DISCUSSION NOTE

Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting

NOVEMBER 2018

Finance, Competitiveness & Innovation Global Practice

© 2018 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW
Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

RIGHTS AND PERMISSIONS

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.
Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org

CONTENTS

Acknowledgments
Acronyms and Abbreviations
1 INTRODUCTION
2 SCOPE AND DEFINITIONS
3 CONSUMERS’ VIEWS ON SHARING THEIR PERSONAL INFORMATION
4 HOW USAGE OF NEW FORMS OF DATA IN FINANCIAL SERVICES BRINGS BENEFITS TO CONSUMERS
5 INTERNATIONAL STANDARDS RELEVANT TO BIG DATA AND FINANCIAL CONSUMER PROTECTION
5.1 Core Financial Consumer Protection Principles
5.2 Privacy and Data Protection
5.3 Credit Reporting
6 FINANCIAL CONSUMER PROTECTION PRINCIPLES, NEW FORMS OF DATA CHALLENGES, ISSUES, AND RISKS
6.1 Consent
6.2 Product and Price Segmentation and Potential Discrimination
6.3 Comparability of Financial Services and Products
6.4 Security
6.5 Accuracy and Reliability of Data
6.6 Crossborder Data Flows
7 CONCLUSION

BOXES AND FIGURES

Box 1 Emerging Approaches to Address Consent-Related Issues
Box 2 Insurance, an Area Where Big Data Could Become a Potential Source of Discrimination
Box 3 Recently Issued Regulations and Guidance That Address Concerns about the Usage of New Types of Data from Multiple Sources
Figure 1 The General Principles for Credit Reporting
Figure 2 Mobile Scoring Methodology

ACKNOWLEDGMENTS

This discussion note is a product of the Financial Inclusion, Infrastructure & Access Unit in the World Bank Group’s Finance, Competitiveness & Innovation Global Practice. The note was prepared by Rosamund Clare Grady, Fredesvinda Fatima Montes, and Marco Traversa. Douglas Pearce provided overall guidance. The team is grateful for peer review comments received from Margaret Miller and David Medine.
The team benefited from discussion and consultation papers, and from presentations and discussions at events and conferences, including the Responsible Finance Forum VIII (April 2017) and the Consultative Group to Assist the Poor and International Telecommunications Union’s joint data-privacy and digital-finance workshop, “Two Data-Driven Financial Inclusion Business Models and Implications for Data Privacy” (April 2016). The team gratefully acknowledges useful comments received from members of the International Committee on Credit Reporting (ICCR), the International Financial Consumer Protection Organisation (FinCoNet), and the G20-OECD Task Force on Financial Consumer Protection.

The team thanks Naylor Design, Inc. for design and layout assistance, and Charles Hagner for editorial inputs.

Finally, this report would not be possible without the generous support of the Netherlands’ Ministry of Foreign Affairs.

ACRONYMS AND ABBREVIATIONS

APEC                Asia-Pacific Economic Cooperation
ARCO                access, rectification, correction, and opposition
DFS                 digital financial services
FCP                 financial consumer protection
G20                 Group of Twenty
G20 DFI HLPs        G20 High-Level Principles for Digital Financial Inclusion
G20 FCP HLPs        G20 High-Level Principles on Financial Consumer Protection
General Principles  General Principles for Credit Reporting
Good Practices      Good Practices for Financial Consumer Protection
GSMA                GSM Association
ITU                 International Telecommunications Union
KYC                 Know Your Customer
OECD Guidelines     OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

1 INTRODUCTION

The objective of this discussion note is to provide an overview of consumer-related benefits and risks arising from the usage of new types of data, beyond traditional credit-reporting frameworks, for the provision of financial services, while also aiming at identifying areas for further research. The note was developed primarily by synthesizing discussions about new forms of data—including big data–related financial consumer protection (FCP) issues—both in the various international forums in which the World Bank Group is represented and in consultation and discussion papers. Special regard has been given to the likely benefits and risks for consumers in developing countries and emerging markets. Consideration has also been given to international FCP standards and good practices.

Technological innovation in the financial sector is a global and rapidly growing phenomenon, with particular relevance for developing economies and emerging markets. The use of new technologies is changing how financial products and services are being designed and delivered, vastly increasing the potential number of users by allowing for access even in remote, rural locations while reducing the cost of services. These innovations are especially relevant for developing economies and emerging markets, encouraging them to embrace digital financial-inclusion strategies, with all their potential for economic growth and poverty reduction.[1]

1. Arjuna Costa, Anamitra Deb, and Michael Kubzansky, “Big Data, Small Credit: The Digital Revolution and Its Impact on Emerging Market Consumers” (Omidyar Network, 2016), 6. See also Tavneet Suri and William Jack, “The Long-Run Poverty and Gender Impacts of Mobile Money,” Science 354, no. 6317 (December 9, 2016), 1288–1292.

A key part of this technological innovation is the usage of new types of data and data-processing tools, including big data, in the provision of financial services. While the most talked-about issue is “big data,” focusing on data sets that are characterized by exponential growth in volume, variety, and velocity and that are the subject of advanced data analytics, many other types of new data, beyond traditional credit-reporting frameworks, are currently being used and processed for the provision of financial services.

New technologies, combined with the usage and processing of new types of small-, medium-, and large-volume data, can support financial inclusion and bring benefits to financial consumers. New sources of data, as well as new ways of processing such data, are a key contributor to the explosion in the accessibility of convenient and tailored digital financial services (DFS) to served, underserved, and unserved consumers. They are being used to:

• Design and market “consumer-centric” (digital) financial services for the unbanked;
• Create credit scores for consumers without a formal credit history or with limited credit history;
• Meet and facilitate compliance with “Know Your Customer” (KYC) requirements;
• Price financial services to reflect the risk profile of individual consumers; and
• Minimize the risk of fraud.

On the other hand, issues may arise, as there is a great variety of personal information that may be used and processed in this context. First, traditional financial services providers generally have access to conventional forms of highly organized, readily searchable, structured data, including client data—credit history and scores, IDs, demographics, and survey data—as well as transactional data. Second, technological advancements allow the usage of other forms of data that are new in the sense that they either have not (until recent times) been used by financial services providers or are not necessarily related to the use of financial services. They include, for example, social-media data and data about the usage of e-money, air time, online search and shopping habits, utility payments, psychometric data, Internet-based entertainment services, devices connected to the Internet of Things, and data used to determine insurance-related risks.
The power of some of this data—such as information on business cash-flow and sales history, which is available through e-commerce platforms—has created opportunities for new entrants to financial services. Some of these “new types of data” may also be unstructured (such as emails, texts, audio files, digital pictures, videos, and messages). And, finally, public sources of data are also available from courts and bankruptcy records, all forms of media, and electoral rolls, which could also be exploited and taken into consideration in big-data analytics.

Given the lack of a framework, risks for financial consumers are growing in nature and scale as the use of these new types of data expands. The recent increase in the aggregation and analysis of huge volumes of diversely sourced personal information, and the speed with which it is processed, create the risk that individuals will be defined by reference only to data and algorithms, rather than personal information. More specifically, key risks include the following: uninformed and meaningless consumer consent to the use of personal information; illegal discrimination; unfair price segmentation; lack of transparency about the collection, use, and disclosure of personal information; insufficient data security (the greater the volume of data being stored, the greater the risks); and failure to provide effective access and correction and complaints-handling mechanisms. The potential for these risks to cause harm is greater where consumers have low levels of financial capability, as is the case in many developing economies and emerging markets.

A further factor affecting the growth of benefits and risks is the rapidly expanding use of smartphones to deliver DFS. As of December 2016, there were around 2 billion smartphones globally, and this number is expected to rise to 4 billion by 2020, with much of the growth in emerging markets and developing economies.[2] This growth is fueled largely by the decreasing cost of smartphones, which generate valuable data that can facilitate cheaper, more tailored financial services, and many economies are recognizing this potential.[3]

2. See, for example, https://marketrealist.com/2016/12/smartphones-changing-ems-business-landscape
3. See, for example, recommendations from the various committees of the Government and Reserve Bank of India, which are working on financial inclusion and recommending linking data generated by unique personal identifiers to credit bureaus.

Given the increased usage of new types of small-, medium-, and large-volume data and considering its potential benefits and risks, there has been growing international focus on this phenomenon. The Group of Twenty (G20), the World Bank’s Finance and Markets Global Practice, the Bank for International Settlements, the Consultative Group to Assist the Poor, the Better Than Cash Alliance, the U.S. Consumer Financial Protection Bureau, the GSM Association (GSMA), the European Banking Authority, and the International Monetary Fund, among others, have provided guidance and launched workstreams on this topic. For example, the GSMA’s Code of Conduct for Mobile Money addresses transparency of data, user choice and control, data minimization, fraud management, and security.[4] The Better Than Cash Alliance’s Digital Payments Guidelines also call for clients’ digital data to be kept confidential and secure.[5] Importantly, the G20 High-Level Principles for Digital Financial Inclusion (G20 DFI HLPs) state: “Digital technology also enables the generation and analysis of vast amounts of customer and transaction data (‘Big Data’), which introduces its own set of benefits and risks that should be managed.”[6]

4. Code of Conduct for Mobile Money Providers, Principle 8 (GSMA, 2015), available at https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2015/10/Code-of-Conduct-for-Mobile-Money-Providers-V2.pdf
5. Responsible Digital Payments Guidelines, Guideline 7 (Better Than Cash Alliance, 2016), available at https://www.betterthancash.org/tools-research/case-studies/responsible-digital-payments-guidelines
6. G20 High-Level Principles for Digital Financial Inclusion, Principle 5 (Global Partnership for Financial Inclusion, 2016), available at https://www.gpfi.org/publications/g20-high-level-principles-digital-financial-inclusion.

