Customers of the Triodos Bank received on Monday September 9th the opportunity to receive a padlock to shield their accounts. Within a week, the Triodos Bank removed the padlock. You don't just develop a service like that. A case of cold feet or clever marketing?
The PSD2 is in force for some time. The fact that banks now inform their customers is because as of 14 September technical agreements in force. With this RTS, PSD2 service providers can actually start offering their services.
Triodos gives customers a padlock
In its newsletter of 9 September, Triodosbank introduced the 'Shield account' option in Mobile or Internet Banking. This enabled a consumer to deliberate choice to completely shield a checking account with a kind of 'extra' padlock in the form of a simple slide. If you give permission to use a PSD2 service, you should also remove this padlock. Earlier, Volksbank (with the brands SNS bank, ASN Bank and Regiobank) came up with a main switch. Also pleaded the Consumers' Association before for extra protection. With this 'main switch' a customer can close his payment account completely for PSD2 service providers, or choose to open the account.
Extra option: Shield account
"In Internet and Mobile Banking you have the possibility to turn on 'Shield account'. If you enable this option, no other party will have access to your account. If you want to give a party access anyway, this is only possible when you disable 'Block account'. (source: Triodosbank newsletter 9 September 2019)
In both cases, the protection is limited and can be used only once. As soon as you give a provider permission to use your payment details, the extra protection is removed. However, it is possible to revoke all your permissions at once.
Padlock turns out to be dead sparrow
After four days Triodosbank deactivated the Account Shielding option. Triodos gives as a reason "The legislation and regulations surrounding this subject are relatively new and further clarification on how this extra protection fits in with this appears to be necessary".
Does this communication suggest that Triodos is assuming that ring-fencing of the account will become possible again? Privacy First would welcome this. The freely given consent is under pressure. An extra step can contribute to a high-quality consent where a consumer actually makes an informed and conscious choice of his own.
Update 17 September: additional information Tridos
Triodos was asked for more information on 16 September. On 17 September we received the following response:
Q: How many customers have made use of the account shielding feature?
A: We had only offered the facility for a short time, so it was too early to give a complete picture of the interest, but we did see that customers responded positively. We had also received signals earlier that there was a clear need among customers for an option to add an extra warning.
Q: What prompted the Triodos Bank to develop the padlock and then deactivate it? You don't set up such a protection just like that, it costs the necessary resources.
A: Because we regularly receive questions from customers about the protection of their account details, we look at how we can offer this extra protection. The laws and regulations surrounding this subject are relatively new and further clarification on how this extra protection fits in is necessary. Until this clarification has been completed, we choose not to offer this extra padlock.
Q: The Volksbank has a similar possibility, the 'main switch'. They have indicated several times that they may want to litigate. Why didn't you take this route?
A: Each company is responsible for interpreting the laws and regulations and their application. Because we regularly receive questions from customers about the protection of their account details, we look at how we can offer extra protection. As soon as we have more information about the possibility of extra protection for a payment account, we inform our customers.
Q: The announcement referred to a 'conscious choice' for extra security. Now that this protection is gone, what signal does that give about the protection offered by the PSD2?
A: It is important to know that customer account details are and remain protected. Customers always give their express permission to share data with third parties and use their identifier for this purpose. The 'Shield account' option was an extra service that enabled customers to completely shield a payment account with a kind of 'extra' padlock. This gives a customer an extra reminder when they are tempted to share data with third parties, because they first have to remove that extra padlock before they give permission. In all cases it is up to the customer.