Why yóur permission doesn’t matter under PSD2

A major change in payment regulations was implemented recently when the European Union introduced PSD2, the second Payment Services Directive. The idea of the directive is simple: before PSD2, your bank stored and solely owned your user data, and there was no (easy, digital) way for you to share this data with other companies. And you might want third parties to have access to this data, for instance because this would be a very easy way to prove your eligibility for a mortgage or a specific service.

As the EU is a strong advocate for giving customers control over their data (GDPR is the best example of this), the new directive aims to give citizens more control over their personal banking data. PSD2 will let you, the customer, decide who you want to share your financial data with, by giving third parties explicit permission to access it. Your bank will have to facilitate this process and allow third parties to access your data.

So far, so good. But what if you do not want to share any of your data with any third parties? No problem, the EU says, third parties will only get access after your explicit permission. This is the main focus in all of the online information portals. DNB (the central bank of the Netherlands) launched a new portal called ‘U beslist’ (i.e. ‘You decide’; https://www.psd2bankieren.nl/) which stresses this every two sentences.

What is not explained on the site, however, is what happens in the following situation:

Let’s say I don’t give permission to third parties. But I send money to several friends or family members about once a month. Those friends have given permission to about 20 third parties to access their transactions. All of those parties could potentially see the amount of money I send my friends, my banking details, and my personal details (name, etc.). The third parties could potentially link that info to other info they have on me (because I might be their customer, even though I do not want to share financial info with them), and this could potentially lead to more profiling, direct marketing, and spam.

How can I protect myself against this? How do I opt out of ‘friends-of-friends’ data sharing? I emailed the DNB with these questions, and look forward to hearing back from them… (to be continued)
