Financial Consumer Data Protection
Financial Consumer Data Protection
Data privacy and protection is an important aspect of financial consumer protection and increases in significance as digitalisation of financial services increases.
Given that digitalisation is the ongoing rave and definitive face of banking and financial services and the game shaping disruptive and transformative phase of financial innovation, the need for data protection is more important than ever.
There are indeed positive sides, including growth in financial inclusion through digitalisation. The ability to construct a digital trail and profile of the underserved may reduce credit risks, for example. The process of digitalisation may also lower the cost to serve and mining of data may spur product innovation, new players and market development insights.
Likewise, digitalisation may open up new or more insidious risks, including novel types of theft or fraud, discriminatory profiling that promotes financial exclusion, digital security incidents, manipulation of consumer’s choices and behaviour, identity theft and so on.
The results of a survey reported in the June 2021 Policy Tracker about the widespread ignorance, non-observance and even serial breaches of the data protection and privacy regulation in Nigeria is concerning. The report reveals that: “Only 30 percent of Nigerian businesses are aware of the Nigeria Data Protection Regulation (NDPR) and privacy laws. Up to 45 percent of businesses allow third-party access to customer data to share content on social media (62 per cent), gather analytics on their website visitors (35 percent) and for digital ad platforms. SME’s raised concerns with NDPR, either because it increased complexity (36 percent) or their cost of governance (34 percent), although all businesses are required by it to appoint a Data Protection Officer (DPO).”
The report about lack of awareness of the NDPR may possibly be overcome with more publicity and public education. However, one wonders whether the ease with which third parties are allowed to access customer’s data will materially reduce with more knowledge of the requirements of regulation.
Apparent hard-nosed commercial imperatives of survival or business models viability seems to drive the negative behavior. Is it practically feasible to expect the extant regulatory regime based on self-reporting and targeted enforcement action to effectively police, talk less change, market conduct and business behavior? Is the cross section of players even sufficiently knowledgeable and capable of taking adequate measures against cybercrime and other morphing cybersecurity risks?
The practical and negative cost implications of compliance signposted by SMEs also raises concerns about the feasibility and practicality of the current regulatory strategies and processes. How can regulators effectively police such a wide market of players? How can they do so in the face of deep and pervasive financial, technological or digital and other illiteracy? How realistic is it to expect informed consent to data collection from such consumers?
These questions again make relevant the note on new approaches to data protection by CGAP (Consultative Group to Assist the Poor). CGAP observes that: “In countries where literacy rates are low, language barriers high, and connections unreliable, customers are even less able to give informed consent.” It remarks that the informed consent model of data protection is western oriented and perhaps institutionally unsuitable for emerging and developing economies.
Suggested policy options include placing responsibility for data protection on providers rather than consumer consent. They suggest two options: allowing consumers to directly access their data and to correct and port data free of charge or allowing consumer representatives (associations, for example) to review consumer’s data profiles and assess algorithmic models, so as to obviate any bias that drives financial exclusion. They also suggest that financial sector stakeholders may pool their resources to establish shared, regional cybersecurity resource centers.
It is a moot point whether these policy options are innately sufficiently practical or optimal in side-stepping the strictures raised against the current regime of protection. However, they spur us to critically review existing approaches and invite innovation to address the difficult issues of public policy or “wicked problems”of data protection. They at least suggest that more evidence-based approaches, greater sensitivity to institutional and cultural context and more innovative thinking, may be required for effectively confronting the issues of digitalisation, data protection and financial consumer protection.
Professor Olawale Ajai is Policy Lead at the Sustainable and Inclusive Digital Financial Services Initiative