Improving Consumer Protection: It’s Time to Address the Cost Of DFS & Data Privacy

Industry experts chime in on how to improve consumer protection in the DFS ecosystem

This is a continuation of our industry consultative working group forum series. Previous articles have addressed DFS Infrastructure and Identity Management.

In August, principal actors in the digital financial services ecosystem attended our industry consultative working group forum.

The objective of the Forum was to create a platform for constructive debate of crucial policy issues impacting digital financial services and financial inclusion, with a view to identify practical reforms for enabling financial inclusion in Nigeria.

One of the themes discussed — Consumer Protection — is a significant trust inhibitor amongst the underserved. Below we have summarised a few varied viewpoints and recommendations from the ensuing deliberations.

COSTS OF DFS

For DFS to be attractive, it has to be easily accessible and affordable.

High transaction charges are a deterrent to financial services. DFS providers attribute their high costs-to-serve to the various compliance costs like licensing, capitalisation, staffing, etc. imposed on them by the regulators. Another contributory factor involves the costs associated with customer onboarding (account opening) as well as the multiplicity of account maintenance charges.

Also, financial services providers do not sufficiently disclose fees for their services.

On the demand side, due to multiple unstructured supplementary service data (USSD) sessions initiated to complete a single transaction, consumers accumulate a lot of charges. This also includes associated costs accrued during the lodgement of complaints and seeking redress, (for example multiple phone calls, emails and trips to the institution).

The Central Bank has established a consumer protection framework and a centralised consumer protection office with the goal of addressing such issues but it has been inadequate to serve the entire nation.

Recommendations

The elimination of unnecessary costs and charges needs to be a priority. But how? Some ideas are:

1. Compliance-related expenses should all fall to lower the cost-to-serve.

2. Establishment of maximum fee caps and prorated fees (by transaction value).

3. Mandatory zero-rated charges for the use of USSD services, particularly for Tier-1 customer transactions within their transaction threshold. In the instances where fees apply, and interchange arrangements apply, revenue share with mobile network operators (MNOs) and other players should be encouraged.

4. Regarding the non-disclosure of fees, amendments should require operators to disclose their costs and the actual cost-to-serve services to consumers. They should also emphasise consumer education and publication of charges with adaptation in local languages for effectiveness.

5. Regarding associated costs of reporting complaints, a policy amendment is due which would decentralise the management of customer complaints and utilise agent networks for last mile service provision instead.

Data Security & Privacy

Experts agree that trust is critical in the adoption of financial services, and especially DFS. Threats to the security of consumer deposits and information (privacy) engender a lack of trust due to the absence of proper data privacy and data protection legislation and active enforcement agencies. Issues such as data breaches, wrongful sale and distribution of customer and other prevalent data breaches are also yet to be properly addressed.

The information security risks of the USSD channel are also quite significant. For example, data dumps of USSD transmissions are accessible to select MNO staff in clear text form, i.e. all communications can be read by MNO employees. The apparent lack of data encryption means sensitive data including security credentials of account and wallet holders may be visible.

Recommendations

1. The provision of fidelity bond insurance in existing guidelines is acknowledged. However, enforced implementation across financial services is required.

2. Insurance against fraud for both the consumers and the financial institutions in the event of fraud should be maintained.

3. Information security enhancements require the introduction and enforcement of a legal framework for reporting infractions more transparently to deter breaches.

4. Elimination of unnecessary costs of identity verification.

5. Adequate supply of equipment that will empower operators to protect data from hacking, malware and other unauthorised access should be issued.

6. Imposition of stiff penalties on the sale or unauthorised handling of customer data/information is required.

7. Legislation on data protection should be introduced. The proposed data privacy and protection legislation should consider the following:

• Introduction of provisions that prohibit hacking, malware and other forms of unauthorised access.
• Stiff penalties for disclosure, sale or unauthorised use or handling of customer data.
• Data residency mandates which ensure encryption of data transmitted to overseas servers. To enhance the privacy frameworks in the ecosystem, the amendment of all guidelines for ecosystem operators should include disclosure obligations for data privacy breaches.

8. In addition to legislation on data privacy and protection, an agency with enforcement powers is also necessary.