Eric Chu and Laurel Morrison

Global fintech investment reached $37.9 billion in the first half of 2019. In China, the market size of the country’s online financing peaked at more than US$150 billion in transaction volume. In Sub-Saharan Africa, mobile money operators such as M-Pesa and MTN Money continue to drive financial inclusion. Massive amounts of personal and financial data are generated each day, with global data expected this year to grow to 44 zettabytes. With the explosion of data come concerns about protecting consumers’ data privacy. Consumers are increasingly concerned about the safety of their personal information after recent breaches and failures: Cambridge Analytica harvested personal Facebook profile data for political purposes; Equifax exposed the personal credit bureau information of more than 147 million customers; and peer-to-peer (P2P) lending in China collapsed from a peak of 4,000 platforms to 1,000, leading to massive losses of consumers’ savings. In developing countries, challenges such as weak financial literacy, lack of familiarity with technology and data protection issues, a high percentage of non-smartphone users, and language differences further compound the difficulty of formulating data privacy protection practices.

Data Privacy Regulations are Evolving Globally

In the United States, data privacy protection exists at the national level only for specific sectors or populations, e.g., health and children. Different states have enacted (sometimes conflicting) legislation with different scopes. California is a leader in this area and passed the first state-level data privacy legislation in 2003. The state followed up with the more comprehensive California Consumer Data Privacy Act in 2018, which will go into effect in 2020. The new California law aims to shift the balance from businesses collecting and controlling consumer data to consumers having the right to decide what happens to their data.

The European Union passed the General Data Protection Regulation (GDPR) in 2016 and began its implementation in 2018. Notably, GDPR imposes obligations on all organizations that collect data related to people in the EU. It is the first regulation to have such a far-reaching scope. GDPR lists the privacy rights of individuals as:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights concerning automated decision making and profiling

Financial services and technology companies, especially those outside of the EU, have had to completely rewrite data protection rules to make sure they are in compliance with GDPR or risk paying massive fines to the EU. To ensure compliance and continued access to the EU market, emerging markets are legislating to conform to GDPR. These markets include, among others: Ghana, India, Kenya, Mauritius, Argentina, Brazil, Chile, Colombia, Mexico and Peru.

In addition to GDPR, the EU also regulates payment services and payment service providers through the Payment Services Directive (PSD2, Directive (EU) 2015/2366). The rules aim to better protect consumers when they pay for goods and services online. They also promote the use of online and mobile payments through open banking and strive to make intra-European payments easier. This also includes the Single Euro Payments Area (SEPA), which establishes and harmonizes tools and standards for euro payments made across Europe. The idea is that cross-border euro payments in Europe should be as simple as domestic payments.

Australia and New Zealand have robust personal data protection regulations that are similar to GDPR. Australia recently began to implement its Consumer Data Right scheme, which gives Australians greater control and choice over how their personal data is used and disclosed, as well as the ability to request their data in a usable and transferable form. This is especially relevant to the fintech sector because Australia has only recently begun implementing open banking, which allows consumers to securely give service providers access to their financial information in exchange for a better customer experience and new revenue streams. A governance organization called Payments NZ is responsible for developing and managing open banking APIs in New Zealand.

In China, much of its data protection has a national security and state access component, as is the case for the 2017 Cybersecurity Law. The law contains a framework that regulates internet security, protection of private and sensitive information, and safeguards for national cyberspace sovereignty and security. The framework focuses on the state’s responsibility to ensure a secure cyber infrastructure and space, although it also places responsibility on network operators to protect personal private information, defined as any information collected by any means that could be used to identify a person. Subsequent guidelines on the law signal the Chinese government’s intent to tighten its regulatory hold on all information-related sectors, including fintech.

In Africa, an attempt to harmonize individual privacy and state security concerns led to the adoption of the Convention on Cyber Security and Personal Data Protection in June 2014. Due to the complexities of its 54 member states and their respective cybersecurity contexts, the reception and ratification of the convention has been lukewarm at best. To date, only five African countries have ratified the convention. Individual states, namely Kenya, Mauritius, and Rwanda, have been establishing their own data protection policy and legislation. Mauritius is a leader in data privacy protection law; its earlier law was replaced in 2017 to bring Mauritius into compliance with GDPR. Mauritius’ law not only governs the work of the Data Protection Office but also regulates organizations that process and control data and defines the rights of individuals with regard to their personal data. The advanced development of its data protection regime serves Mauritius well in positioning itself as the Africa Fintech Hub, with the aim of building an entire ecosystem to enable fintech to flourish on the continent.

In Latin America and the Caribbean (LAC), the Organization of American States adopted a data protection framework and recommendations to member states in 2015, and GDPR has also propelled individual countries to update their data protection regimes. LAC countries that are already beginning to formulate data protection frameworks include Argentina, Brazil, Chile, Colombia, Mexico and Peru.

Balancing Data Access, Use and Privacy

Fintech and digital financial services companies increasingly offer financial products and services to individuals and entrepreneurs by collecting and storing vast amounts of customer data, comprising both traditional and alternative data. Traditional data includes client and agent data, collected from customers through registration or application processes, and third-party verification data such as that from credit bureaus and public registries. Alternative data captures more information from mobile network operator (MNO) call records and transaction purchases, voice calls, SMS messages, airtime use, and other services. Social media also provides alternative data sources from sites such as Facebook, LinkedIn or Twitter, which collect behavioral data about customers’ social networks, socioeconomic status, and contact details, among others. A challenge in using both traditional and alternative data is that customers are not fully aware of how their personal data is being collected and used, nor of their rights beyond initial consent.

In recent years, opportunities and risks around big data analytics have centered on balancing consumer data access, use and privacy protection. Consumers in both developed and emerging markets often provide consent without reading or understanding their rights regarding their own data. Consent agreements are still too long, written in legalese, and hence unintelligible or too time consuming for the general user. Consent agreements provide insufficient consumer data protection and no opportunity for customers to negotiate their terms. They are agreed to in the process of acquiring a product or service the consumer has already decided they want or need. These challenges are magnified in emerging markets with weaker financial and digital literacy, fragmented frameworks for consumer recourse, and fewer available products or services.

Going Beyond Consent

Going beyond initial consent enables consumers to control and minimize their data exposure, and this builds trust over time. One method, Privacy by Design, treats consumer data privacy as the default and an integral part of the product or service design, to ensure data protection throughout all levels of customer interaction. Another method is Data Minimization, highlighted in the GDPR, in which companies limit the personal data that is collected, stored, and used to only that which is absolutely relevant and necessary. “India Stack”, for example, includes a digital locker, a cloud-based platform that can be accessed using the Aadhaar Universal ID assigned to individuals and through biometric verification via retina and fingerprint scans. Through this locker, electronic copies of sensitive documents can be protected and stored with user-controlled access, with approval or consent required to share any and all data.
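As an added illustration that is not part of the original post, the following Python sketch applies Data Minimization as a purpose-bound allow-list over a constructed customer record assembled from the data categories named above (registration and bureau data; MNO and social alternative data), with the alternative-data fields additionally gated on consent scopes the customer can revoke after sign-up. All field names, purposes, scope names and sample values are assumptions for illustration.

```python
# Added example (not from the original post): purpose-bound data minimization
# with revocable consent scopes. All names and values below are constructed.
from copy import deepcopy

# Allow-lists: the only fields each processing purpose may ever receive.
# Fields absent from a purpose's set are dropped before the data leaves intake,
# so raw SMS content or social-graph data never reaches a purpose that does not need it.
PURPOSE_FIELDS = {
    "loan_underwriting": {"customer_id", "national_id_verified", "bureau_score",
                          "airtime_topup_30d", "mobile_money_txn_count_90d"},
    "customer_support": {"customer_id", "name", "phone"},
}

# Alternative-data fields require an explicit, revocable consent scope beyond the
# initial sign-up agreement; withdrawing the scope silently removes the field.
CONSENT_GATED = {
    "airtime_topup_30d": "mno_usage",
    "mobile_money_txn_count_90d": "mno_usage",
    "social_contacts": "social_graph",
}

# Constructed sample record (not real data). Note the raw SMS content and social
# contacts: collected by some providers, needed by no purpose defined here.
SAMPLE_RECORD = {
    "customer_id": "C-0001",
    "name": "A. Sample",
    "phone": "+000000000000",
    "national_id_verified": True,
    "bureau_score": 640,
    "airtime_topup_30d": 12,
    "mobile_money_txn_count_90d": 47,
    "sms_messages": ["<constructed sms text>"],
    "social_contacts": ["u1", "u2"],
}


def minimize(record, purpose, consents):
    """Return only the fields `purpose` is allowed to see and `consents` permits.

    `consents` is the set of consent scopes the customer currently grants. A field
    gated on a scope that is not present is dropped even if the purpose allows it,
    so revoking consent later takes effect without changing the allow-lists.
    """
    allowed = PURPOSE_FIELDS[purpose]
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue
        scope = CONSENT_GATED.get(field)
        if scope is not None and scope not in consents:
            continue
        out[field] = deepcopy(value)  # copy so callers cannot mutate the source record
    return out
```

Running the same record through `minimize` with the `mno_usage` scope present and then revoked shows the underwriting view shrinking to the three traditional fields, while raw SMS content is never released for any purpose.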

Customer data is perhaps the most valuable asset for inclusive fintechs and digital financial services. A recent CGAP study conducted in Kenya and India showed that consumers were willing to either pay more or wait longer for a loan if they were offered better data protection, compared with cheaper or faster loans that gave no or limited data protection. Another CGAP study highlighted the importance of going beyond consent to protect customers’ rights, which is critical to building trust for the future of inclusive fintechs and digital financial services. Financial and digital literacy and capability that empower consumers to go beyond initial consent can be a positive step towards building customer trust and resilience when scaling digital financial products and services. With the right mix of business approaches that leverage financial education, inclusive fintechs and digital financial service providers could support the shift of data control to consumers while differentiating their products in increasingly competitive digital markets.

About the Authors: Laurel Morrison and Eric Chu are MA’20 candidates of the Global Human Development Program in the Walsh School of Foreign Service at Georgetown University. Laurel is currently working on a Capstone Project to identify and evaluate remote country monitoring strategies at the World Bank. Eric is working on a Capstone Project to investigate the role of individual participation, agency and trust in the digital era. This post is part of a series to broaden partner collaboration and harness evolving experiences from co-founding, current and prospective Signatories of the Investor Guidelines