified on 24 January 2024.

Summary of breach

Lloyds breached Article 12 in Part 2 of the Retail Banking Order through failing to publish the location of 363 ATMs through Open Banking APIs.

Actions taken by Lloyds

Lloyds has:

• introduced an additional process step to manually add ATMs to the API data feed in the short term until a change to a new database was completed

• improved control descriptions to avoid misunderstandings. Implemented an additional ATM volume check

• completed a review of its change process to ensure any changes to its processes in future are properly risk assessed

Action taken by the CMA

The CMA published a public letter to Lloyds about breaching Part 2 of the Retail Banking Order.

Lloyds Banking Group

Lloyds is required to send PTH to any personal current account customer who closes their account (unless an exemption applies) by Part 5 of the Retail Banking Order.

Lloyds breached the Retail Banking Order by failing to provide around 360,000 former account holders with letters which explained how to access their PTH. This failure lasted from April 2018 to October 2024.

Actions taken by Lloyds

Lloyds has:

• written to customers who should have received a letter in the final 2 years of the breach, but did not, with a letter explaining how to access their PTH

• now included the information on accessing the PTH in the PCA closing statement

• made significant improvements to its general compliance regime over the last 5 years

• put procedures in place reconciling the number of account closure statements with actual account closures

• introduced a new approach to managing risk across its portfolio

Actions taken by the CMA

The CMA published a letter to Lloyds about breaching Part 5 of the Retail Banking Order.

Metro Bank plc

Metro Bank plc (Metro Bank) breached the Retail Banking Order between 16 February 2024 to 29 February 2024. The CMA was notified on 29 February 2024.

Summary of breach

Metro Bank failed to publish service quality indicators in 3 of its branches. This was due to a failure in the routers used to transmit information to its digital displays.

Actions taken by Metro Bank

Metro Bank has replaced affected routers and put in place provisions for paper posters in the event of future problems with its digital displays.

Action taken by the CMA

The CMA sent a private letter to Metro Bank.

Monzo Bank Limited

Monzo Bank Limited (Monzo) breached the Retail Banking Order. The longest beach lasted from August 2017 to April 2024. The CMA was notified on 1 February 2024.

Summary of breach

Monzo breached Parts 3, 7, 8 and 12 of the Retail Banking Order by failing to:

• publish correct Service Quality Indicator tables on its website

• publish the Monthly Maximum Charge on four occasions where it should have been published

• publish the Representative Rate for SME loans in its website in one location and on one financial promotions document

• notify the CMA of some of the breaches listed above within 14 days of becoming aware it was not compliant

Actions taken by Monzo

Monzo will:

• add to its existing compliance training; enhance its change management processes; improve controls of its Financial Promotions publications; implement an external software platform to map all regulatory obligations

• specifically for Part 3, has implemented a review checklist and a procedure guide

• specifically for Part 7, has confirmed that it will no longer levy unarranged overdraft charges

• specifically for Part 8, has introduced mock-ups of financial promotions for testing

• specifically for Part 12, updated its internal regulatory breach procedures

Action taken by the CMA

The CMA published a public letter to Monzo about breaching parts 3, 7, 8 and 12 of the Retail Banking Order.

Monzo Bank Limited

Monzo is required to publish representative APRs for unsecured loans and representative effective annual rates (EAR) for standard tariff unsecured business overdrafts to small and medium-sized enterprises (SMEs) by Part 8 of the Retail Banking Order. Part 8 of the Retail Banking Order further requires Providers to publish additional contextual information to explain the APRs and EARs.

Monzo breached the Retail Banking Order by publishing:

• on its website certain parts of the contextual information required under Part 8, such as the size and term of the loan associated with the APR and rate of interest, in a way which was illegible for SMEs
• incorrect information about the cost of a loan on the Monzo app and website - the same incorrect information was sent to SMEs through a marketing communication
• on its website and on the Monzo app the rate of interest instead of the APR for one of its lending products

The longest of these failures lasted a month, and at most around 30,000 SMEs saw the documents or webpages where the information was missing or incorrect across the 3 breaches.

Actions taken by Monzo

Monzo has:

• improved its controls and operating guidance for Representative Rate and contextual information updates
• introduced greater automation of contextual information and Representative Rate updates and reduced the number of fields where manual updates are required
• engaged an external partner to carry out a full review of its processes and controls involved in delivering compliance with the Retail Banking Order (Monzo has introduced improvements where necessary)

Action taken by the CMA

The CMA sent a private letter to Monzo.

NatWest Group plc

NatWest Group plc (NatWest) is required, by the Retail Banking Order, to: 

• set a monthly maximum charge (MMC) in relation to unarranged overdraft charges. Providers cannot charge customers more than the MMC in any given month. Providers must say what their MMC is each time they mention unarranged overdraft charges in product literature (Part 7)

• disclose the representative cost in EAR terms of their overdrafts and in APR terms for their loans in the way set out in the Retail Banking Order (Part 8)

• offer a price and eligibility tool which will enable SMEs to obtain an indicative price quote and indication of their eligibility for unsecured loans and standard tariff unsecured business overdrafts (Part 9)

NatWest breached the Retail Banking Order by failing to: 

• Part 7: either provide the MMC, or to provide the correct MMC to around 104,800 customers in 3 separate breaches. The longest breach lasted from 16 June 2023 to 2 April 2024 

• Part 8: include the Representative EAR in letters to 66,765 SME customers which included an offer to renew an overdraft between May 2021 and February 2024 

• Part 9: continuously offer the price and eligibility tool defined in the Retail Banking Order on 4 occasions. The longest breach was between at least 1 May 2023 until 5 July 2024 and affected around 200 SMEs per month

Actions taken by NatWest

NatWest is carrying out a range of initiatives to prevent further breaches.

