Welcome to "PSD2, a banking standard for scammers?", with a question mark, because that's what we're trying to find out. I won't be giving a presentation today, because that's usually not what I do. But I will tell you a story. And with this story, I'm going to take you on an epic journey from Holland here to Belgium, to our capital of Europe, to Portugal, and all the way back to Latvia. So I think that's pretty interesting.

Let me start by telling you a little bit about me. I have a background in electrical engineering. That's what I studied. And in 2002, I founded my company, Cloud Aware. And I'm a technical consultant. And everyone always asks me, so what is it that you do? And that's a difficult question, because in the word cloud next to my name, you can see it's quite a lot. So what I usually say is I go to mostly non-technical companies and I help them with technical questions. About 10 years ago, I also started working with VoIP services. And I think, as far as I know, and please do correct me later if you know that I'm wrong, as far as I know, I'm the only telco in Europe that is providing emergency services, 112, in every member state in Europe. If you want to talk to me later, after the talk, you can find me in the Swiss village here at May Contain Hackers.

All right, so a while ago, I was working for a customer and the customer wanted a PSD2 product. So I started working on that. And while I was working on that, I thought, okay, what is it exactly? Well, PSD2 is the Payment Services Directive. It has been active since 2019. And for those of you who are not familiar, or outside of the EU, a directive is a document that is crafted in Brussels by the European Commission. And that document has to be implemented in law in every different member state in Europe. That is very important. It is implemented in every member state in Europe. I'll get to that later.
It is mainly used, it's meant to drive innovation, because in the old days you needed to be a bank in order to provide financial services. And now you can also register yourself as a payment institution. And a payment institution is not someone who is a bank or a credit card company, but it still has very strict capital and risk management requirements. And I'll definitely get back to that later, because that's very important in this talk.

So let me focus a little bit on how Holland does this, because that's where I'm from and that's what I know the most about. In Holland, the body that regulates this is called De Nederlandsche Bank, the Dutch National Bank. I'll just call it DNB for now, because that's less Dutch and more international. And the DNB says, okay, so first you have to draft all these documents, you know, prove stuff and provide information to us. And then we're going to make a decision about it. And the decision is going to take a minimum of three months. So okay, that's quite some time, but okay, it's still doable. The price, they didn't want to be too specific about it, but I do understand from people in the industry that you can buy a really nice car from it, a really nice car. So yeah, it's not cheap to get a PSD2 license in Holland.

And then there's a document, and the document says which requirements you have to meet if you want to have a PSD2 license in Holland. And the document is eight pages long and it basically just refers to law. So it is very, very extensive. And I just picked four out of them, because otherwise we wouldn't have enough time in 30 minutes here. Let me have a look at the first one. It's article 3.9 from the Wft, the Wet op het financieel toezicht, so the law that governs financial institutions. And it says you need to have a reliable decision maker. In other words, if you have a criminal record or something like that, you cannot be a board member of the company that wants a PSD2 license.
Okay, that makes sense, you know, you don't want, for example, scammers to have a banking license. You have to register everything in procedures, and everyone who has ISO certification knows how difficult that can be. So the three months is definitely a minimum. It probably takes a lot longer to get one of these licenses in Holland. And there was one very interesting one. All your employees have to take an oath. And yeah, I was a bit interested in that. So I'm not sure what the oath says, but it specifically said that all your employees have to take an oath if you want to have this license. Never seen that before. Article 117 was also interesting. That basically says that you have reasonable wages. And it doesn't state that, but I'm guessing it's not at the low end of the wages; it's probably that board members cannot make three or four times more than the whole revenue of a year for this company. Which also makes sense, because you don't want specific people to withdraw all the money from that company and then go bankrupt or something like that. That creates huge problems. You want to have trust in financial institutions. So actually, this is a very good idea. This is how you would want to do it. Don't make it too easy, but do create options for fintechs to create financial products.

So then I thought, yeah, that's a lot of work. Can it be done easier? And then I thought of a different law. And I thought of Lisbon. And Lisbon is a nice city, nice people, good food, good wine, better weather than Holland. But Lisbon has something else. It has the Lisbon Treaty. And specifically Article 56 of the Lisbon Treaty. And this article says that, and I'll just read this: Within the framework, restrictions on freedom to provide services within the Union shall be prohibited in respect of nationals of member states who are established in a member state other than that of the person for whom the services are intended.
In other words, I can buy this service anywhere in the European Union. And maybe there's a different member state where these PSD2 rules are less strict. That would be nice. So I started looking, and I promised you we're going on a journey today. So let's go to Latvia. And Latvia is a member of the European Union and therefore they provide PSD2 services. And I found a reseller of PSD2 services. So I went to this reseller and I said, sounds interesting. This is exactly what I want. So how can I become a customer of yours? And they said, oh, just go online and fill out your email address, choose a password and you're good to go. That sounds fantastic. I said, so how much does it cost? And I was thinking about this nice car, right? And they were like, let's see, do you need more data with that? So do you want to know for specific data if it was a transaction for a supermarket or something like that? And I was like, no, no, no. I said, I just want the raw data itself. And they said, oh, that's fine. Then it's free. I was like, oh, interesting. So basically I went from big six figures plus a lot of work to five minutes of work and zero euro. I said, okay, fantastic.

So then I thought, so I have this capability now and I should test it. And so I called up my friend, Bob, there you go. And I said, Bob, can I try to hack your bank account? And Bob is a nice guy, he's smart. And this is the person who would never click on a scamming or phishing link. So I thought it will be difficult, but everyone has everything online. So I checked out his LinkedIn, I checked out his social media, and I have a lot of information about him. I know his address, I know his date of birth, full name, where he works, everything. So I was like, interesting. So let's create an email where I say, don't fill out any information, because that's what scammers do. Don't do that. But this is the information we have about you. Can you please confirm this? And I thought it's a long shot, you know?
He will never do this. And it was a few weeks after I talked to him, so he had probably already forgotten. So I thought he will never click on it. And yeah, I was wrong. You don't have to read this, but this is the raw data that I got from his bank account. I literally got all his bank accounts, how much money was in the bank accounts, and literally every transaction of the past year of his bank account. And I'll go over a few of them, because, well, it's difficult to see, but you'll probably have to check it out later on the streams, the stored streams online. But there is some interesting information in there. For example, I know that he's going to Albert Heijn every day between seven and eight. So you're like, so why is this important? Well, you know, you can imagine that for some people, this could be a security issue. I don't know, ministers, stuff like that, you know? So for some people, you don't want to have a specific pattern known. And you can actually get that from this data. But you can also see that he has Spotify and Netflix, and I definitely have to ask him about that. That's good. There's also a lot of order data in there. So I can actually see that he orders from bol.com, which is a Dutch Amazon, basically, with the order number and everything. And I can also see his, what, yeah, I can also actually see his address, because he paid for his water bill. And the water bill was actually transferred with the complete address and everything in it. So I know how much water he uses and where he lives and everything. I already knew that, of course, because, you know, I'm Jeroen and I know him. But, you know, scammers could definitely use this sort of information. This is such an amazing source of data.

OK, so yeah, huge amounts of information. I get raw data for free from Latvia without any certification. I could be a criminal. I could have a criminal record. No one ever asked me about it.
Yeah, so how difficult is it to do this? Well, I already told you, in Latvia, you can get a reseller for PSD2 for nothing within five minutes. And then I use some amazing tools, curl, basically. So I just use the REST API of that reseller. Then I converted it to CSV for viewing it in Calc. And that's basically it. But I mean, it's this easy. You could do it in any way. You could push it into a Python object or whatever and do it really automatically.

So I was thinking, is this actually used? And then I started thinking about PayPal. Because if you go to PayPal, they say, you can link your bank account. And in the old days, they transferred two amounts of money to you, like $0.01 and $0.05. And then you had to fill out $0.01, $0.05. And then your bank account is matched to your PayPal account. Not anymore. So what they now say is, link your bank account. You say, choose your bank. And in Holland, it looks like this. I just choose my bank. And then it says this. And now it becomes really interesting. Because this text actually says, and this is an actual screenshot from PayPal, it says: log in to use your bank account instantly. This will allow us to confirm your bank account details and view balances and transactions in your bank account any time it's necessary over the next 90 days. We will save and use this data exclusively for fraud prevention and risk management, and to make sure there are enough funds for your PayPal payments. By continuing, you agree to the above permissions. And I was like, aha, I know for sure this is PSD2. So yeah, this is actually used. And there's very little scope. I sort of trust PayPal. They're not scammers or anything like that. But there's a lot of data that you're transferring to PayPal. And the real question is, do you want this? Or do you still want to pay one and two cents and then just link your bank account that way? I think the latter, obviously. So let me see. Yeah, the scope, pretty much everything.
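As an added illustration of the pipeline the speaker describes (query the reseller's account-information API, flatten the JSON to CSV, look at it in a spreadsheet) and of the scope question raised by the PayPal screen, here is a Python example written for this page. It is not code from the talk or from any reseller. The JSON sample is constructed in the shape of a Berlin Group NextGenPSD2 "read transaction list" response (creditorName, transactionAmount, remittanceInformationUnstructured), every value in it is made up, and the per-purpose minimum-scope table is an assumed example policy, not something the directive defines. The audit part reads the export the way a privacy reviewer would: which payment descriptions carry a postal address, and which counterparties recur often enough to reveal a daily routine, the two things the speaker spotted by eye.

```python
import csv
import io
import json
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of a Berlin Group NextGenPSD2-style
# "read transaction list" response. Every value is made up for this example;
# the IBAN uses a placeholder bank code.
SAMPLE_RESPONSE = json.dumps({
    "account": {"iban": "NL00EXMP0000000001", "currency": "EUR"},
    "transactions": {"booked": [
        {"bookingDate": "2022-03-01", "creditorName": "Albert Heijn",
         "transactionAmount": {"currency": "EUR", "amount": "-4.25"},
         "remittanceInformationUnstructured": "AH 1234 AMSTERDAM 07:41"},
        {"bookingDate": "2022-03-02", "creditorName": "Albert Heijn",
         "transactionAmount": {"currency": "EUR", "amount": "-6.10"},
         "remittanceInformationUnstructured": "AH 1234 AMSTERDAM 07:38"},
        {"bookingDate": "2022-03-03", "creditorName": "Albert Heijn",
         "transactionAmount": {"currency": "EUR", "amount": "-3.80"},
         "remittanceInformationUnstructured": "AH 1234 AMSTERDAM 07:52"},
        {"bookingDate": "2022-03-05", "creditorName": "Waterbedrijf Voorbeeld",
         "transactionAmount": {"currency": "EUR", "amount": "-31.40"},
         "remittanceInformationUnstructured":
             "Factuur 2022-03 Voorbeeldstraat 12 1234 AB Amsterdam"},
        {"bookingDate": "2022-03-07", "creditorName": "bol.com",
         "transactionAmount": {"currency": "EUR", "amount": "-59.00"},
         "remittanceInformationUnstructured": "Bestelling 100200300"},
    ]},
})

COLUMNS = ["iban", "date", "amount", "currency", "counterparty", "description"]
POSTCODE_RE = re.compile(r"\b\d{4} ?[A-Z]{2}\b")       # Dutch postcode, e.g. "1234 AB"
TIME_RE = re.compile(r"\b([01]\d|2[0-3]):[0-5]\d\b")   # "HH:MM" left in by the terminal


def flatten(raw_json):
    """One flat dict per booked transaction: the rows you would view in Calc."""
    data = json.loads(raw_json)
    iban = data["account"]["iban"]
    rows = []
    for tx in data["transactions"]["booked"]:
        amount = tx["transactionAmount"]
        rows.append({
            "iban": iban,
            "date": tx["bookingDate"],
            "amount": amount["amount"],
            "currency": amount["currency"],
            # Outgoing payments name the creditor, incoming ones the debtor.
            "counterparty": tx.get("creditorName") or tx.get("debtorName", ""),
            "description": tx.get("remittanceInformationUnstructured", ""),
        })
    return rows


def to_csv(raw_json):
    """Render the flattened transactions as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(flatten(raw_json))
    return buf.getvalue()


def audit_exposure(raw_json, min_repeats=3):
    """What a third party learns beyond amounts: addresses and daily routines."""
    rows = flatten(raw_json)
    addresses = [r["description"] for r in rows if POSTCODE_RE.search(r["description"])]
    by_party = defaultdict(list)
    for r in rows:
        by_party[r["counterparty"]].append(r)
    routines = {}
    for party, txs in by_party.items():
        if len(txs) < min_repeats:
            continue
        hours = Counter()
        for r in txs:
            m = TIME_RE.search(r["description"])
            if m:
                hours[m.group(0)[:2]] += 1
        routines[party] = {"count": len(txs),
                           "usual_hour": hours.most_common(1)[0][0] if hours else None}
    return {"addresses": addresses, "routines": routines}


# Assumed example policy (not from PSD2 or the talk): the least account-information
# scope each purpose actually needs. Confirming that an account exists needs no history.
MINIMUM_SCOPE = {
    "link-account": {"accounts"},
    "budgeting": {"accounts", "transactions"},
}


def excess_scopes(purpose, requested):
    """Scopes a consent screen asks for beyond what its stated purpose needs."""
    return sorted(set(requested) - MINIMUM_SCOPE[purpose])


if __name__ == "__main__":
    print(to_csv(SAMPLE_RESPONSE))
    print(audit_exposure(SAMPLE_RESPONSE))
    print(excess_scopes("link-account", ["accounts", "balances", "transactions"]))
```

Run against the constructed sample, the audit reports one description containing a postal address and one counterparty visited three mornings around 07:00; the scope check shows that a consent asking for accounts, balances and transactions just to link an account carries two scopes beyond what linking needs. A bank or third-party provider could run the same two checks against its own consent screens and exports before asking customers to click "agree".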
And once you have given consent, the consent is valid for 90 days. So for example, if after 80 days they want to know, let's see what is in the past 20 days, they can again query your bank accounts and get all transactions. And they can do this every day. I think that's a problem.

So, conclusion. I do think it's good that something like PSD2 exists, so that it's not just banks who can create financial products, but you actually have fintechs who create amazing products this way. But I do think that it needs a little bit of regulation, and especially harmonization of national regulations. It was really weird to see that I went from Holland, where I had to do all this stuff to get this data, and then I just went to Latvia and they said, yeah, fine. Here it is, without any questions asked. So harmonization is definitely needed here. I do think that the consent has to be more explicit. If you remember this button at PayPal, it's just this big button. Yeah, click here to link your bank account. And no one is going to read this. I mean, South Park explained it pretty nicely in their episode about consent. So I think, yeah, it should be more explicit. And it should be easy to withdraw consent. So I tried to query my own bank account data and it specifically says, you can always, if you want to, withdraw this consent. And then the 90 days just stop from that moment on. They don't have access to your data anymore. I haven't found this button yet. So I consider myself a pretty technical guy. And I was not able to withdraw consent. So I think there's an issue there, too. This should be addressed. Yeah. So basically, what I'm saying here is, once you are in this PSD2 prison, you won't be pardoned. You're locked in. So there is some time for questions, I think. Thanks a lot.

And we do have time for questions. So if you have any questions, please line up at the microphones in the middle of the room. OK, front microphone, please.

I have two questions.
I think there could be rather simple solutions to the problem you state: when you go to your bank account, you can see which consents you have given. And also, when you go to your bank account, you can see who has used those consents, so that all queries are logged for the end user.

Absolutely. I think everyone from Holland knows the whole discussion about the electronic patient dossier, so that all doctors can view your medical information. There is the website Volgjezorg, for example. And at that website, you can see which doctor has consent to see your medical data and who has actually queried this data. I think that's a fantastic solution for this. And if you would integrate that with your electronic banking environment, there's your solution. But I do think we should do that Europe-wide. Yeah, but thank you very much.

OK, next question, please.

Hey, so this is actually my day job, to a certain extent, with these kinds of things. So I work at a financial institution, on their side. The PayPal bit that you've demonstrated is actually on the PayPal side, but not the actual scope definition, which goes on the next screen. So you click through. PayPal is very greedy with its scopes. It says everything. But you can just do balances, things like that. The thing is, a lot of the banks are integrating in very different ways. And as you say, on some banks, there is no way to withdraw consent or to stop things after that, which is a big problem. But there are other kinds of systems out there, for example open banking in the UK, where they are very prescriptive, because it seems a lot of things in your talk are resellers not doing their proper due diligence on things. And where the PSD2 regulations are quite clear as to who can have access, and the level of compliance and risk training you have to have to actually get access to it.
Because I'm registered for open banking and PSD2 and everything, so it's a case of, depending on how you do it, it's better than the alternative, which was screen scraping at the time. But there's a huge amount of, shall we say, unification of how you withdraw those rights universally and make sure that people like PayPal don't use ridiculously greedy scopes to go and cover everything. Because, I mean, usually, with the way the UK regulator has made it, you have to explicitly say, this bank account with this information, in the workflow itself. But I think a lot of things could be solved with the regulator in your jurisdiction going to the reseller and saying, don't do that.

Yeah, this is, of course, a little bit the issue in the United States of Europe, where you have member states and everyone is just doing it a little bit differently. Yeah, it is absolutely in PSD2 that you can withdraw your consent, but the button is very, very hidden. I haven't found it, that is the real issue, of course.

Yeah, I think with a lot of the, all those bits, they just need to come up with unification.

Do you have the next one, please? Thank you very much.

First, to note, if the oath you mentioned is the banker's oath, it's no big deal. I did it at ING. But my question was, I've been given to understand that PSD2 does not qualify your bank balance as privacy-sensitive data. Is that true?

I'm not entirely sure, but I'm absolutely sure that all the data that we saw here, be it address, shopping data, order data, stuff like that, I would pretty much say that is personal data. And even if someone pays at a medical institute, let's say, for example, he pays at an institute for cancer or something like that, I would say that is even the highest level of personal data, which I just got for free. So there's definitely an issue there.

Okay, and back microphone, please.
So this was a topic that was recently discussed, actually on Hacker News, because new cash comes up every once in a while, and then people start talking about alternatives, and how to get your actual transactional data as a person. And in general, this was mentioned as preventing people from building any kind of software for budget management of their own. Could this be a way around it? Then find a reseller that gives you this data for free, because, like in the Netherlands, as you mentioned, even I checked, like for ABN Amro, to get the API access you need to be a business, you need to have stuff, right? So could this be a way for a simple person to build an open source solution for themselves, and then get that data over a reseller, or is giving that reseller access to your bank account a bad idea?

Yeah, that's a two-part question. So yes, what you want to do is absolutely possible with this, because you could potentially say, oh, so I'm spending this much in a supermarket, and this much on water and electricity. You could definitely do that with this data. The other part is, how much do you trust this reseller? It's a very difficult question. Banks sometimes fail too. So, I would say that's an extremely difficult question. These companies, this reseller, probably go through the same sort of processes that banks go through. So they are reasonably trustworthy, I would say. But yeah, don't go through the Dutch path to get this data to build your own open source software. Definitely go for the reseller option there, because it's a lot cheaper.

Okay, question from the front microphone, please.

I've worked with a French company doing open banking. The French banks just don't understand the concept of PSD2. It's generally just the innovation department, which means, yeah, just throw money at it and play with it. So most of the time, actually, they are not implementing PSD2. What they are actually doing to do open banking is web scraping the website of your bank.
So the issue is not really PSD2, at least in France. The issue is that banks are just old companies that don't get anything about the thing called the internet.

Yes, but if you create a standard like PSD2 and there's something in it like, for example, consent, then implement it, make that button somewhere, maybe even somewhere else on a different website where they can withdraw it, and yeah, definitely.

My point was just, do complain to your bank teller, tell them that their website and their process are shitty and maybe someday they will implement PSD2 correctly.

Absolutely.

Thank you, and next question, front microphone please.

Just to clarify here, so it looked like you were trying to set up a financial institution in the Netherlands, but you were just going through a reseller in Lithuania. Are there similar resellers in the Netherlands, or did you try to set up an actual financial institution in Latvia, my God?

Absolutely, there are services like this in Holland. They do exist, they were rather expensive, and also I don't know the quality of them. I would say it's pretty much the same as any other reseller of PSD2, but it was basically a pricing problem that was here in Holland. And this pricing problem was probably also because of the Dutch National Bank, the DNB, because they have these very strict regulations here in Holland. I have the idea that's not the case in Latvia. And in Holland there was another issue, that the customers of my customer have to be onboarded at the reseller here in Holland. So for example, if you would want to use it for your web shop and you just buy, I don't know, whatever, you buy something, you buy a TV online, then you would have to onboard at the reseller where we do the PSD2, which was obviously not acceptable, because then you basically have to check out twice.

So the issue is significantly more with the reseller system than PSD2 itself in any capacity?

Sorry?
So the issue is more with the data reseller bits than anything with PSD2 as legislation?

I think it's because of the national implementation of the directives, of the European directives, and I think there's so much leeway there, it changes dramatically from nation to nation.

Okay, thank you.

Okay, and we have time for one last question, so please, Frank.

So if I understood, it was ultimately the Latvian institution that chose to grant your access. Is there any way, can you essentially, so essentially that approval, that 90-day approval, was just going through this Latvian institution. Is there any way to essentially opt out of this, so that if you have some account you don't want other people in other countries to have access to, they can't?

You mean beforehand, before you potentially give a consent, that you just opt out: I never want to do this?

Yeah.

I'm not aware of that.

Okay, then that's it. I would like to thank you for the talk, it was really interesting. Please give a round of applause. Thank you.