Bank of Queensland pays penalty for CDR breach

The Bank of Queensland (BoQ) has paid a $133,2000 penalty after the Australian Competition and Consumer Commission (ACCC) issued the bank with an infringement for allegedly breaching the Consumer Data Right (CDR) rules by failing to provide a service enabling consumers’ data to be shared.

The CDR is an economy-wide data sharing program that enables Australians to leverage the data businesses hold about them for their own benefit. The CDR was first rolled out to banking in July 2020 for the major banks, with all other banks required to share certain data by 1 July 2021.

This is the first infringement notice the ACCC has issued for an alleged breach of the CDR rules.

Under the CDR rules, BoQ was required to be in a position to share data for financial products, including savings accounts, term deposits and credit cards, by 1 July 2021.

The ACCC alleges that Bank of Queensland did not meet this obligation on 1 July 2021 as required.

Bank of Queensland did not make the required services available until 13 December 2021, which meant that the bank’s customers were unable to share their CDR data for more than five months after the date by which this service was required to be available to them.

Peter Crone, ACCC Commissioner said, “Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer.

“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations.”

Crone said in the current environment of rising interest rates, consumers benefit from greater access to information and tools to help them compare products and make informed decisions about switching banks, and the CDR assists this.

The ACCC closely monitors compliance with CDR obligations and provides support for participants to assist them in preparing for and entering the CDR program.

Crone said, “As it is rolled out, the CDR will increase consumer choice and promote the innovation needed to improve competition in financial services and other areas. It will play a central role in enhancing productivity.”

If CDR participants do not comply with their obligations, the ACCC will consider taking enforcement action in line with the CDR Compliance and Enforcement Policy. This can include administrative outcomes, enforceable undertakings, infringement notices, suspension or revocation of accreditation, or commencing court proceedings.

A number of banks were delayed in implementing their CDR solutions, in part due to issues related to the COVID-19 pandemic and a shortage of skilled IT resources.

In deciding to issue an infringement notice to Bank of Queensland, the ACCC took into account a number of factors, including the period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints Bank of Queensland faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance.