Introduction

Riding on the back of advances in technological and digital innovation, increased consumer expectations and universal aspiration for financial inclusion, financial technology ("FinTech") is rewriting the scope and roles of traditional financial methods and institutions. By leveraging key technologies such as application programming interface, distributed ledger technology, biometrics, and, especially, artificial intelligence, FinTech is fast becoming a way of life.1

From asset management to investing, lending, and payment, financial services are now more accessible and more affordable than ever. It is no wonder, then, that the FinTech sector has attracted some of the most significant investments in the past years. In 2018, African FinTech companies raised about $357 million, with startups in Kenya, Nigeria and South Africa accounting for the largest share.2 And then in 2019, major FinTech firms raked in over half a billion dollars in funding, with a number of Nigerian FinTech firms raising $360 million within a single month in a particularly impressive influx period.3

But while FinTech continues to thrive in Africa's unique financial and economic ecosystem and continues to improve financial inclusion, certain concerns (chief of which is FinTech's implications for privacy and data protection) brew in the background, and many consumers—and regulators—seem to be getting carried away on a wave of technological optimism.

Here is the issue: FinTech products are data generators—they routinely collect personal data (such as users' name, location records, bank account details, and email addresses) and sensitive data (such as information relating to ethnicity, race, religious belief, credit information, and online banking credentials). "The sheer volume of the information increases its sensitivity, because over time a FinTech company may generate a very detailed and complete picture of an individual."4 Even "[d]ata that people would consider as having nothing to do with the financial sphere, such as their text messages [and call logs], is being used at an increasing rate [by FinTech companies to provide financial services]."5

Meanwhile, privacy and data protection are core interests protected in many constitutions, major legislative documents, and international treaties—interests that FinTech may be abusing, to the detriment of the entire financial system.

Financial Technology, Privacy, and the Issue of Trust.

As FinTech's number and growth continue to explode, the volume of data available—consumers' personal and financial information—has also grown. Capitalizing heavily on the improvement in mobile device usage and internet penetration rate, FinTech firms continue to deploy high-tech, low-cost products to expand the reach of financial services to every corner of the continent: this means that they have access to vast amount of rare, qualitative data (and insights into consumers' earning, behaviour, preferences, etc.)

The ability to mine data for insights—and the resultant capacity to render hyper-personalized users' experience—is one of FinTech's biggest advantages. But despite the convenience they offer, FinTech's approach to consumer data is evolving into a major disadvantage, mostly because, besides the lofty goals of driving financial inclusion and making finance invisible, FinTech firms now seek to generate revenues by exploiting users' data in ways that violate the most basic principles of privacy. For instance, to access their services, many FinTech products give consumers little choice on how their data is collected or used; many terms of use contain 'take-it-or-leave-it' clauses; agreements framed as privacy policies are actually 'lack-of-privacy' policies, and products packaged and promoted as free, cost consumers their personal and financial information.

More worrisome is the fact that as demand for big datasets by banks, large corporations, and multinational firms grow, several indications suggest that many FinTech firms have now resorted to analyzing customers' information and selling it to third parties often without a valid credit bureau license or customers' consent.

This business model is, naturally, birthing a new form of distrust, with many consumers admitting to intentionally falsifying personal information and data. As consumers become aware that the same products that give them near-complete control over their finances also enable the mass collection, analysis, and sale of their data to third parties, who then exploit insights derived from the data to influence their spending behaviour, a chilling effect is being created.

Case in point: a recent survey revealed that more than half of respondents (55%) would avoid handing personal data to a company they know to have been selling or misusing data without consent, and over two thirds (69%) said they would completely boycott a company that repeatedly showed no regard for protecting their data.6 In the short- and long-run, this growing wave of consumer distrust does not bode well for the FinTech sector or for a financial system built largely on trust.

Financial Technology and the Nigeria Data Protection Regulation

Prescribing the minimum data protection requirement for the collection, storage, processing, management, operation and control of personal data7 in Nigeria, the Nigeria Data Protection Regulation (the "NDPR" or "Regulation") is yet the most advanced piece of legislation on data protection in Nigeria. It applies to all transactions intended for the processing of personal data, and to the actual processing of personal data in respect of natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.

