Finance, Competitiveness, and Innovation Global Practice, World Bank
Financial Institutions Group, International Finance Corporation

Financial Consumer Protection and Fintech: An Overview of New Manifestations of Consumer Risks and Emerging Regulatory Approaches

Fintech and the Future of Finance Flagship Technical Note

© 2022 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW, Washington DC 20433
Telephone: 202-473-1000; Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.
Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

Contents

Authors and Contributors
Acronyms
Executive Summary
1. Introduction
  1.1 Fintech-Related Consumer Risks and FCP Regulation
  1.2 The Aims of this Note
  1.3 Fintech Products Covered
  1.4 Areas Outside Scope
2. Cross-Cutting Risks and Related Regulatory Approaches
  2.1 Gaps in Regulatory Perimeter
  2.2 Fraud or Other Misconduct
  2.3 Platform/Technology Unreliability or Vulnerability
  2.4 Business Failure or Insolvency
  2.5 Consumers Are Not Provided with Adequate Information
  2.6 Product is Unsuitable for a Consumer
  2.7 Conflicts of Interest and Conflicted Business Models
  2.8 Risks from Algorithmic Decision-Making
  2.9 Data Privacy
3. Implementation Considerations
  3.1 Importance of Country Context and Striking an Appropriate Balance
  3.2 Assessing the Market, Consumer Experiences, and the Current Regulatory Framework
  3.3 Determining the Right Regulatory Approach, Including Considering Alternatives
  3.4 Effective Supervision and Awareness-Building Will Also Be Critical to Impact
  3.5 Complementary Measures
Appendix 1: Overview of Consumer Risks and Regulatory Approaches by Type of Fintech Product
Bibliography

List of Tables

Table 1. Fintech Products Discussed in This Note

Authors and Contributors

This note is part of a series of technical notes developed for the “Fintech and the Future of Finance” report, a joint effort by the World Bank and the International Finance Corporation (IFC). This note is a product of the Financial Inclusion and Consumer Protection Team within the Financial Inclusion, Infrastructure, & Access Unit of the World Bank Group’s Finance, Competitiveness, & Innovation Global Practice.
This project was led by Erik Feyen and Harish Natarajan (both World Bank) and Matthew Saal (IFC) under the overall guidance of Jean Pesme, Mahesh Uttamchandani, and Anderson Caputo Silva (all World Bank) and Paolo de Bolle and Martin Holtmann (both IFC). Alfonso Garcia Mora (IFC, formerly World Bank) provided guidance at inception and during earlier stages of the report. This note was prepared by Gian Boeddu and Jennifer Chien (Senior Financial Sector Specialists, World Bank) and is based on a recently published World Bank Policy Research Paper titled Consumer Risks in Fintech—New Manifestations of Consumer Risks and Emerging Regulatory Approaches1 written by Gian Boeddu, Jennifer Chien, and Ivor Istuk (Senior Financial Sector Specialists, World Bank) and Ros Grady (Consultant, World Bank). The team thanks Machimanda A. Deviah (World Bank) for editorial assistance, Maria Lopez (World Bank) and Sensical Design for design and layout, Elizabeth Price, Melissa Knutson and Nandita Roy (all World Bank) and Henry Pulizzi and Elena Gox (both IFC) for communications support, and Michael Geller and Arpita Sarkar (both World Bank) for overall coordination.

1. Available at https://documents.worldbank.org/en/publication/documents-reports/documentdetail/515771621921739154/consumer-risks-in-fintech-new-manifestations-of-consumer-risks-and-emerging-regulatory-approaches-policy-research-paper.
Acronyms

APR: Annual Percentage Rate
ASIC: Australian Securities and Investments Commission
BdP: Banco de Portugal
CAK: Competition Authority of Kenya
CGAP: Consultative Group to Assist the Poor
DFSA: Dubai Financial Services Authority
EBA: European Banking Authority
FCA: Financial Conduct Authority (UK)
FCP: Financial Consumer Protection
FinCoNet: International Financial Consumer Protection Organisation
FSP: Financial Service Provider
GDPR: General Data Protection Regulation
IMF: International Monetary Fund
MNO: Mobile Network Operator
P2P: Peer-to-Peer
P2PL: Peer-to-Peer Lending
PSD2: Directive 2015/2366 on Payments Services 2015 (EU)
RBI: Reserve Bank of India
SEC: Securities and Exchange Commission (USA)
T&C: Terms and Conditions
WBG: World Bank Group

All dollar amounts are U.S. dollars unless otherwise indicated.

Executive Summary

Fintech2 is increasingly recognized as a key enabler worldwide for more efficient and competitive financial markets, and for expanding access to finance for traditionally underserved consumers. As noted in the Bali Fintech Agenda,3 launched in October 2018 by the World Bank Group (WBG) and the International Monetary Fund (IMF), fintech can support economic growth and poverty reduction by strengthening financial development, inclusion, and efficiency. The critical challenge for policy makers is to harness the benefits and opportunities of fintech while managing its inherent risks. Some of these risks are new.
But many represent new manifestations of existing risks due to the technology that supports and enables fintech offerings, from new or changed business models, product features, and provider types, and from greater consumer accessibility to sometimes unfamiliar or more complex financial products.4 For example, a rapid expansion of the peer-to-peer lending (P2PL) market in China in the first half of the 2010s was followed by significant platform collapses, incidents of fraud, and platform operator misconduct, which caused significant losses to consumers.5 While digital microcredit has expanded access to credit in some developing economies, countries such as Kenya and Tanzania have seen large numbers of borrowers unable to repay loans due to irresponsible lending practices.6 Similarly, while there was significant uptake of electronic money (e-money) in many developing markets, this has been accompanied by a rise in a variety of risks for consumers, including potential loss of funds due to fraud and unscrupulous fee-charging. Such negative experiences, in addition to causing direct harm to consumers, may also lead to greater mistrust of fintech and the financial sector, overall. The COVID-19 pandemic has further accelerated the widespread transition of consumers to digital financial services and fintech, highlighting their significant benefits while also demonstrating how risks to consumers can increase in times of crisis and economic stress. 
For example, reports from Indonesia indicate that individual lenders/investors have been adversely affected by risky loans made through P2PL platforms, as have been borrowers who obtained such loans, and are now struggling to get lenders/investors to restructure them.7 Significant numbers of low-income consumers have faced difficulty repaying existing debts due to the pandemic.8 Small enterprises have been severely affected by widespread closures and safety measures to slow the spread of COVID-19, thus decreasing enterprises’ profitability and impeding repayment obligations.9 This in turn exposes their investors to increased risk of loss from their investments. In addition, significant increases in fraudulent app-based digital microcredit lenders have been observed during COVID-19 lockdowns.10

2. For the purposes of this note, fintech refers to advances in technology that have the potential to transform the provision of financial services, spurring the development of new business models, applications, processes, and products. See World Bank Group and International Monetary Fund, Bali Fintech Agenda, 12.
3. World Bank Group and International Monetary Fund, Bali Fintech Agenda.
4. For an overview of risks and benefits in a digital financial services context, see G20/OECD Task Force on Financial Consumer Protection, “Financial Consumer Protection Policy Approaches.” 12–14.
5. See, for example, Duoguang, “Growing with Pain,” 42; Owens, “Responsible Digital Credit,” 8–9; Huang, “Online P2P Lending,” 77; Hornby and Zhang, “China’s Middle Class.”
6. For example, a 2017 MicroSave study found that 2.7 million Kenyans were blacklisted in credit reference bureaus in the past three years; 400,000 of these for amounts of less than $2. See MicroSave, “Where Credit Is Due.”
7. See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.”
8. For example, 76 percent, 80 percent, and 89 percent of low-income survey respondents in Ghana, India, and Kenya, respectively, indicated they were late in making loan repayments since the pandemic began. See BFA Global, “Dipstick Surveys.”
9. See, for example, Gibbens, “Helping Small Businesses.”
10. https://www.centerforfinancialinclusion.org/combating-the-rise-in-fraudulent-fintech-apps

Authorities responsible for financial consumer protection (FCP) regulations are increasingly faced with the challenge of developing or adapting regulations that may be necessary to address risks to consumers generated by fintech. The task of regulators in developing countries is even more difficult if they tackle this new challenge while having to implement a baseline FCP regulatory framework.11 In a recent survey, regulators identified their limited internal technical expertise as the foremost impediment to regulating and supervising “alternative finance” (such as P2PL and equity crowdfunding) effectively.12

This note provides (1) an overview of new manifestations of consumer risks that are significant and cross-cutting across four key fintech products: digital microcredit, P2PL, investment-based crowdfunding, and e-money;13 and (2) examples of emerging regulatory approaches to target such risks. This note is based on a more detailed recently published WBG Policy Research Paper titled Consumer Risks in Fintech—New Manifestations of Consumer Risks and Emerging Regulatory Approaches. The research paper delves more deeply into each of the four key fintech products and their associated risks. The appendix provides an overview of product-specific risks for which more information can be found in the research paper.

The primary focus and objective of this note, and the paper on which it is based, is to inform authorities’ development of regulatory policy.
The examples included here are intended to assist regulators considering potential FCP regulatory approaches to fintech. However, it is hoped that the discussion of manifestations of consumer risks in a fintech context can also assist authorities with related key areas, such as market conduct supervision.

The key consumer risks and corresponding regulatory approaches discussed in this note include the following:

• Factors such as the novelty and opaqueness of fintech business models, the responsibilities of fintech entities in the context of those business models, and a lack of consumer familiarity with, and understanding of, the new offerings can lead to heightened risks of fraud or misconduct by fintech entities or third parties. Platform finance (P2PL and investment-based crowdfunding) poses risks to consumers, both lenders/investors and borrowers. Lenders/investors may face losses due to the conduct of platform operators or related parties, such as fraudulent lending or investment opportunities, misappropriation of funds, or facilitation of imprudent lending or investment to generate fee revenue for the operator to the detriment of consumers who will ultimately bear resulting losses. Consumers borrowing from such platforms may similarly suffer harm from the resulting imprudent lending. Holders of e-money face risks related to agent misconduct, including charging of unauthorized fees, splitting transactions to earn more commissions, and “skimming” into agent accounts.
Regulatory approaches to addressing such risks include: vetting of fintech entities during the authorization stage; risk management and governance obligations for platform operators; imposing clear responsibility and liability on providers for the conduct of persons acting on their behalf; placing targeted obligations on platform operators to safeguard consumers’ interests regardless of business model (such as requiring P2PL platform operators to undertake creditworthiness assessments even if they are not themselves the lender); warnings and provision of other key disclosures to consumers regarding the risks associated with fintech products; and segregation of client funds.

• Certain characteristics of fintech business models can lead to conflicts of interests between consumers and fintech entities. For example, business models heavily dependent on fees generated by new lending business can give rise to perverse incentives for fintech entities to act in a manner inconsistent with the interests of their consumers, such as P2PL platforms or digital microcredit providers focusing on loan quantity over quality to maximize fee-related returns. Such risks can be exacerbated in markets where fintech entities are attempting to grow their revenues and size quickly. Potentially harmful conflicts can also arise where fintech entities are empowered to take decisions affecting the risk of loss on loans, but where that risk is borne by consumers—such as a P2PL or crowdfunding platform operator assisting with loan or investment selections without performing adequate due diligence. Corresponding regulatory approaches include placing positive obligations on fintech entities to manage and mitigate conflicts of interest, to act in accordance with the best interests of their consumers, to undertake adequate assessments regardless of business model, and to prohibit business arrangements that encourage conflicted behavior.

11. For an overview of key elements of an FCP regulatory framework (being an element of a broader legal and supervisory framework for FCP), see, for example, World Bank Group, Good Practices, 14, 68, 102, and 140.
12. World Bank Group and CCAF, Regulating Alternative Finance, 63.
13. Selected as examples of fintech offerings that may address some of the most basic needs of first-time, and thus inexperienced, financial consumers—namely, making payments, borrowing, or saving or investing money—as well as representing different stages in the development of fintech product offerings and corresponding regulatory and policy frameworks that surround them.

• Consumers may face a heightened risk of adverse impacts due to platform or technology unreliability or vulnerability. Consumers may be more vulnerable to cyber fraud when acquiring fintech products than when accessing financial products through more traditional channels as interaction with providers is largely or exclusively via digital and remote means. Platform or other technology malfunctions can have adverse impacts on consumers ranging from inconvenience and poor service to monetary loss and loss of data integrity, the risk of which may increase due to heavier reliance on automated transaction processing. Regulatory approaches to addressing such risks include specific obligations on fintech entities to address technology and systems-related risks and risks associated with outsourcing.

• Some fintech entities may be at greater risk of business failure or insolvency than established financial service providers (FSPs), due to inexperience, untested businesses, and market factors affecting long-term viability. This can mean that consumers, whose funds are held or administered by a fintech entity, face correspondingly greater risk of loss if the provider becomes insolvent or the business ceases to operate.
Consumers may risk losing their committed loan principals and investment funds or repayments and earned investment returns that are being held or administered by a P2PL or crowdfunding platform that fails. Insolvency of e-money issuers or banks holding e-money floats similarly puts client funds at risk, especially where there is no deposit insurance. Regulatory approaches to address such risks include requirements for client funds to be segregated from other funds held by a fintech entity and requiring that fintech entities have in place business-continuity and resolution arrangements.

• The digital environment poses inherent challenges for disclosure and transparency, amplified by the novelty of fintech product offerings and consumers’ lack of experience with such products. Information provided via digital channels may not be appropriately formatted to assist in understanding or retention by consumers. Poor design of user interfaces may hamper consumer comprehension or exploit behavioral biases by concealing or underplaying “negative” aspects such as risks and costs. Fintech can also give consumers access to products, such as P2PL or crowdfunding investment opportunities, to which they may previously have had limited or no exposure, thus making clear and understandable information even more essential for good decision-making. Approaches to address such issues include requirements to disclose key information in a consistent and clear format, on a timely basis, and in a manner that can be retained by consumers. Behavioral insights can also be utilized to disclose information via digital channels in a manner that aims to increase the likelihood of consumer comprehension.

• Consumers face potentially heightened risks when acquiring fintech products due to their lack of sophistication or inexperience.
With the development of fintech, consumers increasingly have access to novel and complex financial products, but they may lack the knowledge or experience to assess or use these products properly. For example, platform finance enables more individuals to act as investors and lenders. This has positive implications for financial inclusion but can present enhanced risks for ordinary consumers new to assessing more complex opportunities. Potential regulatory approaches include setting limits on individual investments, such as overall caps on how much an individual may borrow through a P2PL platform or how much money a company can raise on a crowdfunding platform, or limitations on specific types of investors or exposures; targeted warnings to potential investors; requiring consumers to confirm that they understand the risks they are undertaking; and cooling-off periods. Risks may also arise with respect to digital microcredit products being offered to consumers that are unsuitable and unaffordable. Regulatory approaches include requiring effective creditworthiness assessments and applying product design and governance principles, particularly where automated credit scoring is utilized.

