By Muhindo Morgan

Africa’s financial exclusion/divide remains wide; two thirds of adults in Sub-Saharan Africa don’t have access to formal financial services. Arguably, Africa is managing to narrow the gap through effective and innovative basic technologies such as mobile money payment and transfer systems. In 2021, the mobile money ecosystem was valued at US$701.4 billion with a total of about 621 million accounts and a customer growth of 17%. 

The success story of mobile money has attracted investment deals valued above U.S.$ 2Billion  capturing three thirds of investments in the startup ecosystem. The World Bank considers financial inclusion as an enabler for at least 7 of the 17 United Nations’ sustainable development goals (SDGs). The potential and exponential growth of the mobile money ecosystems informs the ambitious regional and domestic regulation establishing structures to further exploit Africa’s financial technology potential.

One of the greatest (infru)structures that is going to shape money remittances, payments and access to capital for small business and families is the Pan African payment and settlement system (PAPSS) operating under the African Continent free Trade Area agreement (AfCFTA). It pushes to break border barriers when it comes to money remittances and transfers. 

Noteworthy, the payment and settlement systems operating under the PAPSS, will have to feed on big (consumer) data to manage, minimize financial business risks and for the stability of the financial market, therefore African Union member states will need to open up on their data sharing and transfer legislations.

Whereas the world bank recommends standards that can be implemented in domestic laws under Bali Fintech Agenda paper, to achieve the ambitious goals under the PAPSS, there must be a regional legal instrument that sets standards for data flow and data governance at a continental level since it is one of the identified risks in the ecosytem.  The Malabo convention is a silver bullet to achieve this, since it offers a sufficient balanced space for economic and data protection and privacy interests which is key for both players in the digital and especially financial ecosystem. That notwithstanding, the convention has not been ratified by the required number of member states to make it operational.

Noteworthy, a half of the African States have since enacted data protection laws regulating data sharing and incorporating best practice to both protect data and privacy of consumers and the digital market without stifling innovations such as ‘reputation collaterisation’ which rely on personal data.

Personal data including financial information is creating a “gateway” to access to financial services/products including credit by relying on credit referencing and credit scoring tools enabled by collated and curated financial information. Today in Uganda, without valuable assets but with a creditworthy reputation, families and small and medium enterprises are able to access unsecured financial facilities that would otherwise only be available to propertied individuals. However, this has been ongoing without a clear regulatoy legal and institutional frameworks. 

On 21^st October, 2022, Bank of Uganda issued a directive to its supervised financial institutions to transit from financial cards to National Identification numbers/cards or alien cards as a mandatory requirement under section 66 of the Registration of Persons Act, 2015; a law that establishes Uganda’s National Identification Registration Authority, a statutory body mandated to process, issue out and manage national identification system as a way of streamlining the credit services industry.

Subsequently, the central bank updated and issued regulations on credit reference business through the financial institutions (credit reference bureau) Regulations, 2022. This legal regime ambitiously expands the scope of credit reference bureau business in the country and enables the sharing of personal and financial information among the actors involved providing credit facilities within and outside Uganda.

This means that there is going to be big volumes of personal data (existing on national identification systems) and financial information available to facilitate access to financial services including unsecured loans to financial consumers in Agriculture and small scale businesses from within and without.

The foregoing development is not without a number of data protection and privacy and other human rights concerns.  

Whereas credit reference and scoring are fronted as enablers of access to financial products, they have the effect of exacerbating discrimination; for example, defaulters in the ecosystem maybe labeled high risk consumers just like well performers may be labeled low risk, but a self-preserved persons without financial information like financial and employment history are likely to be discriminated against since credit reference and score tools are based on the variables above.

Personal data may be procured for credit reference and scoring purposes looking at the individual’s financial history, but later be repurposed by the actors in the credit reference market player to directly market credit products  to consumers labeled “low risk”.

The Regulations require mandatory data localisation which can only be waived with permission of the Central Bank.The digital economy is based on free flow of data principle, which is important for the realisation of AfCFTA goals. Data localisation is enimical to the PAPSS ambitious goals that have the potential of facilitating financial inclusion through credit referencing. 

Lastly, consent as conceived by the law, is a key element that permits the processing of personal data by data controllers that would otherwise be forbidden. When consent is validly provided by the data subject, data controllers are released from the restrictions provided by the law in a fashion that has been described as an ‘opt-in system”, yet both the Data protection and Privacy Act and the credit reference regulations don’t restrict the collection and processing of consumer data so long as, such data is collected and/or processed as legal or contractual obligation or right respectively here in Uganda. Even though the regulatory framework was different, the concept of informed consent remains ambiguous therefore susceptible to regulatory arbitrage. 

Whereas consent is important at every entry of the data cycle, a legal framework that takes it away, and the reality that it is impossible for credit consumers to withhold it in the face of unfair terms and power imbalances, puts collateralization of personal data in a precarious situation by exposing it to unscrupulous and bad practices yet the financial market boundaries are breaking loose into one of the biggest free trade market in the world.

The consequence is that, the regulator must redefine what informed consent is and strictly implement and enforce the principles of minimality, adequacy and accuracy, accountability and transparency, quality of information, participation and data security as safety valves against abuse of consumers’ special information like financial information since the consequences of such abuse to an individual can be grave; as a result of profiling leading to an assumed reputation that can lead to discrimination, prejudices and stigmatization and widen the financial exclusion gap. 

MORGAN MUHINDO

Legal Tech and Digital Rights Consultant at

Enset tech limited.

morgan@ensetlaw.com