Bart Jacobs, professor of computer security at Radboud University in Nijmegen, called PSD2 'a strategic blunder'. He wrote a sharp column on 12 September 2017 in the online magazine iBoard.
If you'd like to scare the crap out of a banker one of these days, you can ask: how far have you got with the PSD2? As of mid-January 2018, this Payment Service Directive 2 will be in force. This is a European directive that forces all banks to open up their financial systems to new FinTech service providers at no cost. Is this PSD2 such a good idea?
PSD2 was conceived in recent years by the Brussels Directorate General of Competition. The directive was born out of anti-bank sentiments after the banking crisis of 2008 and from a blind faith in all things innovation and freedom of choice. The FinTech industry struggled to take off because banks shield our financial data so well. That had to be broken with a heavy hand! Privacy and the protection of customers and their data is something they don't want at Competition.
Two new service providers are provided for under PSD2: for making your payments and for providing personal advice based on your own financial data. In the Netherlands we are spoiled with the iDeal system, but in other European countries, online payments are not regulated as smoothly. iDeal is a joint effort of the Dutch banks. External parties could also do so, as soon as their payment orders are incorporated into the existing banking system. PSD2 therefore enforces this for parties who have received a PSD2 payment license. In our case, the DNB will grant these permits.
The big problems start with account information service providers. These are new parties under PSD2, who, once again after obtaining a license somewhere in Europe, can retrieve account information from banks, as soon as a customer gives them permission to do so. The business model of these service providers is based on the processing of personal data. In the digital economy, carefully constructed collections of personal data have great value. Under PSD2 they can be claimed from banks free of charge.
The Competition Directorate's naïve motive seems to have been to help all those little sympathetic FinTech startups at the expense of those nasty big banks who keep sitting on their golden eggs. It doesn't seem to have occurred to anyone that maybe not only small sympathetic parties will be applying for a PSD2 license, but also less sympathetic American ICT giants, such as the big five: Google, Facebook, Apple, Microsoft and Amazon. They will be offered the silverware of European banks on a silver platter. The European banks can be sucked dry free of charge by these big five, while they have to maintain a non-costly payment infrastructure. The banking sector hereby loses contact with its own customers and loses control over very sensitive personal data. I can't think of a faster way to kill off a sector and put it in the hands of overseas competitors. A strategic blunder of the highest order, which could form the basis of the next, exclusively European, banking crisis. A crisis that this time was not caused by greedy bankers, but by short-sighted policy makers and by politicians who have been fooled by the modern magic word 'innovation'. In five years from now we'll look at each other and ask ourselves: how did we ever let this happen?
Instead of shooting itself in the foot, Europe should at least have demanded reciprocity, whereby the (American) ICT sector is forced to make its valuable data available to other companies free of charge - only with the consent of the data subject, of course. Then all kinds of innovative social media startups could have been able to work with the data of, for example, Facebook or Google. Why are these ICT companies allowed to sit on their golden eggs? Was their lobby in Brussels perhaps stronger or smarter?
In addition, it is economically incomprehensible that the provision of this valuable financial data of customers should take place free of charge.
We can assume that a company like, say, Google, will apply for a PSD2 license in Europe. With that, Google can set up its own financial services here and link them to its already comprehensive existing digital infrastructure. Google will ask its users for permission to retrieve financial data from the users' banks. The PSD2 Directive limits the use of that data to financial services. But Google will undoubtedly ask for additional permission to link this data with the data that it already has about these users. Think of what Facebook is doing with WhatsApp data, despite fine promises. Google then has an ideal informational position of power to manipulate these users and for differential pricing: making the price of a product dependent on the personal circumstances of the potentially interested buyer. This is Google's ideal of 'service'. It does not lower prices.
Many European banks will probably also apply for a PSD2 licence themselves, for example through a subsidiary, so that they can retrieve financial information from their competitors. Are we waiting for these hounded 'cowboy' banks that use financial data for all kinds of other purposes so that customers pay the highest possible margins? Or was it perhaps not such a crazy idea that banks carefully protect their customers' sensitive financial data?
But we have supervisors, right? Yes, but the supervision of PSD2 is fragmented across De Nederlandsche Bank (DNB), the Personal Data Authority (AP), and the Consumer and Market Authority (ACM). These parties have never before worked together on such an extensive job and still have to find each other with the limited resources at their disposal.
Is all lost? Of course, ill-considered legislation can be repaired, but that takes time. In the meantime, European banks may have collapsed. The free nature of the provision can be abolished. Also, the reciprocity towards the American ICT giants can still be enforced, in the first instance by means of the so far hardly elaborated requirement for data portability for private individuals in the forthcoming General Data Protection Regulation. However, these are not fundamental solutions.
The underlying problem is the naive belief of policymakers in the supposed benefits of unbridled freedom of choice for consumers. Increasing freedom of choice adds nothing if everyone always clicks 'yes' without looking, just to get on with it. What's more, increasing freedom of choice is counterproductive and actually weakens the position of consumers vis-à-vis all-powerful ICT giants; they only get to 'agree' to more requests for access, under the guise of free choice. It is time we learned to think in terms of actual protection of citizens.
Bart Jacobs is Professor of Computer Security at Radboud University in Nijmegen and Chairman of the Privacy by Design Foundation.