CMA orders RBS and Santander to fix PPI breaches

Stack of pound coins.

The Competition and Markets Authority (CMA) has issued the Royal Bank of Scotland (RBS) and Santander with directions requiring them to appoint an independent body to audit their payment protection insurance (PPI) processes. They must also put in place procedures to ensure that similar incidents do not happen again.

In addition, RBS has now written to those affected, providing a reminder of their right to cancel their policy and has so far paid out over £1.5m in refunds to customers.

Following an investigation into PPI by the Competition Commission in 2011, a legally-binding Order was put in place, which requires – among other things – that customers receive an annual reminder from their PPI provider that clearly sets out how much they’ve paid for their policy, the type of cover they have, and reminds them of their right to cancel.

RBS failed to provide reminders to almost 11,000 of its customers for up to 6 years, meaning those affected were unable to fully assess whether they wanted to continue paying for PPI, and were stopped from shopping around effectively. Moreover, many customers may not have even been aware they still had PPI.

Santander breached the Order by sending out annual reminders containing incorrect information to over 3,400 of its mortgage PPI customers from 2012-2017. It must now appoint an independent body to review its PPI processes and continue to maintain its systems to prevent further breaches. The results of the audits will be fed back to the CMA.

This is not the first time RBS and Santander have breached the Order, with both banks being warned by the CMA to improve their PPI practices in 2016.

Adam Land, the CMA’s Senior Director of Remedies, Business and Financial Analysis, said:

It is unacceptable that some banks aren’t providing PPI reminders – or are sending inaccurate ones – 8 years after our Order came into force. The legally binding directions we’ve issued today will make sure that both RBS and Santander now play by the rules.

These are serious issues that, in the future, may result in fines if the Government gives us the powers we’ve asked for.

For now, we expect RBS to repay all affected customers quickly, and for both RBS and Santander to make sure that similar breaches do not happen again.


  1. The CMA is the UK’s primary competition and consumer authority. It is an independent non-ministerial government department with responsibility for carrying out investigations into mergers, markets and the regulated industries and enforcing competition and consumer law.
  2. RBS and Santander are in breach of the Payment Protection Insurance Market Investigation Order 2011 (the PPI Order). One of the requirements of the order is that all PPI customers would receive an annual reminder from their provider setting out information including how much they had paid into their policy and the underlying credit product.
  3. Directions are a formal enforcement instrument, which can be used to ensure that an Enterprise Act 2002 remedy imposed by the CMA, in this case the PPI Order, is complied with fully.
  4. RBS notified the CMA of the breach in 20 April 2018, and Santander notified of their breach in 15 October 2018.
  5. The CMA previously wrote to Santander in 2016 and sent a further private letter in 2017, and wrote privately to RBS in 2016. All related to breaches of the Order.
  6. In 2018, the CMA issued Directions under the PPI Order to Barclays and Lloyds.
  7. The CMA does not currently have the power to impose financial penalties for breaches of this kind. The CMA has called for such powers in order to increase incentives for businesses to comply with market and merger remedies and to rectify any breaches quickly. The Government is set to consult on whether the CMA will be given such powers.
  8. For CMA updates, follow us on Twitter, Facebook and LinkedIn.

/Public Release. View in full here.