In an era where data is becoming ever more valuable, open finance gives consumers control over their personal financial data so that they may benefit from more suitable and better-targeted financial services. Under open finance, consumers can direct the transfer of their data from banks and other financial institutions (data holders) to fintechs and other financial innovators (data users) who can use this data to develop new products and services that are well-suited to consumer needs. However, this unprecedented ability to move entire financial histories both empowers consumers and poses risks.
CGAP believes open finance can advance financial inclusion by allowing fintechs and other types of financial institutions to offer products and promote financial behaviors that alleviate some of the pain points experienced by low-income customers in emerging and developing markets (EMDEs). And if open finance legal frameworks are designed to advance financial inclusion, this can support the development of financial services use cases that serve low-income populations in EMDEs and bolster an inclusive data ecosystem.
Why are EMDE consumers most at risk?
The potential for consumer risk should not be overlooked. For example, data users might pass on data to another party without consumers having much control over that data or assurance that it will be used in their best interest. Also, in the wrong hands, data could be used to commit fraud or cause harm in other ways. This and other types of data misuse could undermine consumers’ trust in open finance and lead to low adoption.
In EMDEs in particular, low-income individuals face specific challenges regarding data. For instance, written notices of information practices should explain how data will be used and shared, but some individuals in EMDEs may be less literate and therefore unable to fully understand the risks associated with such data transfers or to give fully informed consent. A further challenge to notice and consent is the need to provide disclosures in the many languages spoken within a country. In addition, many individuals access financial services via small communications devices that make notices difficult to read and save.
Given their circumstances, such consumers – despite evidence that they value the privacy of their personal information – may feel disempowered and as though they have no choice but to agree to certain data practices, even if they are not in their best interest. Fintechs and other financial sector providers may not have any specific legal obligations regarding the handling of consumers’ data, either because they are outside the financial services regulatory perimeter or there is no applicable data protection law. This has led to some instances of a fast and loose approach to handling consumer data in the name of monetization and quick profits.
Minimum data protections ensure consumers are safeguarded
It is therefore not surprising that one of the key design elements of an inclusive open finance framework – as well as a foundational element of a much broader inclusive data ecosystem – is data protection regulation. In our technical note that was published in February 2023, we identify minimum data protections required to ensure consumers are protected and that open finance succeeds. These include:
Notice:
Providers should inform consumers in plain and simple language of what data is being collected, for what purposes, how the data will be used, and for how long. Given the complexities of open finance, such notice should also clearly state with which third parties the providers will share this data and how consumers can control their data.
Consent:
Notice is not sufficient; consumers need to give informed consent to the handling of their sensitive financial data and its transfer to data users. Consumers should be able to easily withdraw consent.
Use Limitations:
Data should only be used for its intended purposes, as set out in any notice, and not in ways that do not benefit the consumer.
Data Minimization:
Providers should collect only what they need for the intended purposes and keep the data only for as long as it is needed for those purposes.
Access/Correction:
Since open finance data can be used to both approve and reject applications for essential financial services, consumers need to be able to review the data that is being used, dispute any inaccuracies, and have such inaccuracies corrected.
Security:
Reasonable security measures should be put into place to keep the transmission, storage and usage of consumer financial data safe.
Redress:
When problems arise with how their financial data is handled, consumers need to have a place to submit complaints and be assured that their claims are investigated and resolved in a timely manner. This can be done by the government, through court proceedings, or informally with providers, but the procedure should be clear and easy for an open finance consumer to activate.
Usually, these provisions are enshrined in a comprehensive national data protection law, such as the GDPR in the EU and the LGPD in Brazil, and are implemented by a data protection authority. In certain instances, such as India’s Account Aggregator rules, it is the open finance regulation that contains the relevant provisions. However, many countries, including the majority of EMDEs, have no such laws or regulations. Furthermore, even if a country has a general data protection law, it may not address specific issues raised by open finance, such as onward data transmission to third parties and liability for breach, while open finance regulation may be incomplete from a data protection perspective.
As argued in our recent paper, in the absence of a general data protection law, regulators should review sectoral legislation to see the extent to which these minimum provisions are covered. To the extent there are gaps, the relevant data protections could be built into new laws and regulations that create the open finance ecosystem in the country. This approach may not be able to cover all the relevant minimum provisions, but, over time, either open finance or data protection laws could expand minimum data protections to ensure the complexities of open finance are covered and customers are adequately protected. Only when consumer data is adequately protected can regulators ensure that an open finance framework truly supports financial inclusion and an inclusive data ecosystem.