Commonwealth Bank is reviewing how it handles customer data as part of its response to losing records for nearly 20 million accounts.
CBA has entered into an enforceable undertaking with the Office of the Australian Information Commissioner that includes reviewing and enhancing internal privacy policies, procedures and record retention standards.
The move follows two incidents the lender reported to the information commissioner, one of which was last year’s public admission that it had lost tapes holding customer names, addresses, account numbers and transaction details for 19.3 million accounts from between 2000 and 2016.
CBA chief risk officer Nigel Williams said on Thursday the bank was proactively engaging with regulators to ensure it continues to build better systems, processes and controls to manage customers’ personal information.
“We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the commissioner,” Mr Williams said.
“We continue to take action to address issues, earn trust and be a better bank for our customers.”
CBA’s public admission that it couldn’t confirm whether the two magnetic tapes used to record customer statements were destroyed or not attracted widespread derision last year, including from then-Prime Minister Malcolm Turnbull.
The OAIC had not taken any action when it was notified of the incident in 2016, but Mr Turnbull described the incident as an “extraordinary blunder” and said customers should have been informed.
CBA insisted there was no compromise to the bank’s technology platforms, systems, services, apps or websites, but on Thursday said it had nonetheless been working to address the incidents.
CBA now has 90 days to submit its plan to the commissioner.