CDR fines hit limits of foreign firms

Avatar photo

Joseph Brookes

Global banking giant HSBC has avoided a hefty fine despite allegedly sending inaccurate and incomplete data through Australia’s budding economy-wide data sharing scheme.

The bank paid penalties of $33,000 after the consumer watchdog announced on Tuesday that it had issued HSBC with two infringement notices for failing to disclose complete mortgage interest rate details and accurate credit card balances.

The penalty for breaching consumer data right (CDR) rules was the maximum available at the time of the alleged contraventions last year for a corporation not listed in Australia. HSBC is listed on the London Stock Exchange.

Fellow non-Australian listed bank ING paid four penalties totalling $53,280 in 2022 for allegedly missing data sharing deadlines and for making a false or misleading representation to consumers.

The ASX listed Bank of Queensland in 2022 paid $133,200 for allegedly being five months late in switching on its data sharing.

The CDR is an economy-wide data sharing scheme being rolled out sector by sector, starting with banks and energy. It allows users to direct accredited data holders to share their data with accredited recipients. The ability to port data around is aimed at improving competition and innovation.

The Australian Competition and Consumer Commission (ACCC) investigated claims that HSBC failed to accurately disclose home loan data through the CDR over two months last year.

The ACCC found that the bank had not included the featured fixed interest rates it was advertising on its website in CDR disclosures.

“If accurate home loan rates are not provided, product data users, such as comparator sites and brokers, are unable to present accurate comparisons of home loan products to consumers. This has the potential to lead to consumers making decisions based on incorrect information about home loan interest rates on offer,” ACCC commissioner Peter Crone said.

The regulator also examined claims the bank was not supplying accurate credit card account balance data to consumers through the CDR.

The ACCC issued infringement notices for both alleged contraventions of the CDR rules.

Poor quality or limited data flowing through the CDR scheme threatens to undermine what can be a genuinely useful reform, according to UNSW research fellow Dr Natalia Jevglevskaja

She told that “relatively lenient penalties” could exacerbate non-compliance with CDR data quality standards, but breaches like HSBC also bring reputational risk.

“The ACCC employs a risk-based approach to enforcement, prioritising situations with the potential to cause substantial harm to the CDR regime. Therefore, infringement notices are only considered in cases where the ACCC is likely to pursue court-based resolutions if recipients opt not to pay.”

HSBC cooperated with the investigations and paid the penalties, which is not an admission of a contravention of the CDR rules.

“We have been fully assisting the ACCC. We will continue to invest and enhance our CDR program,” an HSBC spokesperson told

CDR fines are based on penalty units, with a breach of the CDR rules set at 600 penalty units for a listed corporation and 60 penalty units for any other person.

Penalty units increased last July making the current fines $18,780 per infringement notice for unlisted corporations and $187,800 for listed corporations.

Dr Jevglevskaja said the penalties are only one way to encourage compliance.

“The irony lies in the fact that despite the myriad benefits offered by the CDR, many businesses, particularly data holders, fail to recognise and fully appreciate its value,” she said.

“Thus, the more challenging task at hand is to persuade them of the advantages provided by the regime and encourage them to capitalise on its benefits at the earliest opportunity, thus also eliminating the need for penalties.”

Do you know more? Contact James Riley via Email.

Leave a Comment