Time to Take Data Privacy Concerns Seriously in Digital Lending

Many new digital credit providers have emerged in Kenya, riding on the growth in mobile money use and the increased demand for quick, unsecured loans for the many Kenyans who do not have a steady source of income. While these lenders are expanding access to credit, they are operating outside regulation by any financial sector authority – and some key consumer protection concerns have started to emerge.

Human nature is such that we skip past the terms and conditions of products because they are too long, too complex or because we are in a rush. So consumers may be surprised at the terms they are agreeing to in some of these new loan products. For example, customers who borrow with Kopa Leo – a lender that operates via an app in the Android store and is not regulated by any financial sector authority – are warned that in the event that they default, their names will be published on the Kopa Leo platform and on their social media wall. The provider disclaimer states: “We understand that our customers have a right to privacy regarding the services received from us. However, where lending is concerned, such right to privacy can only be guaranteed when obligations are honored when due. To enable our business model [sic] weed out defaulters, we will be posting updates on defaulted payments in the format below on this page. This does not also limit us from sharing such information on other public pages including posting to your social wall. Defaulters will however be given a 7 days notice to make good their payment before such information is publicly shared.”

Kopa Leo is Swahili for “borrow today.” In this case, borrowing today could result in one being subjected to public shaming tomorrow through the provider’s channel.

This lender is also not subject to the requirement that regulated lenders face, which is to report to the credit bureaus in Kenya – a formal channel to share positive and negative borrower history in a safe and supervised manner. That means the manner in which positive or negative information on the borrower is disclosed is at the discretion of the lender. The Constitution of Kenya 2010 guarantees citizens the right to privacy and stipulates under Article 31 that “every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.” In the case of Kopa Leo, the provider could be in contravention of this provision if it were ever to publish a list of defaulters, a right it asserts in its terms of service.

The data collection and handling practices in this example may be extreme. However, a scan of the sector reveals a rise over the past two years in the number of digital finance providers that use app-based, web browser-based or USSD-based lending platforms and that are not regulated or supervised by the Central Bank (under the Banking Act or other laws) or other financial sector authorities (under the Banking Act or other enabling legislation). These lenders’ processes result in the collection of a lot of customer information, based on acceptance of terms and conditions by loan recipients that then permit the lender to sweep their information, including their call and SMS logs, their phone information and even their photos and Facebook contacts. It is often the case that consumers are not mindful of the fact that they are signing away their privacy rights. Such practices raise another concern regarding the adequacy of our existing laws and regulations and their capacity to address these kinds of risks to consumer welfare.

In Kenya, regulated entities that provide digital financial services are required to adhere to specific laws and regulations that offer some protection for customer personal information. This includes provisions under the National Payments Systems Act and accompanying regulations, as well as the Kenya Information and Communications Act and regulations. Provisions in these laws restrict the indiscriminate disclosure of customer information and spell out sanctions for noncompliance. However, given that many lenders in Kenya fall outside the purview of the current financial sector regulators, it is challenging to rein them in.

As a long-term solution and to further enhance its consumer protection framework, Kenya needs to pass a robust data protection law. The law should address the risks that are present in the financial services sector, including the rising share of services delivered digitally on the back of technological innovations that make financial products such as consumer lending just a click of the “terms and conditions” away.