ASN Bank NV is responsible for the processing of your personal data.

Privacy is of the utmost importance to us. We handle your data carefully and adhere to the applicable privacy legislation. We do not retain data longer than necessary and only process data that is truly needed for the purpose for which we process it.

We have a Data Protection Officer, privacy officers, privacy lawyers, and multiple privacy employees. They ensure that ASN Bank and its employees comply with privacy regulations.

• The privacy employees work in different parts of the organization and are the contact point for privacy-related matters.
• The privacy office supports the privacy employees.
• The privacy lawyers ensure that ASN Bank is and remains up to date with all legal developments regarding privacy and advise on this.
• The Data Protection Officer is the internal supervisor in the field of privacy and the contact point for the external supervisor, the Dutch Data Protection Authority.

We also have employees who are solely responsible for the security of our general IT infrastructure, internet banking, and mobile banking. All our employees have signed a confidentiality agreement and have taken the banker's oath. Only employees who truly need to do so can access and process your personal data.

This privacy statement applies to you if we process your personal data. This privacy statement applies to:

Persons who are (former) customers of ours:

• ASN Bank customers are also customers who have a product from SNS, RegioBank and BLG Wonen. This also includes our business customers who are sole proprietorships, partnerships, general partnerships and limited partnerships.
• You are a director or contact person of a company that is a customer of ours.

Persons who are not our customers:

• You visit one of our websites or branches.
• You have shown interest in one of our services or products.
• You transfer or receive money from one of our customers.
• You are the UBO or shareholder of one of our business customers; When we make use of the services of your company.
• You are registered as an authorized representative on an account of one of our customers.

This privacy statement does not apply to personal data processed by third parties, for example:
Our website contains links to websites of others. This privacy statement does not apply to these external websites. We always try to keep external links up-to-date and to refer to the correct websites. We are not responsible for the content of external websites and the way in which they handle your personal data. We always advise you to read how these external websites handle your personal data.
Our websites sometimes have social media buttons, such as WhatsApp, Facebook or X (formerly Twitter). This Privacy Statement does not apply to what the respective social media platform does with your personal data. We advise you to always carefully read the privacy rules of these social media before using them. This way you know what happens to your data.

Personal data are all data that can be traced back, directly or indirectly, to you as a person. Think for example of your name, address, date of birth, telephone number and email address. But also your customer and account number, deposits and withdrawals, nationality, etc. Everything that is done with personal data is called 'processing'. This includes the collection, storage, consultation and deletion of personal data.

In most cases, we receive your personal data from you. For example, when you use our services. It may also happen that we do not receive your personal data directly from you, but through other parties:

• We use data from public sources, for example for relationship management. This can include public registers such as the trade register of the Chamber of Commerce and the Cadastre, newspapers, social media and the internet, or we hire a detective agency if we can no longer reach you.
• In addition, we purchase datasets from third parties to be able to approach our customers in a personalized way. Examples of these purchased data are socio-demographic data or interests divided into categories. We currently purchase datasets from EDM/GeoMarktprofiel and Companyinfo. We only do this if we have a legitimate interest. This can also be a commercial interest. We will always comply with the applicable privacy legislation.
• We can receive information about you from third parties to whom you have given permission to share this information with us.
• Are you applying for a mortgage with us? Then we can get your personal data from your intermediary, the Mortgage Guarantee Fund, the Cadastre, the Credit Registration Office (BKR) and the notary. These are personal data that are relevant to your mortgage application. We can also receive personal data from them during the term of your mortgage, for example if you notify us of a change of address or to provide your current property value.
• We receive data from other (financial) institutions and partnerships in the context of combating fraud, terrorism and money laundering.

We process your personal data on the basis of a number of grounds. Personal data may only be processed if there is a valid reason for doing so. These reasons are laid down in the General Data Protection Regulation (GDPR) and are called grounds for justification. Your personal data is processed by us on the basis of the following grounds for justification:

• to perform a contract; for example, if you open an account or take out a mortgage with the bank.
• to comply with legal obligations; for example, because we have to share your data with the Tax Office.
• if you have given consent. Good to know: you can easily withdraw your consent at any time. If you withdraw your consent, it will apply from that moment on. An example of processing for which you can give consent is 'Insight into your money'. This shows, among other things, how much money you spend on groceries and what income and expenses you can still expect this month.
• to safeguard our legitimate interests, for example to assess whether you can repay your mortgage or loan, to improve our processes, to ensure the financial sector remains healthy, or to be able to send you relevant tips and offers. We only process your personal data on this basis if we can demonstrate that our legitimate interests outweigh your privacy interest. It may also occur that we process your data because someone else has a legitimate interest, for example if someone has purchased a product from you, transferred money to you, you have not delivered the product and a report has been filed.

