Santander UK Plc · DRN-5873525

The complaint Mr M complains on behalf of ‘A’, a limited company, that Santander UK Plc unfairly restricted its account and provided poor customer service in connection with this. What happened The limited company A had an account with Santander. In July 2024 Santander reached out to Mr M as part of a routine review as it needed more information about A. Mr M didn’t respond and so in September 2024, Santander restricted A’s account. Over the months that followed there was back and forth contact between Mr M and Santander and at various points the restrictions to A’s account were lifted and then reapplied. In summary – Santander said it needed to understand A’s activities and its source of wealth – and that as Mr M had not completed the relevant paperwork in the correct way, it imposed restrictions on the account. Mr M said Santander’s questions were intrusive and an overreach beyond what was fair. He felt its tactics in blocking the account were bullying and he felt it ought to have contacted his accountant directly to obtain the information it required. Dissatisfied, Mr M complained to Santander on behalf of A. Santander responded to the complaint initially in September 2024 with a Summary Resolution Communication (SRC) and paid £75 as a goodwill gesture. It responded again in January 2025 issuing a Final Response Letter (FRL) paying £150 compensation – bringing the total compensation to £225. Mr M remained unhappy and referred A’s complaint to our Service. Santander said it was acting in line with its legal obligations in requesting this information from A and then restricting the account when this wasn’t provided. But it accepts it could have provided better service and offered the £150 to reflect failings in its service. Our Investigator looked at this and thought this was a fair resolution of the complaint. Mr M didn’t agree. He feels the administrative process sitting behind Santander’s checks was flawed and prolonged the process and restrictions unnecessarily. He also feels Santander behaved unethically in continuing to collect account fees despite the restrictions and threatening to default a bounce-back-loan that it had not allowed him to pay. He also feels Santander failed to take into account his vulnerability in the way it handled things. Mr M outlined the significant impact Santander’s actions had had on A including lost revenue through reputational damage, the damage of supplier relationships and the loss of customers. So, the complaint was passed to me to decide. After reviewing the evidence, I thought I’d reach the same outcome as our Investigator but for different reasons so I issued a provisional decision to give both parties the opportunity to respond before a final decision was given. In summary, I didn’t agree that Santander had acted unreasonably in the information it had requested or the way it had requested it. And whilst I noted that it could have recorded Mr M’s vulnerabilities sooner than it did, I didn’t think its decision to block A’s account was unreasonable. I also felt the £225 Santander had already paid A was sufficient for any service failings that had occurred.

-- 1 of 9 --

Santander accepted my provisional decision. Mr M did not. Mr M provided lengthy submissions in response outlining his concerns with Santander’s actions and my provisional findings. He emphasised the significant impact Santander’s actions had on A. I am now in a position to issue a final decision on this complaint What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. I’ve carefully read all of the correspondence both parties have sent this Service, including in response to my provisional decision. That being said, my decision won’t address every point or comment raised. I mean no discourtesy by this, it simply reflects the fact our Service is an informal dispute resolution service, set up as a free alternative to the courts. So, in deciding this complaint I’ve focussed on what I consider to be the key issues. I was sorry to read about Mr M’s difficult personal circumstances. I don’t doubt that this situation impacted him personally at an already very difficult time but I am not able to consider or award for this impact, as the eligible complainant here is A, not Mr M. Within this decision I am only considering the complaint issues covered in the FRL issued by Santander on 21 January 2025. In summary, this is about: 1. The way Santander initially asked for information was unreasonable – indistinguishable from a common security threat phishing exercise. 2. The reason Santander asked for this information is because incorrect Standard Industrial Classification (SIC) codes [codes used to classify the economic activity of a business] were registered against the account due to an admin error of Santander’s. 3. It was unreasonable that Santander asked for 11 years worth of source of funds. 4. Santander wouldn’t speak with the accountant directly which was unreasonable. 5. Santander failed to clearly communicate why submissions were rejected. 6. Santander’s aggressive course of action didn’t take into account Mr M’s circumstances. 7. Santander continuing to take the service charge fees whilst the account was restricted was unreasonable. So, any further complaints Mr M wishes to raise with our Service about Santander’s actions after this point would need to be considered separately. This includes A’s complaints about further information requests, restrictions, correspondence surrounding A’s bounce back loan and Mr M’s attempts to close A’s account. I appreciate Mr M is unhappy about the scope of this decision, as he thinks Santander has made additional mistakes which serve to prove its system is unfair, but I think I can fairly consider Santander’s actions here as per the January 2025 FRL without looking at these subsequent alleged failings. As a regulated financial business, Santander is required by law to understand how its customers fund their accounts. The 2017 Money Laundering Regulations (as amended) mean Santander is required to understand the source of its customers’ funds and, where relevant, the source of wealth, and to apply ongoing monitoring to ensure transactions are consistent with what it knows about its customer. This is not a box-ticking exercise. To comply with these regulations, it’s not enough for Santander to show that it followed a specific procedure or asked for a specific list of