Falling under the categories of 'data controllers' or 'data administrators/processors' (as defined in the Regulation), FinTech firms are bound by the requirements of the NDPR. As such, before they collect data from any consumer, they are required to notify the consumer of the specific reason(s) for which their data is being collected. Where the basis for processing the consumer's data is consent—which is usually the case—FinTech companies must ensure that the consent is validly obtained.8 For consent to be validly obtained, it must be freely given, specific, and unambiguous. Consent is deemed freely given where it has not been tied to the processing of personal data that is not necessary (or excessive) for the provision of a service.9

This means, for instance, that a consumer's location data should not be processed where the consumer simply needs to use a FinTech product to make payment at a supermarket. (Location data are especially tempting to collect because they represent one of the latest, and most important, information sources available to marketers and has also opened up $21 billion sales opportunities for advertisers, to whom the data is usually sold.)10

Now, typically, FinTech companies' justification for trading users' data fall under the consent metric. But consumers rarely ever consent to the sale of their data to anonymous third parties. Where they do, the consent is not always informed. Where it is informed, there is usually no real choice.

So, not only are FinTech firms failing on many of the metrics of lawful processing, as contained in the NDPR, FinTech products are also being built without privacy being a core feature—for instance, many FinTech products obtain users' consent automatically (such that as soon as one registers or uses certain features of a FinTech product, one is deemed to have given one's consent and to have accepted all the terms and conditions of use, which usually incorporates the privacy policy11); and those products that give users an "option" obtains users' consent through an "all or nothing" checkbox. It is also usual to find that neither the terms of use nor the privacy policy contains sufficient information showing the specific classes of data being collected, the specific purposes for which the data is processed, and the third parties with which the data is shared in the ordinary course of business.

Conclusion

Besides the fact that the NDPR's requirements are mandatory, FinTech companies should see the Regulation as an opportunity, not a threat. Not only does the law obligate FinTech firms to refrain from commoditizing consumers' data, it also forces companies to think about new, adjacent revenue streams. Again, it offers them a chance to obtain competitive advantage by making privacy a core value and a fundamental feature of their service offerings. Finally, being proactive about compliance could strengthen and build positive brand affinity among consumers.12

At the barest minimum, FinTech firms should collect data for legitimate purposes only; data processing must be consistent with the service being provided and must match users' reasonable expectations; and consumers should be given the option to determine which third parties their data should be shared. Also, FinTech firms must resist the temptation to commoditize and trade people's data, even where they have supposedly obtained consent. "Privacy should not be something [people] have to pay for. And companies offering 'free' services should not use them to mask data exploitation practices."13

Footnotes

1. EFInA FinTech Report, "Overview and Lessons Learnt from Global FinTech Landscape and Nigerian FinTech Landscape", EFInA (December 2018) https://www.efina.org.ng/wp-content/uploads/2019/04/EFInA-FinTech-Report-Global-and-Nigeria-Landscape.pdf

2. GSMA Intelligence, "The Mobile Economy, Sub-Saharan Africa 2019" https://www.gsmaintelligence.com/research/?file=36b5ca079193fa82332d09063d3595b5&download

3. Jake Bright, "Africa Roundup: Nigerian fintech gets $360M, mints unicorn, draws Chinese VC" TechCrunch (December 2019) https://techcrunch.com/2019/12/01/africa-roundup-nigerian-fintech-gets-360m-mints-unicorn-draws-chinese-vc/

4. Wendy Mee, "Big Data, Big Risk? Privacy and Security Tips for Fintech Companies" Blake, Cassels & Graydon LLP (September 2016) https://www.blakesbusinessclass.com/wp-content/uploads/2016/09/Privacy-And-Security-Tips-For-Fintech-Companies.pdf

5. Privacy International, "Fintech: Privacy and Identity in the New Data-Intensive Financial Sector" Privacy International (November 2017) https://privacyinternational.org/sites/default/files/2017-12/Fintech%20report.pdf

6. Michael Hocking, "Fake data: survey reveals extent of false data supplied by consumers" (PaymentEye, 2018) https://www.paymenteye.com/2018/02/08/fake-data-survey-reveals-extent-of-false-data-supplied-by-consumers/

7. Personal Data is "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.

8. It is important to note for the sake of clarity that the NDPR applies not only to FinTech companies, but to every data controller/processor, as defined in the NDPR.

9. Article 2, Paragraph 3 (d), Nigeria Data Protection Regulation

10. See generally Macha, Li, Foutz and Ghose, 'Privacy Preservation in Consumer Mobile Trajectories' (Working Paper January 8, 2020) https://mmacha.github.io/resources/GeoTargetingPrivacy.pdf Accessed 8 January 2020.

11. Clearly, this contradicts the law, which requires that consent must be obtained by a statement or by a clear affirmative action.

12. Rich Matta, "California's new privacy law is an opportunity, not a chore" (December 2019) https://www.sfchronicle.com/opinion/openforum/article/California-s-new-privacy-law-is-an-opportunity-14911460.php

13. Valentina Pavel, "Our Data Future" Privacy International, (July 2019) https://www.privacyinternational.org/long-read/3088/our-data-future Accessed 12 December 2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.