ING Bank (Australia) Limited has paid penalties totalling $53,280 for allegedly failing to comply with Consumer Data Right (CDR) Rules and making a false or misleading representation to consumers, after the ACCC issued it with four infringement notices.

The ACCC alleges that ING Bank missed three important legislated deadlines and made a misleading statement to consumers on its website about the reliability and security of its CDR service.

The CDR is an economy-wide data sharing program that enables Australians to leverage the data businesses hold about them for their own benefit. It has commenced in the banking and energy sectors. 

The transfer of consumer data is at the direction of consumers.

Under the CDR Rules, ING was required to be in a position to share data for certain financial products by specific deadlines. This included data relating to residential home loans by 1 November 2021, and data relating to joint accounts by 1 October 2022.

The ACCC alleges that ING Bank did not meet all of these obligations as required. This meant ING Bank was not able to facilitate certain consumer data sharing, as it was not capable of receiving consumer data requests from accredited data recipients acting on behalf of consumers.

The ACCC alleges that by failing to meet its obligations, ING potentially denied its customers the full benefits of being able to use the CDR program. 

“Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn can use that data to create better customised products and services for the consumer,” ACCC Commissioner Peter Crone said.

“Unlike customers of most other banks, many ING customers were not able to fully benefit from the services of accredited businesses using their CDR data.”

“Allowing consumers to share CDR data relevant to these services, including those relating to financial management and comparison tools, is important, especially given current cost of living pressures and rising interest rates,” Mr Crone said.

“All data holders are reminded that failure to comply with the CDR Rules will result in scrutiny by the ACCC and may result in enforcement action, with potentially serious consequences including infringement notices or court proceedings.”

The ACCC also alleged that ING Bank breached the Australian Consumer Law by making a false or misleading representation on its website. Between 28 October 2021 and 2 February 2022, ING Bank represented its accredited person request service had been operational since 1 July 2021 and was therefore a reliable and secure system for customers to use to share data, when this was not the case.

“All CDR participants are warned that any claims about the CDR must be accurate and able to be substantiated, or they risk breaching the Australian Consumer Law, which can attract significant penalties if the ACCC commences court proceedings,” Mr Crone said.

ING Bank removed the allegedly false or misleading representation from its website after the ACCC raised its concerns.

Note to editors

The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR Rules or Competition and Consumer Act 2010.

The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR Rules or the Australian Consumer Law.

More information on the obligations data holders must comply with is in Compliance guide for data holders - banking sector.

The penalty amount in each infringement notice under the Australian Consumer Law is fixed at $13,320 for an unlisted corporation or $133,200 for a listed corporation.

ING Bank is not a listed corporation in Australia.


From July 2021, ING Bank and all other non-major authorised deposit-taking institutions (ADIs) were obligated under the CDR Rules to enable certain types of data sharing by specific dates. These include:

  1. Consumer data relating to phase 1 products (by 1 July 2021) including savings accounts, term deposits, transaction accounts and credit cards.
  2. Consumer data relating to phase 2 products (by 1 November 2021) including residential home loans, home loans for an investment property and personal loans.
  3. ‘Certain other data’ about phase 1 products (by 1 November 2021) including data that relates to direct debits or scheduled payments and “get account detail” data (i.e. detailed information on specific accounts, such as lending rates, deposit rates or fees).
  4. Consumer data in respect of joint accounts (by 1 October 2022).

ING Bank’s alleged breaches of the CDR Rules are below:

  • ING Bank did not enable consumer data sharing for phase 2 products, which was supposed to occur on 1 November 2021, until 30 September 2022.
  • ING Bank did not enable sharing of ‘certain other data’ about phase 1 products that relates to direct debits or scheduled payments from 1 November 2021 to 10 August 2022; and “get account detail” data from 1 November 2021 to the present.
  • ING Bank has to date not made the sharing of joint account data available, even though the CDR Rules have required it to do so by 1 October 2022.

CDR gives consumers the right to safely access data about them, held by data holders, and direct this information to be transferred to accredited third parties, potentially to access new products and services, including better deals on everyday products and services.

CDR is an economy-wide program that is being rolled out sector by sector. CDR has already been rolled out to banking and energy. For banking, all ADIs are designated data holders with obligations to share data through CDR.

CDR is designed and overseen by the Australian Government and independent regulators to ensure it is safe and secure for consumers. The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations.