Last month, the Midden-Nederland District Court passed judgment in preliminary relief proceedings instituted by ING against AFAS. The dispute was related to the following. In AFAS Personal, an online housekeeping book, AFAS had included an option to create an automatic link between individual customers’ housekeeping books and their payment account with ING. To that end, customers needed to submit their online banking log-in data.
ING was not happy with this and requested the court to order AFAS to disable the link with immediate effect. ING’s request was granted. The court ruled that AFAS had committed a wrongful act against ING. The online banking Mijn ING Terms and Conditions prohibit payment account holders from divulging their log-in data to third parties. Accounts holders who nevertheless do so are in breach of contract. Although AFAS was aware of this prohibition, it urged account holders to supply their log-in data. In the court’s opinion, an important aspect in this context are the joint efforts that the Dutch Banking Association (Nederlandse Vereniging van Banken, NVB) and the Dutch banks have been making since 2007 to combat online banking fraud. According to ING, this is precisely why the Mijn ING Terms and Conditions prohibit customers from entering their log-in data on other websites. ING will reimburse customers for unauthorised payments provided that they have observed ING’s security policy.
By encouraging customers to enter their log-in data in AFAS Personal, AFAS incited them to breach their contract with ING and undermined ING’s security policy, constituting a wrongful act in the court’s opinion. This opinion is not affected by the possible introduction in the revised Payment Services Directive of an obligation for banks to facilitate precisely this kind of link.
Meanwhile, customers are left empty-handed, given that a useful tool to gain easy and rapid insight into their personal finances is being withheld from them and ING’s own online housekeeping book (TIM) recently ended in a fiasco.
From a legal perspective, I believe the Midden-Nederland District Court’s judgment is open to debate. For instance, does the disclosure of log-in data always constitute a wrongful act? It seems to me that many situations are conceivable in which divulging such data is not wrongful. Furthermore, I interpret the relevant provision from the Mijn ING Terms and Conditions not so much as a direct obligation on the account holders’ part, but rather as a limitation of ING’s liability: if you reveal your log-in data to someone else, ING will not be liable for any loss or damage you may suffer as a result.
In my opinion, the question whether AFAS acted wrongfully by linking to Mijn ING should therefore be assessed first and foremost on the basis of its system’s security. If the system is watertight and if the data are properly encrypted and not used for any purpose other than establishing the link, AFAS’ conduct is not wrongful. The mere fact that the Mijn ING Terms and Conditions stipulate that account holders should never share their log-in data with others does not suffice in my view. If security is what ING is truly after, the opinion on wrongfulness should be based primarily on an analysis of AFAS’ security.