opinion

Privacy is not an 'obstacle' and belongs in customer travel

DNB started on 9 August 2019 with the public consultation of the Q&A 'Customer journey without obstacles concerning payment initiation and account information services via third parties'. A mouthful. It's about what a customer has to do and experiences before a PSD2 service becomes available. The emphasis on working without obstacles puts privacy protection under pressure. A customer journey in which the customer is allowed to think about privacy is desirable.

The PSD2 states that after a consumer has given permission, all data must be shared. This RTS gives a technical elaboration of it. Under the PSD2, a bank may not obstruct a third party provider. Article 32 of the technical rules requires third parties to be able to offer payment services 'in an unhindered and efficient manner'. These are banks that offer a interface offer. Banks must not create obstacles for third parties in the interface. Obstacles are, for example:

  1. Perform strong customer authentication ("SCA") twice in one customer journey
  2. Management of the scope of consent of consent management-related steps
  3. Additional confirmation screens (e.g. an overview page with 'continue' button)
  4. Redirection screens requiring an action from the payment service user
  5. Dissuasive language

DNB has described what an efficient customer journey is. The figure below shows the process for account information services. The process can easily be compared to the process of an online transaction. You buy something and pay via iDeal. It would be inefficient to have to go back to the store after your payment to confirm your payment again.

Customer journey: information and permission is part of it

A consumer must give explicit permission to an account information service provider before a bank is allowed to share data. Before he gives permission, he must be informed and know what he is giving permission for.

It is not clear from the DNB process where consumers are informed in this process. In the above diagram, informing consumers will probably take place before the first process step. There are better places to think. Preference is given to clear information just before consent is given. For example:

  • just before a consumer goes to the vicinity of an account information service provider;
  • just before a consumer confirms his consent;

These two moments are included in the modified figure below:

Point in customer journey with attention to privacy (information, permission)

Striking

Because the customer journey is focused on the efficiency of the technical process, the no space given to privacy within the customer journey. Informing a consumer is missing from the consultation document. Instead of referring to the granting of explicit consent, the term is 'confirm'.

It is notable that the consultation document for payment service providers does offer a possibility for additional information during the customer journey: "Separate step if desirable from the customer's perspective or if additional information needs to be displayed". A quick thought is that this may apply to account information services.

Responses to the consultation can be sent to DNB via consultatie@dnb.nl stating 'Q&A Customer travel without obstacles concerning payment initiation and account information services via third parties'. The deadline for submitting responses is 20 September 2019.