On Monday 24 February, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) announced that it had opened investigations into Dutch companies holding a PSD2 authorisation to access and process payment account information, known as 'account information service providers' or AISPs. The AP wants to verify whether these companies are aware of the privacy risks involved in processing such account information and whether they comply with data protection legislation, in particular the General Data Protection Regulation (GDPR).
PSD2 refers to the EU's 'Payment Services Directive 2', which sets out rules for payment service providers. PSD2 requires banks to give third-party providers (TPPs) access to payment accounts, but only with the prior explicit consent of the account holder. TPPs include AISPs, which may access the account information of account holders, and payment initiation service providers (PISPs), which can initiate online payments on behalf of an account holder. Under PSD2, an AISP needs an authorisation both to operate its business and to obtain access to an account holder's account information.
In its publication announcing the investigations, the AP makes clear that access to an individual's account details can provide a detailed and often intimate view of that individual's life, from straightforward transactions such as buying coffee or groceries to more sensitive transactions at pharmacies or casinos. In addition, the AP has told AISPs that they should take into due consideration that they are processing not only their customers' data, but also data on transactions between those customers and other individuals, who are not their customers and have given no consent.
Focus on account information service providers
The AP's investigations focus on AISPs. These parties offer, for example, the possibility of obtaining an overview of all income, expenses and balances in one go via an app, by retrieving and aggregating account information from all the banks at which the customer holds a payment account. According to the AP, the primary purpose of its investigation is not to impose sanctions such as fines; if, however, the regulator does identify violations by AISPs, it may take appropriate enforcement action.
As part of its investigation, the AP sent a letter to all Dutch companies operating as AISPs, setting out the GDPR rules most relevant to them. The AP also stated that, over the coming years, it will approach every new AISP in the same way once it has obtained its PSD2 licence. The regulator emphasised that it is important that these - often young - fintech companies protect citizens' data properly from the outset.
Supervision of PSD2
In the Netherlands, supervision of PSD2 is shared among four regulators:
- the Dutch Central Bank (De Nederlandsche Bank, DNB), which is, among other things, tasked with granting authorisations to providers of payment services, such as banks and new fintech companies;
- the AP, which supervises the protection of personal data in the context of PSD2, specifically with regard to access to payment accounts by AISPs;
- the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM), which is, among other things, tasked with conduct supervision of payment service providers;
- the Dutch Authority for Consumers and Markets (Autoriteit Consument en Markt, ACM), which is, among other things, tasked with supervising competition between payment service providers.
DNB and the AP have drawn up a Cooperation Protocol (Samenwerkingsprotocol AP en DNB) describing how they will cooperate in monitoring compliance with PSD2 legislation.
The AP's investigation comes on top of the market study launched by the ACM last year into the activities of major tech firms such as Apple, Amazon, Google and Facebook in the Dutch payments market. As part of that study, the ACM will also examine whether large Chinese technology firms such as Tencent and Alibaba are planning to enter the Dutch payments market.
What is next and what can you do?
With its investigations and its commitment to approach future AISPs, the AP has made clear that this is an area it will monitor closely, which ties in with its earlier warning to banks not to use transaction data for marketing purposes. This approach of 'systematic supervision' is one the AP has used throughout the two years since the GDPR came into force: it has proven to be a way for the AP to raise the level of compliance in a particular sector or on particular topics without immediately resorting to formal enforcement action such as fines. The AP often publishes its findings following such sector-wide investigations, although in our experience it can take a while before the results appear online.
In the meantime, companies operating in this industry, and AISPs in particular, should treat this as a clear sign that the AP is keeping a close eye on the sector and on developments in this space. AISPs are advised to have the appropriate documentation ready in case of a request (or even a visit) from the AP, including their register of processing activities, records of the (explicit) consent obtained from account holders and the required Data Protection Impact Assessments.
If you have received a letter from the AP or DNB, do not hesitate to reach out. Our data protection and payments colleagues are experienced and well equipped to assist you in dealing with regulators such as the AP and DNB and with topics such as the GDPR and PSD2.