The Intrusiveness of Money Lending Apps in Nigeria
By Malan Faya
The coronavirus (COVID-19) pandemic’s far-reaching impact on the global economy has been significant. Evidence of this impact includes city lockdowns, disruption in supply chains and manufacturing, sharp reduction in crude oil prices, restriction on large gatherings, disruption of the financial markets, local and international travel restrictions, cancelations of large sports and entertainment events, companies enforcing unpaid leave, job losses and salary cuts.
To cushion the adverse impact of the pandemic, a rising number of cash-strapped Nigerians are turning to digital lenders to sort out their financial needs since access to loans from the traditional financial institutions is often problematic and herculean. This reality is why digital lending startups have emerged with growing influence in the last couple of years. These startups have simplified the lending process, allowing customers to secure loans remotely and in a matter of minutes. With over 122 million internet users in the country, digital lending has unlocked easy access to loans for a large segment of Nigeria’s population like never before.
As a result of the growing need for financial assistance from these lending apps, most users rarely, if ever, take the time to read the terms and conditions and the privacy notices of these digital lending apps.
In this article, I examine some randomly selected online lending platforms in order to analyze and highlight some areas of stringent practices and violations of the Data Protection Principles.
Why online lending platforms?
The major reasons for the growing popularity of digital lending platforms as an alternative source of credit are highlighted below:
- Online access
Digitalization allows consumers to register on an online lending platform from their mobile phones or computers, fill out a loan application, and upload the necessary documents—all in a matter of minutes. Unlike traditional banks, where applying for, processing and approving a loan takes days, digital lending platforms reduce this time to just a few minutes as their processes are largely driven by automation. Online lending platforms also have substantially lower operating costs compared to banks.
- Availability of Credit Data
Online lending platforms leverage credit data—they can assess a borrower’s creditworthiness within minutes based on the data given by the customer or pooled from third-party sources. These platforms tap into various data points and apply predictive models and algorithms to derive useful insights on the borrower to assess their creditworthiness and ability to repay the loan.
Digital lending platforms offer borrowers flexible credit lines, which are usually considered small-value, short-term loans. Also, borrowers can take up these loans without any collateral and then repay their loans through flexible means. Such collateral-free personal loans enable not only individual borrowers but also small businesses to access funds to meet their needs whenever necessary.
Digital lending and data protection in Nigeria
Digital lending in Nigeria comes in a variety of models, such as mobile phone apps, mobile money wallets, and payroll lending, as well as through banks or mobile network operators. The services generally offer small-value, short-term loans. Today there are about 20 online lending platforms in Nigeria that offer small-value, short-term loans to individuals or SMEs, without any collateral. While many of these digital lending platforms are expanding access to credit and deepening financial inclusion, a number of these platforms are also operating outside the principles of fair and lawful processing of personal data as required under the Nigeria Data Protection Regulation (“Regulation”) and other relevant provisions on data protection in Nigeria.
The digital lending process
The digital lending process starts with the onboarding of a borrower. The digital lending platform collects information about the borrower to verify their profile, cash flow and repayment record; validates the borrower where he or she is found to be eligible; and then disburses the loan. Whenever repayment is eventually due, the digital lending platform collects the principal sum as well as the agreed interest. Before a borrower is given any credit or loan, the borrower’s creditworthiness will be assessed. When a borrower downloads the loan app and completes registration, the lender assesses the borrower’s creditworthiness with the help of the borrower’s digital footprint. The loan app assesses a number of variables including mobile phone-based data, such as call and SMS records, mobile money transaction history, contact data, social media data, internet browsing history, geolocation data, and other smartphone information, to determine a credit score and loan amount. The decision derived from this personal data is referred to as “alternative data”.
While borrowers generally “consent” to the use of their data for obtaining loans, it is hard to imagine that they read the full privacy notice and terms and conditions to understand what personal data the lender may have access to and use.
Often, borrowers skip past the privacy notices and terms and conditions of products. This could be sheer human nature, or perhaps because these privacy notices and terms and conditions are either too complex or too long. If the users of these loan apps took some time to read these privacy notices and terms and conditions, most of them would be shocked to discover what they are really getting themselves into. Reading these privacy notices and terms would reveal to the intending app user what data would be collected, how much data would be retained, how long the data would be held, how the data would be secured, whom the data would be shared with, and who would be liable if the data were accessed by an unauthorized party or otherwise used in a way that harmed the borrower. But by often failing to do so, many loan app users end up making themselves vulnerable to the consequences of bad practices by these digital lending platforms.
For organizations that process personal data, the Regulation requires such organizations to provide data subjects with information on how their personal data is processed. This typically takes the form of a privacy notice. However, while going through the privacy notices of a few online lending applications that operate in Nigeria, I found that some online lenders either do not have a privacy notice or, even where they have one, the privacy notice is not comprehensive enough to explain how a user’s personal data is processed. For example, the screenshot below contains the privacy notice of an online lender that operates in Nigeria:
Online lenders need to know that a privacy notice is a public document that explains how personal data is processed on their platforms and services. Article 2.5 of the Regulation provides detailed instructions on how to create a privacy notice, placing emphasis on writing the privacy notice in clear and simple language that users (data subjects) can understand and easily access. Privacy notices should not be hidden in a link at the bottom of a form where few people are likely to see them. The notice is a statement of transparency.
