NAB has been fined for alleged breaches of the Consumer Data Right (CDR) rules. The bank allegedly failed to disclose or accurately disclose credit limit information to CDR-accredited providers, affecting fintech firms offering mortgage broking tools. NAB cooperated with the investigation and has since corrected the issues. This is the largest penalty to date for alleged CDR rule breaches, and the ACCC warns that failure to comply with CDR rules will result in scrutiny and potential enforcement action.
National Australia Bank Limited (NAB) has paid penalties totalling $751,200 after the Australian Competition and Consumer Commission (ACCC) issued it with four infringement notices for alleged contraventions of the Consumer Data Right (CDR) Rules [1]. The infringement notices relate to alleged failures by NAB to disclose or accurately disclose credit limit data in response to four separate requests made by different CDR accredited providers on behalf of consumers.
The CDR is an economy-wide data sharing program that empowers Australians to leverage the data businesses hold about them for their own benefit. For the CDR to be effective, it is critical that the data which a consumer has consented to be shared is accurate, up-to-date, complete, and in the required format. Poor data quality prevents consumers from experiencing the full benefits of the CDR. When banks or energy retailers do not provide accurate data, consumers cannot take advantage of CDR products and services to compare products, find better deals, manage their finances, or make informed decisions about product switching [1].
In this case, a failure to provide accurate information in relation to credit card limits impacted the service that a number of fintech firms provided to consumers, including some fintechs who offer mortgage broking tools using CDR data. These tools are designed to provide consumers with faster, simpler, and more secure loan applications that better leverage their own data.
NAB's payment of these penalties is the highest amount paid for alleged contraventions of the CDR Rules to date. NAB cooperated with the ACCC's investigation and has rectified the data quality issues identified.
Data holders in the banking sector have had several years to understand and implement their CDR obligations. As the CDR continues to mature, data quality within the CDR remains a priority conduct area for the ACCC. In the second half of 2024, CDR participants reported to the ACCC that over 530,000 consumers successfully used CDR products and services across the banking and energy sectors, representing an increase of 135% from the previous six months. During the same period, approximately 582 million consumer data requests were made [1].
"All CDR participants are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action," ACCC Deputy Chair Catriona Lowe said [1].
The payment of a penalty specified in an infringement notice is not an admission of a contravention of the CDR rules. The ACCC can issue an infringement notice when it has reasonable grounds to believe a person or business has contravened certain provisions of the CDR rules [1].
The CDR gives consumers the right to safely transfer data about themselves from data holders to accredited persons, potentially to access new products and services, including better deals on everyday products and services [1]. The CDR is an economy-wide reform that is being rolled out sector by sector. The CDR has been rolled out to banking (from July 2020) and energy (from November 2022), with the non-bank lending sector to follow from mid-2026 [1].
The ACCC, together with its co-regulator, the Office of the Australian Information Commissioner, is responsible for ensuring CDR participants, including accredited providers and data holders, comply with their CDR obligations. The Treasury leads CDR policy, including the development of rules and advice to government on which sectors CDR should apply to in the future. Within Treasury, the Data Standards Body develops the standards that prescribe how data is shared under CDR [1].
References:
[1] https://www.miragenews.com/nab-fined-751k-for-alleged-consumer-data-1480696/