AFI GUIDELINE NOTE ON DATA PRIVACY FOR DIGITAL FINANCIAL SERVICES
EXECUTIVE SUMMARY

This Guideline Note has been developed by AFI’s Digital Financial Services Working Group (DFSWG) and the Consumer Empowerment and Market Conduct Working Group (CEMCWG). The digital financial services (DFS) market is being transformed at an exponentially fast rate, fueled by FinTech-enabled data processing developments. These changes have led to innovations in the design and delivery of DFS products, which in turn help achieve financial inclusion goals and their poverty alleviation and economic growth benefits.
Conversely, these innovations raise significant data privacy issues for data subjects - data privacy for digital financial services (DP4DFS). Of particular concern are the likely financial capability and technology challenges of data subjects in a financial inclusion context.

The purpose of the Guideline Note is to provide nonbinding guidance for a comprehensive, risk-based and proportionate policy and regulatory framework for DP4DFS. The focus is on privacy issues applicable to DFS, rather than traditional financial services. This is because most privacy issues arise in the DFS context. However, the Guideline Note may also be relevant more broadly.

The Guideline Note builds on earlier AFI knowledge products, which cover data privacy and protection issues. See especially the guiding principles relating to data privacy and protection in the AFI Policy Model on Consumer Protection for Digital Financial Services (2020) (Principle 2.1) and in the AFI Policy Framework for Responsible Digital Credit (2020) (Principle 6). Other relevant AFI Knowledge Products are mentioned elsewhere in the Guideline Note and all are listed in Annex 5.

A wide range of policy and regulatory guidance applicable to DP4DFS has been synthesized for the purposes of the Guideline Note. As well as the AFI knowledge products mentioned above, the sources considered include a diverse cross section of national regulatory frameworks and international standards, guidelines and good practices. Related research and commentary from international organizations, academics, and experts has also been considered.
The result of this work has been the development of the following Guiding Principles. The Key Recommendations for each Guiding Principle are included later in this Guideline Note.
PILLAR 1: DP4DFS POLICY AND REGULATORY FRAMEWORK
1.1 Guiding Principle: Establish governance and consultation arrangements
1.2 Guiding Principle: Assess current DFS legal and regulatory framework and market
1.3 Guiding Principle: Establish overarching policy and regulatory principles
1.4 Guiding Principle: Develop DP4DFS legal framework

PILLAR 2: DATA CONTROLLER AND PROCESSOR OBLIGATIONS
2.1 Guiding Principle: Require effective DP4DFS internal governance arrangements
2.2 Guiding Principle: Establish overarching data processing principles
2.3 Guiding Principle: Create model for informed and effective consent
2.4 Guiding Principle: Require Data Protection Officer where appropriate