The practices of advertising companies such as Google and Facebook often give rise to discussions about data protection and privacy. The operations of secret services and similar organizations such as the Dutch National Coordinator for Counterterrorism and Security (NCTV) equally draw attention and criticism.
There is a growing trend – remaining largely under the radar – towards general financial surveillance, whereby a number of large companies can follow citizens and organizations in detail on the basis of payment data. This is encouraged by public authorities and is spreading throughout society for all sorts of reasons, causing major data protection risks for citizens.
Privacy First would like to pay more attention to what it calls financial privacy in the period ahead.
What is financial privacy?
Financial privacy relates to the following:
A. Payments
- Detailed personal financial data in the hands of banks and other large parties. Nowadays, payments are made digitally for the most part; cash payments are becoming ever less common. As a result, parties involved in processing payments (banks, payment service providers and account information service providers) have detailed information about all their customers, including consumers, companies and various sorts of organizations. This means that these parties know a great deal about their customers. Financial data are becoming more and more detailed for all kinds of reasons and ever more companies can access these data. iDEAL 2.0, for example, is expected to cause further proliferation of personal financial data. In the past, banks have tried to monetize the financial data of customers in the way that American advertising companies do; think of the ING affair in the Netherlands. This was stopped at the time, but could come back.
- New PSD2 services. The European Payment Services Directive 2 (PSD2) was intended to allow new services to be developed around the financial data of customers of payment institutions, including account information services. However, insufficient thought has been given to data protection, putting citizens at risk. Privacy First has been working on a campaign called Don’t-PSD2-me for several years now.
- Cash payments are disappearing, and so is this method of last resort to evade being tracked by banks from hour to hour. The European digital currency that is being developed is unlikely to be completely anonymous to enable crime fighting.
B. Privatization of crime fighting and the provision of services to public authorities
- Crime fighting duties of banks and other financial institutions (‘anti-money laundering’). These duties result in the collection of additional personal data of citizens. This concerns not only the identification of natural persons, but also the collection of data on and from natural persons involved in organizations. This may include directors and representatives of legal entities as well as the ultimate stakeholders. Customers often find themselves having to share confidential data with financial institutions in an insecure way. Please note that this is not only about crimes that can harm the customer or the financial institution. Institutions must actively check whether their own customers are holding criminal money and must report any suspicions of crime (‘unusual transactions’) to a section of the Dutch police: the Financial Intelligence Unit (FIU). The EU is currently working on a set of regulations, also known as the Anti-Money Laundering (AML) package, which will radically change the way in which companies combat crime. As a result of new regulations, more and more financial data will be transferred by companies to public authorities.
- Identification through biometrics among other ways. Banks and other financial institutions have to identify their customers, first and foremost to find out (under private law) with whom they are entering into an agreement, and secondly because anti-money laundering rules require it. There is some fuss about identification efforts, partly because banks now want to ‘re-identify’ existing customers, sometimes requiring biometric data in the process.
- UBO Register. Part of the crime-fighting duties of banks and designated enterprises is that they must identify the ultimate beneficial owners (UBOs) of their customers and verify the accuracy of their customers’ registration with the UBO Register. Privacy First has litigated against the UBO Register and is now awaiting the outcome of similar cases pending before the European Court of Justice.
- Black lists. As part of crime fighting efforts and in order to protect financial interests, blacklists of ‘suspicious’ and convicted customers are created in the financial sector. There are two such lists, known as the internal referral register (Dutch abbreviation: ‘IVR’) and the external referral register (‘EVR’). The rules for these registers are laid out in ‘PIFI’, the Protocol Incident Warning System for Financial Institutions. Insurers have a complete overview of all claims that insurees have submitted to them. Increasingly, other companies with crime-fighting duties also want to create blacklists.
- Provision of data to public authorities (data reporting). Financial institutions, employers and, in the future, platforms too are required to provide data to public authorities. Within the framework of the obligation to provide information, many confidential data are collected from customers. One particular example is the obligation of financial institutions to collect customer data for the purpose of taxation by other countries. In this respect, the Foreign Account Tax Compliance Act (FATCA) is well known. It’s the US law that requires financial institutions around the world to provide free services to the US tax authorities, which relates not only to tax residents of the US and persons with property in or income from the US, but also to anyone who has US citizenship (even if these people are without any real ties to the country, so-called ‘accidental Americans’). The Netherlands has entered into a FATCA treaty with the US and also participates in the ‘Common Reporting Standard’ (CRS), which many (EU) countries have implemented.[1]
C. Miscellaneous
- Merchants in financial (personal) data. A number of very large and little-known parties are active on behalf of financial institutions, collecting financial and other data on both consumers and the natural persons involved in various organizations. These data are sold to financial institutions, among others, as credit information and as anti-money laundering information. Although these merchants must comply with the General Data Protection Regulation, they usually don’t, so the people whose data are being sold are not aware of the presence of their data with those merchants, nor can they verify whether the data are accurate and whether they were obtained lawfully. In other words, these people cannot exercise their GDPR rights. According to Privacy First, these merchants should be required to be licensed, just as financial institutions are, with a strong regulator and a strict review of executives.
- The Dutch Credit Registration Office (Bureau Kredietregistratie, BKR). This is a foundation recognized by the government and established by the financial sector to register data for the benefit of that sector.
What will Privacy First be doing?
Financial privacy covers a wide and complex area, which makes it difficult to tackle the issues surrounding this topic. In recent years, Privacy First has been active on the following subtopics:
- PSD2;
- The UBO Register;
- The preservation of cash and anonymous means of payment.
We want to be doing more and get involved in other subtopics as well. Would you like to participate, or do you have any ideas you would like to share with us?
[1] See for example https://ellentimmer.com/2015/12/23/gegevensuitwisseling/ (in Dutch).