-- 2 of 9 --

documents. The regulations are deliberately flexible. They require businesses to design their own policies, processes and controls to manage the risk of money laundering and terrorist financing. The checks they carry out will depend on their own assessment of risk and what they know about their business and their customers. Where a business cannot complete these due diligence measures, it won’t be able to carry out a customers’ instructions and may be required by law to close an account. I’ve thought about what this means for A’s complaint. The way Santander initially asked for information was unreasonable - indistinguishable from a common security threat phishing exercise. I’ve seen evidence Santander sent Mr M two letters via post and two emails in the months leading up to the block it placed on his account in September 2024. This correspondence made it clear that Santander needed information from Mr M. The correspondence provided a new log in reference for a portal to upload this information. The correspondence clearly explained that if Santander didn’t receive this information by 16 September 2024, it would restrict access to the account which could include being unable to process debits. It also offered a contact number if Mr M had any questions. I think this correspondence was clear and provided the information I would expect, so I don’t agree the way this information was asked for was unreasonable. Given the multiple communication methods used, and the multiple communication attempts made, I think Santander did enough to indicate this was a legitimate and important request. I appreciate Mr M was cautious about phishing, particularly given the new log-in information enclosed, but I can’t see that he contacted Santander to verify if these requests were genuine, which I think it’s reasonable to have expected him to do given the volume of correspondence he was sent via multiple contact methods and the implications outlined if there wasn’t a response. I would like to be clear that I am not blaming Mr M for being cautious, but I disagree with Mr M’s assertion that reaching out directly to the banking institution, via verified communication channels not obtained from the suspected phishing correspondence, is contrary to banking industry guidance – I think this was an option available to him at that time. In his response to my provisional decision Mr M also said that because he’d attempted to use the log in details he’d received and they failed, the only safe conclusion he could make was that this was a phishing scam. But in a call made by Mr M to Santander in September 2024, Mr M said he received correspondence and tried to log on to the portal using his existing username but couldn’t, and because there had been no change to A, he hadn’t bothered to do anything further. And so, it seems to me more likely than not that at some stage Mr M considered this to be a legitimate request from Santander and that his decision not to take any further action was influenced by the fact nothing with A had changed. I’d also like to be clear that I think the initial email and letter Santander sent made it clear that whilst Mr M had provided information in the past, Santander needed to check this was up to date and gain a complete picture of A and the people who control it. The follow up email and letter also referenced the fact Mr M might need to provide documentation. So, I’m also satisfied the content of the letters didn’t suggest that Mr M need not take action if there had been no changes. Ultimately, I think Santander acted reasonably here in the way in which it requested this information, particularly given there were options available to its customers to verify the

