ITU-T Focus Group Digital Financial Services
                                                      Recommendations







                Title of recommendation       Further data protection provisions for consideration
                Working Group                 Consumer Experience and Protection

                Theme                         Data protection
                Audience for recommendation   Regulators





                Regulators may also consider the following provisions to protect consumer data privacy: Require that customers
                have the right and the ability to access, verify, and correct their data; require DFS providers have adequate secu-
                rity provisions in place and promptly notify customers in the event of breaches or other security issues affecting
                customers; establish clear DFS provider liabilities in cases of data mishandling, data misuse, or failure to adopt
                reasonable security measures for data the provider holds; consider mandating retention limitations, whereby
                data may only be retained for a specified time period after its collection or use, after which it will be properly
                destroyed; and take steps to ensure customers have the right and ability to port their data from one provider to
                another and that data is interoperable across providers and platforms to make this practical.

               A key area of consumer concern is data security.  Two recent episodes highlight the problem.  In India, between
               three and six million ATM cards have been hacked , exposing financial institutions to millions of dollars in
                                                          62
               potential losses and undermining consumer confidence in the payment system.  It has also been revealed that
               half a billion Yahoo! email users worldwide were affected by a serious data breach .  While many of them
                                                                                      63
               reasonably expected that their email service provider would have sufficient data security measures in place to
               prevent this from happening, or would have at least let them know once the breach had been discovered so
               they could take steps to limit the damage, neither was the case. In 2015, a study was conducted by University
               of Florida  that found serious security shortcomings with a number of mobile money apps, leading the authors
                       64
               to recommend “that dramatic improvements to the security of branchless banking applications are imperative
               to protect the mission of these systems.”  Accordingly, in order to reinforce confidence in DFS, it would be
               appropriate for regulators to mandate DFS providers have adequate security provisions in place and, when a
               breach is discovered, promptly notify affected customers who could then take steps to protect themselves.
               Imposing clear DFS provider liabilities in cases of data mishandling and misuse, or failure to adopt reasonable
               security measures would create important compliance incentives.

               Another important protection that can benefit providers and consumers is limiting how long customer
               information can be retained, requiring data be properly destroyed after a specified time period following
               collection or use.  If data is not on hand, it cannot be compromised, thus protecting consumers from the
               consequences of a security breach and providers as well, since breaches can result in reputational harm as
               well as liability and associated legal expenses.

               Regulators can take other data protection measures as well, such as Kenya’s , credit-reporting laws which give
                                                                             64
               consumers the right to access their information, dispute it if incorrect or incomplete, and have it corrected.
               Providing access and correction rights to DFS consumers benefits everyone.  Inaccurate negative information
               in DFS provider files can result in denials of credit to creditworthy consumers.  Letting those consumers see
               their information and have a chance to correct it can result in more credit approvals and increased file accuracy.

               Finally, customers could be given the right and ability to port their data from one provider to another.  Customer
               data would need to be maintained in a form that is interoperable across providers and platforms in order to



               62   Scroll.in, ATM security breach: Economic affairs secretary asks people to not panic, promises swift action, Updated Jan. 3, 2017
                  http:// scroll. in/ latest/ 819702/ atm- security- breach- economic- affairs- scretary- asks- people- to- not- panic- promises- swift- action
               63   Lord, B.. Yahoo! An Important Message About Yahoo User Security (2016) https:// yahoo. tumblr. com/ post/ 150781911849/ an-
                  important- message- about- yahoo- user- security
               64   Reaves, B., Scaife, N., Bates, A., Traynor, P, Butler, K. R.B. University of Florida, Mo(bile) Money, Mo(bile) Problems: Analysis of
                  Branchless Banking Applications in the Developing World (2015) http:// www. cise. ufl. edu/ ~butler/ pubs/ sec15a. pdf



                94