• Use of algorithms for consumer-related decisions is becoming particularly prevalent in highly-automated fintech business models. Consumers may face a range of risks as a result, such as discriminatory or biased outcomes. Emerging approaches in this context include applying fair treatment and anti-discrimination obligations to algorithmic processes; putting in place governance frameworks that require procedures, controls, and safeguards on the development, testing, and deployment of algorithms to ensure fairness; auditing requirements; and providing consumers with rights regarding how they or their information may be subjected to algorithmic decision-making.
It is not the intent of this note to suggest that all risk mitigants it discusses should be implemented. For any regulator contemplating implementing the kinds of regulatory measures discussed in this note, it will be important to prioritize and take a risk-based approach, to tailor regulatory approaches to country context, and to balance the need for consumer protection with the resulting impact on industry and market development and innovation. It would not necessarily be advisable for a country to implement all of the regulatory measures discussed in this note immediately or to transplant approaches from other jurisdictions without adjustment. This note also summarizes a range of key implementation matters for regulators to consider.

1. Introduction

1.1 Fintech-Related Consumer Risks and FCP Regulation

Within the broader digital financial services space, the umbrella term fintech (financial technology) represents particularly novel product or service offerings that leverage technology. While there is no universally accepted definition of fintech, a broad interpretation recently posited by the World Bank Group (WBG) and International Monetary Fund (IMF) describes fintech as advances in technology that have the potential to transform the provision of financial services, spurring the development of new business models, applications, processes, and products.14 Fintech is increasingly recognized as a key enabler for financial sectors worldwide, enabling more efficient and competitive financial markets while expanding access to finance for traditionally underserved consumers.
In October 2018, the WBG and IMF launched the Bali Fintech Agenda, a set of 12 policy elements aimed at helping countries harness the benefits and opportunities of fintech while managing its inherent risks.15 As noted in the Bali Fintech Agenda, fintech can support potential growth and poverty reduction by strengthening financial development, inclusion, and efficiency. Recent analysis by the IMF also points to the potential for digital finance to assist in mitigating economic impacts of the COVID-19 pandemic.16 Along with its benefits, fintech also poses a range of risks to consumers that need to be mitigated for fintech to truly benefit consumers. Some of these risks are new, but many represent new manifestations of existing risks—resulting from the technology supporting and enabling fintech offerings with new or changed business models, product features, and provider types—and also due to greater consumer accessibility to sometimes unfamiliar or more complex financial products.17 For example, a rapid expansion of the P2PL market in China in the first half of the 2010s was followed by significant platform collapses and incidents of fraud and platform operator misconduct that caused significant losses to consumers.18 While digital microcredit has expanded access to credit in some developing countries, countries such as Tanzania and Kenya have seen large numbers of borrowers unable to repay their loans.19 Similarly, while there has been significant uptake of electronic money (e-money) in many developing markets, the rise in its use has been accompanied by a rise in risks for consumers, including potential loss of funds due to fraud and unscrupulous fee-charging practices. The COVID-19 pandemic has further accelerated the widespread transition of consumers to digital financial services and fintech, highlighting their significant benefits while also demonstrating how risks to consumers can increase in times of crisis and economic stress. 
For example, reports from Indonesia indicate that individual lenders/investors are currently being adversely affected by risky loans made through P2PL platforms, as are borrowers who obtained such loans but are now struggling to have lenders/investors agree to restructure them.20 Significant numbers of low-income consumers are facing increasing difficulty in repaying existing debts due to the pandemic.21 Small enterprises have been severely affected by widespread closures and safety measures designed to slow the spread of COVID-19, decreasing their businesses’ profitability and impeding their ability to honor repayment obligations.22 This in turn exposes their investors to increased risk of loss from their investments.

14. See World Bank Group and International Monetary Fund, Bali Fintech Agenda, 12.
15. World Bank Group and International Monetary Fund, Bali Fintech Agenda.
16. IMF, Promise of Fintech.
17. For an overview of risks and benefits in a digital financial services context, see G20/OECD Task Force on Financial Consumer Protection, Financial Consumer Protection Policy Approaches, 12–14.
18. See, for example, Duoguang, “Growing with Pain,” 42; Owens, “Responsible Digital Credit,” 8–9; Huang, “Online P2P Lending,” 77; Hornby and Zhang, “China’s Middle Class.”
19. For example, a 2017 MicroSave study found that 2.7 million Kenyans were blacklisted in credit reference bureaus in the past three years, 400,000 of these for amounts of less than $2. See MicroSave, “Where Credit Is Due.”

The COVID-19 pandemic has also increased the demand for digital payment services such as e-money in preference to cash.
Reasons for this include the impact of lockdowns on both consumers and merchants; the dissemination of emergency relief, welfare payments, and other forms of welfare support via digital platforms; reductions in fees for payment services; a disinclination to use cash because of the perceived risk of virus transmission via paper money; and central banks encouraging consumers to use digital payment services and merchants to accept them.23 With increased momentum for digital financial services generated by the crisis, it is important that regulatory measures also address potential increases in risk. For example, prior to new P2PL rules coming into effect, authorities in the Republic of Korea announced a lowering of the limits they would place on how much individual lenders/investors could invest, taking into account increased levels of credit risk amid the COVID-19 crisis.24 Recognizing the increased need for accessible funding, some regulators have introduced temporary adjustments to existing crowdfunding regulations to facilitate and speed up the process of raising funds.25

Authorities responsible for FCP are increasingly faced with the challenge of developing or adapting FCP regulation as may be necessary to address risks to consumers generated by fintech. Regulators are having to consider whether and what adjustments they may need to make to established FCP approaches, or whether new innovative approaches are required, to mitigate manifestations of consumer risks resulting from fintech. In a recent survey on alternative finance such as P2PL and investment-based crowdfunding, regulators identified their limited internal technical expertise as a major impediment to regulating such activities effectively.26 The task of regulators in developing countries is even more difficult if they are attempting to tackle this new challenge while having to implement baseline FCP regulatory frameworks at the same time.
1.2 The Aims of this Note

This note provides (1) an overview of new manifestations of cross-cutting consumer risks across four key fintech products (digital microcredit, P2PL, investment-based crowdfunding, and e-money) and (2) examples of emerging regulatory approaches to mitigate such risks. Each identified risk tends to be relevant to all or most of the four fintech products discussed, although the way relevant risks manifest may vary between the products. The note provides an overview of these issues and is based on a more detailed WBG Policy Research Paper titled Consumer Risks in Fintech—New Manifestations of Consumer Risks and Emerging Regulatory Approaches,27 which discusses these risks and regulatory approaches in more detail (and explores risks unique or more specific to particular fintech products).

20. See, for example, Faridi, “P2P Fintech Lending Sector in Indonesia.”
21. For example, 76 percent, 80 percent, and 89 percent of low-income survey respondents in Ghana, India, and Kenya, respectively, indicated they were late in making loan repayments since the pandemic began. See BFA Global, “Dipstick Surveys.”
22. See, for example, Gibbens, “Helping Small Businesses.”
23. See, for example, IMF, “Digital Financial Services and the Pandemic.” See also Jurd De Girancourt, “How the COVID-19 Crisis May Affect Electronic Payments.”
24. Bae, “S. Korea to Place Investment Cap.”
25. See, for example, SEC, “Facilitating Capital Formation and Expanding Investment Opportunities.”
26. World Bank Group and CCAF, “Regulating Alternative Finance,” 63.
27. Prepared by Gian Boeddu, Jennifer Chien, and Ivor Istuk (Senior Financial Sector Specialists, WBG) and Ros Grady (Consultant, WBG) and available at https://documents.worldbank.org/en/publication/documents-reports/documentdetail/515771621921739154/consumer-risks-in-fintech-new-manifestations-of-consumer-risks-and-emerging-regulatory-approaches-policy-research-paper.
Examples of regulatory approaches are drawn from country examples and international literature. While international practice is converging on FCP regulatory approaches to address some risks, measures can differ significantly or are still in the developmental stage for other risks. A range of emerging examples have been included to assist regulators in developing their own regulatory approaches in a rapidly developing field.

The note does not cover all consumer risks and corresponding regulatory approaches common to traditional and fintech products. In 2017, the WBG published the latest edition of its Good Practices for Financial Consumer Protection (WBG FCP Good Practices 2017),28 which addresses this broader range of baseline, and equally important, risks and mitigants across financial product categories in both traditional and fintech contexts.29 The note, and the research paper on which it is based, are complementary to the WBG FCP Good Practices 2017 in assisting policymakers to develop and implement FCP regulation that addresses new manifestations of risks affecting consumers.

This note discusses fintech-related risks from a retail consumer perspective. In particular, it identifies and discusses risks that have potential adverse impacts for retail consumers (typically individuals or micro, small, and medium enterprises) when acquiring and using fintech offerings, especially the kinds of risks that authorities increasingly consider warrant regulatory intervention. Some risks, such as in relation to gaps in the coverage of FCP regulation or impacts from the use of algorithms, are discussed separately in the context of their root causes to help readers understand them, but with the ultimate aim of addressing the potential consumer harm that can result.

The note also discusses implementation considerations for regulators seeking to address consumer risks arising from fintech (see section 4).
In addition, while the note’s focus is on regulatory approaches, not market conduct supervision, the important complementarity of supervision is highlighted in this section.

1.3 Fintech Products Covered

This note covers four key fintech products: digital microcredit, P2PL, investment-based crowdfunding and e-money (as defined in table 1 below). These fintech products were selected for two reasons. First, they are examples of fintech offerings that address some of the most basic needs of first-time, and thus inexperienced, financial consumers (of particular relevance in developing countries)—namely, making payments, borrowing, or saving or investing money. Second, they represent different stages in the development of fintech product offerings and corresponding regulatory and policy frameworks that surround them, ranging from more established examples such as e-money offerings to more recent developments such as P2PL and crowdfunding. There are other emerging products and service offerings that are not covered in this note for which further research insights would be beneficial, such as robo-advice, insurtech, and ‘banking as a service’ offerings.

28. World Bank Group, Good Practices.
29. See also OECD, G20 High-Level Principles on Financial Consumer Protection and the various published Effective Approaches to Support.

Table 1. Fintech Products Discussed in This Note

Fintech product: Meaning for the purposes of the note

Digital microcredit: Credit products that are short term, low value, accessed via mobile devices, and typically involve automated credit scoring and fast approval.

Peer-to-peer lending (P2PL): Provision of credit facilitated by online platforms that match borrowers with lenders, encompassing a range of options:
• from platforms that facilitate consumers to become direct lenders of individual loans
• to platforms that allow consumers to invest in individual loans, or in pools or portfolios of loans indirectly, and are exposed to the credit risks of the loans without being the lender of record.

Investment-based crowdfunding: The connecting and matching of primarily small enterprises seeking to raise investment finance by issuing securities (debt or equity) to prospective, primarily retail, investors (the crowd) through online platforms.

Electronic money (e-money): A store-of-value product with the following characteristics:
• It is a digital representation of a fiat currency (legal tender)
• It is a claim against the provider
• It can be redeemed at face value on demand
• It is accepted as a means of payment by persons other than the provider.

Source: World Bank staff.

1.4 Areas Outside Scope

The note discusses manifestations of risks that, when addressed through regulatory measures, are typically appropriately addressed through FCP-specific regulation and dealt with by market conduct regulators. There are a range of other areas of risk not covered in this note that may affect the public, and thus consumers, more broadly and can overlap with FCP—all of which governments should consider as part of a comprehensive strategic approach to fintech in their jurisdictions. These include money laundering and the financing of terrorism, prudential concerns and requirements (including capital and liquidity requirements intended to address risks that can affect consumers), gender-based and other discrimination, and areas of structural disadvantage affecting consumers.
Effective credit reporting and scoring arrangements are also key to addressing certain consumer risks in connection with unfair lending in a digital microcredit and P2PL context. However, these warrant their own separate detailed consideration and are not discussed in the note.

2. Cross-Cutting Risks and Related Regulatory Approaches

This section provides an overview of the following cross-cutting risks, and their corresponding regulatory approaches:

• Gaps in regulatory perimeter: Consumers of fintech products may receive less protection than consumers of traditional financial products if there are gaps in the coverage of their country’s existing FCP regulation and financial sector oversight.
• Fraud or other misconduct: Factors such as the novelty, opaqueness, or complexity of certain fintech business models and fintech entities’ responsibilities, as well as the lack of consumer familiarity, can lead to new or heightened risks of loss from fraud or misconduct by FSPs or third parties.
• Platform/technology unreliability or vulnerability: If a fintech platform or other systems underpinning a fintech offering are unreliable or vulnerable to external threats, they may expose consumers to heightened risks of loss and other harm.
• Business failure or insolvency: Consumers whose funds are held or administered by a fintech entity may risk losing those funds if the entity becomes insolvent or their business ceases to operate, and factors such as inexperienced entrants and riskier or novel business models can increase such risks.
• Consumers not being provided with adequate information: The standard risks arising from consumers not being provided with adequate product information can be heightened when new types of pricing, product features, and risks are introduced, or where digital channels for communication pose challenges to consumer comprehension.
• Product unsuitability: Fintech can increase access to riskier or complex financial products to consumers that may lack knowledge or experience to assess or use them properly, leading to greater risks of harm due to product unsuitability.
• Conflicts of interest and conflicted business models: Fintech business models may give rise to conflicts of interest under new circumstances not foreseen by regulators or expected by consumers.
• Algorithmic decision-making: The use of algorithms for consumer-related decisions is becoming particularly prevalent in highly automated fintech business models and some scoring decisions may lead to unfair, discriminatory, or biased outcomes.
• Data privacy: This is a particularly crucial consideration in relation to fintech offerings, given their highly data-driven nature.

2.1 Gaps in Regulatory Perimeter

2.1.1 Risks to Consumers

Consumers of fintech products may risk receiving less protection than consumers of traditional financial products due to gaps in the coverage of their country’s existing FCP regulation. The practical risk for consumers from such gaps is that fintech entities may not be obliged to address the range of consumer risks discussed in this note and that consumers do not have access to measures such as complaint-handling mechanisms because they do not extend to fintech offerings.

A country’s existing FCP rules may not extend to fintech products and thus may not protect consumers due to the nature of the products or, even where a fintech product is equivalent to a traditional offering, due to the nature of the providers or their business arrangements. If a country’s regulator lacks the power to regulate or supervise fintech companies, it can hamper efforts to address such gaps.

