“This agent is always reminding us to change our PINs from time to time, especially if we ever get to think that our PINs have been compromised. Also, he is constantly sharing information about the new ways the fraudsters are using to dupe people, so that we are aware and take care.”
Mobile money agents can play a protective role when it comes to customers’ data. Recent qualitative research in Uganda conducted by CGAP, in partnership with MicroSave Consulting (MSC), identified good practices for responsible agents in safeguarding their customers’ data and the role that providers can play in promoting these practices. Such practices are especially important given CGAP’s recent global research showing that data misuse and fraud have increased massively over the past several years.
How do responsible agents help safeguard customer data?
We heard from many customers that mobile money agents often advise them to protect their PINs by not sharing them with anyone (including a spouse) and changing them regularly and to keep their distance from other customers while transacting. Some agents have also installed video cameras to deter fraudsters and informed their customers on how they can avoid falling prey to scammers. We found that most of the customers interviewed have been targeted by fraudsters and some have lost money. “Fraud attempts are no big deal anymore since we are used to them. On average, we get one fraud phone call on a daily basis” said Joseph, a 40-year-old male customer we spoke with in Uganda.
Responsible agents ensure that customers form an orderly queue at their outlets, which are often small and can be easily crowded. This ensures the data privacy of customers as agents handle only one customer at a time. Some agents use a multi-fold gate at their kiosks, with space for only one customer by the counter, which serves to limit access to the agent’s logbook of customer transactions.
One innovative practice we learned about through our interviews was that some agents have joined local WhatsApp groups, helping them build an informal support group that can be used to share information about emerging fraud threats, data protection breaches and how to safeguard themselves and their customers. Providers also have their representatives join the WhatsApp groups to disseminate information on issues related to safeguarding customer data.
“I am aware of the mobile money guidelines around safeguarding customer information, keeping PIN safe, etc. I was informed of the guidelines and other rules to follow when I registered as an agent.”
What are some responsible practices of providers to promote data protection?
Mobile money providers, including Airtel and MTN, conduct mass media campaigns around protection from fraudsters and safeguarding PINs. Customers interviewed mentioned receiving SMS messages with such warnings, along with noticing advertisements by providers on TV and on the radio. Providers also give their agents various marketing collateral on PIN management. Some mobile money providers, such as MTN Uganda, have gained GSMA’s Mobile Money Certification, a global initiative based on independent assessments of a provider's ability to deliver secure and reliable services, to protect the rights of consumers, and to combat money laundering and the financing of terrorism. One important aspect of the Mobile Money Certification is to ensure data privacy and to protect customers against fraud.
As part of their adherence to Uganda’s Data Privacy & Protection Act of 2019 (DPPA), providers train their agents to collect only information relevant to the transaction. For example, sensitive information, such as customers’ religion or income, should not be requested to open mobile money accounts. We also heard about different types of mechanisms providers have put in place to identify, prevent, mitigate and investigate data misuse. For example, when sharing data with banks and partners, providers ensure that the data is anonymized to protect customer privacy. To investigate data fraud, mobile money providers regularly monitor transaction data and identify any data discrepancies in transactions.
What has been the role of the Uganda DPPA in strengthening customers’ data protection?
Mobile money providers strengthened their data protection practices after the implementation of the DPPA, which regulates personal data collection, processing, use, and disclosure, and applies to every person, entity or public body within or outside Uganda that collects, processes or holds personal data. As per the DPPA, providers have onboarded a dedicated Data Protection Officer who ensures adherence to the law. The Ministry of Information & Communications Technology (ICT) conducts monthly audits of providers to ensure compliance with the DPPA. Providers also levy penalties on agents based on the increased intensity of data misuse.
Gaps remain – what else can providers do to support their agents?
“Agents used to be rewarded if they had zero complaints, but this has been discontinued. There is no specific provision to incentivize agents for safeguarding data.”
While mobile money agents and providers in Uganda do a lot to promote and safeguard customer data, gaps remain, and data misuse and fraud are on the rise. Below are a few recommendations we have for providers on how they can continue to strengthen their agents’ data protection practices:
- During agent onboarding, train agents to be more transparent and share information with customers on how their data is used when customers subscribe to the service or buy a new SIM.
- Further emphasize data protection challenges and mitigation strategies during agent trainings, since agents do not typically receive focused training on customer data protection.
- Provide agents with additional support and marketing collateral on data protection, such as a ‘data protection communication toolbox’ for agents.
- Increase customer awareness on how their data is used and shared through more effective channels and content options for information dissemination to customers.
- Consider doing away with agent logbooks as agents already receive SMS confirmations of transactions, since logbooks can be a source of data exposure.
- Provide rewards and recognition to agents who receive minimum complaints about their conduct from customers. This will foster both competition and compliance of responsible practices among agents.
Want to learn more? Visit FinDev Gateway for the slide deck that provides further details on the findings.