HSBC Bank Australia Limited (HSBC) has paid penalties totalling $33,000 after the ACCC issued it with two infringement notices for alleged contraventions of the Consumer Data Right (CDR) rules.

The infringement notices related to alleged failures by HSBC to disclose complete mortgage interest rate details and accurate credit card balances in response to separate requests for this data made via the CDR. 

The ACCC investigated allegations that, from at least 20 February 2023 to 25 April 2023, HSBC failed to accurately disclose its fixed rate home loan interest rates, requested via the CDR. Some of the product data HSBC disclosed for its fixed rate home loan products did not include the corresponding featured interest rates advertised on its website.

“If accurate home loan rates are not provided, product data users, such as comparator sites and brokers, are unable to present accurate comparisons of home loan products to consumers. This has the potential to lead to consumers making decisions based on incorrect information about home loan interest rates on offer,” ACCC Commissioner Peter Crone said.

The ACCC also investigated allegations that, from at least 9 January 2023 to 27 May 2023, HSBC failed to accurately disclose credit card account balance data after receiving consumer data requests.

“For the CDR to be effective, it is critical that CDR data is of high quality. This means that product data and consumer data – which a consumer has consented to share - must be accurate, up-to-date, complete, and in the required format,” Mr Crone said. 

“The value of CDR and the importance of data quality is particularly relevant in the current economic climate where Australians are increasingly concerned with cost-of-living pressures and mortgage interest rates."

“Through the CDR, consumers can access information and tools using their own data, that help them compare products, manage their personal finances, and make informed decisions about switching,” Mr Crone said.

“Data quality within the CDR is a priority conduct area for the ACCC. All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action, with potentially serious consequences.” 

HSBC cooperated with the ACCC’s investigation and has taken steps to improve its CDR compliance, including by rectifying data quality issues identified by the ACCC in its investigation.

Note to editors

The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR rules.

The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR rules.

More information on the obligations data holders must comply with is in Compliance guide for data holders - banking sector.

At the time of the alleged conduct the penalty amount for each infringement notice was fixed at $16,500 for an unlisted corporation or $165,000 for a listed corporation. HSBC is not a listed corporation in Australia.


CDR is an economy-wide program that is being rolled out sector by sector. CDR has already been rolled out to banking and energy.

The CDR allows consumers to safely and conveniently elect to share data about them, held by data holders, with accredited providers. The CDR aims to make it easier for consumers to compare products and services, access better value and improved services, and assist financial management. Allowing consumers to share their data with accredited providers of their choice leads to increased competition and drives innovation across the economy.

CDR is designed and overseen by the Australian Government to ensure it is safe and secure for consumers. The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring accredited providers and data holders comply with their CDR obligations.