Customers were unable to share their data to access consumer data-enabled products and services, such as for business accounting, and were forced to use manual workarounds or resort to less secure data-sharing methods, the Australian Competition and Consumer Commission found.
Consumer data right reforms allow Australians to securely transfer personal data held by companies to trusted third parties.
"This is the highest total penalty to date for an alleged breach of the ... rules," commission deputy chair Catriona Lowe said on Tuesday.
The fine narrowly pipped National Australia Bank's previous penalty record of $751,200 for alleged breaches of data quality rules.
"We will continue to focus our compliance and enforcement efforts to enable the benefits the Consumer data right system delivers for consumers, including more choice and greater access to better deals on products and services," Ms Lowe said.
Consumer data right reforms rolled out in the banking sector in 2020, followed by the energy sector in 2022, with non-bank lenders to follow from mid-2026.
"Banks have now had a few years to understand and implement their ... obligations," Ms Lowe said.
"This penalty against CBA should serve as a reminder to all ... participants that failing to comply with the rules may result in the ACCC taking enforcement action."
Commonwealth Bank identified the issue and voluntarily reported it to the commission.
The watchdog noted it had received complaints from customers struggling to access consumer data right tools.
The failure came after the bank enabled data sharing for business accounts in 2021, but certain account types slipped through the cracks.
"CBA accepts the findings of the ACCC's investigation into CBA's compliance with its ... obligations, and we apologise to our customers affected by this issue," a bank spokesman said in a statement.
"CBA will be contacting customers who attempted to share their data but were unable to do so, to let those customers know that they may be eligible to participate in a remediation."
The bank continued to review and strengthen systems, processes and controls to support its ongoing compliance with consumer data right rules, the spokesman said.