Commonwealth Bank Fined, Offers Redress for Data Breaches

ACCC

The Commonwealth Bank of Australia (CBA) has paid penalties totalling $792,000 after the ACCC issued it with four infringement notices for alleged breaches of the Consumer Data Right (CDR) Rules.

The ACCC alleges that CBA did not comply with the rules by failing to enable data sharing for certain accounts for business consumers and partnerships.

This meant affected consumers were unable to share their data to access CDR-enabled products and services, such as those used for business accounting. The ACCC received complaints from consumers reporting difficulties accessing the CDR, and impacted customers had to either perform manual workarounds or revert to less secure methods of data sharing.

CDR is an economy-wide data sharing reform that empowers Australians to use the data businesses hold about them for their own benefit. Since November 2021, the four major banks, including CBA, have been required to enable consumer data sharing of in-scope products for non-individual CDR consumers.

"This is the highest total penalty to date for an alleged breach of the CDR Rules," ACCC Deputy Chair Catriona Lowe said.

"We will continue to focus our compliance and enforcement efforts to enable the benefits the CDR system delivers for consumers including more choice and greater access to better deals on products and services."

Insufficient data quality and failure to meet compliance dates are enforcement priorities for the ACCC.

The CDR delivers many benefits to business owners, such as enabling them to use products and services like accounting services to manage their finances more efficiently and securely. It also allows them to easily compare products, leading to savings and potentially reduced operational costs.

"In the first half of 2025, the number of CDR participants increased by 55 per cent from the previous six months, and we expect this number to continue to grow as the CDR expands to the non-bank lending sector from mid-2026," Ms Lowe said.

Earlier this year, National Australia Bank Limited paid penalties totalling $751,200 for alleged contraventions of the CDR Rules relating to data quality issues.

"Banks have now had a few years to understand and implement their CDR obligations," Ms Lowe said.

"This penalty against CBA should serve as a reminder to all CDR participants that failing to comply with the Rules may result in the ACCC taking enforcement action."

CBA to provide redress to consumers and accredited providers

CBA cooperated with the investigation and has made several commitments as part of an administrative resolution with the ACCC, including enabling consumer data sharing for remaining Trading Entity Business Name (TEBN) accounts by 19 December 2025 and providing remediation to customers and accredited data recipients affected by the conduct.

The remediation includes a goodwill payment to affected business customers who meet the relevant eligibility criteria, and additional payments to business customers who can substantiate further financial and non-financial loss.

The remediation program will begin in the week commencing 19 January 2026 and CBA will email affected customers and publish a notice on its website outlining how affected customers can submit remediation claims. For further information on the remediation program, consumers and accredited data recipients should refer to the Open Banking section of CBA's website.

Note

The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR Rules.

The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR Rules.

More information on the obligations of data holders can be found in the Compliance guide for data holders.

Penalty amounts for infringement notices are calculated by reference to the value of a penalty unit set in the Crimes Act 1914. This value is regularly indexed. It was most recently increased on 7 November 2024.

Background

The ACCC alleges that CBA failed to provide an Accredited Person Request Service that enabled consumer data sharing for non-individuals whose customer profile was set up with a TEBN in the account holder field to allow accredited data recipients to request data on behalf of these consumers.

This prevented affected consumers from utilising the CDR to share their data, limiting the ability of accredited data recipients to deliver products and services to consumers using CDR data and restraining the potential growth of the CDR.

The infringement notices relate to CBA's alleged failure to enable consumer data sharing for four separate consumers whose customer profiles were set up with a TEBN.

The CDR gives consumers the right to safely transfer data about themselves from data holders to accredited persons, potentially to access new products and services, including better deals on everyday products and services.

The CDR is an economy-wide reform that is being rolled out sector by sector. The CDR has been rolled out to banking (from July 2020) and energy (from November 2022), with the non-bank lending sector to follow from mid-2026.

The transfer of consumer data occurs between data holders and accredited persons, or accredited providers. The Australian Government has designed and oversees the system to ensure it is safe and secure for consumers. Accredited providers must go through a rigorous process to become accredited by the Data Recipient Accreditor to provide services to consumers using CDR data. A list of current providers, along with further information about the CDR, is available on the CDR website.

The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations.

The Treasury leads CDR policy, including development of rules and advice to government on which sectors the CDR should apply to in the future. Within Treasury, the Data Standards Body develops the standards that prescribe how data is shared under the CDR.

Public Release. This material from the originating organization/author(s) might be of a point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).