Be careful what you allow to access your bank account

There are a lot of interesting things happening on the bridge between tech and finance, or FinTech. If you’ve observed what the EU’s GDPR did for privacy around the world in a short time, it’s time for you to take a look at the EU’s PSD2, which is going to have a similar effect on FinTech.

What is PSD2? The Revised Payment Service Directive allows private/tech companies to manage the bank accounts of both consumers and businesses. I can’t stress enough how relevant this is in terms of privacy: if you’re aware that your web surfing habits are actively bought, sold, and traded in the background, the same can now legally happen with your bank account information.

This means there will be a new wave, in short order, of FinTech apps offering you services to make your financial life easier — and the question will be the same as with your web surfing and free email service choices: will you accept the convenience of what they offer in exchange for your privacy? For example, there will be apps that can help you improve your credit score, help you invest smarter, automatically increase your credit limit, or shop for you. All of these will be common within a year or two. They’ll likely even be “free”, just as Google is an advertising company that offers the free search engine and free email service you likely use. In the background these companies will sell, share, or broker your data. In many cases some of those broker deals might even offer you better service delivery than you have now.

There’s one notable distinction — your search engine data offers plausible deniability, and unless published it is really hard to tie to you as a person, especially in increments. Your financial transaction history is different. It is not a dynamic list that changes often — once it’s out there, it can be used against you for the rest of your life.

What would a privacy breach of your financial history do to you?

This is an issue that will become real, and in the short-term.

This is not unique to the EU. In Canada, the Department of Finance has released an OpenBanking 101 document, and just closed a consultation on the merits of OpenBanking. Not only are all of the big 5 banks actively in discussions on this, the Canadian Credit Union Association is on tour to all of the credit unions in the country on this.

I have several concerns about this.

1) There has been no in-depth study of the repercussions of a FinTech financial transaction history data breach. The closest we have is the result of the Equifax breach, which opens the doors to ID fraud for your lifetime, at a minimum. Again, this is different from your shopping habits at one given store — if your transaction history is breached, this is a disclosure of all of your past shopping habits, out there forever. I would propose this needs a massive re-think on access control lists for your transaction history.

2) It’s not clear what the repercussions of a breach will be. In Canada, we have good (not great) privacy laws, but we have little to no repercussions for violations. The federal privacy commissioner does not have binding power. This means that companies don’t really care if they violate your privacy, or if their data is breached, because there are few repercussions for them. There need to be strong financial penalties for any breach of privacy, and this is especially important before Canadians’ financial histories are on the line.

3) The above two are compounded by the growth of a new industry. The creation of this new wild-west FinTech OpenBanking industry will attract anyone looking to make a quick buck. This means that instead of building in the strong risk management and compliance regimes we have with our banks and credit unions, all of that will go out the window as my fellow tech entrepreneurs race for “first mover advantage” to collect your bank records.

The average consumer to date hasn’t been willing to fight for their right to privacy, and as such it will continue to be eroded, like any human or civil right that isn’t fought for. People are still choosing free over paying for products that will protect their privacy.

If you’re interested and willing to put time and/or money into protecting the privacy of yourself and others in terms of FinTech and OpenBanking, I’d love to start a dialogue.