First-tier Tribunal upholds decision to fine Hall and Hanley Limited for data breaches and unauthorised copying of client signatures

The First-tier Tribunal (the Tribunal) has upheld a fine of £91,000 imposed on Hall and Hanley Limited (H&H) by the Claims Management Regulator (CMR), the former regulator for claims management companies (CMCs). The hearing for the Tribunal was conducted by the Financial Conduct Authority (FCA) which has taken over the functions of the CMR.

H&H is a CMC whose business focused on claims for mis-sold payment protection insurance (PPI).

The £91,000 fine was initially imposed by the CMR under the previous regulatory regime for CMCs due to data breaches and unauthorised copying of client signatures. H&H appealed to the Tribunal against the fine.

Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA said,

‘The failure by Hall and Hanley to take previous advice and warnings from the former claims management regulator and the firm’s repeated use of consumer data and customer signatures without their consent are clear examples of a firm falling short of the standards we expect.

‘The decision by the Tribunal to uphold the findings of the CMR is another important message to industry that firms must conduct all business with integrity and due care, skill, and diligence.’

On 5 March 2019, the CMR found that H&H had breached rules requiring CMCs to take all reasonable steps to ensure that any referrals, leads or data purchased from third parties had been obtained in accordance with applicable laws. Marketing text messages concerning PPI claims were sent to consumers’ mobile telephone numbers, without H&H having taken sufficient steps to check that affected consumers had consented to receiving such messages.

In addition, when reviewing a sample of 16 of H&H’s client files, the CMR found that in 8 of the files clients’ signatures on claim documentation (including letters of authority) had been copied without authorisation. The CMR considered the unauthorised copying of clients’ signatures, submitted by H&H to financial firms, to be a serious matter and considered H&H to have been negligent in failing to detect and prevent this conduct by one of its employees.

The Tribunal upheld the CMR’s decision in its entirety. In relation to data breaches, the Tribunal found that these were serious and followed from H&H not having taken previous compliance advice and warnings on board. It concluded that H&H failed to act with the required degree of competence and therefore acted negligently.

Regarding the copied customer signatures, the Tribunal concluded that H&H acted negligently in failing to provide proper training and supervision to its employees, and that ‘the underlying matter was so serious that a financial penalty is justified.’

Notes to editors

  1. Find out more information about the FCA.
  2. Read the Tribunal's decision.