Finances (2023)

finleap connect GmbH

The BigBrotherAward in the Finance category is given to the fintech company finleap for the fact that over several years, it has wrongly sent information about changes of bank accounts to organisations that have no stake in the process. As a consequence, names, dates of birth and new account numbers have got into the wrong hands. Numerous efforts to make the company aware of the problem have been ignored.
Frank Rosengart at the speakers' podium of the BigBrotherAwards 2021.
Frank Rosengart, Chaos Computer Club (CCC)

The BigBrotherAward in the Finance category goes to the company finleap connect, represented by its managing directors Nicola Breyer and Marco Jostes, for constantly sending letters about bank account changes to the wrong recipients.

In recent months, a large number of letters containing massive amounts of private data have arrived at the office of Digitalcourage. They even included the scanned signatures of those affected. These letters listed addresses, account details and other sensitive data – including recurring account withdrawals – with the purpose of amending a direct debit mandate. They came from people who are completely unknown to the membership database of Digitalcourage.

What's going on, why would this happen?

To explain, we have to go back a bit:

With the introduction of version two of the EU Payment Services Directive (PSD2), it became possible to grant third parties access to your own account data. Since then, cloud-based service providers can be used, for example, to manage one’s account, i.e., check incoming payments, make transactions, etc. – things you can easily do without a cloud on a computer with decent home banking software.

So, why go through a third party?

At the beginning of the online shopping boom, only a few ways existed to pay for purchases on the Internet so that retailers would be guaranteed to see a timely payment in their accounts. Hence, payment provider “Sofortüberweisung” (or ‘immediate debit’) came into play. Customers entrusted this provider with access to their online banking, “Sofortüberweisung” then initiated the payment and confirmed the successful transaction. That way, retailers could be sure of getting paid.

Incidentally, the company “Sofortüberweisung” now belongs to last year’s award winner Klarna.

This procedure was not in line with the terms of use of most banks. There was, however, an undeniable need for such solutions, prompting the EU to create PSD2 as a regulated means for customers to grant third parties access to their accounts. To this end, the third-party provider asks permission via online banking with the customer confirming the access.

One of the first ‘inventive’ ideas on how else to use such an interface came from the leading German credit bureau, Schufa. Their suggestion: Using the PSD2 procedure, you could simply grant Schufa access to your account statements to confirm your creditworthiness. What a great idea! Schufa is simply asking customers to strip down in front of them in order to receive a positive Schufa score. And of course, this happens completely voluntarily, considering you can't even get a mobile phone plan without a Schufa report, let alone an apartment.

However, Schufa backed out faster than they could receive a BigBrotherAward.

Another directive, slightly older than PSD2, is the legal obligation of banks to help with account switching. Meaning, if you close your checking account and move to another bank, the previous bank has to help with the process, e.g., transfer direct debit authorisations. Because banks are none too happy with this task (after all, that customer just up and left), it makes sense to outsource it, i.e., to ask someone else to do it.

Residing in the beating heart of Berlin on Ku’Damm, the so-called fintech incubator Finleap acts as a kind of umbrella company for founding individual start-ups as subsidiaries that are supposed to provide special services to the financial sector. One of these subsidiaries is ‘finleap connect’ – our award winner, a company specialising in applications related to the aforementioned PSD2 interface and offering account switching as a service.

When a leaving customer’s bank contracts this company for account switching services, finleap retrieves transactions from the old account via the PSD2 interface and filters out recurring direct debits.

Based on this direct debit information, finleap tries to automatically find the corresponding recipient and then mails them the new bank details. If, for example, finleap finds recurring debits from a large online retailer in said account data, they attempt to assign the retailer as direct debit recipient and, ideally, even extract a customer ID or similar from the payment reference.

What could possibly go wrong?

In order to use the account switching service, a few more details must be provided, because the direct debit recipients (companies like Amazon, electricity providers or organisations like Digitalcourage collecting membership fees) naturally need exact information about which customer data has changed. So they need a customer ID or similar – topped off with some additional data to make it more credible that the real customer is requesting the change. Something like date of birth and their address, of course. With all this information, finleap proceeds to write a letter – “Kindly change my information” – and mails it to the direct debit recipient. This actually looks as if the bank-switching customers themselves posted it. There might even be a scanned signature on that letter!
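The assignment step described above, as an added example that is not finleap's code: a constructed model of the recurring-debit-to-recipient matching that only produces a mandate-change notice when the SEPA creditor identifier on the debit resolves to exactly one registered recipient whose name agrees with every statement line and whose debits carry a single customer reference; anything ambiguous is queued for manual review rather than mailed to a guessed recipient, and the notice carries only the fields needed to amend the mandate. The registry, creditor identifiers, addresses and statement lines are all assumed and constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Debit:
    creditor_id: str    # SEPA creditor identifier carried by the direct debit
    creditor_name: str  # creditor name as printed on the statement line
    reference: str      # payment reference, may carry a customer ID
    month: str          # booking month as "YYYY-MM"

# Constructed recipient registry keyed by creditor identifier (assumed, not finleap's data).
REGISTRY = {
    "DE98ZZZ09999999999": {"name": "Example Energy AG", "notify": "mandates@example-energy.invalid"},
    "DE12ZZZ00000000001": {"name": "Digitalcourage e.V.", "notify": "members@digitalcourage.invalid"},
}

def build_notifications(debits, new_iban, registry=REGISTRY, min_months=3):
    """Return (notices, rejected): a notice only when the creditor identifier resolves to one
    registered recipient, the names agree and there is a single customer reference."""
    by_creditor = defaultdict(list)
    for d in debits:
        by_creditor[d.creditor_id].append(d)
    notices, rejected = [], []
    for cid, ds in by_creditor.items():
        recipient = registry.get(cid)
        refs = {d.reference for d in ds}
        if len({d.month for d in ds}) < min_months:
            rejected.append((cid, "not recurring"))
        elif recipient is None:
            rejected.append((cid, "unknown creditor identifier"))
        elif {d.creditor_name for d in ds} != {recipient["name"]}:
            rejected.append((cid, "creditor name mismatch"))
        elif len(refs) != 1:
            rejected.append((cid, "ambiguous customer reference"))
        else:
            # Data minimisation: send only what is needed to amend the mandate, never statement lines.
            notices.append({"to": recipient["notify"], "reference": refs.pop(), "new_iban": new_iban})
    return notices, rejected

def sample_debits():
    """Constructed statement lines for one account (not real data)."""
    energy = [Debit("DE98ZZZ09999999999", "Example Energy AG", "KD-4711", f"2023-0{i}") for i in (1, 2, 3)]
    shop = [Debit("DE55ZZZ55555555555", "Unknown Shop GmbH", f"ORDER-{i}", f"2023-0{i}") for i in (1, 2, 3)]
    single = [Debit("DE12ZZZ00000000001", "Digitalcourage e.V.", "MG-0815", "2023-01")]
    return energy + shop + single
```

With the sample data, only the energy provider gets a notice; the unregistered shop and the one-off membership debit are rejected for review instead of receiving a letter.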

In fact, this would be a rather neat service, if it weren't for the messed-up systems at finleap connect mailing personal data (name, address, date of birth, account data and even lines from the bank statement) of random customers to random recipients with wild abandon, as in our Digitalcourage example mentioned at the beginning.

Since the mailings to the wrong recipients appear to happen completely at random, it has to be assumed that this is a larger problem, meaning a lot of data falls into the wrong hands every month. Digitalcourage has pointed out this problem to the provider several times. In response, finleap asked for the data of those affected – a request that Digitalcourage, for obvious reasons, was not inclined to comply with. However, even without this data, finleap should be able to stop these random mailings. Alas, they are not.

Wrongly assigned account change letters keep arriving, exposing the regular debits of those affected, full of all sorts of sensitive data.

Is it a software problem? A vengeful employee? Ill intention? We do not know.

This can have major implications for those affected. After all, a bank statement can also include information about the most private areas of life. ‘Erotic retailer receipt’ comes to mind, or sensitive medical bills.

Detailed information like that from a stray letter could cause massive harm in the hands of criminals. A stolen identity can do a lot of damage to those affected, like mail order fraud, targeted phishing attacks and similar. The letters contain ample details to that end, making it a major nuisance for those involved.

Maybe our BigBrotherAward will help put an end to this mess once and for all. Congratulations, dear finleap connect!


About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

Organised by (among others):

BigBrotherAwards International

The BigBrotherAwards are an international project: Questionable practices have been decorated with these awards in 19 countries so far.