-- 3 of 9 --

legitimacy of these requests if they had any phishing concerns, as Mr M has indicated he did. The reason Santander asked for this information is because incorrect SIC codes were registered against the account due to an admin error of Santander’s. Santander initially asked for two types of information, one was a non-banking financial institution (NBFI) questionnaire, and the other was a source of wealth questionnaire (SOWQ) for both the business and any related parties. I appreciate Mr M thinks the request for this information was driven by incorrect SIC codes Santander had associated with his business, but the evidence I’ve seen shows Santander was carrying out a routine review of all of its business customers. This review led to scrutiny of A’s website and it was the content of the website that led Santander to add the SIC codes Mr M felt were unfairly applied. System notes indicate Santander’s rationale for adding these SIC codes was that whilst it didn’t consider A to be a NBFI, A’s website showed A was carrying out crowdfunding and providing subscription activities and so it wanted to capture information about A as per the NBFI questionnaire. It wanted to clarify with A precisely what activities it was undertaking in relation to these matters. And I don’t consider this to be unreasonable. In saying this, I am aware Santander paid compensation in relation to A’s complaint about incorrect SIC codes being added, but it has since confirmed to me that these were not incorrectly applied so it seems to me that it needn’t have paid compensation for this. I appreciate Mr M thinks this is disproportionate, but as outlined above, it is up to individual banks to design their own processes to ensure it has a sufficient understanding of the activities of its customers. It’s also not our Service’s role to regulate businesses, this would be for the Financial Conduct Authority (FCA). So, it’s not my role to decide whether a business’s policies are appropriate or should be changed. My role is to determine whether Santander treated A fairly here, and taking into account what it was asking of A – which was the completion of relatively short questionnaire which it would have asked of any business in a similar position – I am not persuaded that what Santander was asking was inherently unreasonable. I’m also satisfied that regardless of the SIC codes added, Santander would always have reviewed this business and requested a source of wealth information. So, I don’t agree that but for the addition of these SIC codes, Santander would not have asked for more information from A/Mr M. In this case, Santander asked Mr M for information to better understand the activities A was undertaking and for both his and A’s source of wealth. Based on what I’ve seen, I’m satisfied Santander’s regulatory obligations required it to understand the activities A undertook and the source of A’s wealth (which included Mr M’s wealth) – and I’m satisfied that it was acting in line with these obligations when it asked Mr M to provide additional information to help it do this. I note in response to my provisional decision Mr M has said he was told by Santander’s customer service department that his account was blocked due to two suspicious payments. I would like to reassure Mr M that I remain satisfied, based on the available evidence, in particular the contemporaneous notes made at the time in relation to the KYC review, that this was not the reason his account was flagged for review initially nor was it the reason any of the blocks I have considered were applied. It was unreasonable that Santander asked for 11 years worth of source of funds

-- 4 of 9 --

I acknowledge that the information Santander has asked for includes information going back a number of years. But its obligations under the regulations are ongoing – and the fact that these funds were paid to A some time ago doesn’t prevent Santander later needing to ask questions about them. So, I don’t think this was unreasonable. Santander wouldn’t speak with the accountant directly which was unreasonable I’d like to be clear that I don’t think it was unreasonable that Santander asked for the forms that Mr M submitted to be certified by an accountant or solicitor. I think it’s reasonable that it wanted to verify the accuracy of the information it was obtaining given its obligations. And I also don’t think it was Santander’s job to seek out A’s accountant to get this authorisation. Santander first notified Mr M that it needed this information back in July 2024, two months before it blocked his account. So, I think it gave him sufficient notice and time to obtain this certification. I’m also satisfied it sent him sufficient reminders via calls, letter and email warning him of the consequences of not providing this information. I have taken into account Mr M’s vulnerabilities when reaching this finding. But I note Mr M was clearly in touch with his accountant and provided no reason why his accountant couldn’t submit the signed form in its entirety beyond the accountant initially being out of the country and later not being able to scan all the pages. I appreciate Mr M’s circumstances may have made physically visiting his accountant more difficult, but I think there were ways around this problem, for example, the accountant using scanning facilities elsewhere ie. a library, or the accountant posting the forms to Mr M for him to scan. Santander failed to clearly communicate why submissions were rejected I have reviewed the emails, letters and calls between Mr M and Santander during this time. Having done so, I don’t agree that Santander failed to communicate why Mr M’s submissions were rejected. The documents he needed to complete were detailed within the Customer Verification Portal so although Mr M was sent multiple letters and emails reminding him to complete these forms, these communications advised him to log into the portal to provide Santander with the updated information it needed. In the calls on 18 September 2024, I’m satisfied Santander made it clear to Mr M that he needed to do a SOWQ which would need to be signed by an accountant and the NFBI form. On 19 September 2024 Mr M submitted a SOWQ for himself and an NFBI form. These documents were rejected. The NFBI wasn’t signed by Mr M (and I’m satisfied the form made clear that it needed to be) and the SOWQ wasn’t signed by an accountant (which Mr M had been told and the form made clear was required). So I think Mr M ought reasonably to have realised his documents weren’t completed properly, but in any event, in the call on 24 September Santander advised Mr M that the documents he’d submitted weren’t certified and signed and that’s why they’ve been rejected – it also made clear when Mr M needed to resubmit completed forms by in order to stop further blocks being applied. Mr M resubmitted a signed NFBI form on 7 October 2024 and this was accepted. He then called Santander on 17 October when blocks were reapplied and was told that whilst the NFBI form was correct, there was a request for a SOWQ for him and his business on the portal. This was the first time on a call Mr M has been told two SOWQs needed to be completed, but I’m satisfied the blocks would have been applied in any event as Santander had not received a certified copy of any SOWQ despite clearly requesting one.

