Payment provider cuts off open source charity in KYC dispute


Privacy Reporter

Nexi Group terminated FSFE's payment processing account after the charity refused to provide supporter credentials for KYC checks, leaving 450 donors unable to contribute.

The Free Software Foundation Europe (FSFE) has been cut off from its electronic payment provider Nexi Group, leaving the charity unable to process donations from around 450 supporters. The dispute centers on Nexi's request for what FSFE understood to be supporter usernames and passwords, which the charity refused to provide.


According to FSFE's latest blog post, the charity had been working with Nexi for 15 years when the payments provider began requesting access to private data. FSFE claims it refused the request and sought clarification on why this information was "necessary and legal," but received only "vague and unsatisfactory explanations relating to a general need for risk analysis."

On March 10, FSFE was informed that its contract had been cancelled on March 7 for failing to meet an unspecified deadline. The charity says this deadline was never communicated to them beforehand. As a result, automatic renewal donations from over 450 current supporters have been disrupted.

The timing is particularly problematic for FSFE, which has prepared a transition to a new payment provider but cannot automatically migrate existing supporter accounts. This means affected donors will need to re-establish their recurring contributions manually.

Nexi Group has provided a different account of the situation. A spokesperson told The Register that the requests were part of Know-Your-Customer (KYC) compliance checks required by the German financial regulator BaFin for fraud prevention. The company claims it contacted multiple customers, including FSFE, to carry out additional verification procedures.

Regarding the specific data request, Nexi stated: "Nexi would never, as a matter of principle, ask for other users' personal login details or passwords. In this specific case, Nexi merely requested test login details in order to properly check the portal and ensure that users can cancel their access, thereby avoiding subscription traps."

The company maintains that the process could not be completed due to a "lack of response from the customer," which ultimately led to contract termination. Nexi has reportedly reached out to FSFE to follow up on the misunderstanding.

This incident highlights the tension between financial compliance requirements and privacy concerns, particularly for organizations handling donor data. While KYC procedures are standard in the financial industry for preventing fraud and money laundering, the interpretation of what information is necessary and how it should be obtained remains contentious.

FSFE, founded in 2001, is one of several independent organizations supporting free software globally, alongside the Free Software Foundation India and Free Software Foundation Latin America. The group notably distanced itself from the US-based Free Software Foundation in 2021 following controversy over Richard Stallman's return to its board.

The disruption affects FSFE's ability to receive credit card donations through Nexi's system, though the charity has not specified whether other payment methods remain available. For a non-profit organization dependent on recurring donations, such interruptions can have significant operational impacts beyond just the immediate loss of processing capability.

This case also raises questions about the power dynamics between payment processors and their clients, particularly smaller organizations that may have limited alternatives for essential services like donation processing. The abrupt termination of a 15-year relationship without clear prior communication demonstrates how compliance requirements can create sudden operational crises for non-profits.

As FSFE works to transition to a new provider, the incident serves as a reminder of the complex regulatory environment facing organizations that handle financial transactions, even when their primary mission is charitable rather than commercial.
