Banks possess an extraordinary power over their business customers. They can deny a business access to its own funds, sitting in its account, thus preventing it from paying its bills, paying its taxes, and moving money to another account, including to an account provided by a competing bank.
This extraordinary power can be exercised at any moment, without notice, without any requirement to give reasons, and it can be sustained for an indefinite period of the bank’s own choosing. Moreover, to date at least, a bank can do these things without any ex post accountability for its actions.
When the power is exercised denial of access (DoA) to the relevant money transmission services can obviously cause great harm to the customer. We can see this from those occasions on which there have been denial of service attacks by cyber-criminals: they cause great distress, only tolerable because the durations of the periods over which attacks have been sustained have been short.
Banks themselves can, however, choose to cause such distress for much longer durations stretching into weeks and months, and it is a matter of recorded fact that that has happened. For an individual customer therefore, the economic harm caused by a bank’s denial of access to an account can be much greater than that caused by denial-of-service cyber attacks.
This capacity/power to cause harms to customers is frequently justified on the ground that its existence serves anti-fraud and anti-money laundering purposes. Therefore, so the argument goes, it provides a more general, albeit more diffuse, benefit to bank customers, which is at least as great as the harms caused.
There is, though, a country mile to travel before concluding that a practice that is known to cause egregious harms is justified because it may have some unquantified benefits. The benefits have to be substantiated and there is need to establish that less harmful means of achieving them are not feasible. There are trade-offs here that stand in need of examination in the specific contexts of relevance and, as yet, no regulatory authority (in which category the UK’s Competition and Markets Authority (CMA) is to be included) appears to have engaged in detail with them. For banks an abstract ‘justification’ is a convenient assertion: for regulatory authorities it is a challenge.
How can a regulatory authority meet the challenge?
A good starting point for considering the relevant issues is to observe that the power in question is a ‘policing power’: it is justified in terms of catching criminals and hindering criminality. That suggests using analogies drawn from the exercise of powers by the Police Force itself as opening footholds in an assessment process.
The obvious first point to note is that exercise of the Police Force’s powers is constrained by a range of checks and balances (see, for example, Police powers of arrest: your rights – GOV.UK (www.gov.uk). Those arrested/detained must be given a reason for the action, the period of detention ‘on suspicion’ is highly time-limited, and so on.
Such arrangements explicitly recognise that the powers create risks of potential harms to the public as well as benefits, and they implicitly take account of the old wisdom that all power corrupts, and that extraordinary power greatly strengthens the effect. The powers create risks of abuse – risks that are known to eventuate in practice on a recurring basis. (The ‘good cop/bad cop’ trope is a familiar one in the police procedurals we watch on screens and the media routinely report on ex post investigations of whether or not, in a particular instance, there has been some or other abuse of power.) The arrangements amount to a system of checks and balances (constraints) on what would otherwise be unconstrained actions.
No such checks and balances have, as yet, been established for the ‘detention’ of the liquid assets of businesses entailed by a bank’s denial of access to an account, notwithstanding the great harms that it can cause and the potential for abusive conduct that such power brings.
In what follows, I argue that a process of establishing the required constraints can be initiated by using existing laws (although I think that there is call for new legislation as well) and that the task of doing this falls to those regulatory authorities with responsibilities to enforce the UK’s Competition Act 1988.
The argument is consistent with a message given to banks by the Financial Conduct Authority (FCA) in 2016, at a time when the FCA was increasing the priority to be given to Anti Monetary Laundering (AML) activities: “We note that banks, like all firms, are subject to competition law, in particular the prohibitions on anticompetitive agreements and abuse of market power contained in the UK Competition Act 1998, and in the Treaty on the Functioning of the European Union. They should be mindful of these obligations when deciding to terminate existing relationships or decline new relationships.”
Developments over the last year or so provide the relevant regulators with a near perfect opportunity to get on top of the DoA problem. That is because, while casual empiricism suggests that most banks act have been acting responsibly in their use of DoA powers (i.e. not abusing them), at least one prime suspect for systematic ‘bad cop’ behaviour has come into view, namely HSBC UK Ltd. The conduct in question concerns both the nature of its ‘Safeguard’ programme, i.e. the nature of the chosen business policy itself, and the ways in which it has been implemented.
