Weekly roundup: car finance redress in the courts, plus a Lloyds data breach that keeps growing
Four legal challenges to the FCA's motor finance redress scheme could push payouts into 2027. Lloyds Banking Group's data breach has expanded to more than half a million customers. Here is what each story means for you.
Two stories dominated the consumer rights week: a wave of legal challenges to the FCA's motor finance redress scheme, and a Lloyds Banking Group data breach that has now grown well past half a million customers. Both will affect a lot of people. Here is the short version, and what to actually do.
Motor finance: the FCA's redress scheme is now under four legal challenges
On 1st May the FCA confirmed it is defending its PS26/3 motor finance consumer redress scheme against four separate legal challenges. One of those comes from a consumer body called Consumer Voice, represented by Courmacs Legal. Three more come from car finance lenders.
Consumer Voice is arguing the FCA's compensation formula does not reflect the harm consumers experienced. Their case rests on two points. First, full refunds of all undisclosed commission have been limited to a small group of cases that closely match a particular court decision. Second, the formula's APR figures are drawn largely from a period when overcharging was already on the way down, which they say underestimates how much drivers actually overpaid.
The lenders are pushing in the opposite direction.
The FCA's position is firm: the scheme is lawful, it remains the best route to resolving a long-running and complex problem, and the regulator will defend it. On its current numbers, the FCA expects two-thirds or more of any commission paid to be returned, with an estimated average of around £830 per unfair agreement.
What this means in practice is that timing slips. A payout window that looked like 2026 for many drivers now realistically moves into 2027 if the litigation runs its course.
A separate but related point matters here too. The pause on motor finance complaint handling lifts on 31st May. From that day, firms must resume processing complaints under the PS25/18 rules. If you have been waiting, the clock starts again at the end of this month.
What to do if you had a PCP or HP agreement between 2007 and 2021
- Get your complaint in. Do not wait for the legal challenges to settle. Lodging a complaint preserves your position and starts the clock running on the firm's response window.
- Ask for a copy of your finance agreement and any commission disclosure documents. The lender has to provide them.
- If the lender rejects you, escalate. The Financial Ombudsman Service is free, and the eight-week deadlock window starts on the day you complained.
- Keep a paper trail. Every email, every letter, every phone call note. Cases that go to FOS are won and lost on what you can prove.
Lloyds, Halifax, Bank of Scotland: the data breach got bigger
The Lloyds Banking Group data breach, originally reported as affecting around 450,000 customers, has now expanded to more than 530,000 once roughly 80,000 joint account holders are factored in. Halifax and Bank of Scotland customers are caught up in the same incident because the three brands sit inside one banking group.
The cause was a software defect during an overnight update. Customers were briefly able to see other people's financial information. The data exposed includes names, account numbers, sort codes, payment references, and in some cases National Insurance numbers.
That last point matters. National Insurance numbers, paired with sort codes and account details, are the kind of data set that gives fraudsters real leverage. This is not a "passwords reset and we are sorry" kind of breach. This is UK GDPR Article 33 and Article 34 territory, with all the notification obligations that flow from it.
Separately, customers affected by the recent Lloyds Banking Group app outage are being paid £40 in goodwill compensation. That is a different incident, but in the same period and from the same group, which compounds the disruption for affected users.
What to do if you bank with Lloyds, Halifax, or Bank of Scotland
- Check your accounts now. Look for unfamiliar transactions, especially small "test" amounts, and any direct debits or standing orders you do not recognise.
- Ask the bank in writing for confirmation of whether your data was exposed, what specifically was disclosed, and what protective steps they are putting in place. You have a right to know under UK GDPR.
- Register with CIFAS Protective Registration if you are concerned about identity fraud. It costs £30 and lasts two years.
- If the bank has fobbed you off or its response does not address your specific exposure, escalate. After eight weeks (or sooner if you receive a final response), you can take the complaint to the Financial Ombudsman Service. Distress and inconvenience awards apply.
- If you suffered direct financial loss because of the breach, that is a separate claim track. Document the loss and keep every piece of correspondence.
Quietly worth noting
- The FCA opened a review into whether annual percentage rates actually help consumers make better decisions. This will not produce immediate change, but it is the sort of review that ends in a Consumer Duty policy statement.
- Three people were arrested in an FCA and ERSOU operation targeting suspected unlawful financial promotions, with searches in Chelmsford and Romford. Names have not been released.
- The FCA has charged an individual, Shaun Lawrence, with carrying out unauthorised mortgage broking under FSMA 2000.
- From 19th June the Data Use and Access Act gives every UK consumer a statutory right to complain directly to a data controller about any processing they believe breaches data-protection law. Worth keeping in mind given the Lloyds story above.
If you are caught in any of these, EvenStance's letter library has the templates and Frank can walk you through escalation. Stand stronger.