While there is existing guidance on the use of personal data and recognized financial consumer rights in existing frameworks and international standards, there is a need to examine the frameworks and their adequacy in relation to this phenomenon in the financial sector. Relevant issues may include those relating to consumer and data protection, privacy, credit reporting, competition, and discrimination. In addition, sectoral standards and regulations covering aspects of payment systems, credit information, and data analytics might also include provisions on the massive use of data from different sources. Generally, robust data-protection standards cover only some of these issues, and even where such standards are robust, a key aspect to consider is the implementation of existing rules and principles, particularly relating to FCP, data privacy, and credit reporting, in the context of big data. Finally, beyond the application of rules and principles, this phenomenon poses challenges to responsible authorities both within the national context and internationally and requires firm collaboration between them,[7] as even where regulatory frameworks exist, issues are likely to stretch the supervisory capacity of relevant regulators.

7. See, for example, “Joint Committee Discussion Paper on the Use of Big Data by Financial Institutions,” (European Securities and Markets Authority, European Banking Authority, and European Insurance and Occupational Pensions Authority, 2016).

2 SCOPE AND DEFINITIONS

In recent years, financial services providers have begun using and processing different types of data to make financial services and products more cost-efficient and tailored to consumers’ needs. Given new technological advancements, including the advent of FinTech, and the uptake in electronic transactions and electronic commerce, more and more consumers are generating data that is in turn being processed and used by financial services providers and FinTech. While no single definition of data is used, it can include small, medium, and big data, as well as both unstructured and structured data. It can be data on electronic payments or remittances recipients, as well as social-media data and other types of data, including Internet searches, online shopping, and so forth. The issues presented in this background document cover all types of data and are not limited just to big data, although given its complexity, it deserves special attention.

Given big data’s increased relevance, continued usage, and complexity, and considering that definitions vary across sectors, regulatory bodies, and countries, it is important to define big data before commencing the analysis.

Definitions typically focus on the three Vs—the volume, velocity, and variety of the collected data and the related advanced processing techniques. The Gartner definition is often quoted in this context: “Big data is high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making and process automation.”[8] Governments and regulatory authorities have adopted and used similar definitions. Below is a more detailed explanation of the three Vs:[9]

• Volume. Although there are diverging views about the total volume of new data created on the web, an often-cited estimate is that at least 2.5 exabytes are generated every day, and it’s predicted that 40 zettabytes will be created by 2020.[10] This shows that an immense amount of data is being produced and accumulated, and that the amount is growing very rapidly.
• Velocity. This refers to the rate at which data is generated.
• Variety. This term refers to the wide range of data being collected, analyzed, and used. Examples include traditional data from financial transactions as well as data from social-media networks, psychometric testing, air-time usage, mobile phone and email communications, chat sites, online shopping habits and transaction histories, gaming sites, use of Internet-based entertainment services, virtual currency transactions, utility payments, and data from the Internet of Things. Information on shipping and delivery times, consumer reviews, complaints data, mobile money transaction volumes, and other data relevant to small businesses run by individuals is also relevant.

8. See “Big Data” in the Gartner IT Glossary, available at http://www.gartner.com/it-glossary/big-data. See also https://esas-joint-committee.europa.eu/Publications/Discussion%20Paper/jc-2016-86_discussion_paper_big_data.pdf
9. See, for example, the definition used in “Joint Committee Discussion Paper.”
10. To put this in context, an exabyte has been estimated as 1 trillion, 600 billion books, or about 3,000 times the content of the Library of Congress. Another statistic to note: By 2025, there could be up to 75.4 billion devices connected to the Internet (up from 15.4 billion in 2015). Louis Columbus, “Roundup of Internet of Things Forecasts and Market Estimates, 2016,” Forbes, November 27, 2016, available at https://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/#b65fac4292d5

Beyond the three Vs, big data is also characterized by advanced data analytics and related algorithms. Examples include using algorithms to find correlations in a form of machine learning; collecting and analyzing all available data, rather than, for example, sampling the available data randomly; and repurposing data—that is, using data provided for one purpose for another (using social-media data for marketing purposes, for example).[11]

11. “Big Data and Data Protection” (Information Commissioner’s Office, 2014), 9.

Additionally, the term big data covers both structured and unstructured data. Unstructured data has been usefully defined as “referring to information that either does not have a pre-defined data model and/or is not organized in a predefined manner.”[12] Examples given include emails, text files, audio files, presentations, digital pictures and videos, images and messaging, as well as potentially the underlying sources of metadata.[13] Structured data, on the other hand, has been defined as (in summary) “information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple, straightforward search-engine algorithms or other search operations.”[14]

12. Michelle Nemschoff, “A Quick Guide to Structured and Unstructured Data,” Smart Data Collective, June 28, 2014, available at http://www.smartdatacollective.com/michelenemschoff/206391/quick-guide-structured-and-unstructured-data.
13. Nemschoff, 2014.
14. “Structured vs. Unstructured Data,” BrightPlanet, June 28, 2012, available at http://www.brightplanet.com/2012/06/structured-vs-unstructured-data/.

For the purpose of this document, the consumer is understood as a person or a micro- and/or small enterprise whose data may be collected, used, and disclosed for personal or business purposes.

3 CONSUMERS’ VIEWS ON SHARING THEIR PERSONAL INFORMATION

While the usage of new and different forms of data may bring advantages for financial inclusion and enhance product suitability, recently conducted surveys suggest that consumers have different attitudes toward sharing personal information to receive a better offer. Surveys conducted by the Boston Consulting Group, GSMA, the International Telecommunications Union (ITU), and the Omidyar Network show that, overall, consumers care about their data. Despite this, they are often likely to consent to sharing their data without reading the terms and conditions first, and the extent to which they may be willing to share certain types of information varies significantly.

As consumers are asked more and more often to share their data, it can be inferred that, while they consider certain data private and sensitive, the majority believes that sharing is part of everyday life. A Boston Consulting Group survey conducted in 2013[15] showed that consumers see data related to their phone and financial-services usage as moderately to extremely private (89 percent and 65 percent, respectively), but less than 50 percent of consumers see social-network data and information about purchases as moderately to extremely private. Having this in mind, 78 percent of consumers understand that sharing data is part of everyday life.

15. BCG Global Consumer Sentiment Survey, 2013 (Boston Consulting Group, 2013). The survey was conducted in five European countries (Germany, France, Italy, Spain, and the United Kingdom).

A similar survey focused specifically on mobile Internet usage.[16] It showed that while most consumers are concerned about sharing their data, a smaller proportion will check what information is required to be shared and related policies and procedures before installing an application. However, a significant number of consumers would like to have consistent data-protection and privacy-related rules. In fact, according to the survey, over 80 percent of mobile Internet users worldwide had concerns about sharing their personal information when accessing mobile applications and services. This number dropped to 65 percent when only those mobile-application users who check what information an application wants to access were taken into consideration. Similarly, 81 percent of mobile users think it is important to be informed and to have the option of agreeing each time their personal information is shared with third parties. Nevertheless, most mobile-application users with privacy concerns (52 percent) would still use the application. Lastly, 60 percent of mobile users want a consistent set of rules to apply to any company accessing their location, regardless of how they obtain this information.[17]

16. “Mobile Privacy: Consumer Research Insights and Considerations for Policymakers” (GSMA, February 2014), available at http://www.gsma.com/publicpolicy/mobile-privacy-consumer-research-insights-and-considerations-for-policymakers.
17. See, generally, the overall results of the survey in “Mobile Privacy.”

Another survey, conducted in 2016 by the Omidyar Network, showed that more and more consumers use their phones to make financial transactions and consider phone usage–related data as personal and sensitive. In selected developing economies, a high number of consumers, over 30 percent, use their phones to make financial transactions, and over 80 percent consider emails, calls, and texts as personal and sensitive data, while over 70 percent consider financial and medical data as private. Interestingly, in order to get a loan more easily, 70 percent of consumers would share data on mobile-phone usage and bank accounts, but only 60 percent would be willing to share data on social-media activity. Overall, as for the 2014 GSMA survey, 80 percent believe that the existence and adoption of good, clear policies and procedures governing data privacy would increase their trust in a financial institution.

Finally, the recommendations of the March 2017 ITU-T Focus Group on Digital Financial Services also noted consumer concerns about the sensitivity of their financial information.[18] The research referred to by the ITU indicates that consumers have concerns about how their information will be used and shared, and fear that it may expose them to “identity theft, embarrassment, and tax or criminal liability.”[19] However, the report also notes that consumer attitudes vary from country to country.[20]

18. ITU-T Focus Group on Digital Financial Services, “Consumer Experience and Protection Recommendations,” chapter 5 of ITU Focus Group Digital Financial Services: Main Recommendations (ITU, 2017), available at http://www.itu.int/en/ITU-T/focusgroups/dfs/Documents/201703/ITU_FGDFS_Main-Recommendations.pdf
19. ITU-T Focus Group on Digital Financial Services.
20. ITU-T Focus Group on Digital Financial Services.

