A financial services giant has been fined millions of dollars for a repeated breach of spam laws, including promoting credit cards without giving recipients a way to opt out.

Latitude Financial was forced to pay $3.96 million after the Australian Communications and Media Authority found it had broken the laws more than 2.7 million times, the regulator revealed on Wednesday.

The company sent more than 2.3 million spam messages between March 2024 and April 2025 which failed to include accurate contact information for the company as required by law.

Of those messages, almost 345,000 also lacked a working unsubscribe function.

Latitude Financial provides short-term loans, credit and travel cards, and buy now, pay later services. (ABC News: James Maasdorp)

Latitude, which is the largest non-bank consumer finance company in Australia, was forced to pay a $1.5 million fine for similar breaches in 2022.

Authority member Samantha Yorke said there was no excuse for Latitude’s repeated compliance failures, as reflected by the scale of the latest fine.

“Latitude is now a two-time offender and it is disappointing that it let consumers down again,” Ms Yorke said.

“The spam laws have been in place for more than 20 years, and there is simply no excuse for ongoing non-compliance, particularly after a prior enforcement action.”

The messages, which promoted Latitude credit card products and financial services, told recipients they could reply “STOP” to unsubscribe, but in many circumstances the function simply did not work.

Under Australian law, consumers must have the option to unsubscribe from commercial messaging, which must also provide accurate contact information for the sender.

The penalty was issued by the Australian Communications and Media Authority. (ABC News: Clarissa Thorpe)

Latitude is now legally required to appoint an independent consultant to review its compliance with the spam laws and undertake regular and comprehensive reporting to the communications authority.

“Given Latitude’s history of non-compliance, we will be very closely monitoring how it meets its obligations,” Ms Yorke said.

In March 2023, Latitude was the target of a major cyber attack in which the data of 7.9 million customers was stolen, including names, addresses, telephone numbers, dates of birth and driver’s licence numbers.

Income and expense information for about 900,000 loan applications, including bank and credit card account details, was also stolen.

A $1 million lawsuit brought against the company by an individual who claimed their information had reached the dark web after the breach was dismissed after a judge found it had little chance of succeeding.

Latitude declined to comment ahead of the penalty being made public.

AAP/ABC