ING Bank has received a slap on the wrist from the ACCC after the regulator found the bank had failed to meet its obligations to consumers under Consumer Data Right (CDR) legislation that requires banks to give consumers access to their data when they request.
CDR has been rolled out in stages and ING was required to be ready to share information about its products by fixed deadlines.
The bank missed three such deadlines, the ACCC has ruled, including the provision of residential home loan data by 1 November 2021 and joint account data by 1 October 2022.
By failing to meet these and other deadlines, ING was unable to meet its CDR obligations because it was unable to receive data requests from accredited data recipients (ADRs) who had been appointed by consumers to act on their behalf.
As a consequence, ING has paid penalties totalling $53,280 and suffered the ignominy of being called out in a press release by ACCC commissioner Peter Crone, who said that “unlike customers of most other banks, many ING customers were not able to fully benefit from the services of accredited businesses using their CDR data.”
CDR data can be used by financial management and service comparison tools to identify potential savings from competing financial products, and to facilitate the transition to new banking products or innovative fintech services.
“Allowing consumers to share CDR data relevant to these services, including those relating to financial management and comparison tools, is important,” Crone said, “especially given current cost of living pressures and rising interest rates.”
ING Bank had made false or misleading representations on its website, breaching Australian Consumer Law by suggesting on its website that its accredited person request service had been operational since 1 July 2021 “and was therefore,” the agency said, “a reliable and secure system for customers to use to share data, when this was not the case.”
“Any claims about the CDR must be accurate and able to be substantiated.”
Putting teeth behind CDR
Some 114 ‘data holder brands’ are now participating in the CDR, with data-sharing APIs invoked by member organisations around 1.2 million times per day and over 187.5 million times to date.
The scheme is currently being extended to utility companies, with telecommunications companies to follow soon after.
Yet for all the ACCC’s good intentions, the paltry fine levied on ING Bank – four violations at the legislated rate of $13,320 per violation – is a rounding error for the company, which posted a $549 million profit last year.
The fine is just half the penalty levied on the Bank of Queensland, which paid an ACCC penalty of $133,200 in July – equivalent to 10 violations – after the ACCC found that its failure to meet CDR implementation deadlines left consumers unable to share CDR data for five months after they should have been able to.
“For the CDR to work effectively for consumers,” Crone said at the time, “participants including all banks must meet their data sharing obligations within the timeframes set by the regulations.”
With the fines so low in banking terms, whether they change banks’ behaviour remains to be seen – especially given the not insignificant cost of implementing the security, data management, consumer interfaces, and other CDR compliance requirements.
For now, the fines are more of a gentle nudge to remind banks about CDR, than a genuine deterrent – although Crone warned that more flagrant violations can attract “significant penalties” if the ACCC successfully pursues court action.
The agency recently secured a $21 million verdict against Uber, a $60 million penalty of Google, and a $33.5 million fine against telecommunications companies Telstra, Optus, and TPG – reminding data holders, Crone said, that “failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action.”