-- 5 of 9 --

Mr M called again on 21 October 2024 and was told Santander still didn’t have a SOWQ that was signed and dated by a solicitor/accountant. Mr M explained he couldn’t contact his accountant previously because they’d been away, but the accountant was now back home. Mr M asked for Santander to contact his accountant. The advisor said they would escalate this request to the team dealing with the matter. Mr M resubmitted the SOWQ for himself, with a separate email from his accountant showing a signed signature section of the form (but no other parts of the form) on 23 October 2024. Mr M called Santander on 24 October 2024. He was told that he had only submitted one SOWQ and that Santander needed two SOWQs and that both needed to be certified. The advisor said he would ask the relevant team to review the separately submitted signature to see if this was acceptable. A call on 29 October 2024 indicates Mr M was having difficulties uploading documents to the portal. The advisor explained how to do this and reminded Mr M of the deadline for submission. The advisor said to contact Santander if Mr M had any further difficulties or questions. They confirmed on the phone that they could now see Mr M’s uploads which he’d submitted whilst on the phone and that these would be reviewed within 48hours. Mr M had uploaded a SOWQ for himself and a separate email from his accountant showing a certifying signature and an extract from the SOWQ for A, showing one question. The former was rejected as it was missing a certifying signature, and the one for A was noted to be ‘incomplete’. I’d also like to be clear that I don’t think it was unreasonable Santander didn’t accept a separate signature from Mr M’s accountant. Without the signature attached to the full document, Santander had no categorical evidence the accountant had seen and certified the document as submitted in its entirety. On 7 November 2024 Mr M spoke with Santander again. He said he’d just seen a message saying Santander isn’t happy with the latest documents he’d submitted. The advisor said it still required completed SOWQs for both Mr M and A. The advisor then ran through the reasons why previous uploads had been rejected, including that they couldn’t accept a signature detached from the document it’s certifying. On 7 January 2025 Mr M spoke with Santander as he’d couldn’t access the portal. The advisor helped him reset his password. Mr M noted his accountant still hadn’t been contacted and that his accountant was of the view Santander ought to have contacted him directly. Mr M said he still had no idea what information he was missing, and no one was prepared to coach him through this. Mr M was once again told the document he uploaded in October 2024 was missing a signature. Mr M said his accountant sent this separately and the advisor once again told Mr M the signature needed to be on the same form. Mr M said he felt Santander was being pedantic. The advisor then agreed to escalate Mr M’s concerns to the relevant team to see if they would accept the separate signature even though it was not in the correct format. On 14 January 2025 Mr M spoke with Santander again and said he’d complied with every information request and Santander wouldn’t help him fill in the forms or tell him what forms were needed. Mr M’s portal access was not working once again. Mr M was told once again he needed to provide the completed SOWQ for both A and himself in one place, not just a one-page signature. Mr M reiterated that he didn’t think this was logical. I appreciate Mr M didn’t like what he was being asked to do by Santander and he feels its requirements for certification was a bureaucratic technicality. However, I think Santander

