National Australia Bank Limited (NAB) has paid penalties totalling $751,200 after the ACCC issued it with four infringement notices for alleged contraventions of the Consumer Data Right (CDR) Rules.
The infringement notices relate to alleged failures by NAB to disclose, or accurately disclose, credit limit data in response to four separate requests made by different CDR accredited providers on behalf of consumers.
The CDR is an economy-wide data sharing program that empowers Australians to leverage the data businesses hold about them for their own benefit.
For the CDR to be effective it is critical that the data which a consumer has consented to be shared is accurate, up-to-date, complete and in the required format.
"Poor data quality prevents consumers from experiencing the full benefits of the CDR. When banks or energy retailers don't provide accurate data, consumers can't take advantage of CDR products and services to compare products, find better deals, manage their finances or make informed decisions about product switching," ACCC Deputy Chair Catriona Lowe said.
In this case, a failure to provide accurate information in relation to credit card limits impacted the service a number of fintechs provided to consumers, including some fintechs who offer mortgage broking tools using CDR data. These tools are designed to provide consumers with faster, simpler and more secure loan applications which better leverage their own data.
NAB's payment of these penalties is the highest amount paid for alleged contraventions of the CDR Rules to date. NAB cooperated with the ACCC's investigation and has rectified the data quality issues identified.
Data holders in the banking sector have had several years to understand and implement their CDR obligations. As the CDR continues to mature, data quality within the CDR remains a priority conduct area for the ACCC. In the second half of 2024, CDR participants reported to the ACCC that over 530,000 consumers successfully used CDR products and services across the banking and energy sectors, representing an increase of 135 per cent from the previous six months. During the same period, approximately 582 million consumer data requests were made.
"All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action," Ms Lowe said.
Note
The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR rules.
The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR rules.
More information on the obligations of data holders can be found in the Compliance guide for data holders.
At the time of the alleged conduct the penalty amount for each infringement notice was fixed at $187,800 for a listed corporation. Since 7 November 2024, the penalty has been increased to $198,000 for each infringement notice.
Background
CDR gives consumers the right to safely transfer data about themselves from data holders to accredited persons, potentially to access new products and services, including better deals on everyday products and services.
CDR is an economy-wide reform that is being rolled out sector by sector. The CDR has been rolled out to banking (from July 2020) and energy (from November 2022), with the non-bank lending sector to follow from mid-2026.
The transfer of consumer data occurs between data holders and accredited persons, or accredited providers. The Australian Government has designed and oversees the system to ensure it is safe and secure for consumers. Accredited providers must go through a rigorous process to become accredited by the Data Recipient Accreditor (currently the ACCC) to provide services to consumers using CDR data. A list of current providers (along with further information about CDR) is available on the CDR website.
The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations.
The Treasury leads CDR policy, including development of rules and advice to government on which sectors CDR should apply to in the future. Within Treasury, the Data Standards Body develops the standards that prescribe how data is shared under CDR.
