Latitude Finance Fined $2.61 Million as Repeat Spam Breaches Draw Regulator Scrutiny

Key Takeaways
  • Repeat Enforcement Escalates Risk: Latitude’s $2.61 million (AUD $3.96 million) penalty reflects its status as a repeat offender, following a prior $1.02 million (AUD $1.55 million) fine in 2022 for similar breaches.
  • Breakdown Between Policy and Execution: Millions of messages failed basic compliance requirements, highlighting how easily operational gaps can undermine established controls.
  • Unsubscribe Functionality Under Scrutiny: Over 344,000 messages lacked a working opt-out mechanism, reinforcing that unsubscribe processes must function in practice, not just exist in theory.
  • Regulator Leveraging Ongoing Monitoring: The latest breaches were uncovered through mandatory compliance reporting tied to earlier enforcement, showing how regulators are using sustained oversight to detect repeat failures.
  • Wider Crackdown on Spam Compliance: More than $6.99 million (AUD $10.6 million) in penalties over 18 months signals increased enforcement pressure on marketing practices and consumer communications.
Deep Dive

Latitude Finance Australia is back in the regulatory spotlight, this time with a $2.61 million (AUD $3.96 million) penalty after Australia’s communications regulator found the lender breached spam laws more than 2.7 million times.

The action, brought by the Australian Communications and Media Authority, focuses on a stretch of marketing activity between March 2024 and April 2025 that, in the regulator’s view, crossed a line from aggressive outreach into non-compliance.

At the center of this issue were more than 2.3 million marketing messages that lacked accurate contact details. For hundreds of thousands of recipients, the problem went further. Over 344,000 of those messages also failed to provide a working unsubscribe function, despite suggesting that customers could opt out by replying “STOP.”

In practice, many couldn’t.

A Familiar Problem, Revisited

There’s a sense of déjà vu here. Latitude had already been penalized in 2022, paying $1.02 million (AUD $1.55 million) for similar breaches. That earlier case led to a court-enforceable undertaking and ongoing compliance reporting obligations. Ironically, it was that very reporting that helped surface the latest failures.

For regulators, the repeat nature of the conduct appears to have been decisive.

“Latitude is now a two-time offender and it is disappointing that it let consumers down again,” said Samantha Yorke, a member of the ACMA.

Her remarks reflect a broader frustration that tends to surface in repeat enforcement actions. The rules themselves are not new. Australia’s spam laws have been in place for more than two decades, and the expectations around consent, identification, and unsubscribe functionality are well established.

Which makes breakdowns like this harder to frame as anything other than failures in execution.

When “STOP” Doesn’t Mean Stop

The messages in question promoted Latitude’s credit card products and other financial services. On the surface, they included a familiar compliance signal. Recipients were told they could reply “STOP” to opt out.

But the regulator found that, in many cases, that mechanism didn’t work as advertised.

That gap between what the message promises and what the system delivers is where compliance risks tend to crystallize. It’s also where regulators are increasingly focusing their attention, particularly as marketing systems become more automated and scaled.

Yorke underscored that point directly, noting that unsubscribe options must not only exist but function reliably, and that businesses must clearly identify themselves in every message.

As part of the enforcement action, the ACMA has accepted a new set of court-enforceable undertakings from Latitude. These require the company to bring in an independent consultant to review its compliance with spam laws and to implement more rigorous, ongoing reporting.

The regulator has also made clear that Latitude will remain under close watch.

“Given Latitude’s history of non-compliance, we will be very closely monitoring how it meets its obligations,” Yorke said.

A Bigger Pattern

Over the past 18 months, businesses in Australia have paid more than $6.99 million (AUD $10.6 million) in spam-related penalties.

The takeaway isn’t just about marketing rules. It’s about the fragility of control frameworks when they rely too heavily on assumptions. A working unsubscribe function, accurate sender information, clear consent. These are not complex requirements. But at scale, even simple controls can fail in ways that are difficult to detect until a regulator comes knocking.
