Earlier this year, Dutch data protection agency De Autoriteit Persoonsgegeven launched an investigation into whether fintech companies in the Netherlands are correctly collecting personal data under PSD2, and whether this approach conflicts with GDPR requirements.
When asked why De Autoriteit Persoonsgegeven (AP) commenced this investigation, Quinten Snijders, spokesperson at the agency, said: “This investigation is not prompted by complaints or any other signal that a company does not comply with the GDPR. We launched
this investigation on our own initiative.”
The investigation and ongoing reports of data protection and privacy concerns is proving frustrating for Dutch fintech companies already fighting an uphill battle against wary consumer sentiment.
The Netherlands has a strong history of e-commerce and online banking, despite this, data protection and privacy remain contentious topics in the European nation. In 2018,
EY reported that only 18% of digitally active Dutch consumers are comfortable sharing transaction data with fintech companies in return for better services, a fundamental pillar of Open Banking.
Given the speed and scale in which Open Banking services have been adopted in the UK and across other parts of Europe, the Netherlands are certainly unique in their resistance. Industry players are likely curious as to whether this consumer distrust is simply
a characteristic of the Dutch, or whether the catalyst for such resistance was prompted by players who don’t view the competition engendered by Open Banking as advantageous.
The Dutch rolled out PSD2 in early 2019, a year later than its European counterparts and the European Banking Authority
currently lists Dutch registration of 54 payment institutions as bearing PSD2 licences to-date (not including firms operating in the country through passporting).
Of the 54, the country lists 10 firms as bearing a PSD2 licence for Payment Initiation Services (PIS) or Account Information Services (AIS). This is the category where significant Open Banking innovation by many third-party providers (TPPs) occurs.
“PSD2 is still relatively new and some fintech companies are new to processing payment account information, which can be very sensitive,” explains Snijders. “It is important to investigate whether these companies are aware of these risks and whether or not
they comply with the GDPR. Of course we do not want to draw any conclusions before we investigate a selection of these companies.”
The fundamental concern
Lupe Sampedro, Partner, Bird & Bird, explains that the interaction between PSD2 and GDPR is quite clear cut:
“PSD2 establishes that all processing of personal data by the TPPs shall be carried out in compliance with GDPR. Therefore, PSD2 establishes the framework of what information can be shared and who can have access, while GDPR establishes the general framework
applicable to the information that constitutes personal data.”
Sampedro notes that there are a number of lawful bases under the GDPR for the processing of data regulated by the PSD2 which allow the processing of said data by TPPs, examples of this include legal obligation, legitimate interest or contractual necessity.
Sampedro explains that a TPP which provides account information services, for example, would need to ensure that apart from “complying with the PSD2 they are processing all personal data in compliance with the GDPR. This would include information to be provided
to the customers or carrying out data privacy impact assessments among other measures.”
The conflict being explored by AP, lies in the access such fintech companies can gain into an account holder’s personal information which is accessible to them as a result of their PSD2 licence. There is potential that TPPs can look into digital statements,
for instance, to determine where or when an account holder eats, shops, visits a doctor or donates to political parties.
The processing of such data would be prohibited under Article 9 of the GDPR which states:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,
data concerning health or data concerning a natural person’s sex life or sexual orientation
shall be prohibited.
Importantly, this processing is prohibited unless the data subject (or account holder) has given explicit consent to the processing of those personal data for one or more specified purposes.
Source:
EY
Adrian Calvo, Legal Counsel, Bird & Bird, explains this distinction, noting that despite overlap between PSD2 and GDPR, neither conflict nor crossover between the two frameworks exists: “There are lawful bases under the GDPR that allow fintechs to process
personal data under the PSD2.
“However, it's important that fintechs put in place privacy programs that ensure the alignment of all their products and services with the GDPR including, for example, checkpoints to ensure that privacy impact assessments are carried out when necessary and
privacy by design and default are at the core of their product design process.”
Calvo adds that the European Data Protection Board is working on a guidance paper addressing this interplay to be published later this year.
A conflict of approach, not regulation
The nature of this dialogue has proved to be a point of consternation for fintech companies or TPPs, which perceive the actions taken by AP as inflammatory and without valid justification, and do nothing but incite unnecessary fear in the minds of consumers.
Ralf Ohlhausen, vice-chair of the European TPP association and executive advisor at payments platform PPRO comments on the investigation: “I find this a little disturbing, because it isn’t the first time in the Netherlands that there has been unsubstantiated
public speculation about TPPs not doing what they’re supposed to do and thereby implying that De Nederlandsche Bank (DNB), the financial regulator, is not supervising them properly.