Gaps in regulatory coverage frequently result from a fintech product not fitting easily within existing regulatory concepts.
Even if the core nature of the product is familiar, key aspects may differ significantly from those of traditional products, such that the fintech product does not fit clearly within categories contemplated by current FCP regulation. For example, in the case of P2PL—while platform operators may provide services to individual lenders/investors akin to traditional investment services (such as acting as an intermediary, operating a collective investment scheme, or providing financial advice)—the novelty of P2PL arrangements has at times generated uncertainty around whether and how P2PL is subject to existing investor protection laws.30

Gaps in regulatory coverage of fintech offerings also frequently arise from regulation that covers financial products or services only provided by traditional providers, such as banks. This is sometimes referred to as institution-based regulation. In contrast, activity-based regulation focuses on the activity being undertaken, rather than the provider undertaking it. For example, in the case of digital microcredit, the core product—a loan—is the same as offered in a traditional credit context, with product differences usually relating only to distribution channel, pricing, and other features. However, the novel nature of the lender offering the digital microcredit—such as a non-financial entity or an app-based lender—may not fall within the existing authority of any financial sector regulatory body. Similarly, consumer peer-to-peer (P2P) loans are often unsecured amortizing loans, very similar to personal installment loans provided by traditional lenders such as banks and finance companies. The key innovation in P2PL is in giving prospective borrowers technology-facilitated access—specifically through online platforms—to potential lenders that they did not have before.
Although private individuals may be the lenders of record, they may not be subject to existing requirements in an institution-based framework and in any case are unlikely to be as well placed as the platform operator to meet FCP requirements.

Another example arises from the challenges in regulating e-money products offered by mobile network operators (MNOs). These entities may be regulated in relation to their core business by a telecommunications regulator. However, in an institution-based model, their e-money activities are not necessarily regulated by the financial services regulator (such as the authority responsible for the payments system). A leading example of these challenges existed with the M-Pesa product in Kenya when it was initially offered by an MNO.

Gaps can still arise in regimes that adopt activity-based approaches if these are not sufficiently flexible to address differences between traditional and fintech business models. For example, the EU Directive 2008/48 on Consumer Credit Agreements, which mandates a range of FCP obligations for non-mortgage consumer lenders, applies to lenders only if they are lending as part of their trade, business, or profession. In a P2PL business model, where the platform operator facilitates lending by third parties, the operator would not be regulated as the lender, given they are not the lender of record, despite controlling important aspects of the lending and being better placed to comply with relevant requirements.

30. For example, as noted below, earlier in the development of the U.S.’s P2PL market, the securities regulator felt compelled to issue a cease-and-desist order against a major P2PL platform to strongly signal the applicability of existing securities legislation.

A country’s framework may not cover providers that offer cross-border services to consumers.
A country’s regulation may extend only to financial products offered by providers within the jurisdiction, rather than products offered to consumers in the jurisdiction regardless of the location of the provider. While such a gap may not affect only fintech offerings, the ease with which fintech products may be offered through digital channels increases the potential impact of this gap. For example, in a digital microcredit context, consumers may access services of app-based lenders operating from outside their jurisdictions, making it difficult for authorities to monitor such activities. Similarly, a foreign-based crowdfunding platform could be soliciting and promoting investments to potential retail investors across borders.

2.1.2 Regulatory Approaches

Applying FCP requirements by activity, rather than by type of institution, can help ensure that fintech entities are subject to FCP obligations regardless of their institutional type or business model. In the case of digital microcredit, countries that apply credit-related licensing and conduct regulation to all consumer credit-related activities, rather than to specific credit institutions, are better able to cover all models of digital microcredit, regardless of whether such activities are undertaken by bank or non-bank lenders, MNOs, some other kind of entity, or a combination of actors. Similarly, in the case of e-money, a range of jurisdictions apply an activities-based approach to licensing requirements for e-money issuers, allowing only licensed entities to offer such products, whether they are traditional banks or similar institutions or other kinds of entities. A few examples include Malawi,31 the Philippines,32 and Mexico.33

A focus on activities, rather than entity types, may also assist regulators in identifying and addressing consumer risks more comprehensively.
An activity-based approach to regulatory policy may help regulators focus on risks that arise from each activity from a consumer perspective, regardless of the entity that engages in them.

Some countries have addressed coverage gaps by incorporating FCP rules into new frameworks for specific fintech products, separate from existing FCP requirements. There are many examples of regulatory frameworks developed for e-money that incorporate FCP rules. Under Ghana’s Payment Systems and Services Act,34 the only entities that can engage in “electronic money business” are licensed banks and licensed non-banks. The Malaysian Financial Services Act35 takes a similar approach. Under that Act, no person can carry on a business of issuing a “designated payment instrument” (which includes “electronic money”) unless it is approved by Bank Negara Malaysia. The Chinese authorities have issued a separate regulatory framework to cover P2PL activities.36 Nigeria, among a range of jurisdictions that have taken a similar approach, is in the process of developing a crowdfunding-specific regulatory framework.37

Many countries have taken a hybrid approach, bringing fintech products within some existing FCP regulatory frameworks while also developing separate rules to address specific issues or concerns. Reasons for doing so vary; for example, adopting a hybrid approach may be considered more expedient in their domestic legal context or more effective to address consumer issues. Mexico introduced a new overarching Financial Technology Institutions Law38 (sometimes referred to as its Fintech Law) to cover fintech areas such as investment-based crowdfunding and P2PL. The law introduced some FCP requirements and allows regulators to issue additional FCP rules. However, Mexico already had in place a range of FCP requirements applicable to other financial institutions, such as the Law on Transparency for Financial Services.39 Fintech entities regulated by the Financial Technology Institutions Law are also subject to these existing requirements. In the case of investment-based crowdfunding, while many countries’ existing capital-markets regulatory frameworks cover investment activities, adjustments have been made to focus specifically on the nature of the participants in crowdfunding and their investment offerings.

31. Payment Systems (E-Money) Regulations 2019 (Malawi), s. 5.
32. BSP E-Money Circular 2009 (Philippines), s. 3.
33. Financial Technology Institutions Law 2018 (Mexico), art. 11.
34. Payment Systems and Services Act 2019 (Ghana).
35. Financial Services Act 2013 (Malaysia).
36. The People’s Bank of China and nine other government bodies jointly introduced a new framework in 2015 by initially issuing “Guiding Opinions on Promoting the Healthy Development of Internet Finance” and supporting a range of additional rules, such as the Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China).
37. See the SEC’s Proposed Rules on Crowdfunding (U.S.).
38. Financial Technology Institutions Law 2018 (Mexico).

A country’s FCP regulator may lack the mandate to extend FCP rules to institutions that it does not already regulate. Until such a mandate can be extended, a short-term solution may be to leverage powers of other regulators, such as those responsible for general consumer protection. In Kenya, the Competition Authority of Kenya stepped in to issue rules on disclosure for digital financial services (including digital microcredit) for all providers, including those not regulated by financial sector authorities, to address pervasive concerns observed throughout the market.40 Similarly, telecommunications authorities may be in a position to apply FCP requirements to MNOs entering the fintech space.
While none of these approaches are necessarily ideal (and may raise difficulties in ongoing monitoring and enforcement), they could possibly be leveraged to achieve incremental progress in putting in place protections for consumers. Where such approaches are employed, close coordination will be necessary between sectoral authorities.

For activity-based coverage of FCP rules to be effective, the regulatory framework needs to incorporate concepts that are sufficiently broad and flexible to cover new and developing business models and entity roles. Some jurisdictions have found that broad concepts in existing legislation, such as relating to lending or investment activities, were effective in automatically extending regulation to new fintech offerings. Australian consumer credit legislation already regulated any “credit activities” involving consumers carried out as part of a business, including not only the provision of credit but also the provision of a range of credit-related assistance to consumers or acting as an intermediary between a lender and a consumer. It therefore was deemed to apply already to new P2PL platforms’ intermediation activities.41

Explicit guidance may sometimes be used by regulators to clarify that existing rules already cover fintech activities. In the United States, the securities regulator chose to send a strong signal to industry that the 1933 Securities Act42 already applied to investment-related activities in a P2PL context by entering into a cease-and-desist order against a major P2PL platform for not complying with the Act.43

Some authorities have considered it necessary to introduce new concepts into legislation to capture fintech activities adequately.
In the case of P2PL in the United Kingdom, existing rules were amended to provide for a new category of regulated firms undertaking the activity of “operating an electronic system in relation to lending.”44 Indonesia introduced a new category of activity referred to as “information technology–based loan services.”45 Regulators also started adjusting existing investor-protection laws to reflect the nature of issuers and investors in the context of investment-based crowdfunding.46 Regulators would ideally seek to avoid limiting descriptions of regulated activities to particular business models, so as to allow for further market development while avoiding the creation of new gaps. Nevertheless, these are likely to require continued monitoring and adjustment over time.

39. Law on Transparency for Financial Services 2007 (Mexico).
40. Mazer, “Does Transparency Matter?”
41. See National Consumer Credit Protection Act 2009 (Cth), ss. 6 and 29 (requirement to be licensed if undertaking credit activities). The Act also applies a broad range of conduct and disclosure obligations when engaging in credit activities involving consumers.
42. 1933 Securities Act 15 USC § 77a.
43. Lo, “If It Ain’t Broke,” 88–89.
44. Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544) (U.K.), art. 36H, and FCA, FCA’s Regulatory Approach, para 2.8.
45. Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), Chapter II, Part 4.
46. See, for example, Australia, Corporations Amendment (Crowd‑sourced Funding for Proprietary Companies) Act 2018, https://www.legislation.gov.au/Details/C2018A00106.
2.2 Fraud or Other Misconduct

2.2.1 Risks to Consumers

A fundamental concern for consumers with respect to fintech products, and transacting through digital means more generally, is suffering losses from fraud or other misconduct by FSPs and third parties. The circumstances under which such losses may arise are myriad, such as internal theft of funds, identity theft, or phishing. Potential perpetrators include FSPs themselves, their employees, agents, merchants, business partners and service providers, and external actors. These perpetrators, and the data or facilities being affected, may be located remotely (such as in the cloud) and even internationally, creating additional enforcement and evidence gathering difficulties.

Holders of e-money, for example, face the key risk of agent fraud, among other fraud risks. While not unique to e-money, agent-related fraud can be a significant risk, given the potentially extensive reliance on such agents. This can include agents charging unauthorized fees, splitting transactions or encouraging multiple accounts to earn more commissions, transferring account holders’ funds to their own accounts, and “skimming” small amounts into their own accounts when processing a transaction.47 Some of these risks can arise when consumers share their security credentials with an agent and if an agent assists a consumer with a specific transaction. They are especially likely to occur if the consumer has a low level of digital capability and needs assistance to process a transaction.

There have also been a number of significant incidents of fraud and misconduct involving P2PL and investment-based crowdfunding platforms.
For example, extensive P2PL platform failures in China resulted in significant losses for many consumers,48 with severe financial and personal impacts.49 Some major failures were due to internal fraud, such as a platform that turned out to be a Ponzi scheme (with mostly fraudulent loan listings), causing almost 900,000 individual lenders/investors to lose the equivalent of $7.6 billion.50

Investor fraud can similarly be perpetrated through crowdfunding platforms by issuers or by platform operators themselves. Issuers may try to defraud potential investors through fraudulent business proposals and plans, by concealing facts about their business history or management, or simply through misleading promotion techniques. Consumers may also be subject to fraud from the platform operator, such as sham or misleading offers. The extent of these risks can depend on the types of post-investment services the platform operator provides, such as whether the platform holds or receives client money, undertakes payment services (for example, channeling payments from issuers to investors), or if the platform operator represents investors through a nominee structure or runs a secondary market for issued securities. Risks also arise from crowdfunding trading platforms and bulletin boards used in secondary markets for the exchange of information about crowdfunding securities. Of course, there may also be a risk of entirely fraudulent crowdfunding sites.

Lenders/investors involved in P2PL are also at risk of losing funds provided to fraudulent borrowers, while fraudulent apps pose risks to digital microcredit borrowers. The fraud may involve borrowers (or purported operators) absconding with the relevant funds as soon as they are provided or borrowers providing incorrect information about their ability to repay a loan (such as information about their income).
For digital microcredit, consumers face risks from fraudulent lending apps that solicit application fees or personal data but fail to provide any credit.

47. Buku and Mazer, “Fraud in Mobile Financial Services.” See also ITU-T Focus Group on Digital Financial Services, “Commonly Identified Consumer Protection Themes,” s. 3.3.
48. See Huang, “Online P2P Lending,” 77.
49. Hornby and Zhang, “China’s Middle Class.”
50. Owens, “Responsible Digital Credit,” 8–9.

2.2.2 Cross-Cutting Regulatory Approaches

Authorization and Vetting Requirements

Requiring fintech entities to be vetted prior to licensing or registration can be an important mechanism to filter out unscrupulous entities that are more likely to commit fraud or engage in other misconduct. Such vetting, as well as scrutinizing for any prior criminal history or other history of bad conduct, may also examine the ability of entities and their management to deal with the risk of internal or third-party fraud and misconduct. Ideally, such requirements are accompanied by awareness campaigns encouraging consumers to deal only with licensed or registered entities.

As discussed above in the context of regulatory perimeter gaps, many jurisdictions require e-money issuers to be licensed or registered. Some countries, such as Australia51 and Portugal, require the licensing or authorization of all providers of consumer credit, which effectively means that all digital microcredit providers must be licensed or authorized.

Licensing or registration is being rapidly adopted internationally in relation to P2PL. For example, this was recommended by the European Banking Authority (EBA) in the European Union,52 and some European jurisdictions already had such regimes.
Recent reforms in China mean that P2PL platform operators are required to go through multiple stages of authorization, including vetting.53 As noted above, the United Kingdom introduced, in its new rules, the activity of “operating an electronic system in relation to lending,” which requires authorization.

Crowdfunding authorization approaches similarly vary across jurisdictions. Some jurisdictions, such as the European Union54 or the U.S.,55 have created specific bespoke categories for crowdfunding platform operators, while others, such as Australia,56 Dubai,57 and Nigeria,58 apply existing categories of authorized firms as the bases for licensing crowdfunding activities.

