The withdrawal of valid consents from thousands of ING customers warrants enforcement action from the Australian Competition and Consumer Commission, which regulates the data sharing regime, the groups allege.
They say communication about the change has been poor, with several data recipients hearing about the cancellations second hand. The groups believe ING should run two parallel systems until existing consents can transition to the new system.
“Maintaining backwards compatibility is just general good practice in these types of system changes. But this is not the path ING has taken, which sets a very dangerous precedent for CDR as an emerging ecosystem should this planned approach not be stopped immediately,” the joint statement says.
Data recipients are also concerned they will bear the cost of reintegration and any damage to their business.
In a letter to FDATA members sent on Monday and obtained by The Australian Financial Review, its regional director Mathew Mytka called on the ACCC to “issue an immediate stop order to ING given the timeline of their plans”.
“Australians are in the middle of one of the deepest cost of living crises in recent history,” he said in a subsequent statement. “While many banks are doing the right thing, we do need to see a firm response from the regulator to ensure this does not set a precedent.”
ING was fined $53,280 for four infringements relating to CDR data after the ACCC alleged it failed to meet obligations last year. Users of data say the level of fine, which is set by the legislation, was too low to force compliance.
An ING spokesperson said the bank was “committed to building a safe and secure open banking experience for our customers that has the potential to offer more functionality in the future” and it was working with data recipients to “make the process as seamless as possible”.
“One of the unintended consequences of the platform upgrade is that we will have to bring forward the re-consent of some customers, a step that everyone subscribed to the consumer data right needs to do on an annual basis,” the spokeswoman said. “This update will ultimately enhance the Open Banking experience for [data recipients] and customers with expanded functionality and benefits.”
But Rehan D’Almeida, general manager of FinTech Australia, said the move from ING “sets a dangerous precedent for the consumer data right rollout and endangers the benefits it is bringing to consumers”.
“It’s perplexing that ING, a bank with consistently high customer satisfaction ratings, would not prioritise the consumer data right,” he said. “This is a transformational reform and the banks have had years to establish the systems they need to be compliant.”
The data recipients say ING’s planned conduct may breach CDR rules 4.25 and 4.26, which “relate to the conditions under which authorisations and consents can be revoked”. These are supposed to be consumer initiated through the authorisation dashboard. If a data holder like ING is unable to respond to data requests when there is both a current and valid consent and authorisation in place, this would mean that each cancelled authorisation would result in an inability to comply with the rules, FDATA told the ACCC in emails last week.
“Each revoked active consent and inability to respond to a valid consumer data request would be a breach of the rules. We would expect each revocation would be a separate fine, per authorisation, should this go ahead, which would extend into the range of tens of millions dollars, if the ACCC were to fine the maximum amount.”
The Financial Review reported last week that users of the open banking regime say ING has been providing low-quality data under the regime.