Although consumers’ behaviors and attitudes toward the sharing of information vary from one jurisdiction to another, some trends can be highlighted. The above surveys suggest the following trends: (i) Consumers generally see data related to the usage of financial services and phones as sensitive. (ii) Nevertheless, they will not necessarily check privacy policies and forms of consent before accessing DFS. Finally, (iii) there is a demand for clarity and consistency in applicable rules and policies.

4 HOW USAGE OF NEW FORMS OF DATA IN FINANCIAL SERVICES BRINGS BENEFITS TO CONSUMERS

This section analyzes the different ways in which new forms of data have been used and how they have been beneficial to consumers of financial services. New types of data, in particular big data, and the related analytics provide financial services firms with new opportunities to use greatly expanded data sets, and to combine historical data with real-time data when designing and marketing financial products. The potential benefits are numerous. Examples include the following: use of big data by financial services providers for client profiling;[21] putting in place better market-segmentation practices; assessing credit risk, including scoring models;[22] identifying and mitigating risks and delivering more tailored products;[23] assessing and preventing fraud in insurance claims;[24] and, finally, facilitating compliance with regulatory requirements, including meeting KYC compliance requirements.[25]

21. Examples of new client-profiling technologies include Kopa Cash, which provides mobile phone–based loan approvals to M-Pesa account holders within minutes and advises on its website that social media is used in its operations. Nedbank makes widespread use of social-media analytics to enhance the experience of its banking customers.
22. Examples include Sesame Credit Management, which creates credit scores for consumers and small businesses; Kreditech, which processes more than 20,000 data points per application using artificial intelligence built into private credit-scoring technology; Cignifi, which uses mobile-phone data, messages, and payments information to create credit scores; and Lenddo, which allows an organization to use its presence on social networks such as Facebook, LinkedIn, Google, Yahoo, and Twitter to prove its identity and creditworthiness.
23. See https://www.forbes.com/sites/bernardmarr/2015/12/16/how-big-data-is-changing-the-insurance-industry-forever/#7008b703289b
24. The South African insurer Santam has developed a new, faster system for processing claims based on big data to score claims for fraud risk.
25. Tradle in the United States uses block-chain technology to bridge internal and external financial networks to accomplish user-controller KYC portability or Trulioo.

As mentioned, the increased uptake of mobile phones and electronic financial services is generating an enormous amount of data. Not only does this provide new multiple data sources, but the large volume enables big-data analytics that in turn can be used to identify consumer behaviors better and to monitor and prevent fraud. As identified by several reports and studies,[26] electronic-payment transactions have increased substantially over the years. This trend is expected only to increase as national authorities, governments, and regulators act proactively to increase the usage of electronic payments (for example, through the digitization of certain large-volume payment streams) and financial inclusion.[27] For example, banks in Indonesia and Hong Kong use predictive modeling to identify potential fraud and alert consumers almost instantly.[28] The analysis looks at either the “purchase-related data” or customers’ habits and behaviors.

26. See “Global Payment Systems Survey 2015: Accounts and Access” (World Bank Group, 2016), available at http://pubdocs.worldbank.org/en/504871475847684346/GPSS-UFA-Note-October2016.pdf
27. See, generally, Committee on Payments and Market Infrastructures, “Payment Aspects of Financial Inclusion” (World Bank Group, September 2015), section 3.1.2.4, available at http://www.bis.org/cpmi/publ/d133.pdf.
28. “Leveraging Data and Analytics for Customer-Centricity and Innovation” (The Asian Banker, April 2013), section 3, available at https://www.theasianbanker.com/assets/media/dl/whitepaper/SAP_WP_2013_1.pdf

This phenomenon further allows markets and consumers to be analyzed ever more precisely, using millions of data points, and for increasingly tailored financial services and prices to be offered to consumers. For example, financial services providers can use all this new data to assess the product needs of a consumer, his or her risk profile and financial means, and even to establish whether a consumer may be willing to pay more for a given product than other consumers. Products and services can thus be designed to suit the needs of individual customers better, and offerings can be priced on an individual-risk basis.

Further, one of the most frequently cited and common advantages brought by analytics of this data is the possibility of developing credit scores for people who are not covered by traditional credit information systems, such as credit bureaus or credit registries. While access to credit “is a critical element of private sector–led growth,”[29] according to the Global Findex only 11 percent of the world’s adult population borrowed formally in 2014 (this percentage drops to 9 percent in low-income countries, 8 percent in lower middle-income countries, and 10 percent in upper middle-income countries), and over 27 percent of firms globally identify access to finance as a major constraint.[30] This shows that many individuals and firms face significant constraint in accessing formal credit. This is partially due to the fact that many financial services providers are reluctant to provide credit due to poor infrastructure and limited coverage of credit information systems. Many individuals have no credit history. In fact, in countries where coverage is higher or where credit market infrastructure is stronger (on account of insolvency regimes, commercial courts, or movable collateral registries), more individuals and firms receive credit.[31] Given these constraints and issues, the usage of big data for credit-scoring purposes represents an opportunity to provide credit to unserved and underserved. Many financial services providers and FinTechs—in developing economies and emerging markets[32] as well as high-income countries[33]—are turning to these new data sets and their analytics to develop credit and offer different types of credit products to financial services consumers to address information asymmetry–related issues.

29. Doing Business 2017: Equal Opportunity for All (World Bank Group, 2017), 58.
30. Enterprise Surveys, World Bank Group, available at http://www.enterprisesurveys.org/.
31. See, generally, Doing Business 2017, 52–64.

Many financial services providers are also using big data to identify consumers and meet regulatory requirements. Around 18 percent of respondents to the Global Findex 2014 survey cited lack of necessary documentation as a barrier to having a formal account.[34] While there are many costs associated with offering financial services, including delivery costs in rural and remote areas, compliance costs also play a role in making delivery more expensive. In order to comply with regimes aimed at combating money laundering and the financing of terrorism, including KYC requirements, and to lower compliance costs, many financial services providers are using big-data tools.[35]

5 INTERNATIONAL STANDARDS RELEVANT TO BIG DATA AND FINANCIAL CONSUMER PROTECTION

This section outlines aspects of key FCP standards, including data-privacy and credit-reporting principles, that are applicable or relevant in a context where multiple new sources of data are being utilized and processed. The principal standards considered are (i) the G20 High-Level Principles on Financial Consumer Protection (G20 FCP HLPs);[36] (ii) the 2017 edition of the World Bank’s Good Practices for Financial Consumer Protection (Good Practices);[37] (iii) the G20 DFI HLPs;[38] and (iv) the 2011 International Committee on Credit Reporting’s General Principles for Credit Reporting (General Principles).[39] Reference is also made to data-protection standards where applicable, such as the 2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines);[40] the 2009 International Conference of Data Protection and Privacy Commissioners’ Madrid Resolution;[41] the Asia-Pacific Economic Cooperation (APEC) Privacy Framework;[42] and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) of the Council of Europe.[42]

37. Available at https://openknowledge.worldbank.org/handle/10986/28996?locale-attribute=en
38. Available at https://www.gpfi.org/sites/default/files/G20%20High%20Level%20Principles%20for%20Digital%20Financial%20Inclusion.pdf
39. Available at http://documents.worldbank.org/curated/en/662161468147557554/General-principles-for-credit-reporting
40. Available at http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
41. Available at https://icdppc.org/wp-content/uploads/2015/02/The-Madrid-Resolution.pdf
42. Available at https://rm.coe.int/1680078b37.

It is important to underline that there is not a single set of international standards, guidelines, and best practices on FCP. Rather, there are various international standards, guidelines, and codes that apply either generally or to specific issues or sectors.[43] Nevertheless, the standards referred to above cover the issues that seem most relevant in a context where multiple new sources of data, beyond traditional credit-reporting frameworks, are being used and processed.

43. For example, see International Standards on the Protection of Personal Data and Privacy: The Madrid Resolution (Interna-

Finally, it is important to underline that such principles may often be difficult to implement, particularly in low-ca-

