Digital Lending and Data Privacy in Kenya
Prior to 2020, digital lending witnessed an unprecedented rise and growth in Kenya. According to a 2019 FSD report, the boom was fuelled by widespread use of mobile phones, high demand for credit and a lax regulatory environment. Digital loans fall into two main categories: mobile banking loans (i.e. loans by licensed banks such as M-Shwari) and digital loans (i.e. loans granted by unregulated firms like Tala and Branch). The regulatory environment made it very easy for unregulated providers to enter the market. By 2020, Kenya had over 120 digital lending platforms.
When the pandemic hit, the Central Bank of Kenya withdrew the authorisations granted to unregulated digital lenders as third-party credit information providers to Credit Reference Bureaus (CRBs). This was a huge blow to digital lenders, who rely heavily on CRBs to determine creditworthiness. In a sense, digital lending by unregulated firms came to a grinding halt.
Parliament is now considering ways of regulating digital lending in Kenya through the Central Bank of Kenya (Amendment) Bill 2021. When passed, the law will provide a much needed lifeline for unregulated digital lenders in Kenya. However, more regulatory challenges lie ahead. A good case in point is the new Data Protection Act, which is set to heavily impact digital lending.
What is digital lending?
Digital lending entails extension of loans to customers through digital channels. Before digital lending became a thing, lenders offered loans to customers based on their credit scores or profiles. To determine creditworthiness, they looked at things such as past credit history, income sources, financial statements, history of default etc. The appraisal process was often time-consuming and favoured people with steady income sources and a good loan repayment history.
In contrast, digital lenders determine creditworthiness using a combination of the traditional customer data and alternative data. Alternative data includes data generated by a customer through digital interactions, including browsing history, call logs, messages, GPS data and communication patterns. This data is analysed using a mix of AI, machine learning and automation technologies to derive a customer's credit score and to set loan limits. The use of technology leads to a faster and much more convenient lending process.
Digital lending is attractive not only to existing customers but also to first-time borrowers who would otherwise be locked out due to lack of a credit history.
Data privacy in digital lending
The transfer of personal data and financial information through digital channels raises data privacy concerns. For example, in 2019/2020, the use of non-financial data by digital lenders caused great indignation and public outcry among Kenyans. Debtors accused digital lenders of using mined phone data to engage in debt shaming practices such as informing their family, friends and employers of the existing debt. The CBK also decried this intrusive practice revealing that it had led to mental anguish and suicide among affected persons.
The most effective way to address data privacy concerns is through a robust legal and regulatory framework. Kenya enacted its first Data Protection Act on 25th November 2019. However, its implementation only kicked off this year due to the delayed appointment of the Data Commissioner – the regulator and person responsible for enforcement of the Act.
For digital lenders, the Act revolutionises the way in which firms handle personal data. It curtails the misuse of data by introducing stringent compliance obligations and standards. The risk of non-compliance is high, as data owners (also known as "data subjects") now have a right to lodge complaints with the Data Commissioner. In addition, the Data Commissioner has power to impose fines and criminal sanctions. For instance, the Data Commissioner can levy an administrative fine of up to Kes. 5 Million or 1% of a firm's gross annual turnover. Apart from the regulatory risks, a firm can also suffer reputational risk emanating from eroded consumer confidence and trust.
Let us now consider ten ways in which things are set to change for digital lenders.
1. Transparency and fairness in data collection and processing
Digital lenders must have a privacy policy (privacy notice) that tells customers, before any data is collected:
- the types of data collected
- methods of collection
- the purposes for collection
- the lawful basis for collection
- how the data will be processed
- how the data will be shared and stored
- the period of data retention
The policy should be easily accessible to the customer on the digital lending platform, i.e. on the website and in the mobile app.
Overall, digital lenders cannot mine data from a customer's phone or digital device unless they have informed the customer. Apart from that, lenders must specify all the data that they intend to collect and how they intend to use it. The proposed use should be in line with the reasonable expectations of the data subject. For example, it is a reasonable expectation that you obtain my name and phone number for purposes of entering into the lending contract. It may also be reasonable for you to collect some of my phone data for purposes of credit scoring. However, it is unreasonable for you to mine my data and obtain the contacts of third parties so you can use them to pursue my outstanding debt. The level of specificity required means that a lender must have a very good handle on how it collects and processes data.
2. Transparency and fairness in credit scoring
In digital lending, credit scoring involves making decisions by automated means. The Act (and its supporting draft regulations) has introduced a host of new requirements relating to automated decision making. In summary, the lenders must:-
- inform customers that credit scoring involves automated processing
- provide meaningful information about the logic involved in processing
- explain the significance and possible consequences of the processing to customers or regulators
- ensure the prevention of errors, bias and discrimination
- process personal data in a way that prevents discriminatory effects
- ensure that a customer can obtain human intervention and express their point of view
These requirements demand a review and alignment of existing credit scoring technology to the requirements of the law.
3. Effective management of data processors
A data processor is a person or firm that processes data on behalf of a data controller. On the other hand, a data controller is a person or firm that determines the purpose and means of collecting and processing data. In the context of digital lending, the digital lender is usually the data controller because it determines the purpose and means of collecting data. The lender often uses sub-contractors to process data on its behalf. For example, it will appoint debt collectors to recover outstanding debt. In that case, the debt collector is the data processor.
The Act requires that a data controller and processor must have a written agreement in place outlining key obligations of the parties.