Vetting requirements to support authorization frameworks generally focus on good reputation and adequate knowledge and experience/qualifications of fintech entities and their management as the main principles to be followed when authorizing their activities. As the EBA notes in relation to P2PL platforms, this could comprise checking that individuals managing a platform meet appropriate standards for competence, capability, and integrity.59 This should be the case both when first applying for authorization and on an ongoing basis while they continue to be authorized. The Reserve Bank of India (RBI) requires P2PL operators to ensure that they meet fit and proper criteria at the time of their appointment as well as on an ongoing basis.
In Dubai, senior managers and directors of investment-based crowdfunding platform operators must pass fit and proper criteria, including that they must have recognized knowledge and experience and be of good professional repute.60

Risk Management and Governance Requirements

Regulators are increasingly subjecting fintech entities to general risk-management and governance obligations that often apply to traditional providers.61 Such obligations are generally intended to be flexible and set expectations on fintech entities that adjust to the characteristics of their business and circumstances. For example, fintech entities in the United Kingdom are subject to several overarching obligations (known as the “Principles for Business”) that apply to authorized firms. One is that they must take reasonable care to organize and control their affairs responsibly and effectively, with adequate risk-management systems.62 Drawing from this principle, the U.K. Financial Conduct Authority (FCA) has issued more extensive general obligations and guidance with regard to risk management.63 Mexico’s Financial Technology Institutions Law similarly makes demonstrating implementation of controls for operational risk a key aspect of being authorized as a fintech operator, as well as, more specifically, fraud prevention.64

51. The Australian regime includes certain very specific and technical exemptions not relevant for the purposes of this discussion.
52. EBA, “Opinion of the European Banking Authority,” para 70 and 71.
53. Peer-to-Peer Lending Information Intermediaries of Guangdong Province—Detailed Implementation Rules for Recordation and Registration (Exposure Draft issued on February 14, 2017). See also Huang, “Online P2P Lending,” 73–74.
54. EU Regulation 2020/1503 of October 7, 2020 on European crowdfunding service providers for business, art.12.
55. Regulation Crowdfunding (U.S.A.), Rule 227.400.
56. Corporations Act 2001 (Cth) (Australia), s. 738C.
57. Regulatory Law 2004 (Dubai), art. 42(1), and Dubai Financial Services Authority (DFSA) Rulebook (Dubai), GEN 2.2.8.
58. SEC’s Proposed Rules on Crowdfunding (Nigeria), art. 4 (e).
59. EBA, “Opinion of the European Banking Authority,” para 70 and 71.
60. Regulatory Law No. 1 of 2004 (Dubai), art. 42, and DFSA Rulebook (Dubai), GEN 5.3.19, GEN/VER48/04-20.
61. As noted earlier, this note is not intended to cover prudential concerns and requirements. Of course, it is the case that these overlap with consumer risks and FCP rules. For example, for a discussion of the relevance of capital requirements to operational risks, see World Bank Group, “Prudential Regulatory and Supervisory Practices,” 17–19.

Technology-related and cyber risk-management requirements are also an essential mitigant to address fraud risk that arises from vulnerabilities affecting a fintech platform or other systems. These are discussed below in the context of platform and technology unreliability and vulnerability risks.

Regulators have also been mandating the reporting of large-scale fraud and security breaches to assist their response. For example, the European Union,65 Ethiopia,66 and Kenya67 require reporting of such events, related to payment products, to the regulator. The European Union’s Directive 2015/2366 on Payments Services (PSD2) also requires that users be informed of any security incident that “may have an impact” on their financial interests.68

Liability and Responsibility for Staff and Agents

While providers to some extent may be liable for the conduct of persons acting on their behalf under general laws (for example, of employment or agency), regulators frequently consider it necessary to impose clear responsibility and liability for such matters on the principal.
For example, Ghana’s Payment Systems and Services Act makes a principal liable for all acts of an agent “in respect of the agency business” and explicitly states that this liability applies even if the acts are not authorized by the agency agreement.69

Warnings and Information for Consumers

Some jurisdictions impose requirements on providers to warn consumers about risks associated with fintech products. These requirements frequently cover more than fraud-related risks and are discussed in more detail in the section on information-related risks below.

Segregation of Client Funds

Requirements that consumers’ funds be segregated from other funds held by a fintech entity, and held with appropriately regulated institutions, can also mitigate to some extent against risk of losses due to fraud. Such segregation can make it more difficult for funds to be misappropriated, such as in the context of fraudulent schemes internal to the entity. These regulatory measures are discussed in more detail below in the context of risks of loss that may arise due to entity insolvency or business failure.

2.2.3 Other Product-Specific Regulatory Approaches

Regulators have also been implementing requirements seeking to address specific circumstances under which fraud may arise in relation to particular products.

Key examples of such mitigants in an e-money and broader payment-transactions context include requirements for authenticating transactions and limitations on consumer liability for unauthorized transactions. These are often balanced by obligations on consumers to report relevant incidents and take certain precautions within their control. For example, the European Union’s PSD2 mandates “strong customer authentication” (defined in some detail to include the use of two or more independent elements—that is, two-factor authentication) as a means to mitigate the risk of fraudulent transactions. Ghana’s Payment Systems and Services Act requires a provider to “ensure” that a transaction against an account is authorized by the account holder.70 The European Union’s PSD2 also places a cap on consumer liability for unauthorized transactions of €50 unless there is fraud or gross negligence by the consumer.71 However, the provider may not be liable if notice of an unauthorized transaction is not given in a specified period.72 Users must be advised of their obligation to report events such as lost or stolen mobile devices or compromised security credentials “without undue delay” and be provided with “appropriate means” to make such reports.73 The European Union’s PSD2 also places the burden of proof on the provider if they want to show a consumer’s liability for all or part of an unauthorized transaction.74

62. FCA Principles for Businesses—October 2020 (U.K.), 2.1.1R (Principle 3).
63. FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (U.K.), 4.1.1R and 7.1.3R.
64. Financial Technology Institutions Law 2018 (Mexico), art. 37.
65. EU Directive 2015/2366 on Payments Services 2015 (EU) (PSD2), art. 96.
66. Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), s. 13.(2)1.
67. National Payment System Regulations 2014 (Kenya), s. 29(2)(b) and (c).
68. PSD2, art. 96(1).
69. Payment Systems and Services Act 2019 (Ghana), s. 86(1).

In some fintech business models, consumers may potentially suffer loss due to fraud by external participants facilitated by platform operators, such as fraud by issuers on investment-based crowdfunding platforms or borrowers on P2PL platforms. In such cases, an important mitigant is to require appropriate due diligence by platform operators. The level of thoroughness and efforts required of platform operators varies among jurisdictions.
It can range from platform operators simply being expected to satisfy themselves that a fraud is highly unlikely in a particular case to expecting operators to examine the appropriateness of issuers’ business plans. In the U.S., a crowdfunding platform operator (funding portal) needs to deny access to an issuer if there is reasonable basis to believe that the issuer or the offering presents potential for fraud or otherwise raises concerns about investor protection.75 However, there is no obligation for a funding portal to fact-check the business plan of an issuer. In the United Kingdom, the FCA does not prescribe due-diligence requirements for platform operators but requires that platforms disclose to investors the level of due diligence undertaken. Platform operators are also under a general duty to exercise skill, care, and diligence and act in the customers’ best interests.76 In Australia, platform operators have to check the identity and eligibility of the issuer, whether managers are fit and proper, and the completeness and legibility of the offer document.77 Dubai and Malaysia have more stringent requirements. In Dubai, an operator must conduct extensive due diligence on each issuer before allowing the use of its service.78 Malaysia’s requirements, while less detailed, do require the platform operator to verify the issuer’s business proposition in addition to conducting background checks to ensure the issuer, its management, and its owners are fit and proper.79

Requirements for assessing prospective borrowers on P2PL platforms, discussed in the section below dealing with product suitability, would also be relevant in mitigating potential fraud risk by such borrowers.

FCP regulatory measures against fraud should of course be additional to a country’s financial crime measures under anti-money laundering/countering the financing of terrorism laws and general criminal laws.
Ideally, financial sector regulators should closely monitor the incidence of such activities in consultation with other national agencies and implement FCP mitigants, particularly where risks may be more appropriately dealt with, or borne by, fintech entities, rather than consumers.

70. Payment Systems and Services Act 2019 (Ghana), s. 20(2).
71. PSD2, art. 73 and 74.
72. PSD2 2015, art. 71(1). Here the relevant period is 13 months, but this should not be considered the norm.
73. PSD2, art. 51, 69, and 70.
74. PSD2, art. 72(1).
75. Regulation Crowdfunding (U.S.A.), Rule 227.301.
76. FCA Consultation Paper 18/20 (U.K.), 4.21 and 4.22.
77. Corporations Act 2001 Pt 6D.3.A—Crowd Sourced Funding, 738Q (5).
78. DFSA Rulebook (Dubai), COB 11.3.6.
79. Guidelines on Recognized Markets SC-GL/6-2015(R3-2019), Rule 13.05.

2.3 Platform/Technology Unreliability or Vulnerability

2.3.1 Risks to Consumers

If a fintech platform, or technology underpinning a fintech, is unreliable or vulnerable to external threats, it may expose consumers to heightened risks of loss and other harm. Consumers already face some level of risk—when acquiring traditional financial products or services—from interruptions or failures in an FSP’s processes and systems. However, these risks are likely to be particularly high in a fintech context, given the extent of reliance on technological processes that, in some cases, may be relatively new. A working group of the Bank for International Settlements’ Committee on the Global Financial System relevantly noted, for example, that fintech credit platforms may be more vulnerable than banks to certain operational risks, such as cyber risk, due to their reliance on relatively new digital processes.80 Another aspect that can give rise to additional risk is significant reliance on third-party providers, with potential disruption of outsourced services.
Reliability can also be affected by broader connectivity and telecommunications infrastructure issues affecting a country, although measures to address these are outside the scope of this note.

Such unreliability or vulnerability can have a range of adverse impacts on consumers, ranging from inconvenience and poor service to monetary losses due to third-party fraud or loss of data integrity. It could mean, for example, that e-money transactions cannot be initiated or completed as expected, that credit repayments due under P2PL or digital microcredit facilities are not processed in a timely manner, that there are delays in receiving loans, or that crowdfunding investors do not receive the financial returns to which they are entitled. Consumers may lose funds, incur additional charges (such as late-payment fees and penalty interest), or forgo gains if transactions cannot be completed on time or correctly.

Platform or technology vulnerability may also contribute to third-party fraud due to vulnerability to cyber risks. In a recent large-scale fraud in Uganda, hackers reportedly broke into the systems of Pegasus Technologies, which processes mobile money transactions for entities such as MTN Uganda, Airtel Money, and Stanbic Bank.81

2.3.2 Cross-Cutting Regulatory Approaches

General Risk Management Requirements

As discussed above in the context of mitigants against fraud risks, regulators are increasingly subjecting fintech entities to general risk-management and governance obligations. The expectations imposed by such requirements would clearly also target the need for fintech entities to address risks related to platform and other technology unreliability and vulnerabilities.

Targeted Risk-Management and Operational Reliability Requirements

Regulators are increasingly making FSPs, including fintech entities, subject to specific obligations targeting technology and systems-related risks and reliability issues.
In Indonesia, a P2PL platform operator must meet a range of obligations with regard to its information technology and the security of that technology, including resilience to system interference and failures.82 Requirements include rules on establishing a disaster recovery center, acquisition and management of information technology, and incident management and implementation of security measures. In the case of e-money issuers, the European Union’s PSD2 requires that payment service providers have appropriate mitigation measures and control mechanisms to manage operational (and security) risks, and that they report to the regulator about these risks at least annually.83 In Malaysia, e-money issuers must comply with detailed requirements including for comprehensive and well-documented operational and technical procedures to ensure operational reliability and a robust business-continuity framework, including a reliable back-up system.84 Ghana goes so far as to specify that an e-money issuer (or a payment service provider) ensures “high quality performance of at least 99.5 percent service availability and accessibility.”85

80. Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26.
81. See, for example, Kyamutetera, “Hackers Break Into Mobile Money System.” See also Stanbic Bank Uganda, MTN Uganda, and Airtel Uganda, “System Incident Impacting Bank.”
82. Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 25; Financial Services Authority Circular Number 18/SEOJK.02/2017 Regarding Information Technology Risk Management and Management in Information Technology-Based Lending (Indonesia).

Outsourcing-Related Risk Management

Given the extent to which fintech entities may outsource a range of their activities to third parties,86 an important risk-management obligation would be to take appropriate steps to avoid the resulting additional operational risk. In the case of P2PL platform operators, for example, in India the RBI’s rules set out obligations for operators to ensure sound and responsive risk-management practices for effective oversight, due diligence, and management of risks arising from outsourced activities.87 This could be achieved by making fintech entities remain legally responsible to consumers for outsourced functions—as contemplated, for example, by the European Union’s crowdfunding regulation.88

2.3.3 Product-Specific Regulatory Approaches

Regulators have also been implementing regulatory requirements addressing how reliability and vulnerability issues may affect specific fintech products.
In the case of e-money, regulators are mandating time frames within which transactions must be processed—such as the European Union’s PSD2 requirement that payments be credited to the payee by the end of the business day once received.89 Requirements that users be notified of service interruptions have also been introduced in a range of jurisdictions to assist consumers to mitigate the impact. For example, Ghana requires that e-money users be notified within 24 hours of service disruptions or anticipated disruptions.90

83. PSD2, art. 95.
84. Bank Negara Malaysia, Guideline on E-Money 2016 (Malaysia), ss. 8.2–8.5.
85. Payment Systems and Services Act 2019 (Ghana), s. 45(1).
86. See, for example, ASIC, Survey of Marketplace Lending Providers: 2016–2017, para 21.
87. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 17 and Annex VI.
88. EU Regulation 2020/1503 of October 7, 2020 on European crowdfunding service providers for business, art. 9(3).
89. PSD2, arts. 83–87.
90. Payment Systems and Services Act 2019 (Ghana) s. 45(2).

2.4 Business Failure or Insolvency

2.4.1 Risks to Consumers

Consumers whose funds are held or administered by a fintech entity may risk losing the funds if the entity becomes insolvent or the business ceases to operate. The fact that many fintech entities are relatively new entrants in the financial sector increases these risks. The nature and extent of such risks also depend on the particular fintech business model employed, as well as the fintech product and the applicable regulatory framework.

Consumers participating in P2PL as lenders/investors may risk losing their committed loan principals, or repayments owed to them, that are being held or administered by a platform operator that goes insolvent or fails. Borrowers can also face risks of losing funds under such circumstances. For example, when consulting on proposed regulatory reforms for P2PL in the United Kingdom, the FCA said it considered P2PL platform operators to present a high risk of consumer harm, given they may hold or control client funds before lending to borrowers.91 Likewise, a borrower may miss out on receiving funds intended for them from lenders/investors as a result of the operator’s insolvency. The EBA has pointed out the risk of lender/investor funds not being transferred to the intended borrower if the platform is not required to hold appropriate regulatory authorizations and have in place adequate arrangements to safeguard such funds.92 Depending on the legal relationships between the parties, borrowers may also suffer losses when the repayment of loans they make through the platform fails to reach lenders/investors.

