Credit institutions are particularly heavily regulated and have well-equipped compliance departments. It can therefore be assumed that they also comply with applicable laws in terms of data protection.
But, is this really the truth? decareto examined the websites of 28 of the largest banks in Germany and the result is sobering: no defects were found on only 4 of the websites examined.
46% set cookies without permission
A website must not set non-essential cookies without the consent of the user, as the case law agrees. However, 13 of the banks (46%) set such cookies without consent. Almost all of these (11 banks) do this, although at the same time they give the impression of respecting the user's choice through a cookie banner.
The sources of these cookies are trackers built into websites, mostly those of the big US tech companies, most notably Google and Facebook.
Many violations of Schrems II judgment
Since the European Court of Justice overturned the Privacy Shield certificate in mid-2020, the USA has been considered an "unsafe third country", which means that, strictly speaking, no external services from the USA may be integrated without the user's consent, even if they do not set cookies, because in any case, the IP address of the user will be transmitted.
On the other hand, 82% of the websites examined (23 banks) violated this rule. Above all, one would not want to do without Google Fonts and Youtube (used without consent by 43% and 37% of the websites respectively). What is particularly serious, however, is that the advertising service Doubleclick is used by 27% and Google Analytics by 13% of the banks without permission.
rating
With the decareto risk score, we evaluate the number of vulnerabilities found on a website, with a value from A to F. We were only able to award a score of A for 4 of the 28 banks, after all, another 11 have a score of B and thus only a few few vulnerabilities. 13 banks have a score of D or worse.
We examined the following banks:
Bayerische Landesbank, Comdirekt Bank, Commerzbank, DekaBank Deutsche Girozentrale, Deutsche Apotheker- und Ärztebank, Deutsche Bank, Deutsche Pfandbriefbank, DZ Bank, Hamburg Commercial Bank, Hamburger Sparkasse, Hessische Landesbank, ING, KfW, L-Bank, Landesbank Berlin, Landesbank- Baden-Württemberg, Landwirtschaftliche Rentenbank, N26 Bank, Norddeutsche Landesbank, Norisbank, NRW Bank, Postbank, Santander Consumer Bank, Sparda Bank, Sparkasse, UniCredit Bank AG (“HypoVereinsbank”), Volksbank, Volkswagen Bank
Author: Eckhard Schneider