W6 - The Privacy of the Fintechs

My personal example: N26 Bank - just a mobile bank?

🤷🏽‍♂️

With common terms such as "banking secret" one should be able to trust a bank, right?

In this article, I am investigating whether banking secrecy is still as it used to be. What does my bank know about me and which external stakeholders might be involved?

Did the cool fintechs of today really just cut the paperwork - or are there any pitfalls? We are going to find out 🙂.

N26 Privacy Policy

01privacy-policy-en.pdf

343.0KB

Excerpt from the policy - Find the full version here https://n26.com/en-eu/legal-documents/privacy-policy

One bank, many external service providers

N26 as a fintech startup grew very fast. At the same time, the bank started offering plenty of additional services, such as insurances, where the actual contract is made with an external provider.

The overall appearance of these external services however is smoothly integrated in the app and might suggest, the user is still dealing with trusted services by the bank itself.

Regarding privacy, I consider this to be somewhat concerning, as the contract closing phase is kept very short, without the user is likely of doing any further research on the services of this external provider. At the same time however it is one more company that with one click receives personal data and solvency information of an individual. A process, where back in the days, pen, paper and a more extensive thinking process was involved.

Privacy evaluation - N26

Type

Description

Purpose

Quote from ToC

💰

Personal Information & Solvency metrics

Information are transferred to third party services, when signing up for 3rd party services, (in-app, in the appearance of N26 Bank, yet with the services being executed another third party)

Required by law (Basic Information)

Market and opinion-research

Marketing

Examination and Optimization of processes

Risk assessment

3rd party services

N26 Invest

N26 You/Metal

N26 Fixed Savings

N26 Credit

N26 TransferWise

Assess credit risks (Schufa)

Stripe Top Up Feature

We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies [...] If necessary, we process your personal data beyond our contractual obligations in order to protect our legitimate interests or the legitimate interests of a third party

👨🏽‍🎓

Profiling

Money laundering

Terrorist financing

Endangering financial assets

[...] We process your personal data partially automated to assess certain personal aspects (profiling). "If we should use the possibility of a fully automated person related decision in order to provide our services fast and easy and if it is legally required, we will inform you upfront"

📱

Phone book access

You can send money to the contacts from your mobile phone via MoneyBeam without knowing their bank details

Invite Friends

MoneyBeam

Shared Spaces

MoneyRequest

[...] If the recipient is also an N26 customer, the transactions will be carried out in real time. To enable this, N26 Bank will access the contacts stored on your end device. Furthermore, as a current account holder with N26 Bank, you are visible to your contacts

📍

Location Access

N26 uses the users' location to show them a map with nearby locations where they can withdraw or deposit cash. At the same time, this information can be used to conduct location analysis, so N26 can extend the service area.

Cash26

List nearby locations

Learn customers POIs

[...] To display to you the location of our Cash26 partners nearby, we process your geolocation

💸

Mobile Payment - Mastercard MPTS

Apple Pay and Google Pay use liked virtual cards that contain personal information, such as your name.

Apple Pay

Google Pay

[...] In order to be able to use the mobile financial services of Google and Apple, information concerning your current account is transferred to our processor Mastercard MPTS. The information is tokenized at Mastercard MPTS. The tokens are used to authorize and to perform transactions with one of the mentioned service providers. Your personal data will be shared with Alphabet Inc. (Google) or Apple Inc. as Google and Apple provide the technological basis. In case you deactivate these services, the token generated by MPTS is automatically deactivated and erased.

🆔

Identify phone meta data

Fraud prevention

🎯

Targeted marketing

Marketing

Market and opinion-research

"With targeted marketing we try to only make offers to you which are interesting for you and which meet your needs."

🎰

Scoring data

Credit rating

"In order to evaluate your credit rating, we use scoring. Within the scoring process we calculate how probable it is that the respective customer meets his payment obligations. [...] we use personal data such as your salary, your expenses, existing obligations, your job, duration of employment, experiences of former contractual relations, repayment of former credits as agreed upon, as well as credit agencies’ information. Your scoring is the result of a mathematical-statistical procedure and it is necessary to fulfill the obligations of our credit contract (overdraft or N26 credit) according to Art. 22 2a) GDPR. The score results support our decision making, when a customer wishes to purchase an additional product and it is included in the current risk management."

