By 
The U.K.’s Competition and Markets Authority (CMA) has uncovered that HSBC breached a regulatory order mandating banks to provide payment transaction histories to certain customers. As part of the Retail Banking Market Investigation Order 2017, banks are required to send these histories to any business current account (BCA) customer with a turnover below £6.5 million (approximately $8.4 million) when they close their BCA.
In a letter notifying HSBC of its findings, the CMA stated that HSBC failed to send around 12,200 payment transaction histories to former BCA holders between February 2018 and November 2022. The failure was attributed to weaknesses in HSBC’s control environment and individual human errors among its staff. The bank’s control weaknesses also made it difficult for HSBC to ascertain the exact number of payment transaction histories it failed to deliver.
HSBC has since taken corrective measures to address the breaches and prevent future occurrences. The bank reported the breaches to the CMA on December 16, 2022, after becoming aware of them on December 1, 2022. The CMA reminded HSBC that regulatory noncompliance must be reported to the authority within 14 days of discovery.
Part 5 of the Order was introduced to facilitate easier switching of BCAs for small and medium-sized businesses (SMBs). Previously, SMBs were concerned about losing access to their banking history, which is often needed when seeking credit from lenders.
To rectify the situation, HSBC is reviewing its controls and procedures, providing reminders and additional coaching to staff, and implementing an enhanced assurance process.
As a result of the actions taken by HSBC, the CMA has decided not to pursue further formal enforcement action at this time. However, the CMA stated that it will consider such action if any further breaches occur.
This incident comes on the heels of another finding six months ago, where the CMA discovered that HSBC had breached another part of the Retail Banking Market Investigation Order 2017 by failing to publish required information or providing inaccurate data.
Comments