To establish and maintain a relationship with you
If you want to become a customer with us, we need your personal data. This allows us to verify and confirm your identity. We are legally required to do this. We do this based on your identification document. To verify the authenticity of the ID document, we use special software that checks the document for authenticity features. For some products or services, we also need other personal data from you, such as income information, the value of your home, whether you live together, and whether you have debts.

We also have to investigate whether we can accept you as a customer. This is legally required. For example, we check whether you are listed in one of the (incident) registers. Are you applying for credit? Then we also need to check your creditworthiness. For this, we also use personal data that we receive from others, such as the Credit Registration Office (BKR).

As long as you are a customer with us, we process your personal data. This is necessary to be able to execute the agreement with you or to think along with you so that we can provide you with the best possible information, services and possibly advice. We have a duty of care, which means we have to take into account changes in your situation.
Of course, we administer these personal data carefully and update them if anything changes.
We also need your personal data to manage your products and execute your payment and other (financial) instructions. This can include personal information, but also the value of your home, account balances and transactions. We only process this personal data when it is necessary to properly fulfill our role as a financial service provider.

As an insurance intermediary, we sometimes also process data about your health. For example, if you want to take out a disability or life insurance policy. For property insurances, such as a car insurance, we ask you about your criminal history. We provide this personal data to the insurer to assess the risk and determine the premium.
We only process this personal data if it is necessary to properly fulfill our role as an intermediary and do not use it for anything else.

To protect the security and integrity
We consider it important to safeguard the security and integrity of the financial sector, of you and of ASN Bank. This includes combating fraud and money laundering. We do this to protect you and our other customers. But also to protect other financial institutions and their customers.

To do this, we process personal data. This allows us to participate in partnerships with public parties and other (financial) institutions. We also participate in and manage a number of registers. Details about an incident and your identifying data are recorded in these registers. Of course, we never do this just like that, and a registration is always checked against the rules of the GDPR.
If we decide to record your data in one of the registers, we will inform you about this. Except when that is not allowed, for example because the police ask us not to inform you in the interest of their investigation. Do you disagree with this registration? Then you can object to this or request to correct or delete your data.

If you want to become a customer with us or take out a new product with us, we will check whether you are listed in these registers.

Not everyone within the bank is allowed to check these registers, only authorized employees. These employees only receive a notification after a check whether you are registered or not. Only a select group of employees know why you are listed on a list and the details thereof. These people are part of the Security Affairs department. Based on a balancing of interests, it is decided whether the bank can accept you as a customer or grant a new product. The bank may impose additional conditions in this case.

The Incident Administration
Situations may arise that require extra attention from the bank because they may be relevant to the bank's own security. We call these 'incidents'. We record these incidents in our internal incident administration, which serves as the 'memory' of the bank. By recording and storing this data, we can take adequate measures if we think it is necessary.
External parties do not have access to this incident administration and it is only internally accessible to authorized employees.

The IVR
The incident administration is linked to an Internal Reference Register (IVR). Your identifying data is only entered in the IVR if we believe the incident you as a customer are involved in is serious enough. By recording your data in the register, we can warn our internal departments. This warning is for internal use only and is not communicated to external parties.

The BOVA list
If we have had to terminate our relationship with you as a customer or have rejected you as a customer based on the Wwft, your data (full name and date of birth) will be included in our internal BOVA list. For example, when you have not provided us with sufficient information about the source of your money. This registration, like the IVR, is only for internal use and is only accessible to a limited number of authorized bank employees. When you apply for a new product with one of our brands, a signal is given to the person handling the application that a previous customer investigation is available.

The EVR
In addition to the previously mentioned internal systems and lists, an External Reference Register (EVR) has also been developed. This is an early warning system that has external effect. The affiliated financial institutions can check whether someone has ever been involved in (an attempt at) fraud or poses a threat to the safety of the banking sector in another way. The use of the EVR is subject to rules laid down in the Protocol Incident Warning System for Financial Institutions (Pifi). You can find this on the website of the NVB. Here you can read more about how this works. NVB protocol incident warning system (PIFI) The rules that determine how the banks can use the external warning system have been approved by the Dutch Data Protection Authority.

