Corporate report

Register of breaches (2024)

Updated 7 April 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/breaches-of-the-cmas-markets-and-mergers-remedies/register-of-breaches-2024

Greene King/Spirit undertakings

Greene King plc

Greene King plc (Greene King) breached Greene King/Spirit undertakings. Reacquisition occurred in 2022 and was identified and notified following CMA periodic pro-active remedy monitoring in 2024. Greene King notified the CMA on November 2024.

Summary of breach

The lease of a single divestment site was inadvertently reacquired as part of a subsequent acquisition of a different hospitality business, without the CMA’s prior written consent, during the 10-year continued separation period.

Actions taken by Greene King

Greene King has re-reviewed all acquisitions and taken steps to strengthen its internal property controls, to ensure other sites are not inadvertently reacquired during the remaining continued separation period without the CMA’s prior written consent.

Action taken by the CMA

The CMA sent a private letter to Greene King.

Groceries Market Investigation (Controlled Land) Order 2010

Co-operative Group Limited

Co-operative Group Limited breached the Groceries Market Investigation (Controlled Land) Order 2010. The earliest breach began on 22 September 2010. 3 of the breaches are still in the process of being resolved.

Co-operative Group Limited notified the CMA on:  

  • 11 February 2022
  • 14 July 2023
  • 13 May 2024

Summary of breach

107 breaches of the Order concerning land agreements in these locations.

Actions taken by Co-operative Group Limited

Co-operative Group Limited is:

  • taking action to bring its ongoing breaches to an end by amending the relevant agreements

  • amending its processes and procedures to ensure that it is compliant with the Order and to prevent a recurrence of the breaches which have been identified

So far it has:

  • implemented annual training of its staff in relation to the requirements of the Order
  • produced revised guidance for its surveyors
  • revised precedent documentation to ensure future compliance with the Order
  • improved relevant internal and external processes, including the implementation of additional compliance controls
  • agreed enhanced processes with external advisers regarding the completion of relevant transactions and the training of staff

Action taken by the CMA

The CMA published a public letter to Co-op about land agreements restricting competition.

The Private Motor Insurance (PMI) Market Investigation Order 2015

Direct Line Group Limited

Direct Line Group Limited (Direct Line) breached the Private Motor Insurance (PMI) Market Investigation Order 2015 between June 2023 and 18 January 2024. The CMA was notified on 18 July 2024.

Summary of breach

Direct Line breached Part 2, Article 3.1 of the Order by failing to provide at least 320 customers with the NCB Protection Information and NCB Statement.

Actions taken by Direct Line Group Limited

Direct Line has:

  • ended the breach and will refund all the payments taken from customers who had not wanted NCB Protection. The value of the refunds is estimated to be around £20,000

  • tested systems which handle customers’ data, which should prevent the addition of unwanted additions to policies

  • carried out a check of the database which handles customers’ data for existing errors

Action taken by the CMA

The CMA published a public letter to Direct Line Group about a breach of the Private Motor Insurance Order.

Prima Subsidiary Ltd

Prima Subsidiary Ltd (Prima) breached the The Private Motor Insurance (PMI) Market Investigation Order 2015 between October 2022 and 16 February 2024. The CMA was notified on 29 January 2024.

Summary of breach

Prima breached Part 2, articles 3.1 and 3.3 of the Order by: 

  • understating the cost of No Claims Bonus (NCB) Protection by around £30 on average for some customers

  • failing to provide the required NCB Protection Statement and NCB Protection Information to some customers

  • providing a non-compliant NCB Protection Statement and failing to provide the required NCB Protection Information to some customers

  • providing some customers with policy documents that failed to include the required NCB Protection Information

Actions taken by Prima

Prima has:

  • offered all affected customers a refund

  • formalised both a second line of defence and a third line of defence regarding compliance with the Order

  • enhanced its existing training module

  • improved its governance of compliance activities

  • formalised the above into a Compliance Handbook

Action taken by the CMA

The CMA published a public letter to Prima Subsidiary Limited about a breach of the Private Motor Insurance Order.

Somerset Bridge Group Ltd

Somerset Bridge Group Ltd (SBGL) breached The Private Motor Insurance (PMI) Market Investigation Order 2015. The longest breach took place between December 2018 and November 2023. The CMA was notified on:

  • 5 December 2023
  • 1 November 2024

Summary of breach

SBGL breached Part 2, Article 3.1 and Article 3.3 of the Order by:

  • understating the cost of the NCB Protection for some PMI products
  • overstating the cost of the NCB Protection for some PMI products
  • failing to provide customers with the NCB Protection Statement and the NCB Protection Information in some circumstances

Actions taken by SBGL

SBGL is:

  • contacting all customers that may have suffered financial loss to offer refunds
  • improving its governance procedures
  • bringing all new product pricing and distribution activities within one regulated legal entity
  • implementing procedures to prevent technical failures in its systems
  • undertaking live audits to check compliance
  • providing training for relevant teams

Action taken by the CMA

The CMA published a public letter to Somerset Bridge Group about a breach of the Private Motor Insurance Order.

