Responsible Digital Finance for Kenyan Merchants: Five Priorities

While basic mobile money transfers continue to grow globally, innovative players are offering second generation products that broaden the digital options available to businesses and consumers. Kopo Kopo, a company based in Nairobi, Kenya, enables more than 10,000 merchants to accept mobile payments from their customers. The company also recently launched a merchant cash advance service that uses an algorithm to calculate loan sizes based on a merchant’s transaction history and more than 150 other data-driven signals. As Kopo Kopo considers five consumer protection risk areas, they have identified key concerns and questions in each which they are working on addressing.  These questions and concerns are relevant for others entering this space as well, and should provide good fodder for thinking about consumer protection concerns as DFS products expand.

1. Fraud

Account takeover is a real vulnerability for any merchant account. If someone were to compromise the email address or phone number of a primary contact on the Kopo Kopo account, then they might be able to do a password reset to gain access to and even control over the merchant’s account. In turn, they could then change settlement details or initiate a bank transfer to get money out of the system.

Another potential problem area Kopo Kopo has identified occurs when a business owner gives their login credentials to an employee. This usually happens when a business owner isn’t very tech savvy and therefore leans on an employee for help with collecting digital payments and operating their account. This practice makes business owners vulnerable to employee fraud, since they have handed over their permissions as “Administrator” to someone else.

2. Customer recourse

People make mistakes. For instance, a merchant might enter the wrong bank account number when designating their settlement account. If this happens, their funds would be sent to an erroneous account outside their control, or caught in suspense by the recipient bank.

Merchants also experience problems that are outside of their control.  For example, a payment may be reversed or “rolled back” due to a network error, when goods and services have already been rendered. Merchants could experience an account takeover, or lose money due to external or internal fraud.

In these situations the provider must ask, what recourse is available to the merchant customer, and is it well-suited to the issues they are experiencing?  How quickly can an issue be resolved, who is responsible for resolving it, and where does the buck stop in terms of solving the problem? Questions related to recourse can become more complicated as the ecosystem grows.

Photo credit: Jay Bendixen, 2012 CGAP Photo Contest

3. Data privacy and protection

Kopo Kopo's customers electronically sign several agreements when registering, including a merchant services agreement, privacy policy, terms of service and, in some cases, sale and purchase agreement (for merchant cash advances), which specify the ways Kopo Kopo may use account information and data, and what rights merchants have in terms of data privacy. However, do merchants actually read and understand how these agreements could impact them and their businesses? More broadly, are Kopo Kopo’s agreements and policies in line with international best practice and do they make every reasonable effort to protect customers?

In light of a number of high-profile hacking incidences (Home Depot, JP Morgan Chase, Sony, Staples, Target, etc.), Kopo Kopo also considers whether it has adequately anticipated and mitigated cyber-crime. What mechanisms has Kopo Kopo put in place to detect and respond to a malicious attack, and is more needed?

Kopo Kopo is also thinking about internal policies that affect data privacy and protection.  For example, who has access to what customer information, and what can they do with it? Has Kopo Kopo adequately restricted access based on role and responsibility?  By way of example, Uber recently had to take disciplinary action against its New York management for tracking a journalist’s travel data without her permission. How could someone abuse access to Kopo Kopo’s database, and what steps does Kopo Kopo need to take to prevent that abuse?

4. Value-added services

Kopo Kopo's long-term vision is to build a "Business Operating System" for SMEs in emerging markets, which entails offering value-added services over and above payment acceptance. Upselling, therefore, is a big – if not essential – part of what Kopo Kopo does. As it offers these new services, it’s looking at whether it is making the new fees clear to the customer. Also, do its existing agreements account for these developing services, or does Kopo Kopo need to periodically update them? If the latter, what’s the best way to transparently communicate changes and associated fees?

5. Merchant misconduct

As part of consumer protection, Kopo Kopo also thinks about what happens when merchants act improperly. For example, a customer may make a payment to the wrong merchant number due to entry error, but the merchant may refuse to reverse the funds. What is Kopo Kopo’s responsibility in having the transaction reversed? What if the merchant account the money was sent to is dormant or the primary contact’s details have changed and no one is available to approve the reversal? Merchants may also charge unauthorized surcharges, and may or may not inform the customer about the extra fees.  What action should Kopo Kopo take in this situation?

Kopo Kopo is continuously thinking about and testing solutions to the above, but it’s intentionally identified more questions than answers. Ultimately, the answers to these and similar questions will vary by customer, market and service. What’s important is to realize that doing business digitally requires a different – and dynamic – strategy than doing business on paper.