For the security of ASN Bank's shops, offices and buildings
ASN Bank uses camera surveillance. This is to secure our stores and office buildings/facilities. We do this to protect our employees and you as a customer/visitor. Camera images are not stored for longer than 4 weeks unless there is a criminal offense. In the event of a criminal offense, the data is retained until the incident has been dealt with.

To comply with legal obligations
We have to comply with various laws. From these laws we have to register certain personal data and in some cases also pass it on to the government. For example, from the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) we have to establish and verify your identity.
Furthermore, we are legally obliged to keep personal data up to date. That is why we check the quality of our personal data with random samples. We process the results in reports, but these are never directly traceable to individual customers.

To carry out marketing activities and customer research
To serve you well, we process personal data for marketing activities. We can, for example, inform you by post, telephone or email about our products and services. We know which products you have from us, and in some cases which pages of our website you have visited.
Based on this data, we can offer you targeted offers about our products and services. We do this with our own communication channels, but also with personalized ads on apps and websites of other parties, and via social media. For this we use cookies and similar techniques, among other things. We divide our customers into different categories so that we can inform everyone in a targeted and personal way. This way you always get the most relevant information from us.
Are these commercial messages for services and products that are similar to the services and products you purchase from us? Then we can send you these messages without you having previously given us permission. However, you always have the right to object to the use of your personal data (https://www.autoriteitpersoonsgegevens.nl/themas/basis-avg/privacyrechten-avg/recht-van-bezwaar) for a commercial purpose. You can do this via the settings in the Mobile Banking App and at the bottom of an email message by unsubscribing. You can also change these settings in "my environment" via "Self-Service" under "Message Preferences", and via the contact details (Contact Opportunities - Customer Service - ASN Bank) on the website. If you do this, we will no longer send you commercial messages in the future.

We choose a personal approach and find your opinion important. This way we measure the effect of a campaign and use the outcome to improve our communications. We only do these kinds of analyses with the personal data we really need.

We process personal data to develop new products or services, or to improve existing products or services. We do this, among other things, through customer research, such as an online survey or an interview. For a study, we invite a number of customers to participate. We usually work with a specialized market research agency for this. The results of customer research are always processed anonymously.

If you do not want us to approach you for marketing activities and/or customer research, you can adjust this in the "my environment" via "Self-Service" under "Message Preferences", and via the contact details (Contact Opportunities - Customer Service - ASN Bank) on the website of the ASN Bank brands or you can contact us.

To protect your and our (financial) interests
We consider it important to adequately protect your and our interests. We try to recognize the behavior of fraudsters. For example, we monitor whether suspicious or unusual payments are being made. If your payment card is suddenly used differently than we are used to from you, we can warn you, block your bank card or stop the payment. This helps us to prevent fraud and to detect any suspects.

We process your personal data to assess how large our buffer for setbacks should be, and to monitor (internal) risks and business processes.

If you contact us or we contact you, we can make notes of these conversations. This way, we can always find out what was discussed. We can also take into account any personal circumstances that you have shared with us by telephone or via chat. These telephone conversations are recorded and can be used for training and quality purposes. Telephone and chat conversations are never kept longer than necessary for the purpose for which they were recorded.

And have you placed a investment order by telephone? Then we also use the recordings as evidence. The bank stores telephone conversations and other forms of electronic communication about the investment services for 5 years. After that, they are destroyed. A competent authority can request to extend the retention period to 7 years. Within this retention period, you can also request the telephone conversation from us.

For your and our financial resilience
We believe that as a bank, we have our own responsibility in preventing financial problems for our customers. We take this responsibility very seriously. We use our knowledge, experience, and data to make you more financially resilient. Personal data helps us to estimate potential payment risks in advance. This allows us to help you in time to prevent any payment difficulties and thus make a strong case for your financial resilience.

Analyzing transaction data can help us with this. This allows us to see at an early stage whether there are potential financial difficulties, so that we can intervene in time. When we process personal data such as transaction data for this purpose, we do so in the belief that we are helping you. Profit maximization or other commercial interests are never our goal. In doing so, we always carefully weigh two considerations: the importance of increasing your financial resilience on the one hand and the protection of your privacy on the other.

