W6 - The Privacy of the Fintechs - N26 Bank
Tags
UX 👋
Published Date
Description

My personal example: N26 Bank - just a mobile bank?

🤷🏽‍♂️
With common terms such as "banking secret" one should be able to trust a bank, right?
In this article, I am investigating whether banking secrecy is still as it used to be. What does my bank know about me and which external stakeholders might be involved?
Did the cool fintechs of today really just cut the paperwork - or are there any pitfalls? We are going to find out 🙂.

N26 Privacy Policy

Excerpt from the policy - Find the full version here https://n26.com/en-eu/legal-documents/privacy-policy

One bank, many external service providers

N26 as a fintech startup grew very fast. At the same time, the bank started offering plenty of additional services, such as insurances, where the actual contract is made with an external provider.
The overall appearance of these external services however is smoothly integrated in the app and might suggest, the user is still dealing with trusted services by the bank itself.
 
 
Regarding privacy, I consider this to be somewhat concerning, as the contract closing phase is kept very short, without the user is likely of doing any further research on the services of this external provider. At the same time however it is one more company that with one click receives personal data and solvency information of an individual. A process, where back in the days, pen, paper and a more extensive thinking process was involved.
 
Privacy evaluation - N26
Type
Description
Purpose
Quote from ToC
💰Personal Information & Solvency metrics
Information are transferred to third party services, when signing up for 3rd party services, (in-app, in the appearance of N26 Bank, yet with the services being executed another third party)
Required by law (Basic Information)
Market and opinion-research
Marketing
Examination and Optimization of processes
Risk assessment
3rd party services
N26 Invest
N26 You/Metal
N26 Fixed Savings
N26 Credit
N26 TransferWise
Assess credit risks (Schufa)
Stripe Top Up Feature
We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies [...] If necessary, we process your personal data beyond our contractual obligations in order to protect our legitimate interests or the legitimate interests of a third party
👨🏽‍🎓Profiling
Money laundering
Terrorist financing
Endangering financial assets
[...] We process your personal data partially automated to assess certain personal aspects (profiling). "If we should use the possibility of a fully automated person related decision in order to provide our services fast and easy and if it is legally required, we will inform you upfront"
📱Phone book access
You can send money to the contacts from your mobile phone via MoneyBeam without knowing their bank details
Invite Friends
MoneyBeam
Shared Spaces
MoneyRequest
[...] If the recipient is also an N26 customer, the transactions will be carried out in real time. To enable this, N26 Bank will access the contacts stored on your end device. Furthermore, as a current account holder with N26 Bank, you are visible to your contacts
📍Location Access
N26 uses the users' location to show them a map with nearby locations where they can withdraw or deposit cash. At the same time, this information can be used to conduct location analysis, so N26 can extend the service area.
Cash26
List nearby locations
Learn customers POIs
[...] To display to you the location of our Cash26 partners nearby, we process your geolocation
💸Mobile Payment - Mastercard MPTS
Apple Pay and Google Pay use liked virtual cards that contain personal information, such as your name.
Apple Pay
Google Pay
[...] In order to be able to use the mobile financial services of Google and Apple, information concerning your current account is transferred to our processor Mastercard MPTS. The information is tokenized at Mastercard MPTS. The tokens are used to authorize and to perform transactions with one of the mentioned service providers. Your personal data will be shared with Alphabet Inc. (Google) or Apple Inc. as Google and Apple provide the technological basis. In case you deactivate these services, the token generated by MPTS is automatically deactivated and erased.
🆔Identify phone meta data
Fraud prevention
🎯Targeted marketing
Marketing
Market and opinion-research
"With targeted marketing we try to only make offers to you which are interesting for you and which meet your needs."
🎰Scoring data
Credit rating
"In order to evaluate your credit rating, we use scoring. Within the scoring process we calculate how probable it is that the respective customer meets his payment obligations. [...] we use personal data such as your salary, your expenses, existing obligations, your job, duration of employment, experiences of former contractual relations, repayment of former credits as agreed upon, as well as credit agencies’ information. Your scoring is the result of a mathematical-statistical procedure and it is necessary to fulfill the obligations of our credit contract (overdraft or N26 credit) according to Art. 22 2a) GDPR. The score results support our decision making, when a customer wishes to purchase an additional product and it is included in the current risk management."
📷Video-Ident and Photo-Ident
German Money Laundering Act
Identification
[...] The execution of video and photo identification is performed either on behalf of N26 Bank by an external service provider or directly by employees of N26 GmbH or its subsidiaries on behalf of N26 Bank. In both cases, identity is established by means of a web-based video or photo identification procedure via an encrypted transmission path. In both cases, web-based video and photo identification, N26 Bank may transmit personal data to external service providers for the purpose of verifying your identity.
 

Overview of potential 3rd parties being aware of your bank activities

  • N26 Bank GmbH and its subsidiaries
  • Alphabet Inc. (Google)
  • Apple
  • Clark Germany GmbH (“Clark”)
  • Raisin GmbH, MHB Bank AG
  • SCHUFA AG (Credit score)
  • CASH26 Supermarkets (Penny, Real, REWE, BUDNI, Ludwig, ON Express, Eckert, Adam’s, Barbarino and Mobilcom Debitel)
  • In co-operation with TransferWise Ltd., 6th Floor, The Tea Building, 56 Shoreditch High Street, London E1 6JJ, Great Britain (hereinafter: “TransferWise”), we offer “international transfers”
  • AWP P&C S.A. (branch for the Netherlands, which operates as Allianz Global Assistance Europe and is a member of Allianz Group
  • N26 Invest, N26 Bank collaborates with vaamo Finanz AG, Mainzer Landstrasse 250, 60326 Frankfurt am Main (hereinafter: "vaamo") and with FIL Fondsbank GmbH
  • [...] to use the Stripe Top Up Feature (“Top Up Feature”), account information is transferred to our processor Stripe Payments Europe Ltd. (“Stripe”), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland

The danger of too many intermediaries

The actual danger of what could happen became clear to me, when I signed up for yet another "partner service" with just one click of a button. A few months later, a big data breach of MasterCards Loyalty program happened.
Although I briefly checked whether my card number was affected by the breach and made sure it wasn't, someone apparently gained access to that data and was able to execute two transactions on my name.
This showed me, how dangerous every stakeholder more in the chain potentially is.
 

Automated scoring and privacy

Automated scoring proceses algorithms always appeared problematically to me. Especially considering that in Germany, for the scoring of individuals, one particular agency is hired by major companies. The "Schufa" is a credit bureau supported by creditors. The algorithm however is kept secret and thus there are movements like OpenSchufa who are pledging for a more open scoring system .
For now however, whenever someone needs to close a contract, the Schufa is the single entity that is going to decide, whether a debitor can take the offer of not. A single point of failure. An organization created to create trust between companies and customers - while being a mysterious unloved blackbox for the public.
There are however other, more transparent, decentralized models with the potency of higher privacy upcoming - so I am rather optimistic here.
 

Perceived safety ≠ actual Privacy

The banking app implemented certain measures to make the user itself feel safe and prevent from actions he might regret.
Screenshots in the banking app are disabled by default. Yet even when the user decides to enable it, he can still hide the numbers associated to an account / transactions.
 
 
 
 

My conclusion

Less paperwork does not always result in more transparency and privacy - it might just be hidden in a more elegant way.
 

Further readings

 
 
 
Which privacy - enhancing technologies are you using already? E.g. self hosted open source software Nextcloud, decentralized Messengers such as "Element", Browsers like Tor or Brave who are blocking trackers by design?