Payment Protection Insurance (PPI) Market Investigation Order 2011

Lloyds Banking Group

Lloyds Banking Group (LBG) breached Payment Protection Insurance (PPI) Market Investigation Order 2011 from 2013 to 2023. The CMA was notified on 30 October 2024.

Summary of breach

LBG failed to send an Annual Review Statement to 26 policyholders, as required by the Order.

Actions taken by LBG

As this breach results from a unique set of circumstances it is unlikely to recur. In addition, LBG has put in place a range of improvements to prevent similar issues arising.

Action taken by the CMA

Added to register of breaches.

Retail Banking Market Investigation Order 2017

Barclays Bank UK plc

Barclays Bank UK plc (Barclays) breached the Retail Banking Market Investigation Order 2017 from June to August 2023. The CMA was notified on 1 February 2024.

Summary of breach

Barclays failed to provide 1,648 Payment Transaction Histories to customers with a further 659 Payment Transaction Histories sent, but after the 40-day deadline.

Actions taken by Barclays Bank UK plc

Barclays has:

  • started to write to all former customers who should have received a Payment Transaction History but did not, with an explanation of how to access one

  • started carrying out a detailed end-to-end review of the processes and controls relating to delivering Payment Transaction Histories.

  • started reviewing and updating the support and resources provided to colleagues

Action taken by the CMA

The CMA published a public letter to Barclays about breaching Part 5 of the Retail Banking Order.

HSBC UK Bank plc

HSBC UK Bank plc (HSBC) breached the Retail Banking Market Investigation Order 2017 from 27 October 2023 to 28 February 2024. The CMA was notified on 21 February 2024.

Summary of breach

HSBC breached Part 7 of the Order by displaying an incorrect value for its Monthly Maximum Charge (MMC) on some of its multi-function devices (MFDs).

Actions taken by HSBC

HSBC has:

  • ensured that all MFDs and ATMs now display the correct MMC value

  • improved its User Acceptance Testing

  • captured learnings from this breach and shared them across the organisation

Action taken by the CMA

The CMA published a public letter to HSBC.

HSBC UK Bank plc

HSBC UK Bank plc (HSBC) breached the Retail Banking Market Investigation Order 2017:

  • between 4 September 2024 and 23 October 2024 they breached Part 2 of the Order.
  • between 14 March 2020 and 28 June 2024, they breached Part 7 of the Order
  • between 8 September 2023 and 24 May 2024, they breached Part 8 of the Order

The CMA was notified on:

  • 4 November 2024 for the breach of Part 2
  • 5 July 2024 for the breach of Part 7
  • 6 June 2024 for the breach of Part 8

Summary of breach

HSBC breached:

  • Part 2 of the Order by failing to disclose through Read-Only application programming interfaces (APIs) the location of 110 replacement Automated Teller Machines (ATMs) which were not listed at 31 locations

  • Part 7 of the Order by failing to remove ten web-based PDF documents which contained an out-of-date Monthly Maximum Charge

  • Part 8 of the Order by failing to remove one web-based PDF document that included an out-of-date representative annual percentage rate (APR) for small business loans

Actions taken by HSBC

HSBC has offered to ensure that the Initial Assurance Engagement to be carried out under these Directions will examine the control enhancements that HSBC is implementing to address these breaches of Part 2 and Part 8 and include this in its Report to the CMA. HSBC has also proposed improvements to its procedures to prevent breaches of Part 7.

Action taken by the CMA

Added to register of breaches.

Lloyds Banking Group plc

Lloyds Banking Group plc (Lloyds) breached the Retail Banking Market Investigation Order 2017 between 7 December 2023 to 12 January 2024. The CMA was notified on 24 January 2024.

Summary of breach

Lloyds breached Article 12 in Part 2 of the Order through failing to publish the location of 363 ATMs through Open Banking APIs.

Actions taken by Lloyds

Lloyds has:

  • introduced an additional process step to manually add ATMs to the API data feed in the short term until a change to a new database was completed

  • improved control descriptions to avoid misunderstandings. Implemented an additional ATM volume check

  • completed a review of its change process to ensure any changes to its processes in future are properly risk assessed

Action taken by the CMA

The CMA published a public letter to Lloyds about breaching Part 2 of the Retail Banking Order.

Metro Bank plc

Metro Bank plc (Metro Bank) breached the Retail Banking Market Investigation Order 2017 between 16 February 2024 to 29 February 2024. The CMA was notified on 29 February 2024.

Summary of breach

Metro Bank failed to publish service quality Indicators in 3 of its branches. This was due to a failure in the routers used to transmit information to its digital displays.