Consumers acting as lenders/investors risk suffering losses in the event of a P2PL platform operator’s business failure (regardless of cause) even if their assets are ringfenced from the operator’s insolvency as already discussed above. Business cessation can mean that individual loans that remain viable may not continue to be administered properly, causing corresponding losses. An investor can suffer considerable harm if a P2PL platform ceases to provide management and administration services. In practical terms, this can mean an individual lender/investor not receiving some or all repayments for the loans that they made or invested in through the platform, unless they retrieve payments directly from borrowers themselves.

An investment-based crowdfunding platform’s failure can similarly leave investors without services essential to realizing the full value of their investment. The extent and nature of such risk depend on factors such as whether the platform holds client money, undertakes payment services (for example, channeling payments from issuers to investors), represents investors through a nominee structure, or runs a secondary market for issued securities.
Loss of access to such services from the operator due to temporary or permanent platform failure can cause financial loss as well as operational detriment to investors.

If an e-money provider becomes insolvent then, depending on the way funds are held and controlled, funds may be insufficient to meet the demands of e-money holders or other unsecured creditors. This is a particular concern with e-money not considered a “deposit” protected under banking laws and without the benefit of deposit insurance. Operational failure may also make it difficult for consumers to retrieve their funds.

2.4.2 Regulatory Approaches

Segregation of Client Funds

A key mechanism to address the risk of loss of funds due to mishandling by or insolvency of P2PL and crowdfunding platform operators is the requirement that client funds be segregated from other funds held by them. According to the EBA, for P2PL arrangements, the main alternatives are either that the platform operator be appropriately authorized and regulated (such as with regard to capital requirements) to hold client funds before being allowed to handle them, or that the operator ensure that a separate, appropriately regulated entity handles funds on investors’ behalf.93 Both the RBI94 in India and Otoritas Jasa Keuangan (OJK), the Indonesian Financial Services Authority,95 have mandated that P2PL platform operators operate separate escrow accounts for client funds. In the United Kingdom, the platform operator is required to deposit investor funds at an appropriate institution (that is, a bank), keep records and accounts, and conduct appropriate internal and external reconciliations so they can always distinguish between funds held for different clients.96 Recent reforms in China mandate separation of platform owners’ funds from those of lenders/investors and borrowers.

Similar measures can be seen internationally, relating to the handling of investor funds by investment-based crowdfunding platforms.
In the U.S., platform operators are prohibited from holding, possessing, or handling investor funds (or securities). In France, crowdfunding platforms may neither receive funds directly from investors (except for payment of their own fees) nor receive securities from issuing companies.97

91. FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.19.
92. EBA, “Opinion of the European Banking Authority,” para D3 and 43.
93. EBA, “Opinion of the European Banking Authority,” para 79–80.
94. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 9(1).
95. Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services (Indonesia), art. 24.
96. FCA, “FCA’s Regulatory Approach to Crowdfunding (and Similar Activities),” para 3.34–3.36. Also, see FCA Client Assets Sourcebook—October 2020 (U.K.), 7, and FCA Senior Management Arrangements, Systems and Controls Sourcebook—October 2020 (U.K.) 4.1.8ER.

Requirements for issuers to isolate and ringfence funds paid by e-money holders are well-recognized core regulatory mitigants for e-money arrangements. Regulators typically also require safeguarding client funds in holding institutions. There are many country examples of such requirements. Malawi’s Payment Systems (E-Money) Regulations require that an e-money service provider maintain a trust account at banks with no less than 100 percent of outstanding balances and no more than 50 percent may be held in any one bank. The funds in the trust account must be unencumbered and must not be intermediated.98 In some cases, trust account (or equivalent) obligations apply only to non-bank issuers; banks that issue e-money have lesser obligations (presumably because of the prudential regulations that already apply to them).
For example, in Tanzania banks that are e-money issuers have to open a “special account” to maintain funds deposited by non-bank customers issued with e-money.

In order to protect e-money customers’ funds deposited in banks, some countries require safeguarded funds to be held in more than one bank when they reach a certain threshold. In Kenya, if the relevant amount is over KES100 million, then the funds must be held in a minimum of two “strong rated banks” with a maximum of 25 percent in any one bank.99

Another approach taken by some jurisdictions is to extend deposit insurance to e-money accounts or corresponding custodial accounts at deposit-taking institutions or, if deposit insurance is not applicable, to make sure that consumers are aware of the fact that no deposit protection is being applied to their accounts. In Ghana, an e-money holder is eligible for protection under the Ghana Deposit Protection Act provided their balance is within the prescribed threshold.100 In the U.S., the Federal Deposit Insurance Corporation has rules to the effect that the deposit insurance scheme covering a pooled account held for the purposes of a prepaid card program will pass through to the individual card holders under certain conditions.101

Business Continuity Arrangements

Regulators have been requiring fintech entities to put in place business continuity arrangements to ensure the continued administration of consumers’ funds and investments in the event of platform failure. These arrangements typically require plans to be developed that will allow continuation of post-investment services in case of a wind-down of a platform.
In France, P2PL platform operators are required to enter into a contract with a third-party payment institution to ensure such business continuity.102 The EBA suggests that—to address relevant risks in the case of permanent, rather than temporary, platform failure—platform operators should be required to have resolution plans in place allowing loans to continue to be administered.103 In Dubai, an operator must maintain a business-cessation plan that sets out appropriate contingency arrangements to ensure the orderly administration of investments in case it ceases to carry on its business. Also, the operator must review its business-cessation plan at least annually to take into account any changes to its business model or the risks to which it is exposed.

E-money regulatory frameworks also frequently have business continuity requirements. For example, PSD2 requires applicants for authorization as payments institutions to provide a description of business-continuity arrangements, including clear identification of critical operations, contingency plans, and a procedure to test and review adequacy and efficacy of those plans regularly.104

97. For a discussion on fund-segregation requirements, see also World Bank Group, “Prudential Regulatory and Supervisory Practices,” 19.
98. Payment Systems (E-Money) Regulations 2019 (Malawi), Part IV.
99. National Payment System Regulations 2014 (Kenya), s. 25(3) and Fourth Schedule.
100. Payment Systems and Services Act 2019 (Ghana), s. 46.
101. See https://www.federalregister.gov/documents/2016/11/22/2016-24503/prepaid-accounts-under-the-electronic-fund-transfer-act-regulation-e-and-the-truth-in-lending-act#footnote-150%E2%80%89151-p83947.
102. Havrylchyk, “Regulatory Framework,” 26.
103. EBA, “Opinion of the European Banking Authority,” para 69.
104. PSD2, art. 5 (1)(h).
Record-Keeping Requirements

Record-keeping arrangements are also a mitigant in this context, although they are broadly more crucial to support the integrity of a fintech entity’s business operations. P2PL platform operators in the United Kingdom are subject to general requirements, as authorized firms, to keep orderly records of their business, including all services and transactions undertaken. Other examples in the e-money context are requirements to maintain records and accounts for e-money activities that are separate from other business activities. Malaysia has such a requirement, in addition to a general requirement to have adequate information, accounting systems, and a proper reconciliation process and accounting treatment for e-money transactions.105

Risk-Management Requirements

Risk-management and governance obligations of the kinds already discussed above may also reduce risks that can lead to business failure and their impacts on consumers.

2.5 Consumers Are Not Provided with Adequate Information

Fintech introduces a range of new manifestations of risks for consumers with respect to information disclosure and transparency. As is often the case with traditional offerings, information about pricing, risks, and terms of fintech products may be incomplete or insufficiently clear. These traditional risks to consumers are heightened when consumers are unfamiliar with new types of pricing and fees, product features, terms and conditions (T&C), and risks related to fintech products. Crucially, the digital format of delivery poses inherent challenges to consumer comprehension that can require specific mitigation measures.

2.5.1 The Risk of Inadequate Information Being Provided to Consumers

Consumers often receive incomplete or unclear information on pricing when obtaining fintech products.
A 2015 survey of regulators in 15 developing countries found that limited disclosure of costs was the highest market-conduct concern for regulators with respect to digital microcredit.106 Disclosure of pricing for digital microcredit products is often incomplete and not transparent; different and complex methods are used to convey pricing. As a result, it is difficult for consumers to understand the full costs of a digital microcredit product or to compare across providers. Fees and charges are often not communicated clearly. Disclosure of fees and charges for third-party services has also been found to be frequently incomplete with respect to digital microcredit. Fees and charges associated with services provided by P2PL platforms (for example, loan origination, loan servicing) and fees for e-money transactions (such as cash-in and cash-out) have also frequently been noted to be opaque.

Beyond pricing, consumers may get inadequate access to the full T&C of a fintech product. Information about e-money product features such as available transaction types and elements, points of service, and transaction and balance limits are necessary for consumers to be able to select products that best meet their needs. Full T&C are often not easily accessible over digital channels, particularly on feature phones. Given the limited space available to convey information, providers may favor displaying appealing information, providing incomplete information about consumer obligations, or merely referring to T&C to be found elsewhere.

105. Bank Negara Malaysia Guideline on Electronic Money (Malaysia), ss. 7.2 and 8.4.
106. Thirty-one percent of respondents selected limited disclosure of costs as the main market conduct and consumer protection issue, followed by high costs of digital microcredit (14 percent), limited suitability and misleading advertising (14 percent), and data security and privacy (12 percent). See AFI, “Digitally Delivered Credit: Policy Guidance Paper.”

Incomplete information about risks related to fintech products poses a particular concern given the novelty of fintech products and the lack of experience of retail consumers. For example, traditional risks related to non-repayment of loans can be heightened when the typical users of digital microcredit lack understanding of borrower obligations. Similarly, in the case of P2PL, consumers acting as lenders/investors may lack understanding of loan-related risks or perceive them as equivalent to risks of other investment types. E-money users may lack understanding of the security and technology-related risks related to e-money.

With platform finance, the lack of adequate information about risks and returns of potential investments combined with overreliance on the platform can harm investors. P2PL platform operators may not have the systems to gather sufficient information about loans being offered necessary to produce appropriate disclosures regarding risks and returns. Crowdfunding issuers tend to be smaller businesses about which limited information is available. Consumers investing in either kind of platform may not appreciate the significance of the lack of data while assessing the risk of their investments. They may be attracted to platform finance as a new form of investment but lack familiarity with the true nature of risks associated with the new types of investment products offered via such platforms. Consumers would lack the resources necessary to analyze investments fully themselves and may also place excessive reliance on a platform operator’s risk assessments or loan or investment selection, which may be of varying quality.

Inadequate information can lead consumers to choose inappropriate products that ultimately harm them.
For example, experiencing poor transparency, such as unexpected fees or not understanding the terms of a loan, correlated with higher levels of late repayments and defaults of digital microcredit in Kenya and Tanzania.107 A lack of adequate information about key aspects of P2PL and crowdfunding, such as costs, risks, and rights and obligations, can increase the risk that investors will make decisions that are uninformed or imprudent, which may lead to unexpected losses or consumers overpaying for their investments. In the United Kingdom, the FCA has expressed concern about customers being misled by comparative cost claims and missing out on services that are better suited to their needs.108

If information from different fintech entities cannot be compared easily, consumers may find it difficult to compare offerings or to realize differences when switching between providers. For example, methods used by P2PL platform operators to calculate risk-adjusted net returns may vary considerably between platforms due to a lack of common standards.109 Platform operators also may not make sufficiently clear the methodology used to make such calculations.

In addition to the aforementioned risks related to inadequate upfront information, a lack of key information on an ongoing basis also poses risks to consumers. This includes lack of adequate information about the ongoing status of investments for platform finance investors, hampering their ability to adjust to changes and compounding the risks from their lack of understanding of, and familiarity with, such investments. E-money users may not be provided with sufficiently detailed transaction receipts or periodic account information, making it difficult for them to track their accounts and identify any fraudulent activity or mistaken transactions.

2.5.2 Regulatory Approaches for Inadequate Information

Fundamental good practices for disclosure and transparency remain highly relevant to fintech products.
Providing excessive information can easily overwhelm consumers and is not the solution. Effective disclosure requires key information provided up front, access to fuller details, and the information provided in a format and manner that enhances comprehension and allows for comparison.

International good practice on disclosure generally indicates that fintech entities should be required to provide clear and sufficiently comprehensive information on pricing and fees, product features, T&C, and risks and returns. Regulators may sometimes benefit from being prescriptive regarding what information is deemed the most critical for upfront disclosure for fintech products to ensure it is consistent and adequate across all providers. In the U.S., the lender of record for a P2P loan is subject to the prescriptive provisions of the Federal Truth in Lending Act110 and its implementing Regulation Z,111 which apply to other lenders. Many of the e-money regulatory frameworks, such as Kenya’s, also include disclosure and transparency requirements, so as to disclose fees and charges and other T&C to consumers on taking up the product and also to require public disclosure of fees and charges.112

107. Kaffenberger and Totolo, Digital Credit Revolution.
108. FCA’s General Standards and Communication Rules for the Payment Services and E-money Sectors in Policy Statement PS 19/3 2019 (UK), paras 3.18 to 3.24.
109. For example, see Lenz, “Peer-to-Peer Lending,” 695.

Adaptations and enhancements are likely to be necessary to address unique aspects of fintech offerings. Standardized total cost indicators already in use in relation to traditional credit products, such as annual percentage rate and total cost of credit, have been shown to help consumers select lower-cost loan products.113 Giving such indicators prominence when conveyed via digital channels could assist consumers in making borrowing decisions.
Similarly, to ensure adequate access to information, e-money issuers could be required to disclose fees and charges for e-money via agents, branches, and websites114 and to disclose both upfront fees and charges and transaction-based fees.115

Mandating Content of Terms and Conditions

Authorities may seek to mandate the content of contractual T&C for fintech products and ensure that these cover all key aspects for consumers. P2PL platform operators in Brazil must include information on the rights, obligations, and responsibilities between investor, borrower, and platform in P2P loan agreements.116 Countries such as Kenya117 and the Philippines118 require that e-money issuers provide a written agreement to each consumer covering the terms of the service and any related fees.