32.
See for example, Catherine Cheney, “How Alternative Credit tional Conference of Data Protection and Privacy Commissioners, Scoring Is Transforming Lending in the Developing World,” November 2009); APEC Privacy Framework (Asia-Pacific Devex, September 8, 2016, available at https://www.devex. Economic Cooperation, 2005); General Principles for Credit com/news/how-alternative-credit-scoring-is-transforming- Reporting (World Bank Group, September 2011), prepared by lending-in-the-developing-world-88487. a task force coordinated by the World Bank; and Responsible Digital Payments Guidelines (Better Than Cash Alliance, July For example, see Christina Farr, “Kabbage Brings Its Quick Fix 33.  2016). Other examples include Committee for Payments and Loans to UK Merchant,” VentureBeat, February 16, 2013, Markets Infrastructure and the World Bank Group, “Payment available at https://venturebeat.com/2013/02/16/kabbage- Aspects of Financial Inclusion” (Bank for International brings-its-quick-fix-loans-to-uk-merchants/. Settlements, April 2016); Global Standard-Setting Bodies and Asli Demirguc-Kunt et al., “The Global Findex Database 2014: 34.  Financial Inclusion: The Evolving Landscape (Global Bringing the 2 Billion Unbanked into the Formal Financial Partnership for Financial Inclusion, March 2016); and Basel System,” Findex Notes, no. 2014-2 (April 2015), available at Committee on Banking Supervision, “Guidance on the http://pubdocs.worldbank.org/en/113791483565360488/ Application of the Core Principles for Effective Banking N2UnbankedV5.pdf Supervision to the Regulation and Supervision of Institutions http://financialservices.mazars.com/the-use-of-big-data-tools- 35.  Relevant to Financial Inclusion” (Bank for International to-improve-the-effectiveness-for-amlcft-and-kyc-policy/. Settlements, March 31, 2016). 36. Available at https://www.oecd.org/g20/topics/financial-sector- reform/48892010.pdf. 
6 Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting   7 pacity environments and/or where changes in the finan- use of key summary documents. In a context where cial sector are fast-paced. The principles have been multiple types of data are being collected and pro- developed by different organizations and multilateral cessed, it becomes especially important that data-pri- bodies and provide a framework to ensure privacy and vacy and data-sharing policies are disclosed along with data protection. However, not only have many jurisdic- product features and comparability, as the more such tions transplanted the frameworks into their national data is used to provide personalized offers, the more legal frameworks in different ways, but key aspects of the difficult it will be for consumers to compare products. principles are difficult to implement effectively, particu- • Fair treatment and business conduct. Consumers larly in environments where institutional capacity is low. and investors should be treated fairly and respect- As shown in section 6, these difficulties are heightened in fully; they should not be the subjects of discrimina- a context where multiple new data sources are being tory, misleading, or abusive treatment. Both the G20 used and processed. FCP HLPs (Principle 3) and the 2017 edition of the Good Practices refer to these standards. The 2017 5.1  Core Financial Consumer Protection Principles edition of the Good Practices also provides that unfair terms and practices should be prohibited and closely Provided below is a brief high-level synthesis of FCP monitored by the relevant authority. In a context standards potentially relevant to big data. where several different types of new data are being • Legal and regulatory framework. 
Firstly, it is import- collected and processed, these standards are likely to ant that a proportionate, risk-based FCP legal and reg- mean that there should be a focus on the terms of ulatory framework is in place that both applies to all privacy consents and on company policies and proce- service providers equally and covers key consumer pro- dures followed when dealing with personal informa- tection issues. The G20 DFI HLPs refer to the need to tion. When large volumes of data are collected and “establish a comprehensive approach to consumer and used for a wide variety of purposes, it is especially data protection that focuses on issues of specific rele- important that such standards are in place to protect vance to digital financial services” (Principle 5). The consumers with limited financial capability and tech- G20 FCP HLPs also emphasize the need for FCP to be nological capacity. an integral part of the legal framework (Principle 1). The • Product suitability. Products should be designed 2017 edition of the Good Practices provides further with consumer needs in the target market in mind, details for the different types of DFS that are covered. and the financial needs and capacity of a consumer • Institutional mandate and resources. It is important should be considered before a financial service is pro- that the relevant regulators have both a clear, ade- vided. The G20 FCP HLPs (Principle 6) and the 2017 quate, and non-overlapping mandate (or at least that edition of the Good Practices reflect these standards. there is coordination if they are overlapping) and the While new multiple forms of data allow for more tai- required financial-sector skills and expertise, as well as lored and, hence, more suitable products to be pro- the necessary capacity, tools, and resources. 
Further, vided, it is important that the data used is relevant the relevant FCP regulator should have formal mecha- and accurate and that the product meets the needs nisms for consultation and coordination with other rel- and capacity of the consumer. This is particularly evant regulators on policy and supervision issues important in the context of credit products: A credit (including privacy, telecommunications, and financial facility should be provided only after a reasonable sector–specific regulators). Both the G20 FCP HLPs assessment is made of the consumer’s ability to repay (Principle 1) and the 2017 edition of the Good Prac- it. Further, this is even more important when new tices stress these points. types of data, beyond traditional credit reporting, are used not to provide products that are suitable to • Disclosure and transparency. Consumers should be users, but to maximize profits. provided with accurate, simple, and clearly expressed information about the features, risks, terms, and prices • Customer mobility. Consumers should be able to of financial services (including how their personal infor- transfer a financial facility to a new provider without mation will be handled). Both the G20 FCP HLPs (Prin- unreasonable difficulty. In light of a growing interna- ciple 4) and the 2017 edition of the Good Practices tional focus on the issue, the 2017 edition of the Good confirm these points. These FCP standards further Practices specifically provides that regulators should establish that such information should be given in a ensure that rules forbid anti-competitive practices and timely and user-friendly manner and that, where possi- enable customer mobility. 
To facilitate such mobility, it ble, the format should be standardized through the is especially important that consumers are able to 8   Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting request the transfer of their personal information from data processing should occur only “after obtaining the one financial services provider to another, and that the free, unambiguous and informed consent of the data information is transferred in a useful format.44 subject” (subject to limited exceptions).47 The APEC Privacy Framework also refers to the need for consent • Privacy and data protection. A consumer’s personal to the collection of personal information (where appro- information should be kept confidential and secure, priate).48 Finally, while Convention 108 does not and used only if accurate and with consent (subject to include a similar principle, it goes beyond the consent applicable law). The G20 FCP HLPs (Principle 8) and principle, specifying that data undergoing automatic the 2017 edition of the Good Practices cover this processing shall be stored safely and for a legitimate aspect of data protection and privacy. The G20 FCP purpose, forbidding any other use beyond that spe- HLPs also refer to the need for consumers to be cific purpose.49 Convention 108 further specifies that informed about data-sharing, access, and correction certain categories of sensitive data cannot be pro- rights and to have inaccurate or unlawfully collected cessed automatically, regardless of whether the user data deleted. The revised Good Practices also pro- has given consent or not, unless national legislation vides guidance on the lawful collection of data, the provides appropriate safeguards. The relevant catego- usage and storage of such data, and sharing such data ries include “personal data revealing racial origin, with third parties. 
A more detailed analysis of key political opinions or religious or other beliefs, as well as data-privacy principles is provided below. personal data concerning health or sexual life.”50 • Security of data. Another key principle relating to 5.2 Privacy and Data Protection data privacy and FCP is the need for financial consum- As mentioned above, beyond the core FCP principles, ers’ data to be kept safe and secure. The OECD Secu- more specific and important data-protection principles rity Safeguards Principle provides for security safeguards are directly relevant to financial consumers in a context in as follows: “Personal data should be protected by rea- which multiple data sources are being collected and used. sonable security safeguards against such risks as loss Below is a summary of the key data-privacy principles: or unauthorized access, destruction, use, modification or disclosure of data.”51 The Madrid Resolution places • Informed and meaningful consent. Consent is a fun- stronger emphasis on security issues, containing sepa- damental principle concerning data privacy and FCP. rate principles on security measures and the duty of Different standards, however, define and deal with confidentiality.52 In particular, there is an obligation to consent differently. The OECD Data Collection Princi- protect personal data with the appropriate technical ple provides that “there should be limits to the collec- and organizational measures to ensure the data’s tion of personal data and any such data should be integrity, confidentiality, and availability. There is also obtained by lawful and fair means and, where appro- an obligation to inform data subjects of significant priate, with the knowledge or consent of the data sub- data breaches. 
Similarly, Convention 108 also provides ject.”45 Similarly, the OECD Use Limitation Principle for “appropriate security measures against accidental refers to the need for consent if data is to be used for or unauthorised destruction or accidental loss as well purposes other than the original purpose of collec- as against unauthorised access, alteration or dissemi- tion.46 The Madrid Resolution, through its General nation.”53 The APEC Privacy Framework contains simi- Principle of Literacy, provides that, as a general rule, lar requirements (though with less details) in Principle VII, “Security Safeguards.” The EU General Data Protection Regulation to this extent also 44.  introduces the concept of data portability, see Regulation (EU) • Access, rectification, correction, and opposition 2016/679 of the European Parliament and of the Council of 27 (ARCO) rights. Another key issue relating to data pri- April 2016 on the Protection of Natural Persons with Regard to vacy, FCP, and new types of data is consumers’ right to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, Recital 20: “(1) access the data collected and to request rectification The data subject shall have the right to receive the personal data and cancellation of such information. To this extent, concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another 47.  Madrid Resolution, Principle 12(a). controller without hindrance from the controller to which the 48. APEC Privacy Framework, Principle 18. personal data have been provided, where: a) the processing is 49. Convention for the Protection of Individuals with Regard to based on consent pursuant to point (a) of Article 6(1) or point (a) Automatic Processing of Personal Data (Council of Europe, 1981), of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); Article 5(b). 
and b) the processing is carried out by automated means.” 50. Convention 108, Article 6. Guidelines Governing the Protection of Privacy and Transborder 45.  51. OECD Guidelines, Principle 11. Flows of Personal Data (OECD, 2013), Principle 7. 52. Madrid Resolution, Principles 20 and 21. 46.  OECD Guidelines, Principle 10. 53.  Convention 108, Article 7. Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting   9 the OECD Individual Participation Principle, in sum- able to enforce those rights, especially where custom- mary, provides consumers with the right to find out if a er-recourse systems are not clearly stated, and especially data controller54 has information about them; to obtain where data is held in the cloud and/or is unstructured that data within a reasonable time, in an intelligible data. It is also important that data can be accessed in a form, and at a charge that is not excessive; and to chal- usable form.63 lenge the data and, if successful, to have the data • Accuracy and reliability of data. The OECD Data erased or corrected.55 The Madrid Resolution contains Quality Principle (Principle 8) provides that data col- similar principles dealing with the right of access and lected should be relevant to the purpose for which it is rights to rectify and delete.56 Further, the Madrid Reso- to be used and should be “accurate, complete and lution Data Quality Principle provides that when data is kept up-to-date.” The APEC Privacy Framework has no longer necessary for the legitimate purposes of col- similar provisions (Principle 21). The Madrid Resolution lection, then it should be deleted or rendered anony- Data Quality Principle also requires that data always be mous.57 The additional safeguards of Convention 108 accurate and sufficient and kept up to date. 
Like other provide for similar rights and also specify that data principles, Convention 108 requires that data files be used for a purpose not allowed by law needs to be accurate and up to date (Article 5). erased.58 The APEC Privacy Framework has detailed provisions on access and correction rights in Part V. There are, however, broad exceptions to these general 5.3  Credit Reporting principles. They include the right to refuse a request Finally, to analyze principles relevant to FCP and big data where granting access would involve unreasonable completely, it is important to look at credit reporting and business expense, where the information should not the applicable principles. The General Principles address be disclosed because of legal or security reasons, or the use of credit information and other relevant data in where access could jeopardize confidential commer- credit-reporting systems. These systems involve the collec- cial information or violate another individual’s privacy.59 tion of credit data and other relevant information from mul- tiple sources, resulting in the elaboration of credit reports ARCO rights have also been covered by international or other products that are based on data analytics, such as principles that go beyond data protection, including key credit scores. Figure 1 summarizes the principles and gives financial sector–related principles, as they are essential guidance for interpreting each principle when big data is data-protection rights. As highlighted in the recent G20 being used for making risk-based credit decisions. 
The DFI HPLs, “Consumers also need to have transparent, General Principles contain provisions allowing providers of affordable and convenient access and correction rights.”60 credit-reporting services to collect and process “all the rel- ARCO rights are especially relevant in a DFS context when evant information needed to fulfill their lawful purposes,” an individual’s data is held, or can be accessed, by multi- and requiring data to be kept, to the extent possible, “free ple institutions and the data may be in many different of error, truthful, complete and up to date.”64 forms.61 Consumers may not know who is holding, or has access to, their data,62 for what purpose it is being used, Applying these principles when using new types of data where it is being held or by whom, or the nature and beyond credit reporting to evaluate individuals’ credit- scope of the data that is being held. And even if individu- worthiness may be challenging. Particularly when devel- als do know all this information, they are not likely to be oping credit scores, recent trends show that new credit risk/credit-scoring tools make extensive use of big data.65 54.  Data controller has been defined as “a party who, according to This new trend brings new opportunities to consumers national law, is competent to decide about the contents and use who have no credit history or “thin files,” making them of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by unserved or underserved. Figure 2 shows the develop- an agent on its behalf.” The OECD Privacy Framework (OECD, 2013), chapter 1, annex. OECD Guidelines , Principle 11. 55.  Omer Tene and Jules Polonetsky, “Big Data for All: Privacy and 63.  56.  Madrid Resolution, Principles 16 and 17. User Control in the Age of Analytics,” Northwestern Journal of 57.  Madrid Resolution, Principle 9. Technology and Intellectual Property 11, no. 5 (2013), 239. 58.  Convention 108, Article 8. 
64.  General Principles, Principle 1. 59.  APEC Privacy Framework, Principles 23–25. For the purpose of credit scores to evaluate creditworthiness of 65.  individuals, big data includes information generated by See the G20 DFI HLPs, Action Item, Principle 5. 60.  traditional business activities and from new sources—such as Again, this raises the issue of who should be considered the 61.  electronic-payments data from point-of-sale terminals, bank “data controller” in this context. automated-teller machines, mobile-network operators, and Again, this raises the issue of who should be considered the 62.  utilities—combined with social media (Facebook and Twitter “data controller” in this context. posts and YouTube videos) and geodemographic data. 10   Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting FIGURE 1: The General Principles for Credit Reporting GPII GPIII GPIV Data processing: Governance Legal and GPV security and and risk regulatory Cross-border GPI Data efficiency mangement environment data flows Credit reporting Credit The governance The overall legal Cross-border systems should reporting arrangements of and regulatory credit data have accurate, systems should credit reporting framework for transfers should timely and have rigorous service providers credit reporting be facilitated, sufficient data— standards of and data should be clear, where including security and providers should predictable, non- appropriate, positive— reliability, and ensure discriminatory, provided that collected on a be efficient accountability, proportionate and adequate systematic basis transparency and supportive of data requirements from all reliable effectiveness in subject and are in place appropriate and managing the consumer rights. 
available sources, risks associated The legal and and should retain with the business regulatory this information and fair access to framework should for a sufficient the information include effective amount of time by users judicial or extra- judicial dispute resolution mechanisms Source: Own elaboration based on the General Principles. FIGURE 2: Mobile Scoring Methodology MNO Lender BANK Geographic, demographic, Offer financial & social data 6 Credit Limit 5 1 4 Customer’s data** Consent* 3 Inquiry 2 * Customer consents to sharing mobile usage data ** Usage for given period shared one Source: First Access, World Bank Financial Infrastructure Week, 2015. Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting   11 ment of scoring models using nontraditional data cap- needed as well. Also, the number of vulnerabilities tured from different sources, and a discussion of the increases as the number of different players grows, all relevant principles is provided below. of whom have different technologies, networks, soft- ware, and security policies for access to and use of such • Data. Data used for credit-reporting principles needs data. Finally, as the data chain increases and number of to be reasonably accurate. Considering that in this players becomes larger, it becomes difficult to address context, data could be pulled from a wide variety of vulnerabilities and to develop communications and an sources, General Principle 1 is extremely relevant. To adequate remedy protocol. Implementing a right to cover potential risks of inaccuracy, it provides that object to the use of information for certain purposes “credit reporting systems should have relevant, accu- might require specific guidelines enabling the adop- rate, timely and sufficient data—including positive— tion by at least key data sources. collected on a systematic basis from all reliable, appropriate and available sources, and should retain • Governance and risk management. 
In this analysis, this information for a sufficient amount of time.”66 This another important aspect of credit reporting is the rel- principle could be applied not only to credit-reporting evant governance arrangements. In fact, when evaluat- systems per se but also to providers of credit-informa- ing creditworthiness of individuals, “governance tion services, such as Fintech companies developing arrangements for credit reporting service providers scores, or lending platforms with embedded scoring and credit reporting data providers should ensure models in their systems. Accuracy problems emerge timely and accurate disclosure of relevant matters when small and big amounts of structured and unstruc- related to the entity and its activities” (General Princi- tured data are pulled from multiple sources and the ple 3). This issue includes (i) the legal framework sup- information is not updated on a systematic basis from porting the activities of such institutions, (ii) the types the same sources. Also, some of this information will of entities that may become users of the scores devel- be self-reported by the data subjects. When all this oped and the conditions under which they use such information is merged and used to develop credit services, (iii) the rules and procedures for collecting scores, the following questions arise: and processing such data, (iv) the uses of data, and (v) – Lawfulness of data collection and compatible pur- mechanisms for identifying and mitigating risks involv- poses, and the role of consent when the purpose of ed in the activity. In addition, another transparency rule data collection is neither specifically covered under relates to the protocol established to dispute errors in the law nor compatible with the original purpose of data used to develop the scores. In traditional cred- data collection. it-reporting systems, it is easy to identify and assign accountability to the data controllers. 
In an environ- – How to define and ensure enforcement of data-re- ment where data is pulled from different sources in a tention periods. dynamic manner, this chain of accountability becomes – In the case of open sources such as application pro- more opaque. gramming interfaces (API), would this information be considered public information? • Legal and regulatory environment. The big-data effect has often raised concerns about the potential risk to • Data-processing security and efficiency. Like data pri- consumer privacy when data is combined, resulting in vacy–related principles, the General Principles also precisely tailored consumer profiles. The data sets may cover data security but expand on the security of the be vast, but they can be used to identify individual processing of data and its efficiency. The relevant prin- needs, habits, and financial patterns accurately. Con- ciple establishes that “credit reporting systems should sumers, however, are often unaware that they are gen- have rigorous standards of security and reliability and erating data that affects analytical models. General be efficient and protect data against any loss, corrup- Principle 4, on the legal and regulatory framework, tion, destruction, misuse or undue access” (General includes guidelines on consumer rights. Rules regard- Principle 2). Although difficult, it might be necessary to ing the protection of data subjects/consumers should assign a line of accountability when data is pulled from be clearly defined. At a minimum, these rules should many different sources and captured through a dynamic include ARCO rights defined as “(i) the right to object database. In this case, data-sharing agreements to their information being collected for certain pur- between the different parties might be necessary. 
Evidence of consumers’ choices regarding the collection, processing, and further use of their data might be