Actions taken by Metro Bank

Metro Bank has replaced affected routers and put in place provisions for paper posters in the event of future problems with its digital displays.

Action taken by the CMA

The CMA sent a private letter to Metro Bank.

Monzo Bank Limited

Monzo Bank Limited (Monzo) breached the Retail Banking Market Investigation Order 2017. The longest beach lasted from August 2017 to April 2024. The CMA was notified on 1 February 2024.

Summary of breach

Monzo breached Parts 3, 7, 8 and 12 of the Order by failing to:

  • publish correct Service Quality Indicator tables on its website

  • publish the Monthly Maximum Charge on four occasions where it should have been published

  • publish the Representative Rate for SME loans in its website in one location and on one financial promotions document

  • notify the CMA of some of the breaches listed above within 14 days of becoming aware it was not compliant

Actions taken by Monzo

Monzo will:

  • add to its existing compliance training; enhance its change management processes; improve controls of its Financial Promotions publications; implement an external software platform to map all regulatory obligations

  • specifically for Part 3, has implemented a review checklist and a procedure guide

  • specifically for Part 7, has confirmed that it will no longer levy unarranged overdraft charges

  • specifically for Part 8, has introduced mock-ups of financial promotions for testing

  • specifically for Part 12, updated its internal regulatory breach procedures

Action taken by the CMA

The CMA published a public letter to Monzo about breaching parts 3, 7, 8 and 12 of the Retail Banking Order.

Santander UK plc

Santander UK plc (Santander) breached the Retail Banking Market Investigation Order 2017. The duration of the breach has been up to 7 years. The CMA was notified on 1 March 2024.

Summary of breach

Santander failed to:

  • keep information published under Article 12 up to date

  • publish some information under Article 12 at all, as required under Part 2 of the Order

Actions taken by Santander

Santander has:

  • simplified the way it presents information through Open Banking

  • introduce enhancements to its processes and controls to prevent a recurrence

Action taken by the CMA

The CMA published a public letter to Santander about breaching Part 2 of the Retail Banking Order.

Starling Bank

Starling Bank (Starling) breached the Retail Banking Market Investigation Order 2017. Surveys published between August 2021 and February 2025 were affected. The CMA was notified on 26 June 2024.

Summary of breach

Starling breached Part 3 of the Order by failing to provide the market research company which carries out Service Quality Information surveys with data on holders of the Starling Sole Trader Account.

Actions taken by Starling

Starling has:

  • revised its template submission to the market research company that carries out the surveys to include sole traders

  • reviewed the data requirements for the surveys more widely to ensure there are no further omissions

  • improved its processes and controls relating to all requirements of the CMA’s Order

  • provided further training and guidance on all relevant parts of the Order

  • paid for a survey ‘boost’ which will involve additional Starling Sole Trader Account customers being surveyed in advance of the next publication of the survey results in February 2025

Action taken by the CMA

The CMA published a public letter to Starling Bank about breaching Part 3 of the Retail Banking Order.

Private Healthcare Market Investigation Order 2014

The Hospital of St John and St Elizabeth

The Hospital of St John and St Elizabeth breached the Private Healthcare Market Investigation Order 2014. The breach took place since at least 2018. The CMA was notified on 7 February 2024.

Summary of breach

The Hospital of St John and St Elizabeth breached Part 3 of the Order. Part 3 states that private hospital operators have a duty not to provide referring clinicians incentives to refer patients to that hospital. The Hospital did not offer high value services, including office rental, consultation rooms and medical secretarial services, in a non-discriminatory way or at fair market value. These can reasonably be seen as an incentive for a referring clinician.

Actions taken by The Hospital of St John and St Elizabeth

The Hospital of St John and St Elizabeth has:

  • restructured costing arrangements for outpatient consulting rooms in January 2023

  • formalised the process for office rentals, with written licenses to occupy

  • engaged with the consultants who use medical secretarial services

  • undertaken additional work to ensure compliance with Part 4 of the Order

Action taken by the CMA

The CMA published a public letter to The Hospital of St John and St Elizabeth.

PPI Market Investigation Order 2011

Nationwide Building Society

Nationwide Building Society (Nationwide) breached the PPI Market Investigation Order 2011 betweet April 2012 to December 2023. The CMA was notified on 23 January 2024.

Summary of breach

131 customers holding Mortgage PPI policies with Nationwide were given incorrect information in their Annual Review Statements. The monthly payment shown only contained the Mortgage element of cover. Any additional cover the customer held was not included in that figure.

Actions taken by Nationwide

Nationwide has:

  • written to 13 former policyholders who may have taken a decision to end their PPI policy on the basis of the incorrect information

  • unconnected to this incident, Nationwide had already begun exiting the PPI market when the issue was discovered

  • the exit programme began in December 2021 with final closure completed in March 2024

Action taken by the CMA

The CMA published a public letter: CMA takes action against Nationwide for providing incorrect information to PPI customers.

Back to top