Requiring Summaries and Targeted Disclosures

A summary of key T&C can be an important transparency measure (in addition to ensuring that consumers are given access to full T&C). This can take on added importance in the context of digital channels, where consumers may find it more difficult to review full T&C, or the speed of transacting creates less propensity to do so.
For example, when conducting sales of retail banking products and services via digital channels, financial institutions in Portugal are required to “prominently present information on the basic features of the banking product or service and of other elements deemed relevant, such as fees and expenses that may be applicable, on the main screen or webpage of the marketing platform, using larger characters, information boxes, pop-ups, simulations, overviews or other similar means.”119 Additional approaches to counteract the difficulties in conveying full T&C via mobile channels include making the full T&C easily accessible to customers on an ongoing basis120 or requiring public disclosure of standard T&C.121

110. Truth in Lending Act 1968 15 USC § 1601 (U.S.A.).
111. Truth in Lending (Regulation Z) 12 CFR Part 1026 (U.S.A.).
112. National Payment System Regulations 2014 (Kenya), s. 35(1).
113. Busara Center for Behavioral Economics, “Pricing Transparency.”
114. Examples of such requirements can be found in Kenya, Malawi, and Malaysia. See National Payment System Regulations 2014 (Kenya), s. 35(1)(a); Payment Systems (E-Money) Regulations 2019 (Malawi), s. 21(3)(e); and Bank Negara Malaysia Guideline on Electronic Money 2016 (Malaysia), s. 9.3 (i).
115. For example, the EU Payment Services Directive 2015 (PSD2) requires that all charges be disclosed to the consumer before the contract is entered into and before a transaction is initiated.
116. National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil).
117. National Payment System Regulations 2014 (Kenya), ss. 41(1)(a) and (2).
118. BSP E-Money Circular 2009 (Philippines), s. 4(G).
119. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
120. ASIC’s guidance on good practices for digital disclosure discusses the importance of clients being able to keep a copy of disclosed information so that they can access the information in the future. This can include the ability to save either a digital copy or a hyperlink to disclosed information on a website that continues to be accessible for a reasonable period of time. See ASIC, Facilitating Digital Financial Services Disclosures.
121. For example, Kenya’s National Payment System Regulations 2014 require publication of terms and fees (rates) and display at “all points of service,” s. 35, and Bank Negara Malaysia Guideline on Electronic Money 2016 requires that terms and conditions must be available through various channels, including on the issuer’s website, in brochures, and on registration forms, s. 9.3.

Disclosure requirements that address and highlight key risks and their consequences, and other key aspects for consumers’ decisions, are particularly important for fintech products given their novelty and consumers’ lack of familiarity with such products. For digital microcredit, this includes highlighting the consequences of late payments and defaults, while e-money risks may relate to mistaken authorizations, fraud, or security. For platform finance, key matters for consumers’ decisions can include knowing about risks affected by the role of platform operators as well as about factors that can affect their returns.
P2PL operators in China are required to provide a range of information to the general public (including information about the platform operator and their past and current loans) as well as to prospective lenders/investors (including information about the borrower, relevant loan, and the operator’s risk assessment in relation to the loan).122 P2PL operators in Brazil must provide prospective lenders/investors with expected rates of return, taking into account expected payment flows, taxes, fees, insurance, and other expenses.123 Issuers on crowdfunding platforms are typically required to disclose information about the company; its ownership and capital structure; financial information; its business plan; the main risks facing the issuer’s business; and the targeted offering amount and intended use of proceeds.

Warnings

Obliging fintech entities to provide warnings or disclaimers in key contexts can highlight risks for consumers and assist in balancing out inappropriately optimistic perceptions. P2PL platform operators in the United Kingdom are subject to general rules requiring that disclosure of past performance that they provide include a prominent warning that past performance is not a reliable indicator of future results.124 Brazilian authorities require P2PL platform operators to display on their website and in other electronic channels, as well as in promotional materials, a prominent warning that P2P loans constitute risky investments and are not subject to deposit insurance.125 In some jurisdictions, warnings are also coupled with acknowledgments from lenders/investors.
For example, in India the RBI requires P2PL platform operators to obtain explicit confirmation from a prospective lender/investor that they understand the risks associated with the proposed transaction, that there is no guarantee of return, and that there exists a likelihood of loss of the entire principal in case of default by a borrower.126 However, it would also be important to ensure that any such warnings or acknowledgments are not seen by regulators or fintech entities (or misunderstood by consumers) as reducing the onus on fintech entities to comply with their obligations and address relevant risks where appropriate.

Ongoing Disclosure Requirements

Requiring ongoing provision of key information is intended to address risks such as that consumers may lack awareness of the latest activity related to their fintech product or service or of key changes made to contractual terms after acquisition of the product or service. For P2PL, such requirements include platform operators having to provide lenders/investors with ongoing information about their individual loans/investments, as well as matters relating to the platform arrangements that may affect those loans.127 Lenders/investors may also benefit from periodic updates on the general performance of the operator and notices of adverse events. Platform operators in China are required to disclose publicly within 48 hours if they have been affected by any of a range of adverse circumstances, such as bankruptcy events, cessation or suspension of business operations, or significant litigation, fraud, or other incidents affecting operations in a manner that may damage borrowers’ interests.128 E-money providers are variously being required to provide transaction receipts;129 to provide periodic statements and recent transaction details or make them easily accessible;130 and to notify consumers of changes to T&C or fees and charges, a general requirement that should apply for all fintech products.131 In addition, mobile channels need not merely be viewed as obstacles to disclosure and transparency; they can in fact be leveraged for convenient, immediate, and direct messages and updates to consumers, such as reminders of upcoming payments or warnings about late-payment penalties for digital microcredit.

122. Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries 2016 (China).
123. National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil).
124. FCA Conduct of Business Sourcebook—October 2020 (U.K.), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72.
125. National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17.
126. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 12(2).
127. For example, on a monthly or quarterly basis (depending on loan term), P2PL operators in China must provide to lenders/investors prescribed ongoing information relating to their individual loans, including changes to the borrower’s financial circumstances and repayment ability, any overdue repayments, and additional charges imposed on the borrower and other matters that may affect their position. See Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries, 2016 (China), art. 9 and Attachment—Explanation on the Content of the Disclosure of Information. In the United Kingdom, operators must ensure that, at any point in time, a lender/investor is able to access a range of details of each of their loans, such as pricing, the borrower’s interest rate, a fair description of the likely actual return, taking into account fees, default rates, and taxation, and so on. See FCA Conduct of Business Sourcebook—October 2020 (U.K.), 18.12.31R.
128. Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries 2016 (China), art. 10.
129. For example, Kenya requires the payment service provider “without undue delay” to provide the payer with a unique transaction reference and detail of the amount, payee and their account, and the debit. See National Payment System Regulations 2014 (Kenya), s. 35(3).
130. For example, in Ethiopia, at least the last 10 transactions must be available for viewing online. See Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020 (Ethiopia), s. 12(2).

2.5.3 The Risk of Information Being Provided in a Poor Format

Disclosing information in a clear and effective format is critical for consumer comprehension. As with any type of financial product, providing all relevant information but in a poorly designed format or manner can easily overwhelm consumers and make disclosure ineffective. This risk can be further heightened by lack of familiarity with the pricing and features of fintech products and services, inconsistent and incomplete methods of disclosing pricing and other T&C, and the challenges inherent in disclosing information clearly via digital channels.

Fintech entities may use inconsistent practices to disclose costs. As noted above, costs associated with digital microcredit have been found to be disclosed frequently as either rates or monetary figures and using a variety of repayment periods. The proliferation of different and sometimes complex pricing methods can be confusing for consumers and, in some cases, has been actively employed by digital microcredit providers to disguise fees.

Several unique challenges to disclosure and transparency arise due to the nature of digital channels.
Particularly with respect to fintech products delivered via feature phones, practical limitations on the space to convey information, as well as the varying appropriateness of different design formats, pose a challenge to transparency. Consumers may treat a transaction on a mobile phone less seriously than a transaction in a bank branch, attention spans may be more limited, and the desire for rapid transactions may be increased. Even where consumers are provided with relevant information, the information may not be provided in a form that allows them to retain it for future reference (a particular challenge with interactions over feature phones).

The timing and flow of information disclosed via digital channels can also impede transparency. Consumers may not be given sufficient time to review information on a screen before it times out. Websites and app-based content may be difficult to navigate and may de-emphasize less appealing information. User interfaces and menus on mobile channels may be confusing and not user-friendly, hampering effective disclosure and increasing the likelihood of consumers making mistakes when conducting transactions.

2.5.4 Regulatory Approaches for Poor Disclosure Formats

Rules mandating greater standardization of pricing and fees are a developing area. The International Telecommunication Union Telecommunication Standardization Sector’s Focus Group on Digital Financial Services recommends that regulators should establish standard definitions for the cost and fees of digital microcredit, including all bundled services; require disclosure in line with these standard definitions to ensure consistency across offerings; and require clear, conspicuous, and understandable disclosure of financial and other consequences of early, partial, late, or non-repayment of digital loans.132

Plain language requirements, frequently applied to traditional products, are equally relevant to information disclosed on fintech products.
There are various examples of requirements for “clear” and “understandable” terms with respect to e-money.133 Disclosure for fintech products should avoid excess technical jargon. For example, the FCA undertook an initiative to consider the changes required for effective digital disclosure that allow for innovation while ensuring compliance with existing rules. The FCA emphasized the need for providers to develop consistent terminology and reduce the complexity of language and technical jargon.134 Consideration may also be required on how graphic elements affect readability, particularly with respect to digital channels. In Portugal, best practices from Banco de Portugal (BdP) applicable to the sales of retail banking products and services via digital channels include that financial institutions “evaluate the use of graphic elements such as font size, color, icons and images in all information media, including on the screens of the marketing platform and in advertising, ensuring that those elements are not likely to affect the readability, understanding, and prominence of information.”135

131. For example, the Payment Systems and Services Act 2019 (Ghana) requires seven days’ notice of changes to fees and charges, which must be made through SMS or any other method approved by the Bank of Ghana, s. 45(9).
132. ITU-T Focus Group on Digital Financial Services, Main Recommendations.
133. See National Payment System Regulations 2014 (Kenya), s. 35(1); Payment Systems and Services Act 2019 (Ghana), s. 44(a).

Providing standardized information summaries/key-fact statements, typically via paper-based approaches, will require adaptation for digital channels. Approaches may need to vary depending on the level of standardization of the fintech product in question and the main channels via which the product is conveyed.
For digital microcredit delivered via mobile phones, a summary of key T&C in a streamlined format may strike a sufficient balance between the limitations of devices and the need to ensure that key information is highlighted for consumers up front. Consumer testing on disclosure for digital microcredit in Kenya found that simpler versions of T&C led to better comprehension and more searching for products from other providers.136 Adapting disclosure requirements for mobile channels could involve breaking down information into bite-sized chunks in a more consistent manner across providers (for example, by fees, conditions, and risks). For example, the FCA has asked providers to do more to incentivize consumers to engage with information delivered in a digital environment, including by layering information as a means to guide consumers to digest each part easily, rather than including all information up front.137 Requirements regarding how key information should be positioned and given prominence, already established for paper documents, are increasingly being extended to digital channels. For example, disclosure requirements imposed by authorities in Brazil include an obligation that relevant information be displayed prominently on relevant electronic channels.138 P2PL requirements in China include that mandated disclosures be set out in dedicated, conspicuous sections of websites and equivalent electronic channels.139 Banco de Portugal specifically notes that institutions that sell banking products or services through digital channels “should ensure that the information provided in these channels about those products or services is appropriate in terms of content, form of presentation, and prominence, especially taking into account the marketing platform and the devices that bank customers may use to purchase these products or services.”140 Notably, this approach is specifically made to apply across all digital marketing platforms and devices. 
A range of approaches can be used to counterbalance some inherent limitations of digital disclosure. Prior to concluding transactions, providers could be required to give consumers access to additional channels, such as call centers, online chat, and agent/branch locations, to enable them to ask questions, clarify T&C, and obtain further assistance via live interactions with provider staff. For example, when conducting sales of retail banking products and services via digital channels, financial institutions in Portugal are required to assist customers to obtain further information by making available interactive tools such as a hotline or live chat, and chatbot.141 In Ghana, e-money issuers are required to explain the “product material” and “general product elements” to prospective clients and “ensure that prospective client understands the nature and form of the product T&C, features, and specifications.”142

134. https://www.fca.org.uk/publications/discussion-papers/smarter-consumer-communications-further-step-journey.
135. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
136. Busara Center for Behavioral Economics, “Pricing Transparency.”
137. FCA, Feedback Statement FS16/10.
138. National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17.
139. Banking Regulatory Commission Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries 2016 (China), art. 3.
140. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
141. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
142. Payment Systems and Services Act 2019 (Ghana), s. 45(5).
143. FCA. “Feedback Statement FS16/10.”

The order and flow in which information is required to be provided can also help enhance transparency and comprehension. As noted by the FCA, it can be beneficial to approach disclosure as a “digital journey” with an engaging digital format for consumers to progress through the steps of a transaction.143 The Australian Securities and Investments Commission’s (ASIC) guidance on good practices for digital disclosure notes that providers should consider whether disclosure flows logically in a way that aids understanding of the product.144 There is international recognition of the need for appropriate prominence to be given to each aspect of a product, and that disclosure should not divert consumers away from less appealing information. In Kenya, the Competition Authority of Kenya (CAK) identified a particular issue: that consumers were not aware of charges for transactions via mobile wallets because providers were not disclosing costs of transactions until after consumers accepted transactions on their mobile devices.
The CAK therefore issued guidelines requiring all providers to disclose fully all applicable charges to customers for mobile money services (including money transfers, microloans, and microinsurance) prior to completion of transactions.145 A survey of digital financial services users in Kenya found that the proportion of participants who could correctly estimate the cost of their last M-Shwari loan of KES200 went up from 52 percent before the CAK order to 80 percent afterward.146 Also in Kenya, consumer testing on disclosure of information for digital microcredit found that just moving the option to view T&C from the last option in the main menu for a digital loan product to its own screen increased its consumer viewing from 9.5 percent to 23.8 percent.147

Regulatory requirements are increasingly likely to be informed by behavioral insights, including how consumers access financial products in a digital environment. In the aforementioned consumer study on digital microcredit in Kenya, requiring an opt-out approach to viewing T&C increased the rate of viewing from 10 percent to 24 percent, and the resulting delinquency rate was 7 percent lower for borrowers who read the T&C.148 Approaches to increase the effectiveness of digital disclosure could include requiring elements such as user-friendly sequencing and specific screens and pauses to help consumers absorb important information.
Research by the European Commission indicates that adding intermediate steps that customers must pass through, such as a “review screen” in the purchasing process, has resulted in consumers making more optimal loan choices.149 In Paraguay, lenders utilizing digital channels must provide consumers with a final option of rejecting or accepting the T&C prior to the conclusion of the loan contract and disbursement.150 When selling retail banking products and services through digital channels, financial institutions in Portugal must ensure that the sale proceeds only after customers have confirmed that they have read mandatory information documents to the end; and they must use visual and textual techniques to encourage customers to do so.151

Requirements could be used to ensure that user interfaces are clear, user-friendly, and easy to navigate. ASIC guidance notes that digital disclosure should be easily navigable, providing a practical example of a menu feature in an app that allows consumers to immediately go to sections of the disclosure that are most important to them.152 Rules should ensure the same standards in quality of disclosure across different types of mobile phones and platforms.

