The major bank has paid penalties after the ACCC alleged it breached Consumer Data Right rules when it failed to enable data sharing for some business and partnership accounts.
The Commonwealth Bank of Australia paid $792,000 in penalties after the ACCC issued four infringement notices for alleged breaches of the Consumer Data Right Rules (CDR).
The ACCC alleged CBA did not comply with the rules by failing to enable data sharing for certain accounts held by business customers and partnerships. This meant affected consumers were unable to share their data to access CDR-enabled services used for functions such as business accounting.
The ACCC received complaints from customers who reported difficulties accessing CDR, with some forced to use manual workarounds or less secure methods of data sharing.
Under the CDR framework, the major banks have been required since November 2021 to enable data sharing for in-scope products for non-individual CDR consumers.
“This is the highest total penalty to date for an alleged breach of the CDR rules,” ACCC deputy chair Catriona Lowe said.
“We will continue to focus our compliance and enforcement efforts to enable the benefits the CDR system delivers for consumers including more choice and greater access to better deals on products and services.”
The ACCC said insufficient data quality and failures to meet compliance dates remain enforcement priorities.
The regulator highlighted that CDR offers benefits to business owners, including access to secure digital accounting tools and easier product comparisons that can help reduce operational costs.
“In the first half of 2025, the number of CDR participants increased by 55 per cent from the previous six months, and we expect this number to continue to grow as the CDR expands to the non-bank lending sector from mid-2026,” Lowe said.
Earlier this year, National Australia Bank (NAB) paid $751,200 in penalties for alleged contraventions of the CDR rules relating to data quality issues.
“Banks have now had a few years to understand and implement their CDR obligations,” Lowe said.
“This penalty against CBA should serve as a reminder to all CDR participants that failing to comply with the Rules may result in the ACCC taking enforcement action.”
CBA has agreed to provide remediation as part of an administrative resolution with the ACCC, including enabling data sharing for remaining Trading Entity Business Name accounts by 19 December 2025.
The remediation will include a goodwill payment to eligible affected business customers, along with additional payments to customers who can demonstrate further financial or non-financial loss.
The program will commence in the week of 19 January 2026, with CBA set to email affected customers and publish details on its website.
CBA said it voluntarily reported the issue to the ACCC and co-operated with the investigation.
It said the problem stemmed from certain business account types not being enabled for data sharing when CDR access was switched on in November 2021.
CBA said it accepted the ACCC’s findings and apologised to affected customers.
The bank will contact customers who attempted to share data but were unable to do so from the week commencing 19 January 2026.
CBA said it is continuing to review and strengthen its systems, processes and controls to support ongoing compliance with CDR obligations.
