Fintech giant Tyro Payments has pledged to agree with all recommendations from an independent review in its policies after it was found to have breach Australian laws by sending 150,000 spam messages with no unsubscribe option.

Tyro was founded in 2013 and is an EFTPOS provider for all banks except for the big four, and is an Australian bank operating under the Australian Prudential Regulation Authority (APRA). It is now a publicly-listed tech firm in Australia.

This year and last year, Tyro sent 150,000 emails and SMS messages to consumers that did not include an unsubscribe function, putting them in breach of the Spam Act, according to the Australian Communications and Media Authority (ACMA).

“The Spam Act has been in place for 17 years and provides important protections to consumers,” ACMA deputy chair Creina Chapman said.

“Australians should not receive marketing messages they haven’t consented to, and they must be able to easily withdraw their consent when they choose.”

Tyro was alerted to the potential compliance issues by ACMA, and then self-reported the breach.

It has now entered into a two-year court enforceable undertaking with ACMA which will see it have its policies, procedures and systems independently reviewed, with a commitment to implement the recommendations arising from this review.

Tyro will also provide training to its staff and report any further instances of non-compliance to the watchdog as part of the undertaking.

“We appreciate that Tyro has come to us with these commitments,” Chapman said. “Although it’s clear that its practices and systems were not adequate to comply with the spam laws, its actions since receiving our alert are appropriate to address the issues.

“However, the ACMA will not hesitate to pursue more serious enforcement action, including financial penalties, in appropriate cases.

“We will also be actively monitoring Tyro’s compliance with the spam laws and its commitments.”

If Tyro does breach the undertaking, ACMA can then apply to Federal Court to have it enforced, with the court also able to order payment of any benefit obtained through the breach to be made to the Commonwealth and as compensation to those impacted.

This should put all Australian fintech firms on notice that they must comply with Australia’s unsolicited communications laws, Chapman said.

Unlawful financial services marketing, through SMS, email or phone, is now a compliance priority for ACMA due to the potential for serious harm.

The body is undertaking a range of compliance activities, including alerting companies that they may be in breach of the law.

In the last year, businesses have paid over $1,726,200 for ACMA-issued infringement notices for breaking Australian spam and telemarketing laws.

The agency has also accepted six court-enforceable undertakings and dished out six formal warnings in this time.