Privacy hallmark PSD2 initiative presented

At a press meeting on PSD2, the Privacy Hallmark PSD2 initiative was presented. The hallmark is intended to encourage financial providers and fintechs to put consumer privacy at the centre.

People's Bank

If you struggle to make ends meet, you will eventually develop physical complaints, according to two Utrecht GPs in the AD/Utrechts Nieuwsblad of 7 March this year. Anyone who wants a healthy life must therefore also be financially healthy. Having a grip on your own finances and all the data that goes with them is part of this. In both areas, the Volksbank is happy to offer a helping hand.

The new PSD2 legislation paves the way for payment apps from new parties. Banks no longer have the sole right to offer payment services. This seems like good news for consumers. But there is also a downside. A customer sharing his data with such a new provider should be aware that he is sharing privacy-sensitive data. The bank cannot retrieve this data, so the consumer is on his own if he regrets it.

The Consumers' Association recently warned that personal data is already being collected on a large scale for commercial reasons. With PSD2, this is only going to increase. Eventually, 90 days of access will be enough to create a digital profile that can be traded. Volksbank does not want that and believes that customer data should be safe with the bank: "That means we don't sell customer data, whether on an individual or aggregate level. We make our money as a bank and not by selling our customers' data."

Volksbank sees it as its task to help customers in the new changed environment to handle their own data in a safe and well-considered way. By educating properly (free is never really free) but also by taking additional measures themselves:

• The main switch which increases self-awareness; data sharing becomes an informed decision. By default, the main switch is set to 'off'. A customer who wants to share his data must first flip the main switch, before he can give the first order to the bank to transfer his data to individual parties. Subsequently, the customer must also give orders separately for each party. For each party, the customer can stop sharing data in the interim. Or at once with the master switch, which immediately stops access by all parties.
• Together with Privacy First, other banks, KPMG and fintechs are developing a PSD2 trustmark. In doing so, these organisations are responding to the call by DNB, which notes that this is still missing and needed. To our knowledge, we are the first country to address this. With the PSD2 seal, it should become clear to consumers at once to whom they can/can't entrust their data. Volksbank is working hard on further development so that it will be ready as soon as the European PSD2 directive comes into force in the Netherlands.

Foundation

Privacy First Foundation supports the Privacy Hallmark at PSD2. Privacy First would like to see it grow into an international hallmark with support from banks, fintechs, providers, regulators and consumer organisations.

PSD2 offers benefits but unfortunately also risks to people's privacy. People are more than consumers. Privacy First doubts whether the measures mentioned in PSD2 to protect people's data and thus privacy will be adequate. For instance, PSD2 relies heavily on the new General Data Protection Regulation (AVG) for the protection of personal data. This regulation is currently not yet in force and we do not yet know what effects PSD2 will have in practice or what supervision will look like. Many organisations are not yet ready to comply with all the requirements. However, they will not wait to offer their services. Nor are regulators ready to enforce all privacy aspects. With PSD2, they want to start flying without the parachute being checked.

We hope the hallmark will encourage financial providers and especially fintechs to go further and put the consumer at the centre as a human being. We want the hallmark's requirements to increase every year. We want providers to pay attention to the 'information behind the information':

• Disclosure of behaviour and data by others
• Services with the underlying purpose of collecting data (improper use)
• Deriving data, such as transaction data from which special personal data can be derived.

We call on fintechs to go further with data mitigation options. Consider excluding transaction data that may indicate religion, political affiliation and health. But also limiting the duration of transaction data.

Also published on https://www.privacy-web.nl/nieuws/privacy-keurmerk-psd2-initiatief-gepresenteerd.