The Free Software Foundation Europe's long-term payment provider Nexi has terminated the charity's contract without prior notice, halting recurring credit card and direct debit donations from more than 450 supporters.
Over the past few months, Nexi requested access to private data, which the FSFE understood to be specifically the usernames and passwords of its supporters. The organisation refused this request. All attempts to clarify why the data was necessary and legal were met with vague explanations relating to a general need for risk analysis.
The charity was informed on 10 March that its contract had been cancelled on 7 March due to a failure to meet a deadline to fulfil the data request. This deadline was not communicated beforehand, despite the FSFE being a Nexi customer for 15 years.
The FSFE says it provided Nexi with large amounts of financial documentation as part of a security audit, including private information of executive staff, and answered all their questions. The organisation drew a line when private companies demanded access to the sensitive and private data of supporters.
Nexi's explanation differs sharply
Nexi Germany GmbH told heise online that the situation arose in the context of updating its KYC procedure, which could not be completed due to a lack of response from the client. The payment provider said it would never ask for other users' login credentials or passwords. In this specific case, Nexi merely requested test login credentials to verify the portal and ensure users could cancel their access to avoid subscription traps.
Nexi apologised for what it called a misunderstanding and said its customer service team would contact the FSFE.
Impact on the charity and donors
The FSFE has prepared a transition to a new payment provider, but existing supporter accounts cannot be migrated automatically. This means affected donors must take new action to continue their support. The FSFE has warned that some people may not read the notification emails, and losing their financial support will affect the organisation's work for free software.
The dispute highlights a broader tension in the fintech industry. KYC procedures, which comply with fraud prevention requirements imposed by financial regulators such as Germany's BaFin, increasingly require payment providers to scrutinise their customers. Yet the methods used to complete these checks, and the deadlines imposed, remain subject to interpretation and can sometimes lead to unintended consequences when communication breaks down.
The FSFE is one of several sister organisations to the United States-based Free Software Foundation, along with the Free Software Foundation India and the Free Software Foundation Latin America. The FSFE distanced itself from the original FSF when it learned that Richard Stallman had returned in 2021, although it still works alongside the American organisation.
The FSFE has updated all donation pages on its website with the new payment provider.