Using the debt collectors example, a digital lender must sign a data processing agreement with each of its debt collectors. This should be done before the debtors book is transferred to the debt collector. The agreement should outline the scope, purpose and nature of the debt collector's processing activities. For example, the agreement should define the methods for reaching out to debtors, including the appropriate timing and messaging. In addition, the agreement should spell out the lender's and the debt collector's obligations, including data security and data retention obligations. Finally, the agreement should give the lender the power to audit and inspect the debt collector's data processing activities.
4. International data transfers
The Data Protection Act imposes restrictions on some data flows out of the country. Therefore, digital lenders need to understand the circumstances under which transfer of data is permissible and the conditions that must be met before such transfer can take place. In particular, a restricted data transfer cannot take place unless the digital lender:-
- proves to the Data Commissioner that the lender has put in place adequate safeguards with regards to security and protection of the personal data.
- proves to the Data Commissioner that the data will be transferred to jurisdictions with commensurate data protection laws and that the recipient of the data is bound by those laws.
- informs the data subject of the safeguards and implications of the cross-border transfer and obtains the data subject’s consent to transfer the data outside the country.
- safeguards the data from misuse or unintended disclosures by the recipient.
- enters into a cross-border agreement with the recipient of personal data.
5. Facilitating data subject rights
One of the key features of the Data Protection Act is that it gives data owners the right of control over the use of their data. To this end, the Act grants data owners certain rights over their personal data. These include the rights of access, rectification, erasure, objection and restriction of processing of personal data. Consequently, digital lenders must ensure that data subjects can exercise these rights when necessary. For example, a customer may request the lender to delete or erase all personal data after repayment of a loan. The digital lender must respond to the request either by complying or by declining the request and giving reasons for the refusal. The supporting regulations for the Act have defined time-limits for responding to the requests, which in most cases is 14 days.
To avoid getting caught out, the digital lender must know where the information is stored (including copies held by data processors such as debt collectors) and have a guiding policy for responding to all requests within the time-limits.
6. Privacy by design and by default
Privacy by design and by default is a concept that requires digital lenders to think about data protection and privacy issues at the design or conceptualisation stage. In other words, before you roll out a system or process, you should ensure that it integrates privacy compliance. Apart from being a mandatory requirement under the Act, it is an effective tool for compliance with the fundamental data protection principles outlined in the Act.
For a digital lender the picture of success may be one where the lender:-
- proactively manages privacy-invasive events before they occur.
- only collects and uses personal data that is relevant for their circumstances.
- ensures that the digital lending platform is automatically protected from personal data loss such that customers do not have to take any further action to protect their privacy.
- avails its privacy policies to the customer prior to processing customer data.
- offers strong privacy defaults, user-friendly options and controls and respects user preferences.
- respects data subject rights.
- guarantees security of personal data.
- retains data for specified periods of time and thereafter disposes of the data from its records.
- effectively manages any third parties handling personal data on their behalf.
7. Consent for direct marketing
Digital lenders intending to market their products directly to existing or prospective customers cannot do so without obtaining the consent of the customer. For consent to be valid, it must be express, free, specific and informed, and it must involve clear affirmative action on the part of the data subject. Digital lenders often use direct marketing channels such as SMS or email marketing for promotions. The consent requirement demands that they have appropriate mechanisms in place to seek consent or opt-ins from customers. They must also provide customers with an easy way of opting out of the promotional communication. For more on the digital marketing requirements, please see our previous article.
8. Personal data breach management
As many digital lenders know, data security is a major risk to their business operations. They constantly face threats both from within their organisation and from external actors such as hackers. The Act has now brought data security into sharp focus, as it requires digital lenders to report personal data breaches where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to data subjects. For example, if there is a breach leading to loss of customer contact details and loan amounts, the digital lender must report such breach to the regulator. The report must be made within seventy-two (72) hours of the lender becoming aware of the incident, and affected data subjects must also be notified. Additionally, the lender's data processors (such as debt collectors) must notify the lender of any breach within forty-eight (48) hours of becoming aware of it, and the lender must assess and, if necessary, report those breaches as well. The tight timelines mean that digital lenders need to have a coordinated incident response process in place, including breach notification clauses in their data processing agreements so that a processor's breach reaches the lender in time to meet the 72-hour deadline.
9. Data Protection Impact Assessments (DPIA)
If a lender wishes to introduce or review a process or technology in such a way that it impacts the privacy of its customers, a Data Protection Impact Assessment should be carried out. A DPIA is a tool used to assess the privacy risks emanating from a given project, technology or process and to develop appropriate risk mitigation measures. If the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects, the lender must consult the Data Commissioner before rolling it out. The Data Commissioner can make additional recommendations for risk mitigation or disallow the use of the technology altogether. The need for consultation with the regulator means that a digital lender cannot afford to overlook the importance of conducting thorough DPIAs.
10. Registration with the Data Commissioner
The Act and its supporting regulations provide for annual registration of firms engaged in the collection, use and processing of personal data. Although some firms are exempt from this requirement, the draft regulations provide that firms engaging in the provision of financial services must be registered. If the current draft regulations become law, digital lenders will fall under the purview of the Data Commissioner, meaning they cannot afford to fail in compliance.
The Data Protection Act is set to revolutionise digital lending privacy in Kenya. Debtor shaming and collection of data from undisclosed sources will become a thing of the past. Digital lenders should take time to understand their compliance obligations and to develop an appropriate privacy compliance program.

Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.