Part 7

NatWest is: 

• correcting letter templates
• improving compliance controls and procedures
• reminding staff of their responsibilities under the Retail Banking Order

Parts 8 and 9

NatWest is:

• carrying out an internal review of its processes and procedures for compliance with these parts of the Retail Banking Order
• introducing annual reminders to staff who work on compliance with parts 8 and 9 of the Retail Banking Order
• extending training which is currently focused on staff working on compliance with Part 8 to staff who work on Part 9 of the Retail Banking Order

Action taken by the CMA

The CMA published a public letter to NatWest about breaching Parts 7, 8 and 9 of the Retail Banking Order.

Santander UK plc

Santander UK plc (Santander) breached the Retail Banking Order. The duration of the breach has been up to 7 years. The CMA was notified on 1 March 2024.

Summary of breach

Santander failed to:

• keep information published under Article 12 up to date

• publish some information under Article 12 at all, as required under Part 2 of the Retail Banking Order

Actions taken by Santander

Santander has:

• simplified the way it presents information through Open Banking

• introduce enhancements to its processes and controls to prevent a recurrence

Action taken by the CMA

The CMA published a public letter to Santander about breaching Part 2 of the Retail Banking Order.

Starling Bank

Starling Bank (Starling) is required to comply with Part 3 of the Retail Banking Order. This provides the service quality indicator (SQI) remedy. The purpose of the SQI remedy is to provide consumers and SMEs with the results of surveys on banks’ quality of service. This helps consumers and SMEs to decide which banks they would like to bank with. Specifically, Article 16 requires banks to provide details of customers to a market research company, who will undertake the surveys.

Article 45 of the Retail Banking Order requires Starling to provide the number of personal current account (PCA) and business current account customers it has to the CMA. This in turn allows the cost of the SQI surveys referred to above to be split fairly between the banks.

Starling breached Article 16 within Part 3 of the Retail Banking Order by excluding around 17% of Starling’s PCA customers from the data provided to the market research company in both December 2023 and June 2024.

Starling breached Article 45 of the Retail Banking Order between 2020 and 2023 by over-reporting the number of accounts held by its customers, as part of its annual report to the CMA.

Actions taken by Starling Bank

Starling has:

• reviewed its existing processes and controls relating to all Retail Banking Order requirements

• started to provide further training and guidance on the Retail Banking Order

• required its second-line compliance monitoring team to review compliance with various aspects of the Retail Banking Order in Q4 2024

• enhanced reviews of the SQI webpages by introducing an additional check for any changes containing content relating to the survey results

• started to carry out periodic checks between survey publication dates to ensure all information is up to date and accurate

• reviewed all existing processes and controls relating to all data submissions relating to Part 3 of the Retail Banking Order

• reviewed the requirements of Article 45 for other potential non-compliance 

• enhanced its procedures around reporting under Article 45

Action taken by the CMA

The CMA published Directions to Starling Bank about breaches of the Retail Banking Order .

Starling Bank

Starling breached the Retail Banking Order. Surveys published between August 2021 and February 2025 were affected. The CMA was notified on 26 June 2024.

Summary of breach

Starling breached Part 3 of the Retail Banking Order by failing to provide the market research company which carries out Service Quality Information surveys with data on holders of the Starling Sole Trader Account.

Actions taken by Starling

Starling has:

• revised its template submission to the market research company that carries out the surveys to include sole traders

• reviewed the data requirements for the surveys more widely to ensure there are no further omissions

• improved its processes and controls relating to all requirements of the Retail Banking Order

• provided further training and guidance on all relevant parts of the Retail Banking Order

• paid for a survey ‘boost’ which will involve additional Starling Sole Trader Account customers being surveyed in advance of the next publication of the survey results in February 2025

Action taken by the CMA

The CMA published a public letter to Starling Bank about breaching Part 3 of the Retail Banking Order.

Tide Platform Limited

Tide Platform Limited (Tide) is required to send PTH to any business current account customer who closes their account (unless an exemption applies) by Part 5 of the Retail Banking Order.

Tide breached the Retail Banking Order by failing to provide around 9,300 former account holders with their PTH. This failure lasted from January 2022 to December 2024.

Actions taken by Tide

Tide has:

• contacted each SME business that should have received a PTH but did not in the period June 2023 to December 2024
• made adjustments to ensure that PTHs are sent to all account holders who close their accounts, without any exclusions
• introduced quality assurance checks on the automated solution it implemented to deliver PTH to customers
• reassessed the requirements of the Retail Banking Order, mapping the regulatory requirements to the current controls in place to manage relevant risks, and undertaken a comprehensive review of existing controls to ensure they are effective and proportionate
• established automated checks and evidence-gathering mechanisms for quarterly testing
• reported the results of the testing as management information within Tide’s relevant governance forums

Action taken by the CMA

The CMA sent a private letter to Tide.