Bank of Queensland fined $133,200 for breach of Consumer Data Rights Rules
July 13, 2022 |
The Australian Competition and Consumer Commission (ACCC) issued the Bank of Queensland with a penalty of the $133,200 for breaching the Consumer Data Right Rules in failing to have available a service to enable consumers to share their data. The breach was that the BOQ failed to meet its implementation deadline.The ACCC is a practiced litigant and active in enforcing legislation for which it is responsible. So while the breach is actual it relates to a technical breach rather than a breach resulting in material prejudice to any one consumer. The fine plus the publicity acts as a deterrent against others breaching the Rules.
The statement from the ACCC relevantly provides:
Bank of Queensland Ltd has paid a penalty of $133,200 after the ACCC issued it with an infringement notice for allegedly breaching the Consumer Data Right (CDR) Rules by failing to provide a service enabling consumers’ data to be shared.
The CDR is an economy-wide data sharing program that enables Australians to leverage the data businesses hold about them for their own benefit. The CDR was first rolled out to banking in July 2020 for the major banks, with all other banks required to share certain data by 1 July 2021.
The transfer of consumer data is at the direction of consumers.
Under the CDR rules, Bank of Queensland was required to be in a position to share data for financial products, including savings accounts, term deposits and credit cards, by 1 July 2021.
The ACCC alleges that Bank of Queensland did not meet this obligation on 1 July 2021 as required.
Bank of Queensland did not make the required services available until 13 December 2021, which meant that the bank’s customers were unable to share their CDR data for more than five months after the date by which this service was required to be available to them.
“Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer,” ACCC Commissioner Peter Crone said.
“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations” he said.
“In the current environment of rising interest rates, consumers benefit from greater access to information and tools to help them compare products and make informed decisions about switching banks, and the CDR assists this” Mr Crone said.
The ACCC closely monitors compliance with CDR obligations and provides support for participants to assist them in preparing for and entering the CDR program.
“As it is rolled out, the CDR will increase consumer choice and promote the innovation needed to improve competition in financial services and other areas. It will play a central role in enhancing productivity,” Mr Crone said.
If CDR participants do not comply with their obligations, the ACCC will consider taking enforcement action in line with the CDR Compliance and Enforcement Policy. This can include administrative outcomes, enforceable undertakings, infringement notices, suspension or revocation of accreditation, or commencing court proceedings.
This is the first infringement notice the ACCC has issued for an alleged breach of the CDR Rules.
A number of banks were delayed in implementing their CDR solutions, in part due to issues related to the COVID-19 pandemic and a shortage of skilled IT resources. In deciding to issue an infringement notice to Bank of Queensland, the ACCC took into account a number of factors, including the period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints Bank of Queensland faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance.
………
Background
CDR gives consumers the right to safely access data about them, held by data holders, and direct this information to be transferred to accredited third parties, potentially to access new products and services, including better deals on everyday products and services.
CDR is an economy-wide reform that will be rolled out sector by sector. CDR has already been rolled out to banking. For banking, all Authorised Deposit-taking Institutions (ADIs) are designated data holders with obligations to share data through CDR. The energy sector is set to commence sharing product (general) information in October this year, and to commence sharing consumer data from 15 November this year.
CDR is designed and overseen by the Australian Government and independent regulators to ensure it is safe and secure for consumers. The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations.
The story has been picked up by itnews with Bank of Queensland pays first ACCC open banking fine. It has also been picked up with a tutt tutting piece in the Australian Financial Review.
The itnews article provides:
Missed last year’s implementation deadline.
A missed deadline has cost the Bank of Queensland $133,200, after it failed to meet the Australian Competition and Consumer Commission’s 1 July 2021 start date for Consumer Data Right (CDR) data availability.
The ACCC issued the notice against the bank last week, and today announced the fine had been paid.
It was the first CDR rules infringement notice the ACCC issued.
The bank wasn’t able to share financial product data like savings accounts, term deposits, and credit cards until 13 December 2021.
The ACCC said this meant “the bank’s customers were unable to share their CDR data for more than five months after the date by which this service was required to be available to them.”
“Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer,” ACCC commissioner Peter Crone said.
“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations.”
BoQ wasn’t the only bank to miss the deadline, with the Covid-19 pandemic and a shortage of IT skills causing delays among a number of banks.
In deciding to fine the bank, the regulator says it “took into account a number of factors, including the period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints BoQ faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance.”
iTnews has asked BoQ for comment.