National Australia Bank (NAB) has paid $751,200 in penalties after the Australian Competition and Consumer Commission (ACCC) issued four infringement notices for alleged breaches of the Consumer Data Right (CDR) rules.
The alleged breaches relate to failures in disclosing or accurately disclosing credit limit data in response to four separate requests made by CDR-accredited providers on behalf of consumers.
The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR rules. The ACCC may issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR rules.
At the time of the alleged conduct, the penalty amount for each infringement notice was fixed at $187,800 for a listed corporation. Since Nov. 7, 2024, this amount has increased to $198,000 per notice.
The CDR framework allows consumers to securely access and share their data in order to obtain more competitive products and services in banking, energy, and other sectors.
“For the CDR to be effective it is critical that the data which a consumer has consented to be shared is accurate, up-to-date, complete and in the required format,” said ACCC Deputy Chair Catriona Lowe.
The data issues identified impacted fintech services, including mortgage broking tools that rely on CDR data for faster, simpler, and more secure loan applications.
“Poor data quality prevents consumers from experiencing the full benefits of the CDR,” Lowe said. “When banks or energy retailers don’t provide accurate data, consumers can’t take advantage of CDR products and services to compare products, find better deals, manage their finances or make informed decisions about product switching.
“In this case, a failure to provide accurate information in relation to credit card limits impacted the service a number of fintechs provided to consumers, including some fintechs who offer mortgage broking tools using CDR data.”
The CDR is a national data-sharing framework introduced in banking in 2020 and extended to the energy sector in 2022. The non-bank lending sector is expected to follow in mid-2026.
It allows consumers to direct data holders to share their data with accredited providers—businesses that must meet strict accreditation criteria governed by the ACCC and other regulators.
The Treasury leads the development of CDR rules, while the Data Standards Body sets the technical standards for secure data transfer.
In the second half of 2024, over 530,000 consumers used CDR products across the banking and energy sectors—a 135% increase from the previous six months. Around 582 million consumer data requests were made during the same period.
“All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action,” Lowe said.