Commonwealth Bank (CBA) has paid penalties totalling $792,000 after the ACCC issued four infringement notices for alleged breaches of the Consumer Data Right (CDR) rules.
ACCC alleges CBA failed to enable data sharing for certain business and partnership accounts, preventing affected customers from using CDR‑enabled products and services such as business accounting tools. Some customers had to rely on manual workarounds or less secure data‑sharing methods.
“This is the highest total penalty to date for an alleged breach of the CDR rules,” ACCC deputy chair Catriona Lowe said in a media release.
“We will continue to focus our compliance and enforcement efforts to enable the benefits the CDR system delivers for consumers including more choice and greater access to better deals on products and services.”
Lowe said CDR is delivering clear benefits, particularly for business owners.
“In the first half of 2025, the number of CDR participants increased by 55% from the previous six months, and we expect this number to continue to grow as the CDR expands to the non-bank lending sector from mid-2026,” she said.
“Banks have now had a few years to understand and implement their CDR obligations,” Lowe said.
“This penalty against CBA should serve as a reminder to all CDR participants that failing to comply with the Rules may result in the ACCC taking enforcement action.”
ACCC notes that paying an infringement notice penalty is not an admission of a contravention, but it can issue such notices where it has reasonable grounds to believe the CDR rules have been breached.
ACCC alleges CBA failed to provide an accredited person request service that enabled consumer data sharing for non‑individuals whose customer profiles were set up with a trading entity business name (TEBN) in the account holder field. This prevented accredited data recipients from requesting data on behalf of these customers.
As a result, affected consumers were unable to fully utilise the CDR to share their data, limiting accredited recipients’ ability to deliver products and services using CDR data and restraining the growth of the regime.
The infringement notices relate to CBA’s alleged failure to enable consumer data sharing for four separate consumers whose profiles were set up with a TEBN.
CBA has entered an administrative resolution with the ACCC over alleged Consumer Data Right breaches, paying $792,000 in penalties and committing to a remediation program.
“CBA identified and voluntarily reported this issue to the ACCC and has cooperated with the ACCC’s investigation," the bank said in a media release.
“The investigation related to a failure to enable a subset of CBA accounts for data sharing. When CBA enabled data sharing for business accounts via the CDR in November 2021, some account types were not enabled. As a result, some customers may have been unable to share certain data with accredited recipients, and their providers.
“CBA accepts the findings of the ACCC’s investigation into CBA’s compliance with its CDR obligations, and we apologise to our customers affected by this issue.”
As part of the resolution, CBA has committed to:
ACCC said the remediation package will include goodwill payments for eligible business customers, with additional compensation available for those able to demonstrate further financial or non-financial loss.
CBA said it will contact customers who tried but were unable to share their data, advising them of potential eligibility for remediation from the week commencing 19 January 2026 and providing further details about the program on its website.
“CBA is continuing to review and strengthen its systems, processes, and controls to support ongoing compliance with its CDR obligations,” the big bank said.
Affected customers and accredited data recipients will be able to find further information in the Open Banking section of CBA’s website.
Get the hottest and freshest mortgage news delivered right into your inbox. Subscribe now to our FREE daily newsletter.
