National Australia Bank fined $751,200 for breaches of the Consumer Data Right Rules
June 24, 2025
The Australian Competition and Consumer Commission has fined the National Australia Bank (“NAB”) $751,200 for breaches of the Consumer Data Right Rules. The Rules are relatively recent legislative provisions designed to provide a secure, safe and easy-to-use means of sharing data with an accredited provider via the Consumer Data Right. Under the CDR Rules, data should be securely transferred from an existing provider.
The ACCC media release provides:
National Australia Bank Limited (NAB) has paid penalties totalling $751,200 after the ACCC issued it with four infringement notices for alleged contraventions of the Consumer Data Right (CDR) Rules.
The infringement notices relate to alleged failures by NAB to disclose, or accurately disclose, credit limit data in response to four separate requests made by different CDR accredited providers on behalf of consumers.
The CDR is an economy-wide data sharing program that empowers Australians to leverage the data businesses hold about them for their own benefit.
For the CDR to be effective it is critical that the data which a consumer has consented to be shared is accurate, up-to-date, complete and in the required format.
“Poor data quality prevents consumers from experiencing the full benefits of the CDR. When banks or energy retailers don’t provide accurate data, consumers can’t take advantage of CDR products and services to compare products, find better deals, manage their finances or make informed decisions about product switching,” ACCC Deputy Chair Catriona Lowe said.
In this case, a failure to provide accurate information in relation to credit card limits impacted the service a number of fintechs provided to consumers, including some fintechs who offer mortgage broking tools using CDR data. These tools are designed to provide consumers with faster, simpler and more secure loan applications which better leverage their own data.
NAB’s payment of these penalties is the highest amount paid for alleged contraventions of the CDR Rules to date. NAB cooperated with the ACCC’s investigation and has rectified the data quality issues identified.
Data holders in the banking sector have had several years to understand and implement their CDR obligations. As the CDR continues to mature, data quality within the CDR remains a priority conduct area for the ACCC. In the second half of 2024, CDR participants reported to the ACCC that over 530,000 consumers successfully used CDR products and services across the banking and energy sectors, representing an increase of 135 per cent from the previous six months. During the same period, approximately 582 million consumer data requests were made.
“All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action,” Ms Lowe said.
The fine has been reported widely, including by 9News, Reuters, Cyber Daily, InnovationAus and The Adviser.
The Adviser’s article states:
National Australia Bank (NAB) has paid a record $751,200 in penalties for alleged breaches of Consumer Data Right (CDR) rules after the major bank received four infringement notices from the Australian Competition and Consumer Commission (ACCC).
As part of the CDR, participating lenders are required to ensure that the data consumers have consented to be shared is kept “accurate, up-to-date, complete and in the required format”.
However, the regulator alleges NAB failed to “disclose, or accurately disclose” credit limit data in response to four separate requests made by different CDR-accredited providers on behalf of consumers.
These alleged failures reportedly impacted the service of several undisclosed fintechs, according to the ACCC, including “some fintechs who offer mortgage broking tools using CDR data”.
The ACCC also noted NAB’s penalties are the highest amount paid for alleged contraventions of CDR rules to date.
ACCC deputy chair Catriona Lowe said poor data quality prevented consumers from realising the full benefits of the CDR.
“When banks or energy retailers don’t provide accurate data, consumers can’t take advantage of CDR products and services to compare products, find better deals, manage their finances or make informed decisions about product switching,” Lowe said.
NAB responds
The consumer regulator said the major bank had fully co-operated with its investigation and has since made efforts to rectify data quality issues identified.
Speaking to The Adviser, Sujeet Rana, NAB chief digital officer, said: “NAB has long been an active participant in the consultation and development of the Consumer Data Right (CDR), including as an accredited data recipient. We see CDR as a safe and secure way that consumers can share their data with accredited recipients and we continue to explore new use cases that can help to deliver better experiences for customers.
“NAB has made a significant investment to deliver the complex CDR requirements as well as investing resources to develop our capabilities to deliver new innovations.
“We have fully cooperated with the ACCC’s review and have resolved the data quality error identified. We appreciate and recognise the importance of ensuring we are meeting the standards necessary and expected under the regulations.”
Ongoing evolution
The data sharing program continues to evolve.
In the second half of 2024, CDR participants reported that more than 530,000 consumers had successfully used CDR products and services across the banking and energy sectors, according to the ACCC.
Earlier this year, the Albanese government also confirmed the future trajectory of the scheme, with a range of changes, including expanding to non-bank lenders and reducing the period for which data must be held and shared.
However, with this focus comes scrutiny and the ACCC said participating lenders have had several years to understand their obligations.
“All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action,” Lowe said.