66. General Principles, Principle 1.

poses and/or used for certain purposes, (ii) the right to be informed on the conditions of collection, processing and distribution of data held about them, (iii) the right to access data held about them periodically at little or no cost, and (iv) the right to challenge accuracy of information about them.”67 The General Principles recognize consumers’ consent when third parties access their data, although the GPs also call for the collection of information—including positive data—in a comprehensive manner. In an open environment where the data controller is difficult to identify and the purpose of data use might differ completely from the purpose of data collection, consumers’ choice regarding his/her own data might become more necessary, and consent mechanisms, coupled with the concept of portability, could provide certain protection to consumers when third parties use their information extensively.

67. General Principles, Principle 4.

• Crossborder data flows. Finally, considering the DFS context, crossborder data flows are relevant. The General Principles establish that “cross-border flows should be facilitated provided that specific requirements are in place” (General Principle 5). In fact, while it is important to allow for crossborder data flows, it is important that adequate frameworks are in place to ensure that consumers’ rights are adequately protected. Crossborder flows are even more relevant in a context where multiple new sources of data are being utilized; it is important that adequate requirements are in place to protect the processing of such data. This principle is aimed at facilitating the flow of credit information across borders when market conditions call for such flow. However, new methodologies developed to evaluate creditworthiness of individuals and small and medium-sized enterprises already involve the processing of data in different jurisdictions where the service is provided or for the consumers’ data to be captured and further exploited.
– The tools used to collect data are far more numerous.
– The number of jurisdictions involved in the data processing is also larger.
– Discussion of cloud computing and the need to identify a specific jurisdiction is intimately linked to the identification of a data controller.

6 FINANCIAL CONSUMER PROTECTION PRINCIPLES, NEW FORMS OF DATA CHALLENGES, ISSUES, AND RISKS

While the benefits of using and processing new types of data can be substantial, the risks for consumers of financial services can be consequential. New data, beyond traditional credit-reporting frameworks, allows for the delivery of more tailored financial services to consumers and has great potential to increase access to financial services, but its use can also pose FCP challenges, issues, and risks and can introduce new challenges to the application of the standards discussed. This section provides an analysis of these issues, with practical examples provided where relevant.

6.1 Consent

The question at the center of concerns around consent in a big-data context is, How can informed consent be given effectively? Consent is especially problematic when the intended purpose for using the data is unknown at the time of collection or is constantly changing and expanding. Another barrier to giving effective consent is the likelihood in a financial-inclusion context of high levels of illiteracy and low levels of financial capability, especially where deemed consent is provided for in lengthy terms and conditions. Another issue is whether local laws impose restrictions on giving consent to especially sensitive data, such as data relating to health, religious or political affiliations, or sexuality.68

68. See, for example, Ira S. Rubinstein, “Big Data: The End of Privacy or a New Beginning?,” International Data Privacy Law 3, no. 2 (2013).

Consent is especially important in the context where different types of data can be collected, used, and shared by different providers and across borders. An analysis of the terms and conditions of financial products conducted for this note shows that it is common practice to include clauses that allow for (i) the transfer of data to subsidiaries and partners (such as telecommunications companies that may be sharing the data with other financial services provider partners); (ii) the storage of personal information, including transactional, messaging, and call data, for up to five years but limiting providers’ liability for data breaches; and (iii) the transfer of data from certain jurisdictions (not all jurisdictions, including ones with strong protection) to others for the purpose of processing such data.

