iscover
iscover 
NAB paid a total of $751,000 after the commission issued four infringement notices. This is reportedly the largest penalty paid for alleged CDR breaches.
The major bank is co-operating with the investigation and has since resolved the issue.
The ACCC alleged NAB failed to accurately disclose credit limit data in response to four separate requests made by different CDR-accredited providers on behalf of consumers.
In this instance, inaccurate information regarding credit card limits affected the services provided by several fintechs to consumers.
“Poor data quality prevents consumers from experiencing the full benefits of the CDR,” said ACCC deputy chair Catriona Lowe.
“When banks or energy retailers don’t provide accurate data, consumers can’t take advantage of CDR products and services to compare products, find better deals, manage their finances or make informed decisions about product switching.
“All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action.”
NAB reached out to Broker Daily to provide some clarity on the issue.
“NAB has long been an active participant in the consultation and development of the CDR, including as an accredited data recipient. We see CDR as a safe and secure way that consumers can share their data with accredited recipients and we continue to explore new use cases that can help to deliver better experiences for customers," said NAB chief digital officer Sujeet Rana.
“NAB has made a significant investment to deliver the complex CDR requirements as well as investing resources to develop our capabilities to deliver new innovations."
“We have fully cooperated with the ACCC’s review and have resolved the data quality error identified. We appreciate and recognise the importance of ensuring we are meeting the standards necessary and expected under the regulations," said Rana.
NAB has become one of just a few lenders to be hit with penalties following CDR regulation.
ACCC hit BOQ with a penalty of $133,200 in July 2022 by failing to provide a service enabling consumers’ data to be shared.
Then, in December 2022, ING Bank paid $53,280 in penalties for failing to comply with CDR rules and making a false or misleading representation to consumers.
Then, in April last year, HSBC was issued a $33,000 penalty for two infringements after failing to disclose complete mortgage interest rate details and accurate credit card balances in response to separate requests for this data made via the CDR.
More lenders are now required to be compliant with CDR obligations as the system was expanded to non-banks in March of this year.
Lenders have been urged to be aware of the relatively new responsibilities to avoid being caught off guard.
In May, Regional Australia Bank (RAB) was found to have breached CDR obligations even though it had outsourced software.
Privacy commissioner Carly Kind said RAB’s recent incident saw the CDR data of 197 consumers “co-mingled”, which created a risk of “inaccurate information to other participants in the CDR ecosystem about an affected consumer.”
“Under Privacy Safeguard 11, data holders need to ensure the accuracy of the information they disclose, either personally or through a third-party service provider,” said Kind.
“While I found RAB took reasonable steps to comply with both privacy safeguards, Biza did not.”
[Related: Outsourcing doesn’t absolve CDR liability, OAIC warns]
