Page 100 - ITU-T Focus Group Digital Financial Services – Recommendations
Title of recommendation: Further data protection provisions for consideration
Working Group: Consumer Experience and Protection
Theme: Data protection
Audience for recommendation: Regulators
Regulators may also consider the following provisions to protect consumer data privacy: require that customers
have the right and the ability to access, verify, and correct their data; require that DFS providers have adequate
security provisions in place and promptly notify customers in the event of breaches or other security issues
affecting customers; establish clear DFS provider liabilities in cases of data mishandling, data misuse, or failure
to adopt reasonable security measures for data the provider holds; consider mandating retention limitations,
whereby data may only be retained for a specified time period after its collection or use, after which it will be
properly destroyed; and take steps to ensure customers have the right and ability to port their data from one
provider to another and that data is interoperable across providers and platforms to make this practical.
A key area of consumer concern is data security. Two recent episodes highlight the problem. In India, between
three and six million ATM cards have been hacked,[62] exposing financial institutions to millions of dollars in
potential losses and undermining consumer confidence in the payment system. It has also been revealed that
half a billion Yahoo! email users worldwide were affected by a serious data breach.[63] While many of them
reasonably expected that their email service provider would have sufficient data security measures in place to
prevent this from happening, or would have at least let them know once the breach had been discovered so
they could take steps to limit the damage, neither was the case. In 2015, a study conducted by the University
of Florida[64] found serious security shortcomings with a number of mobile money apps, leading the authors
to recommend “that dramatic improvements to the security of branchless banking applications are imperative
to protect the mission of these systems.” Accordingly, in order to reinforce confidence in DFS, it would be
appropriate for regulators to mandate that DFS providers have adequate security provisions in place and, when a
breach is discovered, promptly notify affected customers, who could then take steps to protect themselves.
Imposing clear DFS provider liabilities in cases of data mishandling and misuse, or failure to adopt reasonable
security measures, would create important compliance incentives.
Another important protection that can benefit providers and consumers is limiting how long customer
information can be retained, requiring data be properly destroyed after a specified time period following
collection or use. If data is not on hand, it cannot be compromised, thus protecting consumers from the
consequences of a security breach and providers as well, since breaches can result in reputational harm as
well as liability and associated legal expenses.
Regulators can take other data protection measures as well, such as Kenya’s[64] credit-reporting laws, which give
consumers the right to access their information, dispute it if incorrect or incomplete, and have it corrected.
Providing access and correction rights to DFS consumers benefits everyone. Inaccurate negative information
in DFS provider files can result in denials of credit to creditworthy consumers. Letting those consumers see
their information and have a chance to correct it can result in more credit approvals and increased file accuracy.
Finally, customers could be given the right and ability to port their data from one provider to another. Customer
data would need to be maintained in a form that is interoperable across providers and platforms in order to
[62] Scroll.in, ATM security breach: Economic affairs secretary asks people to not panic, promises swift action, Updated Jan. 3, 2017
http://scroll.in/latest/819702/atm-security-breach-economic-affairs-scretary-asks-people-to-not-panic-promises-swift-action
[63] Lord, B. Yahoo! An Important Message About Yahoo User Security (2016)
https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
[64] Reaves, B., Scaife, N., Bates, A., Traynor, P., Butler, K. R. B. University of Florida, Mo(bile) Money, Mo(bile) Problems: Analysis of
Branchless Banking Applications in the Developing World (2015) http://www.cise.ufl.edu/~butler/pubs/sec15a.pdf