Research increasingly demonstrates that poor customers, just like other customers, value their privacy and care deeply about the protection of their personal data. But what do providers think about obtaining, using, storing and sharing personally identifiable information? Last year, CGAP interviewed 26 innovative and data-centric financial services providers in South Asia, Southeast Asia, Latin America and Sub-Saharan Africa, including banks, mobile money providers and companies that provide credit scoring and merchant services. We asked them what role customer data plays in their businesses and what they are doing to ensure the privacy and security of the data they collect. Here’s what we learned.
Data are a guarded asset
Providers often regard their data as a valuable competitive asset, and they take steps to protect it. Data regulations, where they exist, often drive these protective measures. But all providers have reason to invest in security due to the possibility of a data breach and the desire to preserve their competitive advantages. These drivers of business practices give regulators an opportunity to act because they mean that incentives are aligned between providers and their customers. For example, providers might be willing to accept more robust and potentially expensive data governance standards imposed by regulators if the benefits to them — safer digital assets — are emphasized.
Data sharing is not as widespread as often assumed
Despite the hype around big data’s potential to transform finance, we found that getting access to transactional, phone use or demographic information held by third parties (especially mobile network operators) remains a frustration for many young businesses. When mobile network operators do sell access, the prices may not be commercially feasible for start-ups. Some of the providers we spoke with have changed their business models due to pricing issues, decreasing their reliance on third-party data.
Many firms also recognize that relying on a third-party source for data creates a risk for their business. The rise of smartphones represents an opportunity to bypass reliance on the large datasets of established providers and obtain data directly from consumers.
Communicating about privacy is not a priority
Providers told us that communicating to customers about privacy does not rank highly on their list of priorities. Given customers’ limited attention span and the relative importance of communicating product value, instructions and pricing, privacy does not always rise to the top. Moreover, low literacy levels and mobile delivery already make it difficult to explain how a user’s data will be used. These findings support the idea of moving beyond a notice and consent model, which is based on the assumption that users understand how the provider intends to use their data.
Limited data retention is not being considered
Most of the providers we interviewed were not thinking about limiting data retention. In part, this may reflect the fact that many of them are young companies. But it may also be because regulations are not always in place to force providers to develop official policies. Where data regulations do exist, some mandate that data be retained for only as long as necessary for the associated service. At the expiration of the retention period, firms must delete or anonymize the data. With the expansion of increasingly cheap data storage, firms may be less concerned about holding data longer than necessary unless regulations force them to destroy or anonymize it. However, retention of data presents privacy and security risks.
Many firms are start-ups and may be angling for acquisition by larger companies. In this case, customer records could be transferred to a separate business entity without the consent or even awareness of customers. Providers may need to think more carefully about data retention and the handling of data throughout the lifecycle of their businesses.
Cross-sector data governance principles could provide value
Although existing principles such as the GSMA Code of Conduct for Mobile Money Providers, the Smart Campaign and the Better Than Cash Alliance's Responsible Digital Payments Guidelines cover elements of privacy, providers said they could benefit from a more focused set of voluntary standards related to privacy and data protection. Due to the growing trend of bundling financial services with other products, it may be more effective to develop standards that could apply to and be adopted by all types of data-centric service providers. These standards could also include principles related to data sharing and data standardization, which would enable new business models based on third-party data to operate responsibly. Some firms also emphasized the need for guidance on best practices in information security and privacy, including data retention.
In sum, we see some disconnects between how strongly customers feel about their data and the way providers weigh privacy and protection concerns against other commercial objectives. At the same time, there are opportunities to improve data security by leveraging the motivation of providers to guard their competitive assets. As regulators develop stronger data protection frameworks, listening to providers' perspectives can help them to identify potential "win-wins" and areas where stricter rules and principles are necessary to protect consumers.