2.5.5 The Risk of Unbalanced or Misleading Marketing and Promotional Information

Marketing and promotional information for fintech products may be unbalanced or, in more extreme cases, be misleading. Unbalanced or misleading marketing is a core concern for regulators in any financial product context. Factors such as the novelty of fintech offerings for consumers, the impetus for providers to grow market share quickly, and entry into new and less sophisticated markets could increase the occurrence or exacerbate the impact of these practices.
A European Commission study on the digitization of marketing and distance selling of retail financial services highlighted several poor practices, including emphasizing benefits while giving lower prominence to costs; key information that is missing or difficult to find, such as risks or costs; and presenting unrealistic offers (such as loans that are almost or completely free of charge) while failing to mention the conditions attached to such offers.153 P2PL platform operators in China were observed to focus on aspects such as average returns if they appear attractive, without highlighting associated risks sufficiently.154 Adverse marketing practices observed in crowdfunding include promoting past performance without warning that it is not an indicator of likely future performance;155 highlighting benefits without equally highlighting potential risks; selectively choosing information to create an unrealistic optimistic impression of the investment; and watering down important information by comforting statements based on past records. The FCA has also expressed concerns about misleading advertisements by e-money issuers and other payment services providers that allege that their services are “free”156 even though fees are charged by intermediary service providers, and about non-bank providers that advertise themselves as offering “bank” accounts or imply that they are a bank.

144. ASIC. “Facilitating Digital Financial Services Disclosures.”
145. Based on World Bank conversation with Competition Authority of Kenya. The guidelines apply to financial services conducted through SIM cards, Unstructured Supplementary Service Data, and apps.
147. Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’”
148. Mazer, Vancel, and Keyman, “Finding ‘Win-Win.’” Subsequent to this study, the digital microcredit provider in the study integrated research insights into its new USSD menus, including (1) separating finance charges from principal, (2) adding a line showing loan fees as a percentage, (3) adding a separate screen with late-payment penalties, and (4) creating active choice to view terms and conditions.
149. EC. “Behavioral Study on Digitalisation.”
150. Circular SB. SG. No. 00065/2015.
151. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
152. ASIC. “Facilitating Digital Financial Services Disclosures.”

Marketing practices adopting particularly aggressive approaches or exploiting behavioral biases can be particularly problematic in a digital context. Some digital microcredit providers have been identified as aggressively marketing credit to consumers, such as via push marketing and unsolicited, preapproved offers. Aggressive marketing techniques include push SMS (that is, unsolicited text messages) with credit offers often sent to customers of MNOs or e-money services. Such practices exploit behavioral biases, such as present bias and loss aversion, and lead consumers to make impulsive decisions to take out loans without a clear purpose or to take out loans larger than necessary. Certain digital microcredit providers utilize digital channels for target marketing at times when consumers are vulnerable to making poor decisions, such as weekend evenings.
Marketing techniques that exploit behavioral biases to entice consumers can be particularly impactful. Examples include marketing that encourages consumers to borrow the maximum amount possible, suggestions that loans can be repaid easily, or trivializing the seriousness of a loan. Providers may market loans by focusing only on the maximum amount that can be borrowed. A study in Latvia found that digital lenders encouraged consumers to disclose higher incomes to obtain larger loans.157 Aggressive advertising via “cute messaging” was noted by the International Financial Consumer Protection Organisation (FinCoNet) as undermining the seriousness of entering into a credit contract and distracting consumers from the high costs of loans.158

The remote nature of digital channels and the rapid speed of digital transactions increase the vulnerability of consumers to aggressive marketing practices. The lack of human interaction with provider staff, combined with the fact that consumers may be transacting from the comfort of their own homes, may result in consumers taking digital loans less seriously. In addition, digital microcredit can be advertised as “one-click” or nearly automatic. These factors may lead consumers to make hasty and poor decisions.

2.5.6 Regulatory Approaches for Unbalanced or Misleading Marketing and Promotional Information

Policy makers continue to use warnings as a key mitigant, and some are shifting to more targeted warnings delivered at crucial moments in providers’ interactions with consumers. Nudges such as warnings to consumers of the risks of credit have been found to help improve decision-making.159 Short-term credit providers in Armenia must add legislated warnings to their disclosure material that inform customers of the high cost of the credit and encourage them to shop around and assess their ability to repay.
In the United Kingdom, high-cost, short-term credit must include a prominent risk warning and redirect consumers to resources from the authority in charge of debt advice.160

153. EC. “Behavioral Study on Digitalisation.”
154. Duoguang. “Growing with Pain.” 49.
155. FCA. “FCA’s Regulatory Approach to Crowdfunding over Internet.” para 3.75.
156. FCA’s General Standards and Communication Rules for the Payment Services and E-money Sectors in Policy Statement PS 19/3 2019 (UK), paras 3.18–3.24.
157. The study found that 20 percent of consumers who had taken out credit were actively prompted by the digital application system to indicate a higher income. See FinCoNet, “Report on Digitalisation.”
158. FinCoNet. “Report on Digitalisation.”
159. EC. “Behavioral Study on Digitalisation.”
160. All examples from OECD, “Short-Term Consumer Credit.”

Similarly, requiring P2PL platform operators to provide certain warnings or disclaimers in key contexts is being used to assist in balancing out inappropriately optimistic perceptions by consumers. Platform operators in the United Kingdom are subject to rules that require providing a prominent warning that past performance is not a reliable indicator of future results,161 while Brazilian authorities require that operators display—on their website, in other electronic channels, and promotional materials—a prominent warning that P2P loans are risky investments and are not subject to deposit insurance.162 In some jurisdictions, warnings are also coupled with acknowledgments from lenders/investors.
In India the RBI requires P2PL platform operators to obtain explicit confirmation from prospective lenders/investors that they understand the risks associated with the proposed transactions, that there is no guarantee of return, and that there exists a likelihood of loss of the entire principal in case of default by borrowers.163 As noted previously, it would be important to ensure that any such warnings or acknowledgments are not seen by regulators or fintech entities (or, importantly, misunderstood by consumers) as reducing the onus on entities to comply with their obligations and address relevant risks where appropriate. In some instances, rules requiring marketing information to be balanced are being augmented by fair advertising requirements specific to fintech-related risks. Regulators often request issuers and crowdfunding platform operators, as well as promoters, to ensure that advertisements are not misleading or deceptive by overstating or giving unbalanced emphasis to potential benefits, creating unrealistic expectations, or not clearly or prominently disclosing information about the risks facing the issuer’s business or adverse information about the issuer. For example, P2PL operators in the United Kingdom are restricted from making inappropriate comparisons, such as making direct comparisons between investing money in P2PL and holding money on deposit.164 The Financial Markets Authority of New Zealand issued guidance on the application of general fair-dealing requirements to crowdfunding and P2PL products, focusing on balancing representations about risk and reward and providing performance information appropriately.165 Policy makers have sometimes decided that it is necessary to explicitly ban certain marketing practices. 
In Belgium, advertisements that focus on the ease of obtaining credit are prohibited.166 In the United Kingdom, payday lenders are specifically required to refrain from advertising that trivializes the nature of payday loans, including by encouraging nonessential or frivolous spending or unacceptably distorting the serious nature of such loan products.167 Rules in the European Union generally restrict marketing of services that consumers have not solicited.168 In Portugal, financial institutions must refrain from using pre-ticked boxes or graphic elements to lead customers to choose certain options when conducting sales of retail banking products via digital channels and they must also refrain from using terms such as “preapproval” or “pre-acceptance” during the sales process, as such terms give the impression that credit is easy to obtain.169

Regulators have also been implementing rules to address potentially misleading or incomplete information shared between parties through platforms. Regulators have begun to take steps to regulate crowdfunding platforms that support secondary markets or exchange of information about securities (bulletin boards), such as by requiring posters to disclose clearly if they are affiliated in any way with the issuer and by mandating that platform operators take reasonable steps to monitor and prevent posts on bulletin boards that are potentially misleading or fraudulent.170

161. FCA Conduct of Business Sourcebook—October 2020 (U.K.), 4.6; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.72.
162. National Monetary Council Resolution Number 4,656 of April 26, 2018 (Brazil), art. 17.
163. RBI NBFC—Peer-to-Peer Lending Platform Directions 2017 (India), para 12(2).
164. FCA Conduct of Business Sourcebook—October 2020 (U.K.), 4.5.6R; FCA, FCA’s Regulatory Approach to Crowdfunding (and Similar Activities), para 3.74–3.75.
165. Financial Markets Authority of New Zealand, Fair Dealing in Advertising.
166. Consumer Credit Act 1991 (Belgium), art. 6.
167. Committee of Advertising Practice. “Trivialisation in Short-Term High-Cost Credit Advertisements.”
168. Directive 2002/65/EC on distance marketing of consumer financial services.
169. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.
170. For example, see SEC Regulation Crowdfunding (USA) and DFSA Rulebook (Dubai).

Cooling-off periods within which investors can withdraw from investments without consequences are an additional consumer protection measure often applied by regulators. In the U.S., crowdfunding regulations permit investors to withdraw up to 48 hours prior to the deadline specified in the issuer’s offering materials.171 In Italy, the applicable cooling-off period starts on the day the investor subscribes to the offer and lasts for seven days after that investment decision. In Australia, a cooling-off period starts on the day the investor makes an application (subscribes to the offer) and lasts up to five days after making the application. In Dubai, retail investors may withdraw during a 48-hour cooling-off period that starts at the end of the commitment period.172

2.6 Product is Unsuitable for a Consumer

2.6.1 The Risk of Unsuitability Due to Lack of Sophistication or Inexperience

Fintech can result in consumers getting increased access to novel and complex financial products—such as through P2PL and investment-based crowdfunding platforms—that they may lack the knowledge and experience to properly assess. Even if consumers are provided with all feasible and appropriate information about the risks and other key features of a particular fintech product, lower financial capability or sophistication can nevertheless expose them to losses or other harm.
This can be exacerbated when a fintech offering entails more complex or riskier aspects than traditional financial products that consumers may be familiar with. It may also be the case that a platform operator does not have sufficient information or understanding about a consumer’s lack of skills or sophistication. This may be due to a lack of effort or availability of data. Investment-based crowdfunding and P2PL platforms have enabled more individuals to act as investors and lenders to small enterprises and to other consumers. While causing a positive outcome due to their increasing access to finance, these products can also expose retail investors to risks of loss with which they may not be familiar when compared to more traditional investments they have dealt with previously. The assessment of investment and lending opportunities in the context of crowdfunding and P2PL can require a level of analysis and understanding of potential investees and borrowers that retail investors may not possess. Investor inexperience can also exacerbate other investing-related risks, such as excessive overall financial exposure (investing/lending too much of one individual’s net worth) or impacts from lack of control over the ultimate investment. Regulators have expressed concern that P2PL may expose investors to excessive losses due to their financial and other personal circumstances. Investors may also lack experience with how P2PL investments may perform in the longer term. The U.K. regulator noted recently that, while losses and defaults in the P2PL sector had been low, it was important to recognize that the sector was relatively new and had not been through a full economic cycle. 
When economic conditions tightened, losses on loans could increase.173

Consumers may also not appreciate the highly dispersed nature of crowdfunding investments, compared to the concentrated holdings of business owners and larger investors, so that the separation between the crowd and control over the management of investees is often high. This can create agency-related risks (and even moral hazard issues) to the detriment of the crowd, which may lack the skills and experience to address this.

An oft-quoted benefit of digital microcredit is the expanding of access to credit for millions of low-income consumers; at the same time, it can heighten the risk of poor borrowing behavior and related negative consequences for consumers with limited prior experience with credit. Additional factors already discussed above, such as aggressive marketing, unsolicited offers for digital microcredit, and poor transparency regarding pricing, can further cause inexperienced consumers to take up credit without considering the consequences effectively. For example, in some countries, a growing number of consumers are developing negative credit histories due to digital microcredit.174

171. SEC Regulation Crowdfunding, General Rules and Regulations 17 CFR Part 227 (USA), Rule 402(a).
172. DFSA Rulebook (Dubai), COB 11.5.2.
173. FCA. “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms.” (CP18/20), para 5.45–5.47.

2.6.2 Regulatory Approaches to Risk of Unsuitability Due to Lack of Sophistication or Inexperience

Limits on Consumers’ Exposures

Regulators are setting limits on individual investments to limit potential harm to retail investors from exposure to investments offered through P2PL and investment-based crowdfunding platforms. These lending/investing caps are being implemented on a variety of bases, ranging from overall caps to limitations on specific exposures.
In Dubai, for example, an investment-based crowdfunding operator must ensure that a retail client does not invest more than $50,000 in total in any calendar year through its platform.175 In contrast, Australia has set an investment cap of AUD10,000 per annum per company without an aggregate investment cap. In India, the RBI has imposed both a cap of INR1 million on the total P2PL loans that a lender/investor may make and a cap of INR50,000 on a lender or investor’s exposure to any individual borrower.176 The implementation of monetary caps on P2PL appears to be widespread in the European Union.177 For example, in France, caps for individual lenders/investors of €2,000 per loan if interest-paying or €5,000 if interest-free apply, while Spain has prescribed limits on a per-loan and total-annual basis (of €3,000 and €10,000, respectively) for non-accredited investors. Some limitations are being set due to investors’ specific circumstances. The U.K. rules on direct financial promotions178 allow P2PL and investment-based crowdfunding platforms to communicate financial promotions directly only to retail investors that confirm that they will not invest more than 10 percent of their net investable assets unless receiving regulated financial advice.179 Some jurisdictions impose caps on the amount that an individual borrower may borrow through P2PL platforms or limit how much money a company can raise on a crowdfunding platform. 
In Australia, eligible companies are able to make offers of ordinary shares to raise up to AUD5 million through crowdfunding in any 12-month period.180 In Malaysia, an issuer may raise, collectively, a maximum amount of RM10 million through equity crowdfunding in its lifetime.181 P2PL rules in China impose a general obligation on platform operators to set limits on individual borrowers’ total loan balances with individual platforms and across platforms.182 Limits of ¥1 million and ¥5 million have been set for total loan balances of a natural person or a legal person, respectively, across multiple platforms. In India, the RBI has imposed a cap on the aggregate P2P loans taken out by a borrower at any point in time of INR1 million.183

Warnings and Disclosures

Disclosure and transparency measures are important in helping to mitigate against additional risks faced by inexperienced or unsophisticated consumers, although such measures are unlikely to be a complete or even the main solution. For example, some regulators require platform operators to warn potential investors about risks affecting P2PL or investment-based crowdfunding offerings. These requirements are sometimes introduced specifically for fintech offerings and sometimes applied by extending existing requirements. Platforms in the United Kingdom have a general obligation to warn clients about risks associated with investments in financial instruments that now also applies to platforms.184 In Dubai, information displayed on platform websites must include warnings about the main risks of using crowdfunding platforms and consequences of risks, such as if there are defaults.185

174. For example, an estimated 500,000 digital borrowers in Kenya have been blacklisted by credit-reference bureaus. https://www.theeastafrican.co.ke/business/Should-digital-lenders-worry-as-clients-struggle/2560-5179802-fs8a8qz/index.html.
175. DFSA Rulebook (Dubai), COB 11.5.3.
176. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7.
177. See Lenz, “Peer-to-Peer Lending,” 699.
178. FCA Conduct of Business Sourcebook. July 2019 (U.K.). 4.7.
179. Platforms in the United Kingdom are required to classify investors to determine whether direct financial promotions for unlisted securities can be communicated to them (for example, links to an investment website or to an investment subscription form). Only retail investors that are certified as sophisticated investors, who certify as high-net-worth investors, who confirm that they will receive regulated advice, or those who confirm that they will not invest more than 10 percent of their net investable portfolio in unlisted securities may be the targets of a direct offer.
180. Corporations Act 2001 (Cth) (Australia), s. 738G(1)(d), s. 738G(2).
181. Guidelines on Recognized Markets SC-GL/6-2015(R4-2020) (Malaysia), 13.9.
182. Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions 2016 (China), art. 17.
183. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 7.

