Consumer & Data Protection: A New Approach to Intersecting Risks

New data trails combined with data analytics capabilities can bring financially excluded and underserved consumers, such as women, into the formal financial system.  This opportunity is accelerating with the adoption of open banking, open finance, and ultimately open data. However, data misuse in financial services, including identity theft, is one of the fastest-growing consumer risks according to recent CGAP research. 

These recent trends show an increasing connection between the types of risks posed by the use of consumers’ data with traditional consumer protection risks, such as debt collectors disclosing private information to third parties to coerce payments as seen in India, or lenders taking unfair advantage of less digitally literate, low-income borrowers by offering high-interest loans. The same goes with financial service providers’ potentially using biased algorithmic tools to make lending decisions, which can result in discrimination as well as potential loss of privacy for consumers and their networks.

Worldwide internet user attitudes regarding online identity theft as of January 2023 (Graph source: Statista)

Two issues that are often treated separately

Traditionally, financial consumer protection and data protection risks have been treated as separate concerns, posing different problems with different laws and regulators. In a digital economy, particularly for financial services, the collection, use, and disclosure of data is key. 

Since consumer protection and data protection are viewed by many regulators and providers as completely different concerns, there has not been a comprehensive regulatory approach to address the intersection of these two areas in ways that consider the needs of vulnerable consumers.  Some countries might have a mix of agencies with jurisdiction over consumer and data protection, including financial sector authorities, telecom regulators, consumer protection agencies, and data protection authorities which may lead to diverse institutions working on the same issue in a fragmented manner, and to some confusion for consumers who seek recourse. 

The regulation and supervision of data and consumer protection requires a new approach

What’s needed is a responsible finance ecosystem approach in which all different authorities involved with the protection of consumer data in the financial sector work together to regulate the market in a way that ensures the responsible use of consumer data.  There are several ways to do this. 

The first step is for different regulators and supervisors to recognize the nexus of interests between them. Next is to acknowledge there may be different authorities with different and potentially overlapping jurisdictions in this space. The challenge is to create a level playing field across market participants and make sure that none of them fall through regulatory cracks. One option is the adoption of an omnibus consumer protection/data protection law as well as the creation of an omnibus regulator. The latter would have the benefit of creating a level playing field for competing service providers. However, given that in many cases this would be a major political/legal undertaking, the most common option might be for existing agencies to coordinate their efforts, such as through memoranda of understanding. At the international level, standard-setting bodies (SSBs) could help create a broad framework for regulating at the intersection of consumer and data protection.

Another step toward creating a responsible ecosystem would involve different authorities jointly monitoring the market to protect consumers and their data and identify issues that need to be solved by policymakers, providers (including industry associations), customers, and market facilitators.  Financial authorities can use existing market monitoring tools (MMT) such as regulatory reports and complaints analysis, mystery shopping, and phone surveys to identify how consumers’ data is being used, e.g., to assess whether data was being used in an unfair or biased way, such as by improperly considering gender, race, or religion.

Developing an ecosystem perspective and bringing together various stakeholders could have the benefit of promoting innovation. For example, financial regulators may consider the creation of regulatory sandboxes for privacy that bring together key public and private actors together. 

Other actors in the digital finance ecosystem have an important role to play

CGAP’s research in Kenya and India has demonstrated that consumers care deeply about how their data is used – even to the extent of their willingness to pay higher loan rates to lenders that protect their data.  As a result, it is in providers’ economic interest to promote the proper handling of data. In addition, by better protecting consumer data, providers will increase trust which in turn will improve service usage and enrollment of new customers.

Merging consumer and data protection issues paves the way for industry-wide initiatives to build in consumer and data protection by design. For instance, Aftech, an Indonesian fintech association has developed a number of codes of ethics, including one for data protection, in a local language. In Colombia, the banking association Asobancaria has developed a Certified Expert on Data Protection course as part of their capacity development activities for members. It would be worth exploring how industry associations can create codes of conduct that tackle both consumer protection and data protection together.  

Merging consumer and data protection issues paves the way for industry-wide initiatives to build in consumer and data protection by design.

At the global level, the GSMA’s Mobile Money Certification already includes consumer data protection as a dimension, and we see the same in the SPTF Digital Finance Standards. Consumer associations can also foster better consumer data protection through their diverse sensitization and digital finance education campaigns with consumers. For example, CUTS International has undertaken several initiatives at the intersection of data protection and consumer welfare such as evidence-based research, advocacy, and capacity building.

As part of an ecosystem approach, providers, authorities, funders, investors, and consumer organizations could work together to establish model principles of data protection. These principles could include fair algorithmic design to avoid bias and take advantage of alternative data, a focus on data accuracy and correction mechanisms which can be critical to consumers, and consideration of how to balance the benefits and risks of giving consumers greater control over the use and sharing of their information.

Conclusion

Protecting vulnerable consumers and their data requires a more holistic approach than what is currently in place. Many countries are still considering whether or not to adopt data protection laws. Likewise, there are many jurisdictions that do not have comprehensive consumer protection laws in place. Thus, there is an opportunity to leapfrog and address the synergies between consumer and data protection in new legislation and collaboration mechanisms.

New regulations and industry codes of conduct could address the intersection of consumer and data protection, requiring notice of data practices generally, such as data sharing, limitations on permissible uses of consumer data, the right to access data and have it corrected if erroneous, adoption of appropriate security measures, and redress in cases of harm, as well as greater disclosure of terms and prohibitions on deceptive trade practices. In a digital finance ecosystem, particularly for financial services where trust is critical, the proper collection, use, and disclosure of data is key.  Strengthening consumer and data protection by taking a comprehensive approach to developing the financial ecosystem will help meet this need.