The limitations on the consent model include:
• Standard “adhesion” contracts. Financial services contracts, and especially those formed digitally without any human interaction, are likely to be in a standard form. Consumers do not have the right to opt out of such contracts or to negotiate them in any way. Accordingly, the terms relating to personal information are usually provided on a “take it or leave it” basis.
• Length and complexity. Forms of consent are so long and complex that it is unrealistic to expect consumers to read or understand them.
• Incomplete information.
All the information needed of the “contracts reviewed had clauses that permit the pro- to make an informed decision may not be provided to vider to share information with third parties, such as credit consumers.69 reference bureaus, law enforcement agencies (both domestic and international), regulators, provider agents, • Hidden forms of consent. The terms of a privacy con- lawyers, auditors, and subsidiaries . . . [including] for rea- sent are often unclear and hidden within lengthy terms sonable commercial purposes related to the provision of and conditions, implying that the user is unaware that services.”72 However, their ability to do so effectively is consent to the collection has even been given. more likely to be challenged by illiteracy, an inability to • Multiple consents. Consumers may be expected to understand complex and lengthy terms relating to the col- consider more than one form of consent when acquiring lection of multiple types of data, and the printing of the a product. For example, a corporate privacy policy, a consent terms in a language the consumer does not under- consent for the product provider, and a consent for any stand (for example, in English in a country that has multiple related partner (such as an e-wallet provider or a partner local languages). Further, such consumers are more likely bank providing credit) may all need to be considered. to be pressured into feeling that they have no choice but to agree to any form of consent if they want the product. • Lack of choice. Consumers do not have a meaningful choice if they want the product in question. 
Behavioral research shows that while consumers are interested in Product and Price Segmentation and Potential 6.2  the way their data could be used for loan determina- Discrimination tion, their overall need for a loan would supersede While the collection, usage, and processing of new types concerns for privacy.70 of data allow for better tailoring of financial services and • Opt out, rather than opt in. Use of information for, products, if the above-mentioned principles are not ade- say, marketing purposes may be permitted subject to quately respected, use of the data may lead to unfair an opt-out, rather than an opt-in, right, and consumers product and price segmentation (including discrimina- may not even be aware that they have this right. tion). As mentioned above, the FCP principles call exp ressly for a prohibition of unfair and abusive practices, • Consent after the event. Consent may be requested including discriminatory ones. Similarly, data-privacy stan- after the information has already been used. For exam- dards call for limitations on data collection, including in ple, social-media and air-time information may be some instance forbidding the usage of specific types of used to create a credit score that is used as the basis sensitive data, and requirements to tie data to the specific for an unsolicited offer of credit. purpose for which it was collected. • No expiry date. There is usually no expiry date to the consent, and consumers cannot be expected to main- Various concerns have been expressed about the use of tain the same preferences over time (especially given multiple new types of data to analyze and segment con- rapid technological developments in big data) or even sumers, including: to remember what they have agreed to.71 • Discrimination. 
There is the potential to be able to use big data to discriminate against consumers with partic- Limitations on the consent model are especially acute in a ular attributes, whether inadvertently or deliberately. financial-inclusion context. In some countries, consumers The U.S. Federal Trade Commission put the issue are increasingly being asked to provide wide-ranging con- another way, asking, “Big data: a tool for inclusion or sent to the use of personal information derived from big- exclusion?”73 One of the most fundamental human data sources with limited understanding. ITU research rights, and FCP principles, is that a person should not shows that in African countries, vague, complex, and bur- be unfairly discriminated against. The key point is that ied consent clauses are fairly common. In fact, 83 percent discrimination on any ground—including race, color, It is generally held that the information that should be provided 69.  ITU-T Focus Group on Digital Financial Services, “Review of DFS 72.  includes which data are collected, used, and shared; the User Agreements in Africa: A Consumer Protection Perspective” purposes for which data are used; which security measures are (ITU, January 2017), available at https://www.itu.int/en/ITU-T/ taken; who is processing the data and who is accountable; and focusgroups/dfs/Documents/01_2017/ITU_FGDFS_Report- user rights and how they can be exercised. Bart Custers, “Click on-Review-of-DFS-User-Agreements-in-Africa.pdf Here to Consent Forever: Expiry Dates for Informed Consent,” See, generally, “Big Data: A Tool for Inclusion or Exclusion? 73.  Big Data & Society, January–June 2016: 1–6, available at http:// Understanding the Issues” (Federal Trade Commission, 2016), journals.sagepub.com/doi/10.1177/2053951715624935. available at https://www.ftc.gov/system/files/documents/ 70.  See, generally, Costa, Deb, and Kubzansky, 2016. reports/big-data-tool-inclusion-or-exclusion-understanding- 71.  Custers, 2016. 
issues/160106big-data-rpt.pdf 14   Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting BOX 1 Emerging Approaches to Address Consent-Related Issues Given the limitations in the consent model, alterna- of consent for the processing of certain types of tives to the need for effective and informed con- data or for specific purposes. sent, and innovative ways to obtain consent, are • An expiry date for consents. Suggestions have being widely discussed and, to some extent, imple- been made that, given that consents are virtually mented. Below are key examples. never reviewed or renewed, there might be a lim- • Privacy by design. Put simply, this concept envis- itation period on the effectiveness of some forms ages building privacy into all stages of the design of consent. It is, however, acknowledged that such and architecture of information systems, business an approach will not solve all the issues with processes, and networked infrastructure. The informed consents.75 focus is on taking a proactive, preventive approach • An opt-in, rather than an opt-out, consent. The to the protection of privacy and the avoidance of recitals to the General Data Protection Regulation privacy harms. Created by the then information state that “silence, pre-ticked boxes or inactivity and privacy commissioner of Ontario, the concept should not therefore constitute consent.”76 rests on the following seven principles: 1. Proactive, not reactive; preventive, not remedial • Using simple messages to help consumers understand which data is being collected and 2. Privacy as the default setting for what purposes. Research by the Consultative 3. Privacy embedded into design Group to Assist the Poor has highlighted that 4. Full functionality—positive-sum, not zero-sum simple messages delivered via SMS may help 5. End-to-end security—full life-cycle protection customers understand concepts relating to the collection of new types of data and encourage 6. 
Visibility and transparency—keep it open them to consider data-protection issues. How- 7. Respect for user privacy—keep it user-centric74 ever, the research also showed that consumers are prepared to allow use of their data if it means • The EU General Data Protection Regulation. that they can obtain a loan.77 This is the leading example of a regulatory approach that requires privacy-by-design princi- Digital technology could also be used to facilitate ples. According to Article 25, “The controller shall the taking of informed consent. As seen in section . . . implement appropriate technical and organisa- 3, while many consumers care about giving meaning- tional measures . . . in an effective way . . . in order ful consent, they often provide it without reading the to meet the requirements of this Regulation and terms and conditions of their consent. To address protect the rights of data subjects.” these issues, consideration could be given to devel- • Minimal collection of information. This is the oping tools that provide for simpler, more clearly concept that only the minimal amount of data expressed, and highlighted forms of consent. Such should be collected. The General Data Protection tools could well be technology-based. They could Regulation has also implemented this principle. include a requirement for the use of standardized Article 5(1)(c) provides: “Personal data shall be . . . forms of consent, as well as the option of having ver- adequate, relevant and limited to what is neces- bal forms of consent that would be recorded by the sary in relation to the purposes for which they are financial services provider. processed (‘data minimisation’).” • Tiered consents. It may be more appropriate to 75. Custers, 2016. introduce a concept of tiered consent by which Regulation (EU) 2016/679 of the European Parliament and 76.  
of the Council of 27 April 2016 on the Protection of Natural consumers will be required to give different types Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, Recital 32. Ann Cavoukian, “Privacy by Design: The Seven Founda- 74.  Rafe Mazer, Jessica Carta, and Michelle Kaffenberger, 77.  tional Principles” (Information and Privacy Commissioner “Informed Consent: How Do We Make It Work for Mobile of Ontario, 2011), available at https://www.ipc.on.ca/wp- Credit Scoring” (Consultative Group to Assist the Poor, content/uploads/Resources/7foundationalprinciples.pdf. 2014), available at http://www.cgap.org/research/ publication/informed-consent-how-do-we-make-it-work- mobile-credit-scoring Source: Own elaboration based on different cited sources. Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting    15 sex, language, religion, political or other opinion, price differentiation could also be beneficial. Further, national or social origin, property, birth, or other sta- while regulatory interventions on pricing need to be tus—should not take place.78 These principles have approached cautiously, the authority noted that “reg- been reflected in equal opportunity laws globally, as ulatory interventions that stop short of direct setting well as in international standards concerning FCP. For or capping of prices appear to have had positive example, in an action item for Principle 5, the G20 DFI impacts in addressing problems arising from price HPLs state: “Require that data not be used in an unfair discrimination.”82 Examples cited of such interven- discriminatory manner in relation to digital financial ser- tions include the banning of joint credit and pay- vices (e.g., to discriminate against women in relation to ment-protection insurance. 
access to credit or insurance).” – The United States case: Research conducted in • Opaque algorithms that perpetuate biases and 2015 by the White House and the Federal Trade assumptions. As discussed above, both key FCP prin- Commission has indicated that the use of big data ciples and the General Principles provide that consum- may result in discriminatory pricing.83 This is because ers should be aware of the policies and procedures consumers tend to be associated with their network used to assess creditworthiness and the needs of of friends, relatives, and ethnicity. As a result, only financial consumers. Commentators also argue that certain communities (in particular, African American the algorithms used are opaque and may perpetuate communities) may be offered products at a higher biases and contain built-in assumptions that are not price. Research conducted in 2016 by the Federal valid and may be unfair.79 Trade Commission also highlighted the concern that “big data analytics could affect low-income, • Differential pricing or “price discrimination.” This is underserved populations, and protected groups” the practice of charging consumers’ different prices (especially in relation to credit and employment for the same product, without reference to cost con- opportunities).84 Other commentators have noted siderations or risk. The practice takes advantage of that, although there are arguments that algorithms the willingness of some customers to pay more with- can eliminate human biases, “an algorithm is only as out losing other more price-sensitive customers.80 good as the data it works with.”.85 The selection of The use of new types of data from multiple sources key attributes used in algorithms is also relevant as makes the practice much easier and cheaper, given search engines’ algorithms may learn to prioritize big data’s ability to provide increasingly segmented characteristics associated with a group on individuals customer information. 
The concern is that it may (e.g. minorities, women) more frequently than other result in unfair treatment of consumers (including characteristics not necessarily associated with those financial consumers). groups. Therefore, it might be useful to understand – Evidence from the United Kingdom. A study con- how meaningful are the correlations found by the ducted by the Financial Conduct Authority81 shows analytics tools based on big data. that both price discrimination and cross-subsidies are common practices across the retail financial services Comparability of Financial Services and 6.3  market in the United Kingdom. The Financial Con- Products duct Authority noted that there are potential compe- tition concerns and that vulnerable consumers may A fundamental FCP principle is having standardized dis- be harmed by the practice while recognizing that closure for selected products and services to enhance comparability. However, the delivery of personalized ser- 78.  International Covenant on Civil and Political Rights (Office of the vices can limit, if not render impossible, comparability High Commissioner on Human Rights, 1976), available at http:// among providers with different levels of information about www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx. the consumer. Although the issue has not been discussed See, for example, Megan Smith, DJ Patil, and Cecilia Muñoz, 79.  “Big Risks, Big Opportunities: The Intersection of Big Data and Civil Rights,” What’s Happening, May 4, 2016, available at https://obamawhitehouse.archives.gov/blog/2016/05/04/ Lukacs, Neubecker, and Rowan, 2016, 9. 82.  big-risks-big-opportunities-intersection-big-data-and- “Big Data and Differential Pricing” (Executive Office of the 83.  civil-rights President, February 2015), available at https://obamawhite- 80.  “Big Data and Differential Pricing” (Executive Office of the house.archives.gov/sites/default/files/whitehouse_files/docs/ President, 2015), available at https://obamawhitehouse. 
