The Data Protection Authority (AP) has granted 160 banks and other financial institutions a license to register and share fraudsters’ data with each other. Fraudsters are often active in multiple institutions. Banks and insurers can warn each other by exchanging information, for example on issues such as identity fraud or spoofing. However, institutions must comply with the rules of the new protocol on incident alert system for financial institutions (PIFI). It states, among other things, that the institutions are not allowed to exchange data on a large scale. Nor should there be a black list in which details of incidents can be searched. Institutions may keep an overview of incidents within their own organisation, including personal data. For example, if an insurer accepts a new customer, the latter may ask other parties whether the customer is registered. Customers have the right to know if they are registered. They can also object if they feel that their registration is unjustified. The AP stresses that institutions must weigh up every time whether it is necessary to provide or receive data. The Supervisory Authority may withdraw a license if it appears that a company does not comply with the protocol.