In the past weeks, we have received many questions on the subject of security, the BaFin order and money laundering and financial crime prevention at N26. We would like to take the opportunity to answer your questions here.
What is a BaFin order and what does it mean for N26? An order is an instruction from the regulator to take particular actions to fix process deficiencies within a certain time frame. The BaFin order we received earlier this week requests further optimization of existing processes to prevent money laundering and an increase in N26 staffing levels. Specifically, BaFin ordered N26 Bank GmbH to eliminate backlogs in transaction monitoring, to optimize and document process descriptions and workflows, and to re-identify a limited number of existing customers. We take the order very seriously and already initiated or, in some cases, completed the measures ordered by BaFin. Our anti-money laundering team has been working intensively to combat financial crime and money laundering for a long time. Ahead of schedule, we have already completely processed our backlog of cases identified by our systems as irregular or unusual. We are therefore confident that we will be able to implement all requirements ahead of the deadline set by BaFin.
What does the order mean for your customers? It doesn’t affect the accounts of trusted N26 customers in any way. The measures aim to identify accounts opened by fraudsters solely for the purpose of money laundering or financial crime. Where necessary, we will run customer identity verification again, but this only includes a small amount of accounts.
How does N26 keep pace with its customer growth? We have some of the most satisfied customers in the banking sector. We owe most of our growth to them, as they recommend our bank to others. As our success grows, so does our responsibility to provide our customers with a safe and positive experience. We take this responsibility very seriously. In the past year, the number of N26 customers has tripled and in that same time we have doubled the total number of our employees. By the end of the year, we intend to increase our headcount by a further 50 percent from 1,000 to 1,500 employees. In addition to our locations in Berlin, Barcelona and New York, we recently announced a new technology center in Vienna, where up to 300 employees will work on security matters in the medium term. We have also expanded our operational presence in Berlin and will move into additional offices in Schöneberg this year. We are of course also continuously investing in our customer service and our security and financial crime measures.
How secure are mobile banks? Why should customers choose a mobile bank? Mobile banks are as secure as traditional banks. When N26 was founded, our goal was to create a digital bank that would offer a modern and excellent customer experience. However, not only is being a digital challenger in banking important to us, security and the prevention of financial crime are a central focus for us. At N26, we deploy our own higher-level systems together with trusted systems that are also used by many other banks around the world to minimize the risk of cybercrime.
How secure are online identification procedures? Online identification procedures are as secure as other banking identification procedures. While we enable customers to open an account in just a few minutes, there are several security levels involved in the process. All our verification procedures comply with the applicable legal requirements. As a fully licensed bank, we work with established verification partners who also work for other renowned banks in Germany and around the world. Both our employees and those of our partners are specialists in the field of identity verification. They work with a high degree of process security and have a wealth of expertise.
How do money laundering cases happen? Money laundering often originates from identity theft through social engineering. For example, people are persuaded by fraudsters to "test" the quality of a bank's video identification process. In this context, some fraudsters even claim to be employees of federal authorities like BaFin. The applicants are then told not to disclose during verification that they are opening an account for ‘testing’ purposes, even if they are explicitly asked throughout the registration process. Accounts that are opened this way may then be used by fraudsters for criminal purposes such as marketplace fraud or money laundering. Unfortunately, there are always people who share their personal information with fraudsters, including N26 customers. In addition to all regulatory requirements for fraud prevention, we continuously improve our precautions and systems to identify and prevent unwanted transactions and logins even faster.
How do phishing cases happen and how do you handle them at N26? As N26 grows and becomes more internationally recognized, we are increasingly on the radar of fraudsters. In the phishing cases we see, fraudsters ask N26 customers to provide personal information such as passwords, either by email or by phone. Unfortunately, customers often unknowingly share their personal information with fraudsters. As soon as we’re aware of phishing incidents, we contact the affected customers, immediately block their account and reimburse any payments that may have been made by the fraudster. In the past, we have not been able to communicate quickly enough with our customers in individual cases. We have been working hard to improve this and have taken the necessary steps to ensure that no financial damage was caused to any customer.
How can people protect themselves against social engineering? You can take measures to prevent falling victim to social engineering. During the registration process, we ask our new customers not to open accounts in their own name on behalf of third parties. We also make our customers aware that our customer service staff would never ask for information such as card number, password, card PIN or similar by telephone or in writing. We educate our customers about the dangers of cybercrime, e.g. by publishing blog posts and social media articles.
N26 received a fine from the data protection authority. What was the issue you were fined for and have you solved it already? We received a fine because we compared all former and existing customer data with the data of people who wanted to sign up for a new account. We did this to prevent legally excluded customers, such as fraudsters, from opening an account with our bank again. As a result, that meant all former customers were unable to re-open a bank account with us, which was not a compliant way of using this data. End of last year, we fixed this problem by enabling former customers that do not need to be legally excluded, to sign up for a new account with us.