BOQ found in breach of CDR rules for nearly half a year

BOQ Consumer Data Right

The Bank of Queensland (BOQ) has paid out a more than $130,000 fine to Australia’s competition watchdog after it allegedly failed to meet a key obligation of the Consumer Data Right (CDR) regime for nearly five months.

Under CDR rules, BOQ was – alongside other non-major banking institutions in Australia – required to be ready to share data, at the discretion of consumers, for financial products, including savings accounts, term deposits and credit cards by 1 July 2021.

The Australian Competition and Consumer Commission (ACCC) contends that BOQ failed to meet this obligation by the required date, and only did five months after the set deadline – on 13 December 2021.

While the big four banks were required to be CDR-ready by July 2020, the scheme’s official launch date, non-major banks were given another year to meet the consumer data-sharing scheme’s regulatory and technical requirements.

According to the consumer watchdog, which co-regulates the CDR scheme, this is the first infringement notice issued by it for an alleged breach of CDR rules.

“Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer,” said ACCC Commissioner Peter Crone.

“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations,” Crone added.

BOQ was, according to the ACCC, not the only bank to miss its CDR deadline, with the competition regulator conceding that a number of institutions were delayed due to Covid-related resourcing issues and a shortage of skilled IT resources.

However, the magnitude of BOQ’s alleged breach stood out to the ACCC, with the competition regulator taking into account the bank’s “period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints… faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance”.

The ACCC clarified: “The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR Rules. The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions in the CDR Rules.”

While BOQ has yet to issue a statement on the matter, the ACCC confirmed the bank paid a total penalty of $133,200 for the alleged breach.

As of February this year, banking and lending institutions have entered the third and final phase of the consumer data-sharing scheme, currently requiring them to share information on overdrafts and business finance with registered data recipients. Phase 3 will also extend to the provision of data on investment loans, lines of credit (personal and business), asset finance, cash management accounts, pensioner deeming accounts, retirement savings accounts, and foreign currency accounts, among others.

As of today, 76 organisations are registered as accredited data holders within the scheme, while 32 organisations hold data recipient status (those that are eligible to receive data from holders). While now a registered data holder, BOQ is yet to receive accreditation as a data recipient.

Phase One of the CDR (launched for non-major authorised deposit-taking institutions in October 2020) included data on savings, chequing, debit and credit accounts, among others, while Phase Two obligated the sharing of mortgage and personal loans data.

From 1 November 2022, non-major ADIs (and major ADIs in relation to their non-primary brands) must commence CDR functionality for non-individuals, partnerships, nominated representatives and secondary users.

The CDR, unofficially known as Open Banking in its initial three-phase, ADI-restricted rollout, is set to be expanded this year to the energy sector, with energy providers to commence the sharing of product reference data from October this year.

By November 2022, consumer data-sharing commences for customer data held by the Australian Energy Market Operator, AGL Energy Group, Origin Energy Group and Energy Australia Group.