I therefore believe that now would be a very good time for one of the competent regulatory authorities to step up to the plate and establish some ‘rules of the game’ for what might, if unaddressed, become a ballooning problem with systemic economic effects: money transmission is a fundamental pillar of a commercial society, since access to a means of payment is indispensable for participation in commercial life. Denial of access is therefore a big deal.
The Competition Act 1998
Chapter II of the UK Competition Act 1998 (CA 1998) states that:
Subject to section 19, any conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market is prohibited if it may affect trade within the United Kingdom.
(Section 19 provides for the exclusion of some activities from the general prohibition.)
The prohibition raises two immediate questions:
What is meant by a dominant position in a market?
What distinguishes abusive commercial conduct from non-abusive (normal, acceptable) commercial conduct?
What is meant by dominance?
In European and UK law, dominance has come to be defined as a position of economic strength (‘market power’) that confers on a company/undertaking “the power to behave to an appreciable extent independently of its competitors, its customers and ultimately of its consumers.” Put in terms of perhaps more familiar language, a position of dominance is one in which there are only weak checks and balances (constraints) on the commercial conduct of a business in some or other economically important aspect of its activities.
There is a question of degree to be settled here since all businesses make their own decisions and, in that sense, act ‘independently’. In practice, therefore, the notion of dominance comes into play when the power in question is judged substantial in its capacity to cause economic harms, where ‘substantial’ is assessed relative to some ‘normally observable’ or normative benchmark
What is meant by abuse of dominance?
The holding of a position of substantial economic power is not prohibited per se: the purpose/intent of the legislation is, whenever and wherever such power exists, to prevent or hinder its use in ways that cause significant economic harms (‘abuse’).
In the law as it has developed in practice the primary domain/reach of the harms of concern in a particular case are the customers of a business under examination and, if the relevant customers are themselves businesses, the downstream, end customers of the relevant supply chain, i.e. ‘consumers’.
Chapter II can also be, and has been, applied to cases of harm to suppliers by the conduct of a business with substantial buying power and to cases of harms to competitive processes themselves.
In relation to ‘harm to competition’, business conduct can be judged abusive even if it does not cause immediate detriments to customers/consumers, if it can be expected to reduce the effectiveness of checks and balances (constraints) on harmful business conduct in the future. For example, predatory pricing might be good for a firm’s customers in the short run (lower prices), but, if it eliminates a significant rival, competitive pressures (a source of major checks and balances on power) may be weakened in the longer term.
Viewing its two, central concepts (dominance and abuse) together, Chapter II can be seen to be a policy implementation of a general, ages-old social norm or normative principle to the effect that ‘with great power comes great responsibility’, see With great power comes great responsibility – Wikipedia. The legislation serves to sustain and promote this ethical principle in everyday commercial conduct.
Recognition of this linkage to ethical standards in commercial life is to be found in the case law. Thus, when faced with what are sometimes barrages of technical economic and legal points, in dealing with dominance cases Courts have talked of the ‘special responsibilities’ of dominant companies and have tended to proportion those additional/special responsibilities to the degree of dominance (economic power) itself. From this perspective abuse (which causes harms) can be seen as a significant deviation from these standards, whether the deviation is intentional or not.
Denial of service (DoA) in business banking
As indicated at the outset, denying access to its bank account for anything more than a few hours or a day or two can inflict significant harm on a business, to the point of it being an existential threat to the bank’s customer, i.e. it could put the customer out of business. Yet, right now, it is possible to observe DoA for periods of two months and possibly more, including for accounts that are manifestly unproblematic.
The domain/reach of the potentially abusive conduct of interest is all UK business bank customers, since access to their bank deposit(s) can be denied to each and every one of them. They are all subject to the potential for unconstrained ‘police actions’. For CA 1998 purposes, this domain/reach is the most obvious first candidate ‘definition of the relevant market’.
In the business banking context, the harm caused by abusive use of DoA is not significantly mitigated by competition. Once access to an account has been denied, a disgruntled or distressed customer cannot switch the deposit to, say, a competing bank. This is, by and of itself, a manifestly anti-competitive effect.
