ACCC issues first fine for alleged CDR breach

Brandon How

The competition watchdog has issued its first infringement notice for an alleged breach of the Consumer Data Right to the Bank of Queensland.

The Australian Competition and Consumer Commission (ACCC) issued a $133,200 fine along with an infringement notice to the Bank of Queensland (BoQ) for allegedly breaching the CDR rules. Phase one of data sharing obligations under the CDR for all banks came into effect on July 1, 2021; however, the ACCC alleges the bank did not meet them.

The services required by the CDR legislation were only made available by BoQ from December 13 last year, five months after the obligations came into effect, and more than a month after the rectification date proposed by the bank.

A spokesperson for Bank of Queensland said it acknowledges the delays in implementing the first phase of the CDR open banking regime. It said the delay was “largely due to the complexity of adapting BoQ source systems to the Open Banking requirements and third-party testing issues”.

Factors considered in the action were the period of non-compliance, the number of customers potentially impacted, BoQ’s resourcing constraints in developing its CDR infrastructure, and the steps taken to limit the duration of its non-compliance.

ACCC chair Gina Cass-Gottlieb

ACCC commissioner Peter Crone said that consumers have a right to safely and securely share their data with accredited data recipients.

“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations,” Mr Crone said.

This penalty comes about a month after the new ACCC chair Gina Cass-Gottlieb declared that the regulator would consider enforcement action against data holders not meeting their obligations. At the time she acknowledged that the CDR obligations are complex but reiterated that “the law now provides a data right for consumers and data holders need to meet their legal requirements”.

When the action against the Bank of Queensland was announced, the ACCC acknowledged that many banks had been delayed in CDR implementation due to the Covid-19 pandemic and a shortage of skilled IT resources.

As of May 2, international money transfer provider Wise Australia and the BNK Banking Corporation were the only open banking data holders yet to become active on the CDR Register.

In addition to the Bank of Queensland, there are six other open banking data holders that have not been able to become active on the CDR Register by their proposed rectification schedule. There are also three firms that only became active on the CDR Register this year.

The four major data holders, ANZ, Commonwealth Bank, National Australia Bank, and Westpac, all have ongoing data-sharing or account holder consent issues and have rectification schedules in place.

According to the ACCC, however, rectification proposals are not considered “a satisfactory resolution of non-compliance”, leaving many banks open to compliance or enforcement action.

Tony Thrassis, the chief information officer of Frollo, Australia’s largest CDR data recipient, backed the ACCC’s consideration of compliance and enforcement action. However, he noted that some banks have been slow to comply because providers of their core banking platform and data holding solution have been unable to deliver a working system.

Given ongoing delays in the CDR rollout, the ACCC delayed the deadline for non-major banks to begin sharing joint account information from April 2022 to October 2022.

The deadline for the final phase of the CDR open banking rollout was in February 2022. Data sharing under the CDR is expected to commence in November 2022 for the energy sector.