Big_Data_Report_Nonembargo_v2.pdf, and “Big Data: A Tool archives.gov/sites/default/files/whitehouse_files/docs/Big_ for Inclusion or Exclusion?” Data_Report_Nonembargo_v2.pdf “Big Data: A Tool for Inclusion or Exclusion?,” executive 84.  81.  Pete Lukacs, Leslie Neubecker, and Philip Rowan, “Price summary. Discrimination and Cross-subsidy in Financial Services,” Solon Barocas and Andrew D. Selbst, “Big Data’s Disparate 85.  Occasional Paper no. 22 (Financial Conduct Authority, Impact,” California Law Review 104 (2016). September 2016). 16   Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting BOX 2 Insurance, an Area Where Big Data Could Become a Potential Source of Discrimination Exceptions to discrimination laws generally allow that insureds will take less care of the insured property insurers to discriminate based on actuarial or statistical because they have insurance to cover the risk. This data on which it is reasonable to rely. The usage of new practice will also better enable insurers to understand, types of data coming from multiple sources means and price, the actions that consumers can take to that insurers can do this more efficiently. Being able to avoid risk—such as medical vaccinations for life insur- price insurance on a policyholder basis means low-risk ance or watering crops for crop insurance policies. customers do not have to subsidize high-risk custom- And they can help insurers monitor whether the ers, and adverse selection risks will be minimized. required actions have in fact been undertaken.86 These risks can make insurance markets fail or lead to insurance not being provided because of the risk that .  86 See, generally, Max N. Helveston, “Consumer Protection in insurers will be left with high-risk customers when low- the Age of Big Data,” Washington University Law Review 93, risk customers self-insure. Insurers may also be able to no. 4 (2016), available at https://openscholarship.wustl. 
price more effectively for moral hazard risk—the risk edu/law_lawreview/vol93/iss4/5/ Source: Own elaboration based on cited sources. widely,87 the concern here is that the increased personal- rity protocols would be appropriate (or how they could be ization of offers could limit consumers’ ability to compare enforced) in relation to this phenomenon where new types financial products and services.88 In fact, while more tai- of data are being collected from multiple sources, as it is lored financial services can be beneficial to consumers, if often unstructured and may be in multiple hands and juris- this is based on data that only one or a certain group of dictions. Innovations such as the India Data Locker, which financial services providers can access (for example, tele- allows for the secure storage of e-documents in personal communication/air-time data that only the e-money issuer lockers in the cloud, may be part of the solution but do not subsidiary can access), consumers may not receive or have cover the entirety of an individual’s personal information. access to comparable information for the relevant prod- Addressing security aspects in open environments, with a uct, as this is based on a particular set of data to which large number of institutions and users accessing such data, only certain providers can have access to. increases the level of difficulty. Further, the possibility of storing large amounts of data also increases potential; in Limited comparability and the possibility that certain pro- fact, the potential fall out of a cyber-attack could have a viders may retain a monopoly on the information of certain long term impact if personal data is used is not used in the consumers, or even categories of them, can ultimately hin- immediate term but in the future. der competition. 
While the overall goal of providing con- sumers with comparable information is to lower prices by There are numerous examples of security weaknesses that increasing competition, if the offer of a relevant financial affect consumers’ data. Among them is the Equifax data service is based on data to which only the provider has breach that occurred between March and July 2017 in the access, it can in turn have an adverse effect on competition United States and affected 143 million consumers and ultimately the prices that consumers pay. When this included in the credit bureau. According to the Federal phenomenon relates to a large group, or even the vast Trade Commission, hackers accessed “people’s names, majority of consumers, this can result in a monopoly, as only Social Security numbers, birth dates, addresses and, in one provider will effectively be able to offer the service. some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dis- pute documents with personal identifying information for 6.4 Security about 182,000 people.”89 The General Principles include Data security is clearly of prime importance in relation to guidelines to avoid or at least mitigate the loss, corrup- personal data. However, it is not clear what minimum-secu- tion, destruction, misuse, or undue access of data. In this 87.  The three European financial-sector regulators have begun Seena Gressin, “The Equifax Data Breach: What to Do,” 89.  looking at this issue. See, generally, “Joint Committee Discussion Consumer Information, September 8, 2017, available at https:// Paper.” www.consumer.ftc.gov/blog/2017/09/equifax-data-breach- 88.  See, generally, “Joint Committee Discussion Paper.” what-do. Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting    17 context, it suggests the adoption of measures and the fre- New types of structured and unstructured data coming quent review of the adequacy of such measures. 
The from multiple sources make accuracy-related issues more objective of these safeguards should be to contain, limit, relevant. For example, opinions, intentions, and historical and respond to data-security breaches. data may be collected, which can lead to problems in determining accuracy and currency, even though the data A key question that arises is whether traditional data-se- might be considered useful for marketing, product-devel- curity processes and procedures are adequate. It is ques- opment, and credit-assessment purposes. Different items tionable whether traditional security methods—access of data may be combined for a particular purpose without codes, authorization levels, firewalls, and so forth—will any item in itself being considered to be “complete” for still apply in a world of cloud computing and the collec- that particular purpose. tion of large amounts of structured and unstructured data. However, the vast scale of the different sources of 6.6 Crossborder Data Flows data as well as the large volume of big data make it diffi- cult to know what the minimum protocols to protect a Convenient online services that allow consumers to access consumer’s personal data should be, especially his or her products and services anywhere might also entail cross- financial data. border data flows. Building trust in the online environment is key and involves the collaboration of all participants, While it is unclear whether the examined principles are including consumers, data providers, service providers, adequate to address such issues, new principles and and authorities. In addition, common rules for interna- good practices are emerging. In particular, see the recent tional cooperation are also relevant in order to achieve G20 DFI HLPs, where an example of an implementing greater cooperation between authorities. 
Further consid- action item is to “develop guidance to ensure the accu- eration could be given to this aspect, as it involves the racy and security of all data related to: accounts and trans- need for a harmonized international approach to consum- actions; digital financial services marketing; and the ers’ rights, dispute-resolution mechanisms, accountability development of credit scores for financially excluded and for data errors, and data-security measures. In addition to underserved consumers. This guidance should cover both the challenges and risks cited under this section when traditional and innovative forms of data (such as data on implementing the General Principles and other data-pri- utility payments, mobile airtime purchases, use of digital vacy and FCP principles, the implementation of General wallet or e-money accounts, social media and e-com- Principle 5, which covers crossborder data flows, might merce transactions).” also involve a conflicting set of laws, a regulatory and supervisory vacuum, and suboptimal coordination between authorities. 6.5 Accuracy and Reliability of Data The data-protection standards referred to above, as well While frameworks may exist in a national context, given as the General Principles, emphasize the importance of the crossborder nature of online shopping and cloud ser- having accurate and reliable data. Implementing such vices, enforcement may be complicated. Given the inter- principles when data is obtained from a wide variety of national flow of data, it is likely that enforcement regimes sources can pose significant challenges, as data accu- and customer-recourse systems will not be clear, particu- racy and reliability may be harder to check. As seen in larly in developing countries and in cases where data is section 4, new types of data coming from multiple held in the cloud and/or is unstructured data. 
sources are generally used to assess creditworthiness when financial information about the borrower is absent It important to establish adequate international frame- either because he or she has recently entered the formal works and cooperation structures to address such issues. financial sector (for example, young people or newly Relevant questions that emerge when looking at these arrived immigrants) or because the credit information issues might be: Do local data-protection laws deal effec- system is not developed. The inherent risk with using tively with these issues? What international frameworks inaccurate and/or unreliable data is that the score/wor- and mechanisms could be set up? Is there a privacy/finan- thiness assessment may be erroneous, leading to poten- cial-sector enforcement authority that can address such tial risks of exclusion if the error is in underestimating the issues? Does that authority effectively coordinate with ability of the borrower to repay, or to potential risks of other regulators, such as financial services authorities and overindebtedness if the error is in overestimating the telecommunications regulators, both at the national and ability of the borrower to repay. international level? 18   Financial Consumer Protection and New Forms of Data Processing Beyond Credit Reporting BOX 3 Recently Issued Regulations and Guidance That Address Concerns about the Usage of New Types of Data from Multiple Sources While legislation continues to be a key response to include biometric identifiers.93 Other key points in privacy risks, the focus on issues associated with the the regulation include (i) the “right to be forgot- usage and processing of new forms of data, in partic- ten,” meaning that individuals have the right to ular those concerning big-data analytics, is limited. 
request that their data be deleted when they no More and more jurisdictions have data-protection longer want it to be processed (subject to certain laws in place, and over 100 jurisdictions (around 50 of exceptions);94 (ii) “the right to data portability” (for which are European) have adopted data-privacy laws. example, between financial services providers); (iii) Nevertheless, these “new frameworks” are shaped “the right to know when one’s data has been around existing guidance and principles, discussed breached,” addressing concerns of cybersecurity above, which, as analyzed, do not fully cover the (this means that controllers will need to notify emerging issues discussed in this note. national supervisory authorities of data breaches, and data subjects will need to be notified of high- Despite this, in recent years some legislative, regu- risk breaches); and (iv) data protection by design latory, and other initiatives have begun focusing and by default. (See box 1.) more specifically on issues relevant to the usage of • Consumer Protection Principles: Consumer- new types of data coming from multiple sources. Authorized Financial Data Sharing and Aggre- • Examples of international initiatives. Between gation. On October 18, 2017, the Consumer 2012 and 2015, several national cybersecurity Financial Protection Bureau issued a new set of strategies were launched.90 In addition, APEC has principles that are not binding but are meant to begun to review its 2004 privacy framework, and provide guidance to a wide variety of stakeholders the International Conference of Data Protection on specific issues relating to data protection and and Privacy Commissioners has included “advanc- big data. 
In fact, the bureau recognizes that several ing global privacy in a digital age” among its stra- stakeholders are working on ways to access, aggre- tegic priorities for 2016–2018.91 gate, and use customers’ data, but it “believes that consumer interests must be the priority of all stake- • The EU General Data Protection Regulation. holders.”95 Hence, it issued the principles to One important aspect is that the regulation will explain its vision of how the data-aggregation mar- apply to all companies that target EU markets or ket can develop while also ensuring that customers consumers, broadening the range of controllers are protected. Key issues covered by the principles falling under its purview. Given the rise of geolo- include “(i) data scope and usability, (ii) control and calization applications, location and other types of informed consent, (iii) security, (iv) access transpar- online identifiers have been included in the defini- ency, (v) accuracy, and (vi) the ability to dispute and tion of personal data,92 and restrictions on the pro- resolve unauthorized access.”96 cessing of sensitive data have been expanded to 90.  For details, see OECD Digital Economy Outlook 2017 Regulation (EU) 2016/679, Article 9. 93.  (OECD, 2017), 225 and followings. Presumably, this provision is based on the “Right to Be 94.  91.  37th International Conference of Data Protection and Forgotten” decision of the European Court of Justice Privacy Commissioners, “Resolution on Conference’s (C-131/12). For a summary, see, generally, http://ec. Strategic Direction” (ICDPPC, October 27, 2015), available europa.eu/justice/data-protection/files/factsheets/ at https://icdppc.org/wp-content/uploads/2015/02/ factsheet_data_protection_en.pdf Resolution-on-Conferences-Strategic-Direction-2016-18. “Consumer Protection Principles: Consumer-Authorized 95.  pdf Financial Data Sharing and Aggregation” (Consumer 92.  Regulation (EU) 2016/679, Article 4(1). Financial Protection Bureau, October 2017). 
96. “Consumer Protection Principles.”

