Nairobi, Kenya - “The point of today is to get everyone much smarter on a topic that we all know is important but most of us have probably done very little to address. I want to be responsible, I want to do right by my borrowers - but what does that look like?” -Daniel Goldfarb, CEO, Lendable
When Lendable adopted the Responsible Finance Forum’s Guidelines for Responsible Investing in Digital Financial Inclusion in June, we strongly felt the need to translate these principles into actionable implementation steps for ourselves and other fintech companies. Since the beginning, our partners like the Shell Foundation have encouraged us to think critically about what responsible lending means for us, and FMO - Dutch Development Bank took this to the next level by partnering with us to launch a series of workshops around responsible lending. The first, Data Privacy and Data Security for Alternative Lenders, took place in Nairobi on September 18th.
As we’ve talked about previously, cheap mobile phones, productized CRMs, and data service companies across sub-Saharan Africa have created an abundance of data for lending companies to work with. Yet best practices around how to collect and manage this information to ensure consumer protection are not always clear. As Aarti Shah, Director of Cobalt Partners, stated during the workshop, “We’re in a fast moving sector. We’re talking about micro-finance on mobile phones. We’re talking about technology that is moving so fast, and where the money to be made is so big, regulation is always going to be lagging behind.”
So where can lending companies turn for guidance in the absence of regulation? Thankfully we had two experts, Rafe Mazer (MazeCo) and Hildah Nduati (World Bank), plus a fantastic panel featuring Aarti Shah (Cobalt Partners), Caroline Mulwa (Association for Micro-Finance Institutions Kenya), and Fidelis Muia (Kenya Bankers Association), to walk us through some places to start.
“We want to think about data privacy not as a burden, but as something that can reduce harm and create new opportunity,” Rafe Mazer, Independent Consultant at MazeCo said. Throughout the workshop, the experts emphasized that being proactive about data privacy and security can create opportunities for both individual companies and the sector. Thinking early and often about data privacy allows companies to build brand value for customers, investors and regulators.
In light of the draft bills around data privacy that have come out in Kenya, regulation was a key topic of discussion. Rafe Mazer walked us through GDPR’s focus on data protection by default and design, the Indian law’s digital consumer lockers, and similarities and differences in the two versions of Kenya’s bill.
Despite the increasing regulation being implemented around the world, not one person in the audience could name a law that they felt was a perfect example of what data privacy regulation should look like. Rafe Mazer built on this point, saying, “when we just cut and paste, we end up with bad policy.” Yet we all agreed that good regulation designed with practitioners’ needs and constraints in mind can bring clarity, certainty and stability. Kenya’s potential legislation could enable leadership at alternative lending companies to fully understand the steps they need to take and create a key role for government as an educator, to both consumers and companies, on what’s expected of them.
We spent an equal amount of time discussing the benefits of empowering customers through creating access to information. Here, we walked through three principles for consumer data control - awareness, access, and usage - and built examples of ways to implement these in a user-friendly way on a feature phone.
Just like customers who understand the terms and conditions of the products they sign up for, customers who have access to their data become better borrowers as they can take control of their financial situation and financial identity.
We live at a time of data abundance. More data is a good thing: it has had a big impact on alternative lending and the financial products it has given consumers access to. As a sector, however, we need to ensure that we are collecting the data we need, for a purpose that the consumer understands, and storing it securely.
As Hildah Nduati, Cyber Security Consultant for Digital Financial Services at the World Bank, framed it during her discussion, identifying and understanding potential risks is often the best place to start when addressing data privacy and security issues.
One of the key risks discussed pertained to the use of third-party contractors who are often privy to alternative lending companies’ data. Whether collections contractors or analytics service providers, many of us use external servicers at some point. How closely do we vet these providers to ensure our customer data is secure? What standards do we hold them to and how do we ensure these are being met?
Rafe Mazer made some suggestions here, including ensuring that third-party providers have time-bound access, promise no further porting of the data, and report back new information collected. As Fidelis Muia said, as lending companies, “[we] have to be responsible for the whole chain, from the person collecting the data and the data [we] collect, how it’s transmitted to [our] systems, and how it’s transmitted back.” As we are all liable for what happens with the customer information entrusted to us, we need to make sure we understand how all third-party servicers are using and storing our customers’ data, and that these practices are in line with our own policies and standards.
Another risk discussed was data fraud. Of primary concern here is the risk of insider threats. “Insider threats top the list … the group most implicated is administrators and other privileged users, who are in the best position to carry out a malicious breach, and whose mistakes or negligence could have the most severe effects to the organization,” notes the Africa Cybersecurity Report 2017. We need to take steps with internal data systems to ensure that only individuals who have authority to view information can do so.
Relatedly, we discussed outages as the number one opportunity for internal and external data fraud. There is a clear need here for companies to assess their internal IT security risk and implement steps to mitigate it. In a study conducted by CGAP in 2015, inability to transact due to network or service downtime was rated as the highest key risk area for consumers of digital financial services, one that could decrease the level of trust of consumers and potential consumers. Similarly, the UNCDF’s Mobile Money for the Poor (MM4P) in Uganda found that non-users in urban areas cited an unstable network as the number one barrier to starting to use mobile money.
To mitigate these risks, Hildah Nduati left us with multiple frameworks (below) to start assessing internal data security risks in our organizations. These involve looking at the level of harm, the damage it could create, and the severity of its impact on the organization.
By understanding the risks and their potential harm to our customers and businesses, companies can leverage the available resources for data security and ensure customer information is kept safe.
We’re grateful this workshop created the opportunity for dialogue around data privacy and security, such an important topic not only for our companies, but also for the borrowers who share their data in exchange for access to credit every day. More importantly, we’re excited about how we, as lending institutions committed to acting responsibly, can work together to make these best practices a reality within our organizations. As Jeroen Harteveld from FMO said during the workshop, “We believe that responsible lending is the key to building a sustainable business.”
Throughout the workshop, our conversation around needs and constraints for working on data privacy and security in the alternative lending sector surfaced some next steps, including:
Use the CBK Guidelines on Cyber Security for Payment Service Providers as a framework for data privacy and data security policies in the absence of regulation. Drafting internal policies sooner rather than later will make it easier when regulation is passed. We can all go a step further to ensure consumer protection for end-borrowers in all that we do.
Share feedback with regulators on the operational challenges and opportunities of different components of the draft bills. Lending companies will be hugely impacted by various components of the bill, and regulators want the input of practitioners. In particular, we can share input on areas that may not have a big impact on consumer privacy but would be especially difficult for practitioners to implement. (Data localization was one topic of discussion here.)
Everyone agreed that sharing learnings, policies, and templates would be helpful. We also agreed that it’s difficult to raise your hand when you’ve messed up. Whether anonymous or in small forums - let’s talk about it!
Lendable, FMO, our experts Rafe Mazer and Hildah Nduati, and our panelists including Aarti Shah, Caroline Mulwa, and Fidelis Muia are all available as resources - reach out and continue the work we started here. From Lendable’s end, we’re excited to share that together with FMO, we will also be bringing this workshop to Lagos next month.
A special thanks to FMO - Dutch Development Bank for their support in making this series of workshops on responsible lending possible.