W6 - The Privacy of the Fintechs - N26 Bank
W6 - The Privacy of the Fintechs - N26 Bank
UX 👋
Published Date

My personal example: N26 Bank - just a mobile bank?

With common terms such as "banking secret" one should be able to trust a bank, right?
In this article, I am investigating whether banking secrecy is still as it used to be. What does my bank know about me and which external stakeholders might be involved?
Did the cool fintechs of today really just cut the paperwork - or are there any pitfalls? We are going to find out 🙂.
notion image

N26 Privacy Policy

Excerpt from the policy - Find the full version here https://n26.com/en-eu/legal-documents/privacy-policy
Excerpt from the policy - Find the full version here https://n26.com/en-eu/legal-documents/privacy-policy

One bank, many external service providers

N26 as a fintech startup grew very fast. At the same time, the bank started offering plenty of additional services, such as insurances, where the actual contract is made with an external provider.
The overall appearance of these external services however is smoothly integrated in the app and might suggest, the user is still dealing with trusted services by the bank itself.
notion image
notion image
Regarding privacy, I consider this to be somewhat concerning, as the contract closing phase is kept very short, without the user is likely of doing any further research on the services of this external provider. At the same time however it is one more company that with one click receives personal data and solvency information of an individual. A process, where back in the days, pen, paper and a more extensive thinking process was involved.

Overview of potential 3rd parties being aware of your bank activities

  • N26 Bank GmbH and its subsidiaries
  • Alphabet Inc. (Google)
  • Apple
  • Clark Germany GmbH (“Clark”)
  • Raisin GmbH, MHB Bank AG
  • SCHUFA AG (Credit score)
  • CASH26 Supermarkets (Penny, Real, REWE, BUDNI, Ludwig, ON Express, Eckert, Adam’s, Barbarino and Mobilcom Debitel)
  • In co-operation with TransferWise Ltd., 6th Floor, The Tea Building, 56 Shoreditch High Street, London E1 6JJ, Great Britain (hereinafter: “TransferWise”), we offer “international transfers”
  • AWP P&C S.A. (branch for the Netherlands, which operates as Allianz Global Assistance Europe and is a member of Allianz Group
  • N26 Invest, N26 Bank collaborates with vaamo Finanz AG, Mainzer Landstrasse 250, 60326 Frankfurt am Main (hereinafter: "vaamo") and with FIL Fondsbank GmbH
  • [...] to use the Stripe Top Up Feature (“Top Up Feature”), account information is transferred to our processor Stripe Payments Europe Ltd. (“Stripe”), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland

The danger of too many intermediaries

The actual danger of what could happen became clear to me, when I signed up for yet another "partner service" with just one click of a button. A few months later, a big data breach of MasterCards Loyalty program happened.
Although I briefly checked whether my card number was affected by the breach and made sure it wasn't, someone apparently gained access to that data and was able to execute two transactions on my name.
This showed me, how dangerous every stakeholder more in the chain potentially is.
notion image

Automated scoring and privacy

Automated scoring proceses algorithms always appeared problematically to me. Especially considering that in Germany, for the scoring of individuals, one particular agency is hired by major companies. The "Schufa" is a credit bureau supported by creditors. The algorithm however is kept secret and thus there are movements like OpenSchufa who are pledging for a more open scoring system .
For now however, whenever someone needs to close a contract, the Schufa is the single entity that is going to decide, whether a debitor can take the offer of not. A single point of failure. An organization created to create trust between companies and customers - while being a mysterious unloved blackbox for the public.
notion image
There are however other, more transparent, decentralized models with the potency of higher privacy upcoming - so I am rather optimistic here.

Perceived safety ≠ actual Privacy

The banking app implemented certain measures to make the user itself feel safe and prevent from actions he might regret.
Screenshots in the banking app are disabled by default. Yet even when the user decides to enable it, he can still hide the numbers associated to an account / transactions.
notion image

My conclusion

Less paperwork does not always result in more transparency and privacy - it might just be hidden in a more elegant way.

Further readings

Which privacy - enhancing technologies are you using already? E.g. self hosted open source software Nextcloud, decentralized Messengers such as "Element", Browsers like Tor or Brave who are blocking trackers by design?