NRC: Bunq employees can view customer accounts – IT Pro – News

Staff at online bank Bunq were able to view customer accounts. NRC states this based on its own research. Secretly looking at other people’s financial statements, called “account peeping,” is a clear violation of the banker’s oath.

NRC writes that Bunq employees can view customer details via the bank’s Retool software. This also happened in practice: the newspaper found four (former) employees who viewed the accounts of friends or dates, for example. Employees felt confident that monitoring for these types of privacy violations was not a high priority. Conversations with fifteen (former) employees, internal documents, and internal discussions on Slack show that warnings about this matter were ignored or dismissed by founder and CEO Ali Niknam.

In 2021, Bunq introduced a new access system with different access levels. Departments such as Compliance and Legal could still see a lot of banking data, but other departments no longer could. However, later that year, employees complained of being unable to view certain accounts, and the system was scaled back again. In 2022, Bunq’s senior management discussed the risks of account peeping, but no additional checks were introduced.

Account peeping is a violation of the banker’s oath, and banks often take disciplinary action themselves if they catch an employee. That’s why many banks use strict internal security systems that record which privacy-sensitive customer data employees view. They also operate on a zero trust principle, where no one is trusted blindly, and the smallest possible number of employees have access to the least amount of customer data. Anyone who is caught and must appear before a disciplinary judge often receives a professional ban of several months and a fine.

Bunq also has a code of conduct that requires employees to handle “personal information with the utmost care and in accordance with privacy laws.” Account peeping contradicts that.

If NRC’s findings are correct, “it means they have seriously violated their promises and responsibilities,” Bunq told NRC. The bank asked the newspaper for the names of the (former) employees who had access to the accounts, but the newspaper did not want to reveal them in order to protect its sources. Tweakers has asked Bunq to respond.
