The São Paulo Consumer Protection and Defense Program (Procon-SP) notified Serasa on Monday (1st) to provide clarifications on the collection, and possible use, of the internet banking passwords required by the credit bureau to carry out searches on the site.
The request for a bank password, made in the “customer area”, was denounced via Twitter on February 22 by the product director of an e-commerce, Madelaine Silva, who questioned: “It is not enough to leak general data, they want to the internet banking password “, referring to the infamous data leak of 220 million Brazilians.
In a press release released last week, the credit analysis company confirmed the request for information, but stressed that participation is “optional” and that “consumers only provide the password for internet banking, which does not allow the realization of any bank transaction. ”
The reason for requesting the bank password of its users would, according to the company, be part of a test that Serasa would be conducting on a new “functionality to make the analysis of Brazilian credit more precise”.
What does Procon-SP think?
The São Paulo consumer protection agency intends to assess whether the credit bureau’s requirement violated the Consumer Protection Code and the LGPD (General Data Protection Law), which came into force in September last year. Speaking to the Uilt portal’s Tilt channel, Procon’s chief of staff, Guilherme Farid, said that Serasa could be fined up to R $ 10 million.
For the director of the public agency, there is no reason to carry out any type of research that requires the user of the system to provide his / her internet banking password. “This seems to me to be a serious consideration from the point of view of protecting the consumer,” said Farid.
Repeating an obvious principle, Farid concluded: “Password is personal, non-transferable, private. Financial companies themselves get tired of saying not to pass passwords.” Serasa has up to 24 hours to comment on this.