Financial Ombudsman Service decision

National Westminster Bank Public Limited Company · DRN-6137280

Data BreachComplaint upheldRedress £1,000
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Ms D complains that National Westminster Bank Public Limited Company (NatWest) failed to protect her data as a staff member accessed it unlawfully and used it to intimidate her. What happened Ms D was in an ongoing dispute with her neighbour who works at her local NatWest branch. She’s experienced harassment, threats and damage to her property, and it continued to escalate until the police were involved. This has had a substantial impact on Ms D as she’s had to increase her prescribed medication due to the stress and she was unable to leave the house at points. In June 2025, Ms D called NatWest as she was concerned the neighbour had accessed her statements due to the comments she’d been receiving. NatWest explained that they couldn’t see any issues from a quick search, but they could raise a complaint and do a full review, but Ms D chose not to proceed. She contacted NatWest again in August 2025 to raise a complaint, they conducted an internal investigation and found that her account had been viewed without justification. They apologised, confirmed that they will take serious internal actions and they offered £500 compensation. Ms D didn’t accept this and referred the complaint to our service as she thought NatWest should have discovered this when she first contacted them, she also had to quit her job due to the stress she was experiencing, so she didn’t think the compensation reflected the impact of her neighbour’s actions. During the investigation, NatWest explained that they didn’t think the breach could have been discovered sooner and they weren’t responsible for the neighbour’s actions outside of the workplace, but they offered to increase the compensation to £1,000. An Investigator reviewed the complaint and felt that £1,000 was reasonable compensation. They agreed that Ms D chose not to proceed with a full investigation in June and that they can only hold NatWest liable for the impact of the unauthorised access. The rest of the issues were a police matter. Ms D disagreed with this as she felt the investigation should have been carried out sooner and she thought the compensation should be higher, so she provided doctors notes to support what she’d said. This didn’t change the Investigator’s opinion, so the complaint has been passed to me for a decision. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Our service isn’t a regulator, so we can’t comment on NatWest’s internal data systems and controls. I can see that Ms D thinks that NatWest should have more robust internal controls

-- 1 of 3 --

in place, but that isn’t something our service can review. She can raise this with the Information Commissioner’s Office (ICO) or the Financial Conduct Authority (FCA) if she wishes to as they would be better suited to review these concerns. NatWest has agreed with Ms D that her data has been accessed without a suitable reason and I can only comment on the impact of this breach. I also agree with the Investigator that Ms D has provided a lot of detail about the issues experienced with the neighbour, but I can only hold NatWest liable for the impact in relation to the unauthorised access. I’ve no doubt that Ms D has been through a difficult time, but as an impartial party, I have to consider what NatWest have control over. Ms D has previously stated that she made three calls to NatWest, but they only have evidence of two calls taking place – one in June 2025 and one in August 2025. As they’ve been unable to locate any other calls and Ms D is unable to locate them on her records, I think it’s likely that only the above calls took place in relation to the reporting of the breach. I’ve listened to the call in June 2025, during which NatWest reassured Ms D that they couldn’t see any records of unreasonable access from the limited systems they could review, but if she had concerns, they could refer it as a complaint so that a full investigation could be carried out. Ms D was assured that the staff member wouldn’t be notified, but she seemed happy with the initial check and chose not to proceed. I think NatWest were clear in this call on what they were looking at and that they couldn’t provide a certain answer without an investigation. Ms D didn’t provide the name of the employee during the call and I think NatWest would have required this and Ms D’s authorisation in order to carry out the full investigation. As such, there’s nothing to suggest that NatWest were aware of the actions of the employee until the internal investigation was carried out in August 2025, and I don’t think the call in June 2025 included misleading information about the certainty of the checks that had taken place. So, based on the available information, I don’t think the unauthorised access of Ms D’s data could have been discovered sooner. Ms D’s explained that the neighbour had quoted payments she had made to her in order to intimidate her, so I’ll go on to consider the impact of this. Putting things right As set out above, I can’t hold NatWest responsible for something that they don’t have control over. The majority of the challenges Ms D experienced with this neighbour occurred outside of the workplace and actions such as verbal abuse, harassment and property damage are done on an individual basis and would be for the police to investigate. Ms D has provided evidence to support the impact the experience was having on her mental health by sending us doctors notes. She hasn’t provided the full set of notes, so I can’t see how this has changed over time, but they do support that Ms D was taking medication which was linked to the behaviour she was experiencing. Upon reviewing what Ms D has told us about the neighbours actions, I think it’s likely that the harassment she experienced and the property damage would have continued until the police were involved, which was after the breach was discovered. I don’t think NatWest could have prevented this, so I can’t say that they should compensate her for it. Overall, I think the offer of £1,000 compensation is reasonable based on the distress Ms D

-- 2 of 3 --

would have experienced due to the unauthorised access of her account. NatWest’s confirmed that they’ve taken this seriously and dealt with things internally. It’s not our role to comment on employment issue’s but NatWest has assured Ms D and our service that reasonable steps have been taken. I appreciate that this won’t be the outcome Ms D wants and I empathise with what she’s experienced, particularly as the actions of her neighbour have led to such difficulty for her and her family. However, as an impartial party, I can’t say that NatWest are responsible for a large part of it. My final decision My final decision is that I uphold this complaint and direct National Westminster Bank Public Limited Company to pay Ms D £1,000 compensation in line with the offer that’s been made. Under the rules of the Financial Ombudsman Service, I’m required to ask Ms D to accept or reject my decision before 28 April 2026. Chris Lowe Ombudsman

-- 3 of 3 --