During a press meeting on PSD2, the Privacy Seal of Approval PSD2 initiative was presented. The hallmark is intended to encourage financial providers and fintechs to put consumer privacy at the center.

De Volksbank
If you struggle to make ends meet, you will eventually develop physical complaints, according to two Utrecht general practitioners in the AD/Utrechts Nieuwsblad of March 7. Anyone who wants a healthy life must therefore also be financially healthy. Having a grip on your own finances and all the information that goes with it is part of that. In both areas, the Volksbank is happy to offer a helping hand.
The new PSD2 legislation paved the way for payment apps from new parties. Banks no longer have the sole right to offer payment services. That seems like good news for consumers. But there is also a downside. A customer who shares his data with such a new provider should be aware that he is sharing privacy-sensitive data. The bank cannot retrieve this data, so the consumer is on his own if he regrets it.
The Consumers' Association recently warned that personal data is already being collected on a large scale for commercial reasons. With PSD2, this is only going to increase. Ultimately, 90 days of access is enough to create a digital profile that can be traded. Volksbank does not want that and believes that customer data should be safe with the bank. That means we don't sell customer data, whether on an individual or aggregate level. We make our money as a bank and not by selling our customers' data.
Volksbank sees it as its task to help customers handle their own data in a safe and well-considered way in the new, changed environment, by providing good information (free is never really free) but also by taking additional measures itself:
The master switch that increases self-awareness; data sharing becomes an informed decision. By default, the master switch is set to "off". A customer who wants to share his data must first flip the master switch before he can instruct the bank to transfer his data to individual parties. Then the customer must also give per-party orders separately. The customer can stop data sharing with each party in the interim, or at once with the master switch, which immediately stops access by all parties.
Together with Privacy First, some banks, KPMG and fintechs, a PSD2 label is being developed. With this, these organizations are responding to the call of the DNB, which notes that this is still lacking and there is a need for it. To our knowledge, we are the first country to address this. With the PSD2 label, it should become clear to consumers at once to whom they can/can't entrust their data. Volksbank is working hard on further development so that it will be ready as soon as the PSD2 directive comes into force in the Netherlands.
Privacy First
Privacy First Foundation supports the PSD2 Privacy Hallmark. It would like to see it grow into an international hallmark with support from banks, fintechs, providers, regulators and consumer organizations.
PSD2 offers benefits but unfortunately also risks to people's privacy. People are more than consumers. Privacy First doubts whether the measures mentioned in PSD2 to protect people's data and thus privacy will be sufficient. For example, PSD2 relies heavily on the GDPR (AVG) (n.b. currently the Directive, from 25/5 the GDPR) for the protection of personal data. This regulation is not yet in force and we do not yet know what effects it will have in practice or what supervision will look like. Many organizations are not yet ready to meet all the requirements. However, they will not wait to offer their services. Nor are regulators ready to enforce privacy aspects. With PSD2, they want to start flying without a parachute check.
We hope the hallmark will encourage financial providers and especially fintechs to go further and put the consumer as a human being first. We want the requirements of the Seal of Approval to increase every year. We want providers to pay attention to the "information behind the information":
Disclosure of behavior and data by others
Services with the underlying purpose of collecting data (improper application)
Deriving data, such as transaction data from which special personal data can be derived
We urge fintechs to go further with data mitigation options. Consider excluding transaction data that may indicate religion, political affiliation and health, but also limiting the duration of transaction data.