📷

Video-Ident and Photo-Ident

German Money Laundering Act

Identification

[...] The execution of video and photo identification is performed either on behalf of N26 Bank by an external service provider or directly by employees of N26 GmbH or its subsidiaries on behalf of N26 Bank. In both cases, identity is established by means of a web-based video or photo identification procedure via an encrypted transmission path. In both cases, web-based video and photo identification, N26 Bank may transmit personal data to external service providers for the purpose of verifying your identity.

Overview of potential 3rd parties being aware of your bank activities

N26 Bank GmbH and its subsidiaries

Alphabet Inc. (Google)

Apple

Clark Germany GmbH (“Clark”)

Raisin GmbH, MHB Bank AG

SCHUFA AG (Credit score)

CASH26 Supermarkets (Penny, Real, REWE, BUDNI, Ludwig, ON Express, Eckert, Adam’s, Barbarino and Mobilcom Debitel)

In co-operation with TransferWise Ltd., 6th Floor, The Tea Building, 56 Shoreditch High Street, London E1 6JJ, Great Britain (hereinafter: “TransferWise”), we offer “international transfers”

AWP P&C S.A. (branch for the Netherlands, which operates as Allianz Global Assistance Europe and is a member of Allianz Group

N26 Invest, N26 Bank collaborates with vaamo Finanz AG, Mainzer Landstrasse 250, 60326 Frankfurt am Main (hereinafter: "vaamo") and with FIL Fondsbank GmbH

[...] to use the Stripe Top Up Feature (“Top Up Feature”), account information is transferred to our processor Stripe Payments Europe Ltd. (“Stripe”), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland

The danger of too many intermediaries

The actual danger of what could happen became clear to me, when I signed up for yet another "partner service" with just one click of a button. A few months later, a big data breach of MasterCards Loyalty program happened.

Mastercard Breach Affected 90K Germans' Data | PYMNTS.com

Belgian and German data protection regulators were notified by Mastercard of a possible data breach, Bloomberg reported on Friday (Aug. 23). The breach was first noticed on Aug. 19 and "affected a large number of data subjects," the Belgian watchdog said in a statement. The leak involved 90,000 customers' names, addresses and credit card numbers.

https://www.pymnts.com/news/security-and-risk/2019/mastercard-loyalty-program-data-breach-germany/

Although I briefly checked whether my card number was affected by the breach and made sure it wasn't, someone apparently gained access to that data and was able to execute two transactions on my name.

This showed me, how dangerous every stakeholder more in the chain potentially is.

Automated scoring and privacy

Automated scoring proceses algorithms always appeared problematically to me. Especially considering that in Germany, for the scoring of individuals, one particular agency is hired by major companies. The "Schufa" is a credit bureau supported by creditors. The algorithm however is kept secret and thus there are movements like OpenSchufa who are pledging for a more open scoring system .

For now however, whenever someone needs to close a contract, the Schufa is the single entity that is going to decide, whether a debitor can take the offer of not. A single point of failure. An organization created to create trust between companies and customers - while being a mysterious unloved blackbox for the public.

There are however other, more transparent, decentralized models with the potency of higher privacy upcoming - so I am rather optimistic here.

Proof of Solvency: Technical Overview

We ran the same procedure for all the assets on the ICONOMI platform and built a tree for every asset to get multiple root nodes. These root nodes are extremely important because they show the liabilities we have for each asset.

https://medium.com/iconominet/proof-of-solvency-technical-overview-d1d0e8a8a0b8

Perceived safety ≠ actual Privacy

The banking app implemented certain measures to make the user itself feel safe and prevent from actions he might regret.

Screenshots in the banking app are disabled by default. Yet even when the user decides to enable it, he can still hide the numbers associated to an account / transactions.