Corporate report

SME Banking Behavioural Undertakings 2002 annual report on compliance, July 2023 to June 2024

Published 3 June 2025

Introduction

The obligations are contained in the SME Banking Undertakings 2002 (the Undertakings) and the 2014 Agreement.

There is a separate document which provides the background to the Undertakings and obligations on banks. There is a separate document which includes a glossary of terms.

The banks subject to these obligations are:

  • AIB Group (UK) plc (known as AIB NI in this report, and previously known as First Trust)
  • Bank of Ireland, in respect of its SME business and branches in Northern Ireland (Bank of Ireland)
  • Barclays Bank plc and Barclays Bank UK plc (together, Barclays)
  • Clydesdale Bank plc바카라 사이트™s SME Business and Branches in Scotland branded as Virgin Money (Clydesdale)
  • HSBC UK Bank plc (HBUK). HSBC바카라 사이트™s non-ringfenced bank HSBC Bank plc (HBEU) remains subject to the Undertakings but was released from the 2014 Agreement during 2023
  • Certain group companies of Lloyds Banking Group plc, formed from the merger of HBOS plc and Lloyds TSB Bank plc (Lloyds)
  • Northern Bank Limited (Danske)
  • NatWest Group plc (NatWest) (formerly the Royal Bank of Scotland Group plc (RBS)) which includes Ulster Bank Limited (Ulster Bank) in Northern Ireland.

This report sets out the CMA바카라 사이트™s findings from its analysis of the audit reports prepared by the banks on their compliance with the Undertakings for the period from 1 July 2023 to 30 June 2024 (the reporting period).

The report outlines the breaches for the reporting period and examples of best practice.

A list of enforcement action taken by the CMA to date under these obligations is set out in the appendix.

Guidance

The CMA is available to provide guidance in relation to matters regarding compliance for these and other Undertakings and Orders affecting retail banks. The CMA encourages banks to contact the CMA as soon as any breaches or potential issues arise, even where the full details have not become clear. This is to enable the CMA to understand the breaches and consider appropriate action with the organisation concerned. There are further details in the CMA바카라 사이트™s published guidance Merger and market remedies: Guidance on reporting, investigation and enforcement of potential breaches and Administrative Penalties: Statement of Policy on the CMA바카라 사이트™s Approach. [footnote 1]

For queries relating to the SME Banking Undertakings and compliance reporting, contact the CMA바카라 사이트™s Remedies Monitoring and Enforcement Team: remediesmonitoringteam@cma.gov.uk

Breaches for the reporting period

NatWest has identified 24 breaches during the reporting period, the majority of which relate to the government loan schemes put in place during the Covid 19 pandemic. NatWest considers that these breaches occurred due to the unusual circumstances in which these loans, which were Bounce Back Loans (BBLs) and Coronavirus Business Interruption Loans (CBILs), were offered to customers.바카라 사이트¯ To address these breaches, NatWest is engaging with staff to re-iterate the key message not to reject requests for SMEs to switch BCA where that customer also holds a BBL/CBIL.  Due to the small number of breaches identified by NatWest, the CMA does not intend to take public enforcement action.

The performance of banks against best practice

We set out below best practice in ensuring compliance with the Undertakings; to enable the banks to identify where they could strengthen their compliance.

Banks should have in place policies, practices and procedures to monitor their compliance with the Undertakings

Purpose

  • to ensure that any compliance issues are identified and dealt with promptly

Banks바카라 사이트™ response

  • all banks confirmed they have such policies, practices and procedures in place. Barclays stated that the control framework it had in place to monitor compliance with the Undertakings did not extend fully to two in-scope products which were sold through its Private Bank and Wealth Management business

Best practice

  • controls should be checked to ensure that they extend to all in-scope products

Banks should have in place policies, practices and procedures to ensure their internal communications support compliance with the Undertakings

Purpose

  • to ensure staff are informed of their responsibilities under the Undertakings

Banks바카라 사이트™ response

  • all banks confirmed they have such policies, practices and procedures in place

  • Clydesdale does not consider that second line compliance assurance is necessary, bearing in mind the extent of its first line assurance and the audit carried out by its internal audit function. NatWest reported that around 7% of their Relevant Staff did not receive an annual reminder