For statistical purposes
We can share personal data with a third party, such as Statistics Netherlands (CBS), for example, to calculate how we are doing in relation to other banks/institutions in achieving the climate targets of the financial sector. This is always done as anonymously as possible. If that is not possible, we pseudonymize the personal data as much as possible. Of course, we only share personal data that is truly necessary to achieve the goal.

We can share your personal data with other parties. We do this, for example, because we are legally obliged to do so, because it is necessary to perform the agreement we have with you, or because we engage another party.

Service providers
For some activities, we engage external service providers. For example, for the delivery of your account statements, sending (service) messages, the IBAN-Name Check, for customer surveys and the delivery of your Digipas. But also for the maintenance of part of our (IT) infrastructure. We only use external service providers that we have screened. Furthermore, we agree on appropriate security measures to protect your personal data.

It may be necessary for our business operations or our service provision to share your data with notary offices, bailiffs, curators, administrators and selected real estate agents and/or appraisers. This mainly concerns contact details, contact information and property information.

Our starting point is that we cooperate with service providers who process personal data on our behalf within the European Economic Area (EEA) (the EEA consists of: the EU countries, Norway, Iceland and Liechtenstein). After all, there is an equal level of privacy protection within the EEA.

Your data is also processed outside the EEA. Additional rules apply to this. This is because not all countries have the same strict privacy rules as within the EEA. If we cooperate with a service provider outside the EEA and the personal data is processed outside the EEA, we prefer to do so only with a service provider that is established in a country that, according to the European Commission, provides sufficient protection for the processing of personal data. If that country does not provide that protection, we only transfer personal data if other appropriate safeguards are offered. For example, if we contract on the basis of a model contract approved by the European Commission. You can request more information about the specific safeguards with a service provider outside the EEA via the contact details.

Competent authorities
We share your personal data with competent authorities such as the Tax Authorities, the Dutch Data Protection Authority, the AFM, DNB and the ECB. We only do this if we are legally obliged to do so or if there is another justification.

Intelligence services, benefit agencies, the Public Prosecution Service, the Police and the Tax Authorities can also request data from us. Based on their legal task, for example, they can request data from us. We are obliged to cooperate with this.

Employees in the financial sector fall under the Banking Disciplinary Law. In the context of a disciplinary case, it may be that personal data of customers must also be provided to the Banking Disciplinary Board.

We cooperate with other banks and public parties, such as the Public Prosecution Service, the National Police, the Financial Intelligence Unit and the Fiscal Information and Investigation Service. We do this, for example, to prevent and combat digital and undermining crime. Within these partnerships, we share information with each other. This allows us to stay quickly informed of relevant developments and get a more complete picture of possible digital threats. We track the IP addresses of website visitors. This allows us to better combat, detect, analyze and take immediate follow-up steps against cybercrime, such as malware, phishing, and cyber attacks.

When we share personal data with another party within these partnerships, of course we comply with the applicable privacy rules; we do not share more personal data than is strictly necessary to achieve the goal and ensure that the personal data is secured in an appropriate manner.

The Tax Authorities may request from us all personal data that is necessary to determine how much tax must be paid, such as account balances or the value of investment portfolios of our customers. Based on the Collection Act and the General Tax Act, we as a bank are obliged to provide this personal data to the Tax Authorities. Supervisory authorities such as the Authority for the Financial Markets (AFM), De Nederlandsche Bank (DNB), the Dutch Data Protection Authority (AP) and the European Central Bank (ECB) can also request personal data from us. For example, to check whether we comply with financial and privacy regulations.

Insurer
Are you taking out an insurance policy through us? Then we will share your personal data with the insurer. This allows them to further process the insurance. They also handle any claims for damages that you report to us. Have you entrusted an investment account to another lender? Then we periodically share an overview of the value development. This allows the employees of the foundation to see if the build-up is sufficient. Have you entrusted a policy or investment account to us in connection with a loan? Then we will periodically receive an overview of the value development. This allows us to see if this is sufficient.

Intermediaries
We also work with intermediaries. If you take out a product with us through an intermediary, we receive data about you through your intermediary. We also share signals (for example, about your interest rate or premium changes) with the intermediary during the term, so that they can serve you well.

