Establish Customer Identity, Data Privacy and Security Standard

Potential Actions for Signatories are based on recent industry examples and are not intended to be used as a compliance checklist, given that digital financial services standards are still evolving. Rather, examples of potential actions should be used for a more comprehensive due diligence assessment, and as an opportunity for Signatories to develop new products and solutions for customers. Signatories may test, refine and adapt current industry evidence so as to be more relevant to their digital financial services investments, business models and market context, among other factors.
Examples of potential actions:
  • Encourage and support the development and use of customer identity and authentication systems for
    KYC/AML as relevant.
  • Promote and support customers’ personal data privacy rights, as well as informing customers about those
    rights, including which data will be collected or shared, when, with whom, for what purpose, for how long and
    with which associated risks.
  • Strengthen approaches for informed consent. For example, to use customer data only for the purpose
    specified at the time the information is collected, unless explicitly agreed with and understood by the
  • Mitigate consumer risks such as data/analytics which could be used for explicit discriminatory purposes.
  • Encourage and support investees to collect consumer data on an opt-in basis. If applicable, to strive for a
    balance between consumer-controlled vs. provider-proprietary data. Increasing customers’ control and use of
    their digital data record could reduce the need for different lenders to collect extensive personal data.
  • Collaborate with investees, other investors and other stakeholders to develop new data use standards for
    digital credit which are consumer-friendly and enhance competition, for example (CGAP 2017): (i) consent and
    use restrictions (e.g. restricting use of data to a per-transaction basis, having clear user consent, and
    prohibiting sharing or sale of consumer transactional data by those who collect it without express and
    restricted consumer consent); (ii) easy, secure processes for customers to share their own data (e.g. encourage
    a neutral channel through which customers could export data from their transactional accounts in a
    standardized format); (iii) standards on what types of data should be shared vs. what should be kept private.