Credit checks and lenders’ duties to consumers

Loan application Print publication


A recent case, Adelekun v Yorkshire Building Society [1], is an example of an individual’s attempt to rely on data protection laws and/or a tortious duty of care owed by a lender to a customer or potential customer to found a damages claim arising from a credit register entry.

Why is this case important?

Walker Morris has reported previously [2] on the increasing tactical use of data protection laws in claims brought by consumers/individuals against lenders and other businesses.  Walker Morris also reported, last year, on the Financial Conduct Authority’s (FCA) discussion paper DP18/5, which opened the debate on whether there is a need to impose a new duty of care on financial services firms which could enhance good conduct and culture and provide additional protection for consumers. Adelekun is of interest as it touches on those highly topical issues.  The case is also likely to be welcomed by lenders for its clear and common sense approach, which resulted in a dismissal of the claim, both by the judge at first instance and by the High Court on appeal.

What happened in Adelekun?

The claimant, Mr Adelekun, had applied to the defendant building society for a mortgage loan. The loan application was refused and the lender made an entry relating to Mr Adelekun on the National Hunter register (used for credit checks) which stated “false income”.  Mr Adelekun complained that that entry was inaccurate and brought a claim for damages in tort and under the Data Protection Act 1998 (which was the data protection law in force at the relevant time).

Upholding the first instance judge’s dismissal of the claim, the High Court decided:

  • On the authority of Durkin [3], there is a duty of care on credit companies to take reasonable care in making entries on a credit register.
  • The Durkin tortious duty of care is co-existent with duties under data protection legislation.
  • The difference between those duties is that: under the tortious duty, the burden is on the claimant to prove that a defendant has not taken reasonable care; whereas under the data protection legislation duty, the burden is on the defendant to prove that it has.
  • The judge had been entitled to find that the “false income” entry was accurate. Whilst the defendant building society had not adduced witness evidence, it had nevertheless discharged its burden of proof.
    • The judge had considered internal notes provided by the society and correspondence from HMRC which stated that Mr Adelekun’s income was nil.
    • There was a mismatch between Mr Adelekun’s submissions about his income and HMRC’s records. The taking of reasonable care did not require the society to run any further check[s]. The society was entitled to rely on the response it received from HMRC.
    • The judge had also heard evidence from Mr Adelekun on the point and did not believe him.
  • In any event, Mr Adelekun had failed to establish, on the evidence, that he had suffered loss, or that any alleged loss was caused as a result of the society’s “false income” entry.

What are the key takeaways for lenders?

Lenders should be aware that the Adelekun case is an endorsement of both the Durkin duty and data protection duties upon them to take reasonable care to make sure that any entries made on credit registers are accurate.  The judgment will be welcomed, however, for its clear message that lenders can adopt a common sense approach when it comes to discharging those duties.

For all practical purposes that means that, where any red flags appear in loan application submissions they do need to be investigated, but not necessarily to the ‘nth degree’. In particular, where enquiries are made of other appropriate authorities (such as HMRC), a lender is entitled to rely on responses received and further verification will not be required unless and until any further discrepancies or other warning signs materialise.

This case is also a helpful reminder of the fact that a claim will fail if a claimant cannot establish the fundamental elements of causation and/or loss. These are essential legal requirements which are often overlooked by claimants.  In many cases, therefore, defendant lenders would be well advised to critically assess causation and/or loss immediately any claim is instigated against it, and to take specialist legal advice as to whether any defects in the claim in those regards may give rise to the potential for the claim to be quickly and cost-effectively rejected by, say, summary judgment, split trial or some other early resolution option.

Finally, Adelekun is also interesting because its findings in relation to tortious and data protection duties are consistent with the conclusions which have recently been drawn and published by the FCA, that the creation and imposition of a new duty of care on financial services firms would be unnecessary as it would cover requirements already embedded in myriad existing tortious, contractual, statutory and regulatory duties.  (The FCA’s conclusions also acknowledge that duplicating existing standards into any new duty could create unnecessary legal complexity.)

The FCA proposes, instead, to review how the current regulatory framework is applied – in particular how its Principles for Business are applied in its authorisations, supervisory and enforcement functions, and how that is communicated to firms.  The FCA also proposes to consider implementing new and/or revised Principles to strengthen and clarify firms’ duties to consumers, including consideration of whether a potential private right of action for Principles breaches is appropriate.

The FCA is continuing to engage with industry stakeholders as to potential options to address any deficiencies in consumer protection and is expected to report further in the autumn of 2019. Walker Morris will continue to monitor and report on any key developments.


[1] [2019] EWHC 856 (QB)
[2] In particular, see our earlier briefings on data subject access requests and data protection-related claims
[3] [2014] UKSC 21