Dutch court rules that asking clients to share their personal banking security credentials is unlawful


On Wednesday 30 July 2014, the District Court of Midden-Nederland ruled in preliminary relief proceedings (kort geding) that AFAS Software B.V. (AFAS) is acting unlawfully and must desist from asking customers of ING Bank N.V. (ING) to enter their personal internet banking credentials on the website of AFAS in order to log on automatically to the secure online banking environment of ING.

Background

One of AFAS' products is an online application that provides AFAS customers with an overview of their personal finances. In the latest version of this product, AFAS automatically set up a link between its personal finance application and the personal online banking environment of ING customers by asking ING customers to enter their personal ING internet banking credentials. After obtaining these credentials, AFAS was able to log on to the secure online banking environment of an ING customer (Mijn ING) and, as a result, was in a position to download the customer's transaction data. AFAS alleged that this feature made the application more user-friendly as compared to a previous version which did not have the automatic link.

ING instituted summary proceedings against AFAS, taking the position that the breach of ING's secure online banking environment is unlawful for the following reasons. First, ING's General Terms and Conditions and the Uniform Safety Standards of the Dutch Banking Association prohibit customers from disclosing their personal internet banking credentials to third parties. AFAS in fact urged customers to act in breach of their obligations, while at the same time (or at least in the future) benefiting from it. Second, AFAS created an immediate online banking security risk by asking ING customers to supply their internet banking credentials. Third, AFAS unlawfully used ING's logo and/or trademark in order to create the impression that (i) its software is safe, and that (ii) ING is in agreement with AFAS' practices.

In its 30 July decision, the District Court of Midden-Nederland ruled in favour of ING. The Court observed that AFAS was aware that ING customers would act in breach of contract by supplying their personal internet banking credentials and that it nevertheless encouraged ING customers to share those credentials. The fact that AFAS had an external digital security expert analyse and approve its application and the automatic link with ING's secure online banking environment could not serve to absolve AFAS from acting unlawfully. The Court furthermore acknowledged that AFAS' activities (i.e. encouraging customers to supply banking credentials) would undo the positive effects of years of campaigning by Dutch banks and the Dutch Banking Association (Nederlandse Vereniging van Banken) to prevent internet banking fraud. In order to prevent fraud, internet banking credentials should never be provided to third parties, according to the Court.

An interesting aspect of the decision is the Court's rejection of the argument brought forward by AFAS that its services, including the offer of an automatic connection between third party applications and online banking environments, will be regulated through the Payment Services Directive II. The Court sided with ING's argument that the Payment Services Directive II is not yet in force and that the proposed text of the Directive is still under discussion. This applies especially to the paragraphs that AFAS purported to rely on, which, according to the Court, may not make it into the final text of the Directive. ING made reference in this regard to the recommendation of the European Central Bank of 14 May 2014 and statements made by the Greek Presidency of the European Council on 20 June 2014.

The outcome of the decision is that AFAS must desist from offering and/or encouraging ING customers to enter their personal internet banking credentials on the AFAS website, subject to a penalty for every breach of the order.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
