ING pays over $53k for alleged CDR failures

The payment comes after the Australian Competition and Consumer Commission (ACCC) had issued the bank with four infringement notices in relation to the open banking regime and its associated CDR rules.

Under the CDR rules, ING was required to be in a position to be able to share data for certain financial products by specific deadlines. 

For example, banks have been obligated to share consumer data for bank accounts by 1 July (phase one products); for mortgages and personal loans by 1 November (phase two products); and for other data (including data that relates to direct debits or scheduled payments and “get account detail” data) by 1 November, too.

However, the competition watchdog alleges that ING Bank did not meet all of these obligations as required. 

It alleges that ING Bank missed three legislated deadlines and made a misleading statement to consumers on its website about the reliability and security of its CDR service.

The ACCC has alleged that ING:

• Did not enable consumer data sharing for phase two products, which was supposed to occur on 1 November 2021, until 30 September 2022;
• Did not enable sharing of “certain other data” about phase one products that relates to direct debits or scheduled payments from 1 November 2021 to 10 August 2022; and “get account detail” data from 1 November 2021 to the present;
• Has not made the sharing of joint account data available, even though the CDR rules have required it to do so by 1 October 2022.

This meant ING Bank was not able to facilitate certain consumer data sharing, as it was incapable of receiving consumer data requests from accredited data recipients acting on behalf of consumers.

Moreover, the ACCC also alleged that ING Bank breached the Australian Consumer Law by making a false or misleading representation on its website. 

It alleged that between 28 October 2021 and 2 February 2022, ING represented its accredited person request service had been operational since 1 July 2021 (and was therefore a reliable and secure system for customers to use to share data), when this was not the case.

However, ING Bank removed the allegedly false or misleading representation from its website after the ACCC raised its concerns.

The bank has now paid $13,320 for each alleged infringement (totalling $53,280), however, the payment of the infringement notice penalties does not act as an admission of guilt.

Responding after the penalty was paid, an ING spokesperson said: “At ING, we are committed to building a safe and secure open banking experience for our customers.

“We started our open banking journey in 2019 and have approached the delivery of this program with the best of intentions for Australian bank customers. In fact, we were the first non-major bank to release our product reference data to developers for open banking.

“However, in more recent times, our delivery commitments were delayed mostly due to an unforeseen technical compatibility issue that became apparent as the open banking regime requirements evolved. This issue has now been resolved.

“While we accept and have paid the fine, not resolving the compatibility issue would have jeopardised our ability to transfer customer data to the open banking ecosystem in a safe and secure manner. This is not something we were prepared to compromise on, even if it meant falling behind on delivery timelines,” the spokesperson continued.

“ING’s commitment to open banking remains a key priority for the organisation. We will continue to cooperate with the ACCC and we have a plan in place to deliver the remaining open banking functionality in 2023.”

‘Failure to comply with the CDR rules will result in scrutiny’

The commission stated that by failing to meet its obligations, ING potentially denied its customers the full benefits of being able to use the CDR program. 

ACCC Commissioner Peter Crone commented: “Under the CDR, consumers have a right to safely and securely share certain data with accredited providers, including fintech firms and other third parties, who in turn, can use that data to create better customised products and services for the consumer.

“Unlike customers of most other banks, many ING customers were not able to fully benefit from the services of accredited businesses using their CDR data.

He continued: “Allowing consumers to share CDR data relevant to these services, including those relating to financial management and comparison tools, is important, especially given current cost of living pressures and rising interest rates.

“All data holders are reminded that failure to comply with the CDR rules will result in scrutiny by the ACCC and may result in enforcement action, with potentially serious consequences including infringement notices or court proceedings.”

The commissioner warned all CDR participants that “any claims about the CDR must be accurate and able to be substantiated”, or they risk breaching the Australian Consumer Law, which can attract “significant penalties if the ACCC commences court proceedings”, he cautioned.

ING is not the first bank to be issued with penalties relating to alleged non-compliance with CDR rules.

In July, the Bank of Queensland paid a penalty of $133,200 for allegedly breaching the CDR rules by failing to provide a service enabling consumers’ data to be shared.

Written by Annie Kane

Last Updated: 16 December 2022

Published: 16 December 2022