Source: Own elaboration based on the different sources cited.

7 CONCLUSION

The usage of new types of data coming from multiple sources has many benefits but also consumer risks, which need attention. It provides opportunities to expand access to financial services for financially excluded and underserved groups, to deliver better-suited, better-tailored products for consumers, and, ultimately, to reduce costs for providers, producing savings that can be passed on to consumers. However, there are also serious consumer concerns to be considered and further researched. They include a broken consent model and potential technology solutions, price and market-segmentation practices that are potentially discriminatory, ARCO rights that are difficult to implement and enforce, and the need to clarify acceptable security protocols.

There is a clear need for more detailed examination of the implications for financial consumers, with a view to developing an appropriate industry and regulatory response. There should be a focus on deep empirical and analytical research to determine the actual harms and possible industry, regulatory, and supervisory solutions to the identified issues. Any such research should involve wide consultation with a broad range of stakeholders, including industry, regulators, consumer groups, academics, and international development agencies. On the regulatory front, this should include not just consumer and data-protection regulators; financial-sector, telecommunications, and competition- and business-development agencies should also be involved in the discussion.

There should also be close coordination between all relevant international forums working on these issues. The aim should be to monitor, oversee, and share information about relevant issues and possible solutions, with a view to ensuring that consumers are adequately protected while safeguarding the benefits arising from innovations. The World Bank recognizes that big data is an emerging issue and provides guidance in “Retail Payment Services,” annex A of its recently issued 2017 edition of the Good Practices, as to how good practices relating to data protection and privacy can be applied in a big-data context.97

97. See “Retail Payment Services,” annex A of Good Practices for Financial Consumer Protection, 2017 Edition (World Bank Group, 2017), Good Practice D1, explanatory notes.