“These things feature prominently in press and television and are seeding doubts, which undermine all the efforts TPPs have put into building up the necessary trust of the population into their services under PSD2.”
Ohlhausen elaborates that banks are holding sensitive data, “which is partly why they are regulated and also one reason why TPPs have been brought under the same regulation and supervision a couple of years ago."
He argues that the investigation would have been understandable before the regulations were put in place, although “it should be highlighted that even then there has not been any report of data breaches at TPPs, quite in contrast to card payments, where
this seems to happen every day.”
Given the rigorous process required in order to even obtain a PSD2 licence, “a PSD2-licenced TPP would have received this licence only after a lengthy application process which pertinently requires TPPs to prove their ability to protect customer data. So,
the suggestion that a DNB licenced entity would not know about privacy risks is quite something.”
Bird & Bird’s Sampedro highlights the challenge here, as “personal data obtained outside the scope of the PSD2 using, for example, screen scraping techniques is more complex from a data protection perspective since this technique is not aligned with the
GDPR. Since the use of these techniques is very common, this is, in reality, the area of concern.”
Ohlhausen says the opposite is true. He argues that screen scraping allows the retrieval of the user’s relevant information with the precision of a surgeon. This is particularly pertinent when compared with most APIs which are not very granular and only
provide large chunks of data, often forcing fintech companies to obtain consent for data they don’t need to deliver their services to the user.
The contradiction of a pro-digital payments, anti-PSD2 Dutch population
As yet we have not seen a single, publicly disclosed penalty handed out for breach of Article 9 of the GDPR in the Netherlands, and only 9 in total
handed out for contravention of Article 9 across the EU.
A
2020 report produced by DNB titled “Consumer propensity to adopt PSD2 services: trust for sale?” assessed in detail to what extent consumers in the Netherlands are willing to give consent to the usage of their payments data and their adoption intention
of new payment-related services that are introduced as part of PSD2.
The DNB report states: “We find that most people are unwilling to agree with the usage of their payments data by any bank or any of the newcomers. Support for payments data usage is highest if the data user is one’s own bank. Only a minority of the consumers
would give consent to other banks they are not consumers of or to newcomers in the payments market.”
The Netherlands has a strong appetite for e-commerce payments, particularly those made by bank transfer. A
report by JP Morgan found that 60% of e-commerce payment methods (by value) in the Netherlands were made by bank transfer while 16% were made by card and 7% of payments carried out through Digital Wallets (such as PayPal or ApplePay).
In the UK, just 3% of e-commerce payment methods (by value) were made by bank transfer in the same period. The UK also saw 25% of these payments made through digital
wallets and 53% using cards.
While bank transfers dominate in the Netherlands,
JP Morgan is bullish on the performance of cards and digital wallets, predicting that they will slightly threaten the dominance of bank transfers: “Looking ahead, new app-based payment providers may have a better chance at winning market share as the revised
European Payment Services Directive regulations come into place, opening up the market. Third-party providers will be able to initiate payments without the need for the customer to use their online bank’s website.”
Arguably though, this uptick in non-bank actors in the Netherlands’ Open Banking landscape will only come to fruition if the ‘Dutch panic’ regarding PSD2 is considerably quelled.
If trust is broken, who should fix it
The DNB report concludes that while PSD2 may indeed enhance competition in the consumer retail payments market, the position of incumbent banks with a large customer base is strong:
“Newcomers [TPPs] need to work on gaining people’s trust, and show that their payments data is safe with them. Furthermore, they may attract customers by offering them financially attractive products, as consumers’ demand for PSD2 services turns out to be
sensitive to prices.
“They might be able to do so, in product markets where the margins are high and by making intelligent use of people’s payments data so that they can make tailor made offers, which adequately price credit risks.”
This begs the question, is the best way to try and engender trust in the eyes of consumers to persist with unprompted investigations?
If the explanation behind a lag in uptake of Open Banking products across the Netherlands is genuinely born from a lack of consumer trust, and if the market players and regulators currently in dominant positions truly do intend to promote and develop Open
Banking in the nation, who benefits from the pursuit of unprompted, publicised investigations that call the behaviour of fintech companies into question?
According to Snijders, the consumer and the consumer’s protection remain the driving force behind AP’s actions:
“As a data protection supervisory authority, we are committed to the protection of the fundamental right to the protection of personal data. The GDPR does not intend to stifle technological innovation or the development of new innovative goods and services.
On the contrary, the GDPR intends to set the boundaries with respect to the fundamental rights of citizen to create a level playing field for innovation.”