Digital lending is a fairly new concept that is steadily gaining popularity in Kenya. It relies on consumer behavioural data, for example, type of phone, location, contacts, apps, and mobile money transactions, which is collected as one uses a mobile phone. Digital lending apps are not classified as financial institutions under the Banking Act and the Microfinance Act and as such, they have operated without direct regulatory oversight. However, digital lending apps are now subject to the Data Protection Act (DPA) that was enacted in 2019. They are also subject to the consumer protection laws, overseen by the Competition Authority of Kenya. Providing consumers with product information, including terms and conditions before taking digital loans are some of the ways in which regulators have sought to regulate digital lending apps .

As part of a continued study on the impact of digital identities in society, CIPIT recently studied the privacy and data protection practices of digital lending apps in Kenya. The research was undertaken with support from Privacy International and sought to determine what data is collected by digital lending apps, permissions granted to the apps by users and the compliance to the DPA.

Highlights

The apps selected for the study are apps that are accessible within Kenya and easily downloadable from the Google Play Store. The study determined the permissions that each app required at installation and an analysis of privacy policies and data-sharing policies was also done. A fiddler proxy server tool was set up with a physical device (Google Pixel) to collect the data by intercepting the web traffic. The data collected included application programming interface (API) endpoints that the applications were sharing data with on the launch of the application.

Some of the findings included that:

• All the apps read contacts, location, and network connectivity data.
• All the apps inform borrowers that the verification of their identity and/or phone numbers is carried out.
• The apps study borrowers’ behaviour. They also share data obtained with third parties such as data analytic companies.

Arising issues

The launch was attended by various partners who included Dr. Tom Fisher from Privacy International, Linda Bonyo, Lawyers Hub, Victor Kapiyo- KICTANet, and Bernard Mugendi of Kenya Human Rights Commission (KHRC). Together with participants, they shared reflections on various aspects of digital lending apps and data protection, such as:

1. Increased use of technology in financial services

The use of technology in financial services presents limitless possibilities e.g. ease of access, more personalized service, greater convenience. Fintech is disrupting services models and regulatory structures, not just in Kenya but the world over. With this comes prevalent risks that impact on consumer privacy, data protection, security, and exclusivity. Most companies are still of the opinion ‘all data is credit data.’ In 2020, the IMF suggested that web search history should be used to determine credit score. This goes to show the impact of financial identity extends far beyond the financial sphere and as such, there is a need to look into the possibility of fintech regulation.

2. Sector-specific regulations

There are challenges which are unique to the digital lending space thus the need for sector-specific regulations. For example, the regulation of APIs in the fintech industry especially in regards to sharing data across internal systems and users. Policymakers and regulators need to determine what compliance of the DPA would look like in the digital lending space.

3. Bloatware in inexpensive smartphones

Smartphone companies like Xiaomi have ventured into the digital lending space. Xiaomi launched a digital lending app ‘Mi Credit’ in 2019 for piloting in India. The app comes pre-installed in new Xiaomi devices and is targeted to millennials. The app design presents potential privacy risks to the target users. The eventual impact on digital lending is an important space to look at.

4. Data commercialization

Consumers may not be aware of what data is being collected and how the data is used. Most companies and more emerging business models currently perceive consumer data as an asset and this could very well encourage data commercialization. As such, consumers and regulators need to be more careful on who accesses what data, how the data is being used and to what extent.

The full report is available here.