Personal data: new sources of revenue for banks
In July 2019, the Dutch Data Protection Authority, the Dutch equivalent of France's CNIL, stated that banks may not use data collected on their customers' transactions for purposes other than payment or withdrawal services, even with their consent. This announcement follows action taken by the online bank ING, which submitted a modification of its conditions of use to its customers. The aim: to be able to use transaction data to offer targeted promotions. Other banks such as ABN Amro, Rabobank and Volksbank were also exploiting their customers' payment data.
The Netherlands has thus put a stop to a promising source of revenue for banks by relying on a rigorous reading of the General Data Protection Regulation (GDPR). This episode shows the possible uses of personal data.
Banking secrecy rules
Although banks have access to their customers' personal data, they are not free to use it for their own purposes. Two sets of rules govern the use of this data. The first is banking secrecy, governed by the French Monetary and Financial Code, which requires banks to ensure the confidentiality of their data in the broadest sense of the term. There are, however, a few exceptions to this rule, as certain government bodies are legally entitled to obtain information covered by banking secrecy, in order to carry out missions considered to be in the public interest. Among the bodies entitled to derogate from banking secrecy are the tax authorities, supervisory authorities, the criminal justice system and bodies involved in combating money laundering and the financing of terrorism.
Personal data is also governed by the RGPD, which came into force throughout the European Union in May 2018. This text aims to strengthen the protection of individuals and make those involved in data processing more accountable. Payment-related information is covered by the RGPD, which means that it does not belong to the bank even if the bank protects its confidentiality.
While historically low interest rates and restrictive regulations may encourage banks to find new sources of revenue by exploiting their customers' transactional data for commercial purposes, as ING has done in the Netherlands, in France few establishments resort to this practice for fear of a loss of image. In any case, they cannot do so without their customers' consent. It is therefore advisable to be vigilant, by carefully reading the general and special conditions governing your relationship with the bank and, if necessary, withdrawing your consent.