Nor can it be said that the different practices in relation to DoA that are adopted by different banks can be expected to have a material impact on customers’ choices of banks. In all likelihood, the great majority of customers are not aware of the DoA policies/practices of individual banks and there is little sign that banks advertise their differing policies on DoA in order to win customers from competitors.
The bottom line is that, in the absence of effective enforcement of competition law, there are no effective checks and balances on abusive practices in respect of DoA. Inter-bank competition fails in this respect. There is no legislation that addresses the issue. There is no regulatory or supervisory framework that effectively constrains abusive practices. And to date there has been no enforcement of competition law by the relevant authorities. In a nutshell, use of the policing powers by banks has been inadequately supervised.
In respect of denial of access to money transmission services then, banks satisfy the criteria for dominance established in the Courts: each bank, or at a minimum each of the major banks, possess the power to behave to an appreciable extent independently of its competitors, its customers and ultimately of its consumers. HSBC’s ‘Safeguard’ programme demonstrates that. More generally in relation to DoA, the capacity to act independently and in a harmful way can be substantiated by a few, simple, observable facts.
It is an anomalous situation. The Police Force operates within a framework of checks and balances. There can be disputes about its effectiveness, but the framework is there.
Likewise, regulatory authorities exercise strong economic powers (including what can reasonably be called policing and monitoring powers), but they too are subject to supervisory frameworks. To open an investigation in the context of Chapter II enforcement the relevant regulator – whether the Payment Systems Regulator (PSR), the FCA or the CMA – must have reasonable grounds for suspicion that an infringement of Competition Act 1998 has occurred. There are established processes for conducting an investigation, including consultation. Decisions can be judicially reviewed. Some types of decisions can be reviewed ‘on their merits’.
None of these safeguards — found in other, comparable contexts — exist in respect of bank decisions concerning DoA.
So to the final point. As someone who has worked on a number of abuse of dominance cases and who, in a professional capacity, has been asked to provide answers to the enforcement Authorities’ first question – ‘are there reasonable grounds for suspicion that there has been an infringement of Chapter II?’ – I can say that if, asked that question in relation to DoA in UK business banking, the answer would be an unqualified yes.
I would though also be inclined also to add a footnote, in recognition of the fact that enforcement authorities inevitably face the task of determining priorities when allocating limited resources to particular challenges. The additional points would be reminders that:
- To open an investigation is to do no more than that: the resources that it might entail later depend on what is subsequently discovered and resource usage can be cut back or enhanced at any time in light of information obtained. A stone is lifted and what follows will be determined by what is found there. That may be less than what might be expected ex ante , it might be more.
- Abusive conduct thrives when blind eyes are turned, when stones are not lifted. Ending that state of affairs by and of itself inhibits the development of the unwanted organisational cultures, whatever the final outcome of a case taken on. ‘Rattling the cage’ can induce immediate behavioural changes and it can serve the more familiar ‘pour encourager les autres’ purpose of competition law.
- Bank customers who have been harmed would not obtain any direct compensation from the financial penalties that might be levied if infringements are found, but such a finding would open the door to the possibility of class actions on their behalf for compensation. It would therefore empower customers and that also is a relevant consideration for an authority or authorities to take into account.
- The first case in any new economic context tends to carry more than usual influence on what follows.
Annex: Examples of early-stage questions that might be asked by an investigating authority
What is the bank’s policy in relation to DoA?
If there is no explicit policy, what are the conventional practices that the bank typically follows?
In either case, what criteria are used when deciding whether to deny access to a particular account?
Are customers given reasons for the DoA?
How many DoAs for more than 24 hours have there been and what is the total value of funds affected?
What metrics are used in determining how successful DoA has been in preventing fraud?
Have potentially more customer-friendly approaches to fraud prevention been evaluated?
What are the arrangements for supervising, monitoring and evaluating the DoA decisions made?
What is the average time for an account holder to be denied access?
Is there a target maximum time limit on a period of DoA?
How are customer complaints handled?
Is there a customer compensation (for bad decisions) scheme?
Does the bank apply a ‘reasonable suspicion’ test before denying access?
Who in the bank makes these decisions?
Have the responsible decision makers received training in the implications of CA 1998 for their work?