On Wednesday 30 July 2014, the District Court of Midden-Nederland ruled in preliminary relief proceedings [kort geding] that AFAS Software B.V. (“AFAS”) had acted unlawfully in asking customers of ING Bank N.V. (“ING Bank”) to enter their internet banking credentials on AFAS’s website. The Court ruled that AFAS must now desist from such practice, subject to a penalty fine for every future breach.

The case related to AFAS’s online web-application which gives customers an overview of their personal finances. In the latest version of the product, AFAS automatically set up a link between its personal finance application and the online banking environment of ING Bank. It achieved this by asking AFAS customers to enter their ING Bank internet banking credentials, which allowed AFAS to log on as an ING Bank customer [Mijn ING] and download their personal transactional data. AFAS alleged that this feature made the application more user-friendly compared to previous versions.

ING Bank instituted summary proceedings against AFAS, contending that the breach of its secure online banking environment was unlawful. The bank submitted that:

  • ING Bank’s General Terms and Conditions and the Uniform Safety Standards of the Dutch Banking Association prohibit customers from disclosing their personal internet banking credentials to third parties. AFAS was encouraging ING Bank customers to act in breach of their obligations in order to allow AFAS to benefit from it.
  • AFAS had created an intermediate online banking security risk by asking ING Bank customers to supply their internet banking credentials.
  • AFAS had used ING Bank’s logo and trademark unlawfully in order to create the impression that its software was safe and that ING Bank was in agreement with AFAS’s practices.

In its decision, the District Court of Midden-Nederland ruled in favour of ING Bank, observing that AFAS was aware that ING Bank’s customers would be acting in breach of contract by supplying their personal internet banking credentials and, in full knowledge of this, proceeded to encourage them to share their credentials. The fact that AFAS had an external digital security expert analyse and approve its application and automatic link with ING Bank’s online banking environment did not absolve AFAS from having acted unlawfully. The Court noted that condoning AFAS’s activities would have the effect of undoing the positive effects of years of campaigning by Dutch banks and the Dutch Banking Association [Nederlandse Vereniging van Banken] to tackle internet banking fraud.

An interesting aspect of the decision was the Court’s rejection of AFAS’s argument that its services, including the offer of an automatic connection between third party applications and online banking environments, would be regulated through the Payment Services Directive II. The Court held that the Payment Services Directive II was not yet in force and that the proposed text of the Directive was still under discussion. The Court noted that this applied particularly to the paragraphs on which AFAS had purported to rely, which might not make it into the final text of the Directive. In its submissions, ING Bank made reference to the recommendation of the ECB on 14 May 2014 and statements made by the Greek Presidency of the EC on 20 June 2014 (Council of the European Union: DG 1B/11147/14).

AFAS must now desist from offering and/or encouraging ING customers to share their personal internet banking credentials with the AFAS website, subject to a penalty for every such breach of the order.