
PSD2 and XS2A: Account data in danger?

by Maik Klotz / 3 December 2018

Almost exactly a year ago a ghost went through Germany: people's account data were supposedly no longer secure. Because of PSD2, which has since come into force, and the associated possibility for third-party providers to access account information (access to account, XS2A), account data was said to be in danger. Even then, the question of whether account data is in danger could be answered with a no. The data allegedly in "highest danger" is protected above all by the "last bastion": the user. Account information must be explicitly released to a third-party provider, and that release requires a login to online banking, which is a very conscious step for the customer. It is a far more deliberate process than ticking a box in the fine print, for example for a credit check.

Even today, one year later, people are still debating how evil PSD2 and XS2A (access to account), with their basic functions "account information service" (AIS) and "payment initiation service" (PIS), really are. Considering that PSD2 is an EU initiative of German origin, one should not construct a horror scenario but think seriously about the positive possibilities PSD2 brings with it, especially against the background of the current criticism of credit bureaus. When one considers who already collects data today, how opaque that collection is, and that the consumer cannot even object to it, the discussion about PSD2 / XS2A must be conducted differently: how can PSD2 / XS2A in future give those who need information everything they need while still creating transparency for the customer?

Forming an opinion

Far from PSD2: who has my data?

The good news is that Interpol has no warrant out for me. The less good news is the realization of how much of my data is floating around the world, and where. Anyone who now immediately thinks of Google or Facebook should think again, because it is not only Facebook and Co. who collect; many other places do too. The difference is that these places do not offer me services like Gmail, Google Docs, Facebook or anything else fancy. Instead, the data collection of some credit bureaus gets in the consumer's way again and again, for example when consumer credit is refused because an incomprehensible algorithm says someone is not creditworthy.

I know what you did last summer 

The website "Datenschmutz" offers a generator for requests for information to various authorities. Depending on what you select there, several dozen letters are generated. After a few days the mail arrives: from the State Criminal Police Office, Interpol or the Office for the Protection of the Constitution (Verfassungsschutz). Pro tip: warn your family members in advance. It can be a little irritating if, for example, a letter from the Verfassungsschutz turns up.

After dozens of answers from various authorities, the feeling grows that Google, Facebook and Co. are by no means the only ones interested in my data. Quite the opposite. Whether it is a government agency or a private credit agency: they know me well. For me as a consumer it is nice to know that the Verfassungsschutz is not watching me (although in the opposite case it would be somehow funny to tell a watched person that they are being watched), but "not watching" does not mean that no data is available.

Private and official databases

With the private databases, the classic scoring databases such as SCHUFA, Infoscore or CRIF, the situation is once again different.

As a reminder: the aim of these databases is basically to produce a (credit) score in order to state how likely it is that a person will meet his or her payment obligations. This information is of course essential for companies that want to protect themselves effectively against payment defaults. Basically there is nothing wrong with that, if it were not for the question of data sovereignty and transparency. Consumers can request a self-disclosure and "request" the deletion of certain records, but there is no self-service. The self-disclosure is not simple, there is no easy way to view one's own records online, and there is no way to influence the score. The scoring providers' algorithm is ultimately a black box and does not help anyone improve their creditworthiness (or willingness to pay).

An example: if you work with fintechs and in this industry, you try out a lot. By now I have accumulated a few current accounts, debit cards and so on. Only two accounts, a credit card and a debit card are actually in use. Nevertheless, my score gets worse with every new account, although there is no credit facility and no liabilities are left open (with the exception of the parking ticket in Switzerland, sorry!). In short: some algorithm turns me into, let's say, a B customer. Of course, nobody tells me which factors play a role, and so it can happen that a purchase on account is denied every now and then, or my savings bank tells me we should talk about my creditworthiness. Of course I can imagine what abuse would be possible, but I am more than the number of my current accounts.

Because of the lack of transparency and the lack of any way to influence one's own score, a distorted picture of a person can emerge. All databases have this problem: they never represent reality; they are a post-mortem.

I know what you will do next summer

Tech giants such as Facebook or Google, whose business model and DNA are designed to collect data in order to target advertising, play in a completely different league. Here it is all about predicting how a customer will behave in the future in order to place targeted advertising.

What Facebook collects

Facebook collects around 29,000 so-called social indicators for this purpose. 98 percent of these are based on user behaviour on Facebook. The amount of data collected daily is 600 terabytes. That corresponds to 75,000 copies of the film "War and Peace", which at more than 6 hours is a rather long one. Facebook collects this wealth of data every day. Whenever the user enters data in the front end (app, website), data is written to the back end in the background. Not only is data collected, but so-called shadow profiles are also created: profiles containing data that the user never gave Facebook directly, such as alternative e-mail addresses. Thanks to the "digital biometric template", Facebook knows the faces of its users, and even of people who are not on Facebook at all. Facebook also keeps deleted posts, deleted pictures and deleted comments. Keystrokes and mouse movements are recorded as well. In short: everything that can be collected is collected. Data scandal or not, those are the rules over there.

What Google collects

Google is no different. All you have to do is look at your own search behaviour. Google knows which pages a person has visited, which devices they use, who they are and where they have been. And it is completely transparent: you can even look it up yourself.

The difference between the respective databases is simple:

  • Databases of Google, Facebook and Co.: these serve to get to know the customer and to place advertising. The customer gets better advertising and in return can use all services free of charge.
  • Credit bureaus, scoring databases: these serve, in the broadest sense, to protect companies from their customers; first and foremost from black sheep who will not pay.
  • Official databases: in case of doubt, they serve the welfare of all. Basically, it is about protecting and managing society.

Opportunity PSD2: the bank as a data dashboard?

We need data. Maybe even data krakens. Above all, however, we need transparency and customer focus. In the end it is all about customer identity. Social networks are voluntary. Official databases are simply there. But especially with scoring databases, the question has to be asked how up to date they really are.

PSD2 as an opportunity

Thanks to PSD2, banks could end up positioning themselves as white knights. The only question is how they design XS2A and how transparent it is for the user. It would be a dream if third-party providers that have been granted access to online banking could be deactivated with a single click. The house bank would then become the hub of the data, with the difference that this data is alive, because new transactions are added every day, and the customer retains control over which data objects are made accessible to which third-party provider. If the bank were to issue a financial score itself, one or the other scoring database would have to consider how viable its business model actually is.
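The dashboard this paragraph wishes for, as an added example that is not from the article or from any bank's PSD2 implementation: a minimal consent store in which the customer releases named data objects to a third-party provider (TPP) for a limited time, revokes everything that TPP holds with one call, and every access check is default-deny. The data-object names, the 90-day default, the TPP identifiers and all function names are assumptions.

```python
# Added example, not the article's or any bank's code. Models a bank-side
# consent store for XS2A account information access: per TPP, which data
# objects were released, until when, and whether the customer switched it off.
from dataclasses import dataclass, field

DAY = 86_400  # seconds
DATA_OBJECTS = {"accounts", "balances", "transactions"}  # assumed AIS data objects


@dataclass
class Consent:
    tpp_id: str
    scopes: frozenset        # subset of DATA_OBJECTS released by the customer
    expires_at: int          # Unix time; AIS consents are time-limited
    revoked: bool = False


@dataclass
class ConsentStore:
    consents: dict = field(default_factory=dict)  # tpp_id -> Consent

    def grant(self, tpp_id, scopes, now, days=90):
        """Customer releases specific data objects to one TPP (90-day default is assumed)."""
        unknown = set(scopes) - DATA_OBJECTS
        if unknown:
            raise ValueError(f"unknown data objects: {sorted(unknown)}")
        self.consents[tpp_id] = Consent(tpp_id, frozenset(scopes), now + days * DAY)

    def revoke(self, tpp_id):
        """The 'single click': the customer deactivates a TPP entirely."""
        if tpp_id in self.consents:
            self.consents[tpp_id].revoked = True

    def authorize(self, tpp_id, data_object, now):
        """Decide whether a TPP may read one data object right now. Default deny."""
        c = self.consents.get(tpp_id)
        if c is None:
            return False, "no consent"
        if c.revoked:
            return False, "revoked by customer"
        if now >= c.expires_at:
            return False, "consent expired"
        if data_object not in c.scopes:
            return False, f"{data_object} not released to this TPP"
        return True, "ok"

    def dashboard(self, now):
        """What the customer sees: active TPPs and the data objects each one holds."""
        return {t: sorted(c.scopes) for t, c in self.consents.items()
                if not c.revoked and now < c.expires_at}
```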


Facebook and Co. will continue to collect data diligently. Authorities will do so too and will not stop. But there will be sectors in which XS2A third parties are satisfied with knowing what kind of user or customer they are dealing with, while those users at the same time keep control over their data.
