Underexposed: financial privacy
Discussions about data protection and privacy often feature the practices of advertising companies such as Google and Facebook. The activities of secret services and similar institutions (such as NCTV) also attract attention and criticism.
Largely under the radar, there is a move towards blanket financial surveillance, where a number of large companies can track citizens and organisations in detail based on payment data. It is a development encouraged by the government and spreading throughout society for a variety of reasons, with major data protection risks for citizens.
What is financial privacy?
Financial privacy may include the following:
A. Payments
-
Detailed financial personal data present in banks and other major parties. The payment system is largely digital; cash payments are disappearing. As a result, those involved in that payment traffic (banks, payment service providers and account information service providers) have detailed information about all their customers, both consumers and businesses and organisations. This means that banks et al know very much about their customers. The financial data is becoming more and more detailed for all kinds of reasons, and more and more businesses can access it. Thus, iDEAL 2.0 is expected to ensure further dissemination of financial personal data. In the past, banks have tried to monetise customers' financial data in the manner of US advertising companies, remember the ING affair. That was stopped at the time, but this could come back.
- New PSD2 services. The European PSD2 regulations were supposed to allow the development of new services around the financial data of customers of payment institutions, including account information services. Data protection has not been sufficiently considered, putting citizens at risk. Privacy First has been campaigning for some time PSD2MeNot.
- Cash payment disappears, eliminating the last possibility of not being tracked hourly by banks. The digital money being prepared by Europe is unlikely to be completely anonymous to enable crime fighting.
B. Privatisation of crime fighting and government services
- Crime-fighting tasks of banks and other financial institutions ('anti-money laundering'): these tasks result in additional personal data being collected from citizens, this concerns not only the identification of individuals, but also the collection of data on and from individuals involved in organisations. This may include directors and representatives of legal entities and the 'ultimate stakeholders'. Confidential data has to be exchanged by customers with financial institutions, this is often done in an insecure manner.
Note that this is not just about crime that could harm the customer or the financial institution. The institution must actively check whether its own customer is holding any criminal money and must report suspicions of crime ('unusual transactions') to an arm of the police: FIU-Netherlands.
Europe is working on a package of regulations, also known as the 'AML package', which will radically change the crime-fighting duties of companies. As a result of new regulations, more and more financial data will be exchanged by companies with the government. - Identification, including biometrics. Banks and other financial institutions have to identify their customers, firstly to know (under private law) with whom they are entering into an agreement, and secondly because anti-money laundering rules require it. There is much to do around identification, partly because banks want to 're-identify' existing customers and sometimes also require biometric data.
- UBO register. As part of the crime-fighting duties of banks and other designated companies, they are required to identify their customers' beneficial owners and verify the accuracy of their customers' registration with the UBO register. Privacy First reported on the UBO register litigated and is now awaiting the outcome of similar cases pending before the European Court of Justice.
- Blacklists. In the financial sector, blacklists of 'suspicious' and convicted customers are created as part of crime-fighting duties and to protect their own financial interests. These lists are known as 'IVR' (internal referral register) and 'EVR' (external referral register). The rules governing these registers is contained in 'PIFI', the Financial Institutions Incident Alert System Protocol.
Insurers have a complete record of all claims submitted to them by policyholders. Increasingly, other companies with crime-fighting duties are also looking to create blacklists. - Data deliveries to government (data reporting). Financial institutions, employers and, in the future, platforms are required to provide data to the government. This is also known as 'information reporting'. Under the information reporting obligation, many confidential data are collected from customers. A particular example is the obligation of financial institutions to collect customer data for the purpose of taxation by other countries. Very well known is FATCA, the US law requiring financial institutions around the world to provide free services to the US tax authorities, which includes not only tax residents of the US and persons with assets in or proceeds from the US, but also anyone with US nationality (even if lacking further ties to the country, so-called "accidental Americans"). The Netherlands has concluded a FATCA treaty with the US and further participates in the Common Reporting Standard (CRS), on which treaties have been concluded with EU and other countries. See, for example https://ellentimmer.com/2015/12/23/gegevensuitwisseling/
C. Other
- Dealers in financial (personal) data: on behalf of financial institutions, a number of very large parties operate, which are less well known to the public. They collect financial and other data on both consumers and organisations and the natural persons involved in organisations. That data is sold to financial institutions, among others, as credit information and anti-money laundering information. Although these merchants have to comply with the AVG, they usually do not, so the people whose data is sold are not aware of the presence of their data with those merchants, nor can they check whether the data was obtained lawfully and is accurate. They cannot exercise their AVG rights. Such traders should be subject to licensing, according to Privacy First, just as financial institutions are, with a strong regulator and strict scrutiny of those in charge.
- Bureau Kredietregistratie (BKR): this is a foundation recognised by the government and set up by the financial sector that records data for the benefit of that sector.
What will Privacy First do?
Financial privacy is a broad and complex area, which makes it difficult to do anything about. Privacy First has already been active on a number of sub-topics in recent years:
- PSD2
- UBO register
- preservation of cash and anonymous means of payment.
We want to do more. Would you like to participate or have ideas: let us know!