About the project
DNB, Nordea, SpareBank 1, Eika Gruppen and the Norwegian Computing Center aim to strengthen their collaboration and share more customer information in order to combat fraud in the sector more effectively.
In this sandbox project, the institutions, together with the Data Protection Authority and the Financial Supervisory Authority, have explored current regulations and the scope for data sharing to prevent, investigate or expose payment fraud.
The final report has been prepared by DNB, Nordea, SpareBank 1, Eika Gruppen and the Norwegian Computing Center. It summarises the key assessments made in the project. The assessments are based on the guidance provided by the Data Protection Authority and the Financial Supervisory Authority through collaboration on our regulatory sandboxes.
The need for regulatory amendments was also discussed. We used the experience from the project as a basis for providing input to the Ministry of Finance’s consultation on amendments to the Financial Institutions Act. This experience was also used by the Financial Supervisory Authority in its consultation draft.
Read the final report further down in the article.
Summary of findings and discussions in the project
Below we summarise some of the findings from the sandbox project that may be of relevance to other payment service providers.
The report provides the context for the assessments, and we therefore recommend reading it in its entirety.
- It is primarily the confidentiality obligation under the Financial Institutions Act that determines whether a financial institution may share personal data about a customer relationship with another financial institution. Where that obligation prohibits sharing, data protection law cannot make the sharing permissible. A financial institution must therefore first identify one or more exceptions to the confidentiality obligation, and only then assess whether it has a legal basis for the sharing under data protection law.
- Section 13-21 of the Financial Institutions Act contains exceptions to the confidentiality obligation and allows payment service providers to share and process personal data where this is necessary to prevent, investigate or expose payment fraud. At the same time, the section sets clear limits on what may be shared, for which purposes and with which actors.
- On the basis of the discussions in the sandbox, these limits were taken up in the Ministry of Finance's consultation on amendments to the Financial Institutions Act, which also assessed institutions' sharing of data with the police and telecom operators.
- Payment service providers can find a suitable legal basis for processing in both Article 6(1)(e) of the GDPR ('necessary for the performance of a task carried out in the public interest') and Article 6(1)(f) ('legitimate interests') when they process personal data for the purposes set out in Section 13-21 of the Financial Institutions Act. Note that Article 6(1)(e) presupposes that the task has a basis in Union or national law (Article 6(3)); here, that basis is Section 13-21.
- Section 13-21 of the Financial Institutions Act also gives payment service providers a legal basis for processing personal data relating to criminal convictions and offences, or related security measures, as required by Article 10 of the GDPR, which permits such processing only under the control of official authority or where it is authorised by Union or national law providing appropriate safeguards.
- The Data Protection Authority and the Financial Supervisory Authority consider that the law should be further clarified by the legislature to prevent ambiguity.
We emphasise that payment service providers must apply the principle of data minimisation consistently and on an ongoing basis, so that they share and process only the information that is necessary to prevent, investigate or expose payment fraud. This applies both to the decision to share at all and to which data elements are included in each exchange.
The final report has been prepared by the sandbox participants: DNB, the Norwegian Computing Center, SpareBank 1, Nordea and Eika Gruppen. The legal assessments in the report have been made by the institutions, under the guidance of the Data Protection Authority and the Financial Supervisory Authority.
The final report is only available in Norwegian.