For emphasis, every privacy notice should include at least the following details:
- What data is collected?
- How is the data collected?
- How will the data be used?
- How is the data stored?
- What are data subject rights?
- Whether cookies are being used
- How are cookies used?
- What types of cookies are used?
- How to manage cookies
- Changes to privacy notice
- If the data is shared and the identity of those it is shared with
- Contact information of a contact person, possibly the data protection officer if there is one
- How to contact the regulators
Collection of data
Traditionally, loan applications are evaluated based on formal sources of data, such as bank statements, national ID cards, utility bills, or residential addresses. Today the success of online lending is attributed to the use of predictive technologies and algorithms to interrogate and generate insights from consumers’ digital footprints, which are created while we are transacting and communicating online.
Digital lending platforms use various forms of non-traditional data—from users’ mobile phones, call logs and text messages to bill payments and browsing history, and trivial information such as sleeping habits, messaging habits, daily location patterns and social media behavior—to assess a borrower’s risk and to determine the creditworthiness of the user.
As the CEO of ZestFinance and former Google CIO Douglas Merrill famously said, “data that would have been considered irrelevant—or even absurd—to determining an individual’s credit risk is now leveraged for credit scoring: as the examples below show, how we arrange our phone’s contacts or even how often we call our relatives can become a factor in credit scoring”.
The insight gained from a user’s personal data is used to make decisions, as well as to determine how likely applicants are to repay their debts. If it is shown that a user has a low credit score, that person becomes a risky borrower, which means either that the loan application will be denied or that the amount the borrower is eligible for will be reduced.
Below are screenshots of the privacy notice from three different digital lending platforms on the information they collect from users:
Another online lending application uses Facebook for authentication (as seen below); this is allowed under Facebook’s terms and conditions. This same app uses the behaviour of a user’s friends in its decision-making process on whether or not to grant a loan application. One might ask how this app is able to know who a user’s friends are. It is simple. Online lenders already have access to your Facebook friends and your call log to know who you contact regularly.
Poor data protection hygiene and digital lending
Now that we are aware of the kinds of data users of lending apps exchange for loans, the question one may ask is whether our browsing activities, call logs, social media pages and connections, and text messages are required for giving out loans. For online lenders, the answer to the question will be in the affirmative because of the absence of a well-structured credit bureau system in the country.
It is interesting to know that most people do not care about their privacy, if the carefree attitude of app-based loan applicants in Nigeria towards sharing their personal information to access loans is anything to go by. They are often willing to disclose the information needed if it speeds up the loan process, which is one of the major selection criteria for most borrowers when it comes to choosing a digital lender. The obvious reason why many people do this is that they are desperate for the loan and may not have any alternative. Evidence suggests that a number of online lending platforms may have been exploiting consumers’ desperation.
The ability to process and analyze users’ personal data, which has the potential to unlock insights into any user’s creditworthiness, also generates concerns about privacy. An interesting question that should be asked is: where should the line be drawn when it comes to the types of personal data online lenders should collect and use?
Terms and conditions
To determine a user’s liability in case of a breach and the position of a borrower who defaults in redeeming the loan collected, I reviewed the terms and conditions of some digital lender apps.
Another observation from the T&Cs is the unfair collection practice. This is a key consumer risk which several online lenders abuse. This practice involves excessive online or social media harassment of borrowers and their contacts by digital lenders.
The fate of the borrower who defaults
Going by the terms and conditions, the digital lender has the right to notify anyone, through any means, of the borrower’s indebtedness to the digital lender. A screenshot of such a clause is seen below. Digital lenders are found to be exploiting borrowers’ personal information by accessing the information from the customer’s contact list and sending text messages to some of the customer’s contacts about the customer’s indebtedness and inability to pay the debt owed. The Nigerian Data Protection Regulation frowns on the illegal processing of personal data. Though this data use is based on a contract, it does not appear to be consistent with the spirit of data privacy in the Regulation.
Conclusions and recommendations
In a society where financial inclusion and access to credit from traditional institutions are still a major challenge, lending apps provide great succor to many Nigerians. But the predatory practices of some of the lenders examined call for closer scrutiny from regulators. Lenders must build privacy as the default and into the design stage of their platforms, rather than as an afterthought. Privacy notices should genuinely reflect the honest practices of the lender, and lenders should stay away from using dark design patterns to deceive users. On the other hand, users have the enormous responsibility of knowing what they are signing up for and should also be aware of their data privacy rights under the Regulation. They must pay more attention to the digital lender’s privacy notices and terms and conditions. Whenever a user’s right is violated or allegedly violated by a digital lending platform, users should seek redress.