Best practice

  • the CMA considers that second line assurance provides an important cross-check of compliance separate to that of first line assurance, providing a degree of independent analysis. Annual reminders to staff are important as they can prevent breaches of legal requirements

Banks should provide training to staff on how to comply with the Undertakings and assess their understanding

Purpose

  • to ensure all staff are trained on their legal obligations, even if SMEs are not their main customers, or if they are new to the role

Banks바카라 사이트™ response

  • all banks confirm that training programmes were in place and were rolled out to relevant staff

Best practice

  • Clydesdale carries out training on compliance with the Undertakings on a six-monthly rather than annual basis. We encourage banks to think about the frequency and timeliness of training (for example including training in induction processes for new staff) to prevent breaches before they happen

Banks should review their lending appeals processes

Purpose

  • reviewing lending appeals processes allows banks to check if potential customers have been refused loans or savings accounts because they were not offered a BCA

Banks바카라 사이트™ response

  • all banks except Clydesdale carried out a review of their lending appeals process. Clydesdale explained that it did not deem this necessary due to the level of colleague awareness in relation to product bundling and because there were no incidences of non-compliance identified this year

Best practice

  • the CMA considers that regular reviews of the lending appeals process provide an additional route to finding any instances of bundling which may have occurred

Banks should review their own internal complaints

Purpose

  • reviewing internal complaints is important as staff with concerns about practices which may lead to non-compliance can share them, leading to non-compliance being identified and stopped

Banks바카라 사이트™ response

  • all banks confirmed that internal complaints are reviewed

Banks should have an individual complaint code for the bundling of products

Purpose

  • having an individual compliant code for the bundling of products is important as it allows complaints about this specific problem to be easily identified

Banks바카라 사이트™ response

  • all banks have an individual complaint code for bundling. Although Barclays Bank UK plc (which holds the majority of Barclays바카라 사이트™ BCAs) has an individual complaints code for bundling, Barclays바카라 사이트™ Private Bank and Wealth Management business does not. Barclays has explained that this is due to the low numbers of in-scope BCAs

Best practice

  • the CMA recommends that individual complaint codes are in place for each business subject to the Undertakings, to permit fast identification of potential non-compliance

Enhanced measures used by banks

AIB NI and HSBC carry out mystery shopping exercises to test their own compliance with the Undertakings. This typically involves calling the banks바카라 사이트™ call centre as a potential SME customer and analysing the results of the call against the prohibition on bundling or threatening to bundle BCAs with loans and savings accounts.

The CMA considers that mystery shopping exercises are particularly valuable as they provide the closest test to SMEs actually taking out a loan or savings account. We encourage banks to introduce and maintain measures such as mystery shopping exercises to ensure their systems and procedures are appropriate to prevent breaches occurring.

Appendix

Enforcement action taken by the CMA under the Undertakings to date

Total number of public enforcement actions taken by the CMA since 2014:

  • 10

Total number of customers affected by breaches since 2014:

  • 32,571

Directions issued in 2014 to HSBC A number of SMEs affected. These Directions have been revoked and replaced by the Directions issued in 2022 to HSBC

Directions issued in 2014 to First Trust 6 SMEs affected

Directions issued in to 2019 to Barclays 816 SMEs affected

Public letter to AIB NI published in 2020 Failure to comply with Directions

Public letter to Lloyds published in 2020 30,000 SMEs affected

Public letter to Clydesdale published in 2021 55 SMEs affected

Public letter to Danske published in 2021 305 SMEs affected

Public letter to Danske published in November 2021 on a second breach 205 SMEs affected

Directions issued in 2022 to HSBC. 204 SMEs affected

Directions issued in 2022 to NatWest. 956 SMEs affected

  1. Note that the new administrative powers under the Digital Markets, Competition and Consumers Act 2024, mentioned in this guidance are not applicable to orders/undertakings put in place before 1 January 2025 (including the SME Banking Undertakings). ↩