PSD2: better information on account information services
Consumers will be better informed about account information services. To this end, the Maatschappelijk Overleg Betalingsverkeer recently published 'good practices' for better information. Privacy First welcomes the published 'good practices' and calls on MOB members to really start working on this.
The Maatschappelijk Overleg Betalingsverkeer (MOB, Social Consultation on Payments) was established by the Minister of Finance in 2002 with the mandate to contribute to the socially efficient organisation of the payment system. DNB chairs the MOB and provides the secretariat. Account information services are services that can be used to create a 'consolidated view' of a person's payment data. This has been possible since PSD2 (Payment Services Directive 2) came into force, which allows you to share your payment data with parties other than your own bank. An example is a digital household book, but other forms are also possible.
Better information badly needed
When you give your consent to a provider, it gets access to all the transaction data you also see in your own banking environment. So if your own bank lets you look back up to 10 years, so can the account information service. You thus share a complete profile of data.
Data sharing is not without risk. This is because the profit for many account information service providers is not in the digital household book, but in the additional services that can be provided. Think of analyses of fixed expenses, risk analyses when applying for a mortgage, or creditworthiness assessments.
Because a lot of confidential data is involved, consumers need to clearly understand what they are consenting to. The information consumers receive now is too much and too unclear. Legally required information is too long, difficult to read and tucked away in long privacy statements.
MOB publishes good practices for account information services
Calls for better information had been heard for some time. From late 2017, Privacy First was involved in an initiative by the Volksbank to better inform consumers about account information services. This initiative was then adopted by the Betaalvereniging Nederland and, from May 2019, by the MOB.
Last May, the MOB agreed on good practices. These are seven standardised questions for account information service providers to answer before a consumer gives consent. The questions contain the most important (legal) information and answer consumers' most important questions. In addition, the MOB has prepared an elaboration with explanatory notes. The questions are:
- Who requests access to my account information? How is the service regulated?
- What service does offer that requires my data?
- What data from my account will use?
- What else does use the data for?
- What data goes to third parties and for what purpose?
- How can I reverse my previously given consent?
- Where can further information be found?
Beware of remaining non-committal
The MOB's good practices are a very good step. Now it comes down to applying and using these good practices. Unfortunately, using the good practices is non-binding. "The MOB cannot oblige providers of account information services to comply with the good practice. However, MOB members have agreed to bring the best practice to the attention of their constituencies." Given the range of interests represented in the MOB, which includes both providers and users, this is understandable. But care must be taken that the good practices do not become too non-committal. The interests of providers and consumers go hand in hand.
By the end of 2021, the MOB will take stock of whether providers are adopting the good practices and report back at the May 2022 meeting.
Privacy First won't wait
Privacy First calls on MOB members to put good practices into practice. After all, protecting citizens by giving them better information and choices as consumers is in everyone's interest.
Privacy First is positive about the outcome of the MOB. The seven questions and standardised answers can be quite an improvement on the current situation. At the same time, we think the bar could be raised. How could the MOB better highlight good practices?
- The MOB can call on its members and relevant third parties to start using the good practices, rather than just providing the opportunity.
- MOB members can each speak in favour of using the good practices and make their use a condition for cooperation.
- The MOB can clarify who the relevant MOB parties are that can play a role in disseminating the good practices.
- The MOB could be more explicit about when a consumer is informed through good practices. Privacy belongs "in the customer journey", so these good practices should not be hidden away.
- Instead of assessing the deployment of good practices once, the MOB could do so more frequently, say quarterly.
- The MOB may send providers in Europe a letter in advance, so they know what Dutch consumers think should they make plans to offer services in the Netherlands.
Privacy First believes the ball is in the MOB's court on deployment and application. But Privacy First is also exploring whether it can play a role itself in getting providers to use the good practices.
- Link to MOB's message (see last paragraph for the piece on account information services)
- Link to the document Good practice transparency account information services in the Netherlands (DOCX, 75.6 kB)
- Link to the Explanatory note good practice account information services in the Netherlands (DOCX, 70.6 kB)
This post appeared earlier on our PSD2 campaign website: https://psd2meniet.nl/betere-informatie-over-rekeninginformatiediensten/.