Recently, a half billion Yahoo! users worldwide were affected by a serious data breach. Many likely expected their service provider to have sufficient data security to prevent their credentials from being stolen, or at least expected that the service provider would let them know once the breach was discovered so they could take steps to limit the damage. Sadly, that trust was misplaced.
Yahoo! is not the only mass-market company to be hacked, of course. Its breach just happens to be among the biggest so far in a long list of retailers and financial service providers, including some global brands like Target and JP Morgan Chase.
Socializing and shopping digitally is not without risks. Neither is doing one’s financial affairs digitally.
It is tempting to think that the inevitable risks of identity theft or loss of privacy are “first-world problems.” Who would bother to steal the identity of a market vendor in Kumasi or that of a baker in Kolkata? There must be more lucrative targets than their mobile wallets. And even if hackers or fraudsters are attracted to these targets, surely the benefits of digital financial inclusion would outweigh any potential security or privacy down sides for low-income people in developing economies. Right?
These questions might be harder to answer than we assume for at least two reasons.
First, there are cases of sizable privacy breaches and misuse of data in developing economies that involve the types of products promoted to lower-income people through financial inclusion efforts. Second, there is evidence that customers (including those typically targeted by our initiatives) can lose money as a result of security breaches and other data handling weaknesses, which must be factored in when assessing the potential benefits to them.
Just last month, for example, the story broke that at least 3.2 million debit cards in India had been compromised through bank ATMs by malware, which then infected the network of a major payments services provider. This would make it the largest breach of the Indian banking and payments system to date. The press reports that banks began receiving complaints from cardholders reporting loss of funds due to unauthorized access from parties in China and the United States. Each bank will reportedly be liable for the fraud as long as customers report suspicious transactions to their bank within a week and are not negligent with the handling of their security credentials.
In other parts of the digital finance world, worries and losses result from different data-related issues. For example, earlier this year a South African bank-telco mobile money partnership took a hit, and it was an inside job. Employees were able to take money from customers’ accounts through phony SIM swaps. A recent SMS survey of mobile money users, designed by CGAP and commissioned by the International Telecommunication Union for its Digital Financial Services (DFS) Focus Group, also found that 12% of Ghanaian and 17% of Filipino and Tanzanian respondents had lost money to fraud. Customers reported SIM swaps and other scams, some of which stemmed from unauthorized access to customer data (findings forthcoming).
As in other financial inclusion issues that involve trade-offs, the answer lies in the right mix of actions – by industry, regulators, consumers and others – that is balanced and will benefit all actors in the ecosystem in the long run. In a new CGAP occasional blog series on data privacy and protection, we will be highlighting relevant issues in financial inclusion and potential solutions that, if widely adopted, would build trust, strengthen confidentiality and safety, and improve value for customers, providers and societies.
The posts in this series will probe questions around four focus areas for CGAP’s new data protection work stream, such as:
- Consumers – What are the attitudes and preferences of base-of-pyramid consumers with respect to use of their data in obtaining and using financial services? How do their perceptions and actual experience of risks affect their behavior, including uptake and usage of financial service offerings?
- Providers – Which use cases and business models are the most innovative in using consumers’ personal data to acquire new customers and extend or expand services? Which merit our attention because they are popping up in multiple markets and scaling rapidly (such as the use of call records, mobile payments and other “alternative” data to score very small loans and manage credit risk)?
- Supply-side solutions – Are efforts to extend “privacy/security by design” becoming more technically feasible? Where do we see good, practical industry solutions in use, and what factors would drive more widespread adoption of such practices and standards?
- Policy and regulation – If market solutions fall short of adequately protecting low-income customers, which policy approaches are available and likely to be effective in developing countries? In particular, where no comprehensive data protection regime is in place, what action could other authorities with digital finance-related oversight – such as financial regulators, telco authorities or national identity authorities – take to improve data protection that also promotes inclusion, innovation and healthy competition?
We are optimistic that our field can rise to this challenge. CGAP is working with others to identify potential solutions where interests of DFS users and providers will be well-aligned and progress could happen quickly. This should include models where low-income consumers can benefit from their data and behavior and the digital trails they are creating. An example is enabling “data portability,” where customers could leverage a positive credit history with one lender to shop around for better offers. We are also starting to think about where standards might be needed.
Progress on the data protection front is critically important to ensure that financial inclusion innovation can continue to benefit low-income consumers in India, Africa and other markets where digitization and data-enabled financial services could make a difference. We look forward to supporting practical work in this area. Please share your experience and ideas!