Bank of Queensland Ltd has paid a penalty of $133,200 after the ACCC issued it with an infringement notice for allegedly breaching the Consumer Data Right (CDR) Rules by failing to provide a service enabling consumers’ data to be shared.

The CDR is an economy-wide data sharing program that enables Australians to leverage the data businesses hold about them for their own benefit. The CDR was first rolled out to banking in July 2020 for the major banks, with all other banks required to share certain data by 1 July 2021.

The transfer of consumer data is at the direction of consumers.

Under the CDR rules, Bank of Queensland was required to be in a position to share data for financial products, including savings accounts, term deposits and credit cards, by 1 July 2021.

The ACCC alleges that Bank of Queensland did not meet this obligation on 1 July 2021 as required.

Bank of Queensland did not make the required services available until 13 December 2021, which meant that the bank’s customers were unable to share their CDR data for more than five months after the date by which this service was required to be available to them.

“Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer,” ACCC Commissioner Peter Crone said.

“For the CDR to work effectively for consumers, participants including all banks must meet their data sharing obligations within the timeframes set by the regulations” he said.

“In the current environment of rising interest rates, consumers benefit from greater access to information and tools to help them compare products and make informed decisions about switching banks, and the CDR assists this” Mr Crone said.

The ACCC closely monitors compliance with CDR obligations and provides support for participants to assist them in preparing for and entering the CDR program.

“As it is rolled out, the CDR will increase consumer choice and promote the innovation needed to improve competition in financial services and other areas. It will play a central role in enhancing productivity,” Mr Crone said.

If CDR participants do not comply with their obligations, the ACCC will consider taking enforcement action in line with the CDR Compliance and Enforcement Policy. This can include administrative outcomes, enforceable undertakings, infringement notices, suspension or revocation of accreditation, or commencing court proceedings.

This is the first infringement notice the ACCC has issued for an alleged breach of the CDR Rules.

A number of banks were delayed in implementing their CDR solutions, in part due to issues related to the COVID-19 pandemic and a shortage of skilled IT resources. In deciding to issue an infringement notice to Bank of Queensland, the ACCC took into account a number of factors, including the period of alleged non-compliance, the number of customers potentially impacted, the resourcing constraints Bank of Queensland faced in developing its CDR infrastructure and the steps it took to limit the duration of its non-compliance.

Note to editors

The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR Rules. The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions in the CDR Rules.


CDR gives consumers the right to safely access data about them, held by data holders, and direct this information to be transferred to accredited third parties, potentially to access new products and services, including better deals on everyday products and services.

CDR is an economy-wide reform that will be rolled out sector by sector. CDR has already been rolled out to banking. For banking, all Authorised Deposit-taking Institutions (ADIs) are designated data holders with obligations to share data through CDR. The energy sector is set to commence sharing product (general) information in October this year, and to commence sharing consumer data from 15 November this year.

CDR is designed and overseen by the Australian Government and independent regulators to ensure it is safe and secure for consumers. The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations.