Information security | Tori.fi’s new Toridiili payment service requires personal account information from the user, even though it is not needed for anything. “The customer can only agree and trust that the data will not be misused,” says an information security expert.

Consumers who have used the Toridiili payment service have wondered why the service requires a user who registers as a seller to hand over personal bank information to the service.

When registering, the user is required to share, among other things, the balance of the bank account and, depending on the bank, sometimes also account information for a period of two years.

The information is requested during the registration phase by a company called Tink, a Swedish open banking platform. The multinational card company Visa bought the platform in 2022.

HS found out why so much personal information is required from consumers, who processes the information and whether consumers’ personal information is safe.

Tori.fi manager Jenni Tuomisto notes that none of Toridiili’s parties need the user’s account information, but it is transferred automatically via the PSD2 interface used by banks.

The interface is related to the EU’s second payment services directive (PSD2), the purpose of which was, among other things, to improve customers’ rights, make payments even safer and increase competition in the strictly regulated banking industry.

Tori explains how the Toridiili service works:

In the new Toridiili service, Tori.fi takes on the role of a payment service and uses two partners for this, Adyen and Tink.

When a buyer buys a product through Toridiili, the money is transferred to a so-called escrow account provided by the Dutch payment platform Adyen.

The money is in an escrow account between the seller and the buyer until the buyer has received the product and verified that it is as agreed.

Before the payment can be released to the seller’s account, Adyen requires Tori to verify that the seller also owns the account to which the money from the escrow account is paid.

User verification is required by anti-money-laundering regulation, i.e. KYC (Know Your Customer) and AML (Anti-Money Laundering) requirements. This verification is handled by Tink, which requests it from the bank via the PSD2 interface.

For this step, the user has to perform strong electronic identification when registering, in connection with which Tink also receives the balance of the user’s account and, in the case of some banks, account information for a period of two years.


Tori says that the account number and information about its owner alone would be enough for verification. However, it is not always possible to make a narrower data request through the interface; instead, the additional data comes to Tink automatically.

“We haven’t invented another way,” says Tuomisto.

Some other similar consumer-to-consumer marketplaces have solved the issue differently, for example by asking for a photo of an ID card or passport to verify the user’s identity and a bank statement to prove account ownership, says Tuomisto.

“However, we want a scalable and electronic solution, and we haven’t come up with a better way than the current solution.”

Because the verification is done by Tink, Tori only receives confirmation that the account belongs to the user. The account information is therefore held only by Tink.

Tink told Tori that the data retrieved from customers is kept for 24 hours and then deleted. Tink says that the data is not used for purposes other than user verification.

According to Tink, how much data is included in the information request depends on the bank. Some banks allow requesting a limited set of data and some do not. Tink says that it uses the narrowest possible data request and does not store unnecessary data.

According to Tori, it has received many inquiries from customers on the subject. Most of the inquiries concern OP bank, Tuomisto says.

Masa Peura, the director responsible for OP Group’s everyday financial services, tells HS by email that OP Group’s PSD2 interface meets the regulatory requirements.

“According to the regulation, the account information interface is intended for retrieving account information and transactions, and the payment interface for initiating payments, not just for identification, for example,” writes Peura.

OP does not comment on whether the system could be implemented so that less unnecessary information would be passed on.

“At the request of the authority, we have to hand over the information in accordance with the regulations.”

According to Peura, operators registered to use the interfaces have the responsibility to use the information obtained through the interfaces within the limits allowed by law.


Information security and technology expert and non-fiction author Petteri Järvinen says he is familiar with the problem.

“It’s kind of awkward and awkward,” he says.

“The EU company has been using the PSD2 directive to make payments easier and lower transaction costs. However, there is always the risk that there are untrustworthy actors or data breaches.”

Järvinen says that information requests like Toridiili’s are easiest for banks to implement in a standard form, which also includes unnecessary data.

“The customer can only agree and trust that the data will not be misused.”

According to Järvinen, in the case of Toridiili, trust is increased by the fact that its parties are well-known companies and subject to the EU General Data Protection Regulation (GDPR).

“However, data breaches and leaks can always happen.”

Järvinen says that the field of payment services and platforms is confusing, as new operators are constantly entering it. The consumer cannot know all of them by name.

“The consumer is in a difficult position, they have to agree to the terms and conditions if they want to use a service.”

According to Järvinen, Tori.fi, which created the payment service, is ultimately responsible.

“Toridiili is a paid service created by them, and they are ultimately responsible for ensuring that their partners act responsibly,” says Järvinen.

“After all, with their reputation, they will ultimately pay if abuse or damage is discovered.”