Fintech, Data Protection and Compliance in Africa: A Regulatory Response

By GITTEL AYUK Esq.


Introduction

Data Protection (DP) is not a new topic in Africa. However, the rise and proliferation of Fintech Start-Ups in Africa has prompted new conversations on the collection and usage of data. Concurrently, new and more robust compliance standards are being carved out daily in a bid to balance regulation with the disruptive trends in data collection, analysis and usage brought about by Fintech. The case for a more robust compliance standard for DP in the African Fintech space rests on two points. Firstly, Fintech has ushered in new financial products and customer experiences and, hence, new ways of receiving, keeping, processing and transferring data. Secondly, most Fintech products in Africa are beyond the existing regulatory framework for traditional financial services. To this effect, the recent wave of legislative enactments on data protection serves as a regulatory response to the use cases of data in the African Fintech space.

Use Cases of Data in the African Fintech Space

The Fintech space is championed by major players like Mobile Network Operators (MNOs), Traditional Financial Institutions (TFIs) and Non-Traditional App-based lenders (NTABLs). These players offer diverse products and services ranging from payments, digital banking, savings and loans to blockchain and cryptocurrency. Given the new model of these products and services, the means of accessing, collecting, analysing, processing and using customer data have also taken a new turn. Most of these services are interconnected and often integrated with one another, making access to and sharing of customers' personal information easier. For example, banks and payment Start-Ups in Africa largely make use of Mobile Money Services (MMS), which are operated chiefly by MNOs. Also, Open Banking now operates in some African countries, allowing the sharing of customers’ information between banks and third-party Fintech companies. Consequently, data handling and movement within the African Fintech space have become more sensitive and complex. This has called for a more robust and specific approach to regulatory compliance on data protection for Fintechs in Africa.

Regulatory Compliance on Data Protection

Recently, many African countries have been adopting stricter and more specific approaches to regulatory compliance on data protection. Their preferred model has been the adoption of laws following the European Union’s General Data Protection Regulation (GDPR).[1] Data protection laws in Africa, though specific to each country, have some common tenets. These include the authorization or license to process personal data, the establishment of Data Supervisory Authorities (DSAs), the imposition of specific obligations on data controllers and data processors before, during and after their existence, as well as outstanding penalties for breach of their obligations. Given the interconnected nature of Fintechs, the body of laws regulating their activities in Africa is largely multi-dimensional. Data protection laws in Africa work hand in glove with laws on anti-money laundering, cybersecurity, cybercrimes and electronic transactions.[2] In a nutshell, data protection laws in Africa bring out data protection as a duty of both regulators, but more specifically


[1] Witney Schneidman, Dan Cooper, Mosa Mkhize & Shivani Naidoo, December 13, 2021, Tech Regulation in Africa: Recently Enacted Data Protection Laws, Available at, https://www.covafrica.com/2021/12/tech-regulation-in-africa-recently-enacted-data-protection-laws/.

[2] Aissatou Sylla, February 2022, Recent developments in African data protection laws – Outlook for 2022, Hogan Lovells,  Available at, https://www.engage.hoganlovells.com/knowledgeservices/news/recent-developments-in-african-data-protection-laws-outlook-for-2022_1_1.

Data Protection and the duty of trust

The relationship between customers and Financial Service Providers (FSPs) is a fiduciary one. Because of this trust, customers easily hand over their information to the FSP without fear of any breach. Customers divulge personal data ranging from names, telephone contacts, identification details, physical and email addresses,[1] credit card and social security numbers to their FSPs. While in possession of customers’ personal data, the FSP owes the customer the duty to safeguard such information to the exclusion of every third party. This duty translates into strict obligations on the part of the FSP to have an adequate security architecture that ensures that customers’ data is well stored and managed, safe from compromise of any sort. FSPs are therefore subject to tight scrutiny and compliance measures from governments.

Challenges to Data Protection

While Fintech in Africa is revolutionary in terms of economic growth and financial inclusion, the consequences for how customer data is handled are far-reaching. This is because as Fintech evolves, newer risks and means of data breach and theft evolve. Globally, the cryptocurrency markets, for example, have witnessed the loss of approximately $2.9 billion to hackers between 2014 and 2021.[1] According to the African Cybersecurity Centre, “Several thousands of small or medium-sized financial institutions, Fintechs or financial inclusion actors still have a long way to go, starting from more comprehensive sectoral data on threats to feed board’s awareness”.[2] Breaches of customer information have far-reaching effects for both the customers and the FSP. While customers may suffer huge financial losses on one hand, FSPs risk even greater consequences ranging from a damaged and irreparable reputation to loss of sensitive data and huge legal actions.[3] This makes the role of the government in the regulation of Fintech Start-Ups very instrumental. Its role is seen in the placement of regulatory compliance standards with which all Fintech Start-Ups, as well as MNOs and TFIs operating in Fintech, must comply. All over Africa, nations are beginning to enact laws on data protection and privacy in order to address concerns that have been brought about by new trends in the financial industry.


[1] Tech Monitor, March 7, 2022, The Biggest Cryptocurrency hacks of all times, Available at, The nine biggest crypto hacks of all time – Tech Monitor.

[2] Jean-Louis Perrier, August 1, 2021, What are the cybersecurity challenges for the African Financial Sector?, African Cybersecurity Resource Centre, Available at, https://cyber4africa.org/articles/what-are-the-cybersecurity-challenges-for-the-african-financial-sector/

[3] MetaCompliance Marketing Team, February 25, 2020, 5 Damaging Consequences of A Data Breach, Available at, https://www.metacompliance.com/blog/5-damaging-consequences-of-a-data-breach/.


[1] Understanding Data Protection in the Financial Service World, TCS BANCS Research Journal, Pp. 31, Available at, Understanding-Data-Privacy-in-the-Financial-Services-World.pdf (tcs.com).

Conclusion

Fintech Start-Ups have given a new outlook to data protection in Africa. With new methods of accessing, storing, processing and using data, Fintechs have prompted a new wave of regulatory compliance measures. Through data protection laws, a more specific approach is adopted in protecting customers' personal information. Notwithstanding the outstanding legal parameters for data protection, data theft and breaches continue to threaten the very existence of the Fintech industry in Africa. To this effect, a collective effort of both regulators and Fintech companies needs to be devised to provide better data protection architecture for the benefit of both customers and the Fintech operators.