-- 6 of 9 --

clearly explained to Mr M on multiple occasions what it needed from him and why what he’d submitted was rejected. Whilst I acknowledge there were a couple of occasions where Santander’s communication could have been better ie. not making it clear on the initial calls there were two SOWQs, and not getting back to Mr M to confirm it would not be contacting his accountant directly, I’m not persuaded better communication in these instances would have led Mr M to provide the documentation Santander needed. I say this noting that when this was clearly communicated to him at various points, he still didn’t provide this appropriately certified documentation. I say this also noting Santander never agreed to contact Mr M’s accountant for him, it simply confirmed his request would be escalated to the relevant team, so I don’t think it would have been reasonable for Mr M to presume this would happen. I’d also note that during this time Mr M continued to receive correspondence from Santander asking him to provide the outstanding information, so I think it ought to have been apparent he needed to take action to resolve things. Santander’s aggressive course of action didn’t take into account Mr M’s circumstances Santander says the first time it was informed about Mr M’s circumstances was in a call on 7 November 2024. And I’ve seen no evidence to the contrary from Mr M. So, I’m satisfied that this was the earliest date that it could reasonably have been expected to take this into account when determining the appropriate course of action. From listening to various calls, it would appear that on 14 January 2025 an advisor asked Mr M for permission to record his difficult personal circumstances on the system. So, the evidence indicates a proper record wasn’t made on 7 November 2024 or the 7 January 2025 when Mr M mentioned his vulnerabilities to the advisors he spoke with. And I think these advisors ought to have asked Mr M for permission to record this information so it could be taken into account when Santander determined its next steps on A’s account. Following Mr M’s initial disclosure, Santander applied blocks to A’s account on 16 December 2024. These were removed on 14 January 2025, following a call from Mr M, reapplied on 15 January and removed again on 17 January. A further one month extension was then granted for him to provide the information Santander needed. I have thought carefully about whether Santander fairly blocked the account given we know Mr M had already made this disclosure, but I am not persuaded this was unreasonable – I’ll explain why. Ultimately, I would expect Santander to approach a consumer in Mr M’s circumstances with sensitivity and allow them additional time to respond. If the existing process for providing information wasn’t suitable for Mr M’s circumstances, I’d have expected Santander to consider alternative ways it could support Mr M to provide the information it needed. At the time the December 2024 block was applied, Santander had been seeking to obtain this information from A/Mr M for five months. And as outlined above, I think it had clearly outlined what information it needed on multiple occasions. I also note that at various stages, Santander already allowed Mr M additional time to provide the information, removing blocks to the account; for example, it extended the deadline in September 2024 for one month, and in October 2024 for one and a half months. I can also see that when Mr M got in contact in January 2025, Santander removed the block and gave him additional time to respond as I’d expect. At no stage in this complaint has Mr M indicated that his vulnerabilities were the reason he was unable to provide the information Santander requested in the format it requested by the deadlines set. Having listened to the calls, Mr M was clearly frustrated by the requests and

-- 7 of 9 --

felt they were unreasonable. It’s also apparent that the blocks to A’s account added to his distress at an already very difficult time. Whilst I don’t doubt Mr M’s difficult personal circumstances have made Santander’s information request more inconvenient and stressful, this doesn’t mean it was unfair for it to continue to seek this information or to block the account when he failed to provide this. Ultimately, given Santander felt it couldn’t complete its due diligence without the completed forms from Mr M and, given its obligations under the 2017 Money Laundering Regulations, even taking into account Mr M’s vulnerability, I don’t think it was unreasonable that it blocked A’s account in December 2024 in these circumstances, for the reasons outlined above. Santander continuing to take the service charge fees whilst the account was restricted was unreasonable I can understand why Mr M thinks it’s unfair that Santander continued to charge him for an account he wasn’t able to use. However, I don’t think this was unreasonable. I have outlined above that I am satisfied Santander restricted the account reasonably and gave Mr M sufficient notice and time to provide the information it required to avoid this. I’m also satisfied it was still costing Santander money to administer this account, including costs associated with the process it was undertaking to try to obtain the information it was required to by law. So, I don’t think it was unfair that Santander continued to charge the monthly account fee Mr M had agreed to at the point he took out his contract with Santander. I saying this also noting that the terms and conditions of the account made clear Santander may block the account and not make payments if Mr M failed to give it information it had reasonably requested. Customer Service Santander has acknowledged there were some customer service failings and paid A £225. I note Mr M has mentioned a number of customer service issues including, but not limited to, issues with an address change, difficulties accessing the portal, not receiving promised call backs, not being provided with the correct envelope size and being told a block would be removed only for it to be applied the next day in January 2025 (which was removed two days later). I also think Mr M was provided with incorrect information about the reasons behind the blocks on occasions, for example in relation to the SIC codes. Having carefully considered things, I think the £225 Santander has already paid fairly accounts for the inconvenience caused to A from any service failings that may have occurred here. I acknowledge Mr M thinks grouping these service failings together fails to recognise the sustained nature of these errors (which have been upheld in multiple FRLs) and the systematic breakdown that occurred. But I’d like to be clear that I am only considering matters covered in the FRL dated 21 January 2025. It’s also not my role to punish a business for its errors, it’s my role to consider the impact of errors on the eligible complainant, which is A – and I’d like to reassure Mr M that I’ve done this. It might help to remind Mr M that I am only awarding for the inconvenience caused to A, not the distress he personally experienced as he’s not the eligible complainant. And for all of these reasons, I think the £225 already paid is sufficient. So, whilst I appreciate my decision will come as a disappointment to Mr M, I won’t be asking Santander to do anything else.

-- 8 of 9 --

My final decision My final decision is that Santander UK Plc does not need to do anything further. Under the rules of the Financial Ombudsman Service, I’m required to ask A to accept or reject my decision before 1 April 2026. Jade Cunningham Ombudsman

-- 9 of 9 --