We store personal data as long as necessary to achieve the purpose for which the personal data is processed. We have established a retention policy that outlines how we determine how long personal data must be retained. In some cases, there is a legal minimum period for retaining data. If this is not the case, we look at the purposes of the data processing and how long we need the data to achieve that purpose.

So the length of time we retain personal data varies. In most cases, it is 7 years after the end of the agreement or your relationship with us. Sometimes this period is longer, for example due to claims, lawsuits or investigations. But also for reasons of security or inquiries from the justice system. Sometimes we use shorter retention periods. For example, we retain prospect data for a maximum of 14 months.

We use profiling for various purposes. Here you can read what profiling is exactly, when we use it and why.

What is profiling?
Profiling is the automated processing of personal data to evaluate certain personal aspects. This could be analyzing economic situation, personal preferences, interests, reliability, behavior, location or travel behavior.

Under data protection law, profiling is generally not allowed, but there are exceptions.

When do we use profiling?

Fraud prevention
Profiling is part of our fraud prevention. For security reasons, we cannot give details on how we do this.

Preventing money laundering and financing of terrorism
We take measures to prevent money laundering and the financing of terrorism. This is required by the Anti-Money Laundering and Counter-Terrorist Financing Act (Wwft). We have to monitor payment transactions for unusual transactions. We also monitor transactions that have a higher risk of money laundering by nature. If we suspect a transaction is related to money laundering or the financing of terrorism, we must report this to the authorities. To be able to do this effectively, we have to establish and maintain a risk profile of our customers, including you.

Risk analysis for customer and product acceptance
We use profiling when you want to become a customer or want to take out a product. For example, when you apply for a loan with us. We then conduct a risk analysis in advance. Certain characteristics can be an indication that you can easily repay the loan, such as the fact that you have a job. Or that there is a risk that this will not happen (on time) because you have debts. Based on your characteristics, we create a profile. We then compare this profile with other profiles and estimate how high the risk is that you can repay the loan. Based on this, we decide whether or not you can take out the loan.

Duty of care for an ongoing loan
As a bank, we have a legal duty of care towards our customers. This means that the supervisor expects us to do as much as possible to, for example, prevent customers from borrowing more than fits their budget. We also have to intervene at an early stage if a customer is at risk of getting into financial difficulties. To be able to identify such problems in time and thus fulfill our duty of care, we sometimes use profiling. For example, by compiling a list of the common characteristics of customers who have gotten into financial difficulties. These characteristics then form the profile. We then look to see if there are customers who fit this profile and how we can help these customers.

Direct marketing
We can profile to be able to offer you suitable offers and to ensure that you only receive offers from us that are relevant to you. For example, if you have a mortgage with us, we use profiling to prevent us from sending you offers for a mortgage. After all, you already have a mortgage. Based on various characteristics, we try to find out where your interests do lie. We then look, for example, at the age group and which products you have with us. We also use the information we have collected with tracking cookies for this purpose. Of course, we only do this if you have given permission to use tracking cookies. We then create a profile of a certain category of customers and look at which customers match that profile. Only those customers receive a commercial message that fits that profile.

Automated decision-making
We use profiling for 'automated decision-making': automated decisions are decisions made by computers instead of people. We do this if it is necessary in the context of an agreement with the bank, if the law allows it, or if you have given your consent yourself. You have the right to object. You can also ask us not to let the decision be made by computers anymore.

The privacy law stipulates that we may not make a fully automated decision if this has consequences for you. Or if it disadvantages you in another way. Of course, we comply with this. If we make a decision that has consequences for you, there is always an authorized employee of ours involved. Part of the process leading to the decision can be automated, but an authorized bank employee always makes the final decision. Based on a message you have received from us stating that automated decision-making has taken place, you can contact us.

AI is a tool that ASN Bank uses to carry out its activities as efficiently and effectively as possible. Think of quickly processing documents and analyzing texts. We use AI in an ethical manner. In addition, we ensure that the use of AI takes place within legal frameworks.

At the moment we process your personal data, you have various rights. Below we explain what rights you have and what they mean. On the website you can find exactly how you can exercise your rights and how you can submit a request to us. You will receive our response within 1 month after we have received your request. In some cases, we will ask you to provide more explanation about your request. We do this to ensure that we can answer your request as well as possible. In exceptional cases, we can extend the 1 month term to a maximum of 3 months. Of course, we will inform you about this in a timely manner.

