Commonwealth Bank has been forced to review how it handles and stores customer data as part of its response to losing records for nearly 20 million accounts.
CBA has entered into an enforceable undertaking with the Office of the Australian Information Commissioner to review and enhance internal privacy policies, procedures and record retention standards.
The move follows two incidents Australia’s biggest bank reported to the commissioner, one of which was the loss by a third-party company of tapes holding customer names, addresses, account numbers and transaction details for 19.3 million accounts, dating from between 2000 and 2016.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said an inquiry into how CBA handled the issue took into account the Australian Prudential Regulation Authority’s recent finding that CBA was reactive to risk and compliance matters.
“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Commissioner Falk said on Thursday.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.”
The OAIC did not initially take action when, in 2016, it was notified that CBA could not confirm whether the two magnetic tapes used to record customer statements had been destroyed.
The loss was made public last year, when CBA also informed the OAIC of inadequate internal access controls to customer data, and the lender attracted widespread derision, including from then-Prime Minister Malcolm Turnbull.
Mr Turnbull described the incident as an “extraordinary blunder” and said customers should have been informed even though CBA insisted there was no compromise to technology platforms, systems, services, apps or websites.
Commissioner Falk on Thursday said people had a right to expect more from CBA, which like its peers has been refunding customers over various wrongdoings raised at the financial services royal commission.
“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” she said.
CBA chief risk officer Nigel Williams said the bank was proactively engaging with regulators to ensure it continues to build better systems, processes and controls to manage customers’ personal information.
“We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the commissioner,” Mr Williams said.
“We continue to take action to address issues, earn trust and be a better bank for our customers.”
CBA now has 90 days to submit a plan under which – while overseen by an independent expert – it will review its privacy policies, procedures and retention standards, and provide staff training to ensure compliance.
CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.
The OAIC can take court action at any stage if CBA does not fully comply with the terms of the undertaking.
Earlier this year, Commonwealth Bank’s first-half cash profit fell 2.1 per cent to $4.676 billion, weighed down by slowing property markets and royal commission-related remediation costs.
Profit for the six months to December 31 fell from $4.871 billion in the prior corresponding period after revenue fell 1.9 per cent and risk, compliance and remediation costs jumped to $221 million from $100 million.
Australia’s biggest bank will report its full-year profit in August.
At 1447 AEST, CBA shares were 50 cents, or 0.6 per cent higher, at $82.69, making them the best performing by far of all the big four banks.