> Posted by Rafe Mazer, Financial Sector Specialist, Government & Policy, CGAP
World Consumer Rights Day is March 15. To celebrate, this week we’ll be sharing posts that explore the importance of client protection and initiatives that strengthen responsible practices in providing financial services. Given the tremendous growth of mobile phone-based financial services, it’s fitting that the theme of this year’s day is “fix our phone rights.”
The rapid expansion of mobile financial services in many emerging markets has created new consumer protection issues and challenges. One of these involves consumers’ digital data, and how this data is stored, used, and communicated to the consumer.
The implications of mobile financial services for data privacy are far-reaching and a topic of much recent conversation in the financial inclusion and consumer protection space. At a recent CGAP/Microfinance Opportunities/Citi Foundation roundtable on big data the discussion over privacy of mobile data and informed consent—making sure consumers truly understand and accept product terms before enrollment—proved to be one of the liveliest discussions of the day.
Focusing strictly on the behavioral dimensions of this debate, two important issues to consider are:
- How to effectively disclose to consumers in a salient way the complex subject of how their personal data will be used.
- Consumers often have a general preference for protection of their data, but this conflicts with the reality that in order to use a product they often must agree to let it track and share their information. So in practice, consumers will often consent to data sharing conditions that do not reflect their preferences because they do not want to be denied access.
Informing base-of-the-pyramid consumers on data privacy issues can be challenging because it requires educating individuals on their “digital footprints,” a topic that is both complex and, for many of these consumers, brand new. CGAP has been exploring this challenge in Tanzania with First Access through field testing of informed consent approaches. First Access is a data analytics firm that works with lenders to use financial and mobile data to predict credit risk for base of the pyramid financial consumers. Our research together is seeking to determine appropriate methods for informing borrowers in Tanzania how their data will—and will not—be used by First Access. Since few people understand that using their mobile phone creates data records, our research began by exploring how Tanzanians conceive of privacy in general, probing on financial, personal, and social information, and how individuals share and protect this information in their family, business, and community.
In-depth individual interviews revealed that consumers are generally comfortable with sharing information if it will help them secure a loan they could not access otherwise. However, it also brought into focus a few key messages that would help customers understand and trust First Access’ services more fully. This includes making clear that:
- Their mobile phone records will never be shared by First Access with anyone else
- First Access will never read the content of consumers’ text messages or listen to phone calls
- First Access will never ask them for their PIN or bank account details (this is important so consumers could easily identify a potential phishing scam where the caller purports to be from First Access)
Consumers also noted that, even if they would allow their mobile phone records to help with the credit evaluation process, they would still appreciate the option to receive a follow-on text with more information or to call a First Access hotline before agreeing to the use of their mobile phone records for credit scoring.
CGAP and First Access are currently field-testing this approach to informed consent with urban and rural Tanzanian consumers through alternative wording for SMS messages and educational materials. The objective is to maximize consumer understanding and protection of data.
The challenge of consumers wanting data privacy protection, while also frequently relinquishing these rights at the slightest barrier to access presents a much trickier behavioral challenge to address than informed consent. A recent GSMA survey on consumer perceptions on mobile privacy found that while “83 percent of mobile internet users have concerns about sharing their personal information when accessing the internet or apps from a mobile phone,” “8 out of 10 users agree to privacy notices without reading them because they tend to be too long or legalistic.” We can all relate to this—whether it is clicking “I agree” on iTunes’ multi-page terms of service without reading it so we can download a new album, or signing the form in the doctor’s office in a rush so we don’t have to wait any longer to get the visit over with.
It may not be enough to rely on disclosure and informed consent as the sole approach to making sure consumers’ data is secure and their privacy preferences are respected. The behaviors described in the GSMA survey might be too common and the information asymmetries between providers and consumers may be too great. For consumer protection measures to be effective for mobile financial services then, providers may need to ascribe to a higher standard than just obtaining consumer consent through a click of the mouse or punch of the keypad, and seek to truly understand what consumers know, don’t know, and are comfortable with, as First Access is seeking to do with their usage of mobile phone records.
Perhaps a better standard is for the provider at least to ensure the consumer has a certain minimal understanding of how their personal information will be used, and ideally the right to opt out of this usage of their information up-front or at any later date. Achieving this may also require standardized disclosures and consent formats for data usage and data sharing across types of financial service providers, so consumers consistently see the same forms. Some regulators might see the need to go one step further, by prohibiting use of the multi-page, legalistic disclosure forms that both confuse the consumer and absolve them of reasonable responsibilities to handle customers’ personal information with care and consideration.
Image credit: Michele Smorgon
Have you read?