Right to information
You have the right to receive information about how we deal with your personal data. This privacy policy informs you about what we do with your data. Sometimes this is not enough and we have to provide more information. For example, if we record your data in our incident registers. Then we will inform you personally, if that is allowed.

Access and rectification
You can ask us for an overview of your personal data (access). The purpose of this right is for you to be able to check whether your data is correct and complete. Are your personal data incorrect or incomplete? Then you can (have them) adjusted or supplemented (rectification).

Many of these data you can view when you log in to the "my environment", such as name, date of birth, residential and postal address, email address, phone number, transactions, communication and privacy settings, mobile devices and authorizations.

If you do not use the "my environment" or are looking for other personal data that we process about you, you can request access from us using the application form or the website (Personal data and your rights - ASN Bank). Indicate on the application form whether you are looking for specific personal data, otherwise you will receive the standard overview of your personal data.

Note: it is good to know that we do not provide the following data:

• Personal data of third parties (for example data of our employees), unless you are authorized to receive them;
• Transaction overviews. These are available in the "my environment". If you do not have a "my environment", please contact customer service;
• Confidential information regarding ongoing customer investigations and fraud;
• Agreements and (email) correspondence that you already have in your possession.

Right to erasure
You can ask us to delete your data. We cannot always comply with this request. For example, if we are required by law to retain your personal data.

Restriction
You can request to temporarily restrict the processing of certain personal data. This means that the processing of your personal data is temporarily suspended. We will then still keep them, but not use them. For example, because according to you the data is incorrect, we are wrongly using your personal data, you need your personal data but we no longer need it (for example if we no longer need your data but you need your personal data for the establishment, exercise or substantiation of a legal claim) or if you have objected to the processing of your personal data.

Data portability
You can ask us to transfer your personal data directly to you or another company. This applies to personal data that we have received directly and indirectly from you and that we process automatically with your consent or on the basis of an agreement with you. To the extent technically possible and in accordance with the legislation, we will transfer your personal data. Some data that you (indirectly) provided to us, you can view or download yourself. For example, an overview of your transactions via the "my environment" or the Mobile Banking App.

Objection
If we base the processing of your personal data on a legitimate interest, you can object to this. It is important to indicate why you object. We can then make a new assessment of whether your personal data may be used for that purpose. You will receive the outcome of this assessment and what arguments are behind it. If this assessment shows that your interest outweighs our interest, we will stop the relevant processing of your personal data.

You can always object to the creation of a personalized customer profile for marketing purposes. You can do this via the settings in the Mobile Banking App message and at the bottom of an email message by unsubscribing. You can also change these settings in the "my environment" via "Self Service" under "Message preferences", and via the contact details on the website (Contact options - Customer Service - ASN Bank).

Note: you cannot object to the fact that we process your personal data if:

• we are legally obliged to do so; or
• it is necessary to perform an agreement with you.

We can adjust this regulation. We do this, for example, if there are new data processing activities or if the law/our policy changes and this has consequences for the processing of your personal data. We therefore advise you to regularly review our privacy regulations. You will always find the most up-to-date version on this page.

For some apps or websites, you may receive an additional privacy regulation. This contains additional information about the protection of your personal data with the specific app or website.

Do you have questions about this privacy regulation or do you want more information about how we process your personal data? Then contact us (Contactmogelijkheden - Klantenservice - ASN Bank). Do you have a complaint about the way we process your personal data? You can contact:

• the special department within our customer service (Klachten - ASN Bank) that specifically deals with (privacy-related) questions and complaints, or
• our data protection officer (fg@asnbank.nl): You also always have the right to file a complaint with the Personal Data Authority.
• You can find all our other contact details on our website (Contactmogelijkheden - Klantenservice - ASN Bank).

If you suspect fraud has been committed or another incident has occurred with regard to your banking product(s), please contact our customer service (Klachten - ASN Bank).

Have you discovered a vulnerability in our systems? We would like to hear about that. With your help, we can improve our services.

What vulnerabilities can I report?
You can report issues related to our online services. For example:

• Cross-site scripting
• SQL injection
• Cross-site Request Forgery (CSRF)

Good to know: Have you received a false email, SMS or letter (phishing) or do you want to report another type of fraud? You can do this through the website (Meld fraude en incidenten - ASN Bank).

How do I report a vulnerability?
Everyone can report a vulnerability. Even if you are not a customer with us. Use our form on HackerOne for this.