Some regulators require platforms to obtain some level of confirmation regarding consumer understanding. In the United States, crowdfunding platform operators (funding portals)186 must ensure investors demonstrate that they understand the risks of crowdfunded investing. In some jurisdictions, the focus is on assessing the appropriateness of a product for a client, and level of understanding can be one of the elements required to be considered. This approach is discussed below in the context of suitability assessments.
2.6.3 Risk of Unsuitability Due to Inadequate Assessment or Product Design

Fintech credit products offered with limited or no assessments of consumer circumstances, or without adequate consideration of the target market, may result in products that are unaffordable or not suitable for particular consumers. This risk already exists in the context of more traditional products but can be exacerbated by new factors in a fintech context. For example, digital microcredit providers may initially utilize blind “lend-to-learn” models that fail to consider repayment capacity sufficiently. Or, P2PL loans may be offered by platform operators with business models that cause them to be less concerned with assessing credit quality. As a result, borrowers may become over-indebted and lender/investor-consumers may suffer losses. In the case of P2PL, lenders/investors may be heavily reliant on assessments by the platform to ensure that loans fit within parameters they are comfortable with,187 lacking the ability to assess this for themselves.

Investments offered through crowdfunding or P2PL platforms may be inappropriate for certain retail investors. If an operator lacks the onus to assess a consumer’s risk appetite, experience, and financial circumstances, investments offered through crowdfunding or P2PL platforms may be inappropriate for certain retail investors.

2.6.4 Regulatory Approaches to Risk of Unsuitability Due to Inadequate Assessment or Product Design

Affordability Assessment

Many countries already have in place general obligations for lenders to obtain and verify information about a consumer’s financial circumstances for consumer credit and, in some instances, specifically for short-term, high-cost credit.
Different approaches have been taken to impose such obligations, from principle-based to more prescriptive.188 In South Africa, providers are prohibited from “reckless lending” and from entering into a credit agreement without first taking reasonable steps to assess a consumer’s financial circumstances. A credit agreement is considered reckless if the provider did not conduct such an assessment, if the consumer did not understand the risks and obligations of the credit agreement, or if entering into the credit agreement would make the consumer over-indebted.189 Some countries employ more prescriptive measures to gauge affordability. In Japan, moneylenders (including fintech lenders) are prohibited from lending where the total amount of borrowing exceeds one-third of a consumer’s annual income.190 Such regulatory approaches also help to address risks related to conflicts of interest with respect to digital credit providers, which are discussed below.

184. FCA Conduct of Business Sourcebook—July 2019 (U.K.), 4.5, 4.5A.
185. DFSA Rulebook (Dubai), COB 11.3.1 to COB 11.3.2.
186. SEC Regulation on Crowdfunding introduced a new category of registered intermediary, a funding portal, that may facilitate transactions under the exemption, subject to certain restrictions. The statute and rules provide a safe harbor from broker-dealer registration under which funding portals can engage in certain activities conditioned on complying with the restrictions imposed by SEC’s Regulation Crowdfunding. For example, a funding portal may not offer investment advice or make recommendations; solicit purchases, sales, or offers to buy securities offered or displayed on its platform; compensate promoters and others for solicitations or based on the sale of securities; or hold, possess, or handle investor funds or securities. See https://www.sec.gov/regulation-crowdfunding-2019_0.pdf.
187. See, for example, ASIC, “Survey of Marketplace Lending Providers” (Report 526), para 81–82; see also Committee on Global Financial System and Financial Stability Board Working Group, FinTech Credit, 26.
188. See, for example, FinCoNet, “FinCoNet Report on Responsible Lending.”
189. National Credit Act 2005 (South Africa), Part D.
190. Money Lending Business Act 1983 (Japan), art. 13-2.

For P2PL, it is crucial that affordability assessment obligations apply to the entity in the best practical position to undertake such assessments, which is usually the P2PL platform operator, rather than the individual consumer. For example, in the United Kingdom, FCA introduced rules that require a platform operator to undertake creditworthiness assessments, similar to those that need to be undertaken by a traditional licensed lender.191 The rules set out detailed requirements for information that should be obtained and verified about the borrower’s income, expenditure, and other circumstances for the purpose of such an assessment by the platform operator and also how the assessment should be made.192 India’s RBI has similarly imposed obligations on platform operators to undertake credit assessment and risk profiling of borrowers and to disclose the results of these to prospective lenders/investors.193

Product Suitability

Requirements to assess appropriateness of products are being applied across a range of fintech contexts. In the case of investment-based crowdfunding, these requirements frequently include collecting information from prospective investors to confirm their understanding of the risks involved with intended transactions and whether selected projects are suitable for their profiles.
New EU regulation on crowdfunding requires that platform operators run an entry knowledge test on their prospective investors and that these prospective investors simulate their ability to bear loss.194 In the United Kingdom, when a retail client is not receiving investment advice, a platform must undertake an appropriateness assessment before the client can invest. The operator is required to determine whether the client has the necessary experience and knowledge to understand the risks involved in the opportunity being offered.195 The FCA has included guidance with its new rules setting out a range of multiple-choice questions that avoid binary (yes/no) answers for operators to consider asking prospective P2PL investors. Questions address matters such as the client’s exposure to the credit risk of the borrower, the potential loss of capital, and that investing in P2PL is not comparable to depositing money in savings accounts.196

Product Design and Distribution

While product suitability requirements focus on interactions with individual consumers, emerging regulatory approaches on product design and distribution can help ensure appropriate design of fintech products and reduce risks to consumers before such products even enter the market. A recent World Bank publication discusses the increased emphasis by authorities on legal requirements that govern how retail financial products should be designed and distributed so they are appropriate for their target market, supported by product intervention powers granted to regulators.197 Australia, the European Union, Hong Kong SAR, China, South Africa, and the United Kingdom, for example, all have such frameworks or are developing them. The main focus of such regimes is on requiring FSPs to put in place product oversight and governance arrangements designed to ensure that financial products meet the needs of consumers in target markets.
Common elements of such regimes include the following:

• Governance standards: Requiring FSPs to establish and implement clear, documented product oversight and governance arrangements overseen by senior management.
• Target market assessments: Requiring FSPs to undertake an assessment of the target market for which the product is being developed. There may also be a need for product testing before the product is launched.
• Distribution arrangements: Requiring FSPs to ensure distribution channels are appropriate for consumers in the target market for a product.
• Post-sale product reviews: Periodically requiring FSPs to review a launched product and related disclosure materials.

191. FCA Consumer Credit Sourcebook, October 2020 (U.K.) 5.5A.
192. FCA, “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms” (CP19/14), para 4.1–4.6.
193. RBI NBFC—Peer to Peer Lending Platform Directions 2017 (India), para 6(1).
194. EU Regulation 2020/1503 of October 7, 2020 on European crowdfunding service providers for business, art. 21.
195. FCA Conduct of Business Sourcebook, October 2020 (U.K.), 10.
196. FCA Conduct of Business Sourcebook, October 2020 (U.K.), 10.2.9G.
197. Boeddu and Grady, Product Design and Distribution; FinCoNet and the G20 Task Force are also undertaking detailed research on policy and supervisory approaches to financial product governance with a report expected to be published in 2021; see FinCoNet, “FinCoNet Annual General Meeting.”

Such regimes may include or be complemented by product intervention powers. These allow regulators to impose restrictions on the marketing, distribution, or sale of specified products and can be used where there is evidence that a financial product has resulted or will likely result in significant detriment to retail clients that cannot be remedied in any other way. Such regimes are starting to be applied to digital credit products.
For example, the EBA specifically highlights that it would be good practice for providers to give further attention to “the risks that consumers might face due to the increasing use of digital channels by financial institutions—for example, exposing consumers to market practices that exacerbate behavioral biases—when improving their product oversight and governance processes.”198 Digital microcredit lenders in Ghana are required to present and demonstrate their product, identified risks, and risk-mitigation strategies to a panel at the Bank of Ghana for assessment and approval before launching a product.199 Potential measures to address risks include requiring providers to place greater focus on customer segmentation200 and to target and sell only those digital microcredit products that are suitable and appropriate for the interests, objectives, and characteristics of target segments.201

2.7 Conflicts of Interest and Conflicted Business Models

2.7.1 Risks to consumers

Certain characteristics of fintech arrangements discussed in this note can be conducive to conflicts between the interests of consumers and providers with significant adverse impacts on consumers. Such conflicts often arise in traditional financial product and service settings, but new or changed fintech business models may give rise to conflicts under new circumstances not foreseen by regulators (or expected by consumers), as well as produce new variations of typical conflicts.

Fee-revenue models underpinning some fintech businesses can give rise to perverse incentives for fintech entities to act in ways inconsistent with the interests of their consumers. Some P2PL platforms earn origination fees by facilitating new loans, while consumer investors bear the loss if those loans are made imprudently.202 Some P2PL platform operators also receive additional revenue streams from charging debt-collection fees to pursue delinquent loans on behalf of investors.
Such arrangements can give rise to a conflict between investors’ interests in ensuring adequate credit assessments of all loans and an operator’s potential loosening of such standards to enable more borrowers to qualify for loans that generate additional fees and market share.203 The resulting conflict can also have an adverse impact on borrowers if they are approved for unaffordable loans. This can also be the case in digital microcredit business models where a digital lender’s profitability is heavily dependent on generating upfront facilitation fees (which may be significant relative to the size of digital loans) or other fees that are not necessarily affected by loan quality and less dependent on interest income from repayments. A lender may accept high loss rates as a cost of doing business, focusing on growing loan volumes—facilitated by high-speed, low-contact digital loan distribution—rather than loan quality.

198. EBA, Second EBA Report.
199. AFI, “Digitally Delivered Credit: Consumer Protection Issues.”
200. McKee et al., “Doing Digital Finance Right.”
201. FinCoNet, “Guidance to Supervisors on Digitalization.”
202. See, for example, Owens, “Responsible Digital Credit,” 18, and The Economist, “Created to Democratise Credit.”
203. Oxera, “Crowdfunding from Investor Perspective,” 25; FCA, “FCA’s Regulatory Approach to Crowdfunding (and Similar Activities),” 43 and 45.

Such potentially harmful conflicts are frequently the result of a business model in which the fintech entity is empowered to make key decisions affecting risk of loss that is borne by consumers. For example, the financial benefits that an investment-based crowdfunding platform operator derives from publicizing crowdfunding offers and ensuring their success may incentivize them to behave in ways contrary to the interests of prospective investors.
The platform operator may not perform due diligence on prospective offers to a required standard, as this may result in having to decline hosting that offer, or the operator may be reluctant to assist investors in exercising cooling-off rights to cancel their investment, affecting the success of an offer. As another example, in some P2PL models where a consumer invests in a portfolio of loans rather than individual loans, the platform operator may have the right to change, from time to time, the loans that make up that portfolio. A lack of alignment between the operator’s ability to make such changes and the investor’s interests may mean that the operator does not exercise these rights in ways that always ensure that an investor’s interests are protected. The operator may not properly take into account the up-to-date value of the loans being reassigned to ensure that the investor is not exposed to greater risk or loss. This may be because the operator wishes to avoid operational cost or effort or to transfer changed risk to the investor (for example, when facilitating the transfer of pre-funded loans initially arranged by the operator or related party or choosing to favor some investors over others in such transfers).204 Business models heavily dependent on generating certain fees, often volume-based, may also incentivize fintech entities to encourage consumers to engage in detrimental behavior. Digital lenders in a range of jurisdictions have been found to encourage consumers to continue rolling over loans or to take up multiple loans. Even if a digital lender is exposed to the risk of loan defaults, they may opt to focus on loan quantity rather than quality to maximize fee-related returns. While such practices have always been present in the financial sector, they are highly enabled by the digital nature of fintech, which allows providers to reach exponentially more customers at much lower costs. 
Providers may also be incentivized to offer refinancing to consumers struggling to repay a loan through a new loan that a borrower may perceive as staving off default but, in fact, causes them to incur additional fees and ultimately even greater debt. Paying sales-based commissions to agents of e-money issuers may encourage them to recommend one provider over another regardless of whether the product is suitable for the consumer. Remuneration structures for fintech entities’ staff and agents may encourage them to engage in behavior inconsistent with the interests of the consumers they deal with. Such remuneration is variously referred to as “conflicted remuneration” or “perverse incentives.” In the context of e-money arrangements, for example, sales-based commissions may encourage agents to not act in the best interests of consumers when recommending e-money providers or products. An agent may recommend one provider over another primarily because of the higher commissions involved, regardless of whether the product is suitable for the consumer’s financial needs, objectives, or capacity. Business models that allow fintech entities or affiliated parties to compete with consumers may give those entities unfair advantages, such as insider knowledge, and incentivize conduct that prejudices the interests of consumers. On an investment-based crowdfunding platform, for example, the operator or their affiliates may invest in offers hosted on the platform, or they may hold an interest in entities making offers through the platform or in investors taking up that offer. The way that the operator assesses such offers or represents them to prospective third-party investors may be affected by such underlying interests.205 A P2PL platform may similarly allow the platform operator or their affiliates, as well as the public, to invest in loans offered through the platform. The operator or affiliate may then enjoy advantages over ordinary investors. 
Such advantages may include, for example, better or prior access to loan selection or access to information, not available to other investors, about prospective borrowers and how they have been assessed. This may allow the operator or affiliate, for example, to relegate investors to choosing from lesser-quality loans.206

204. FCA, “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms,” (CP18/20), para 4.42–4.46.
205. See, for example, Dentons, “SEC Adopts Final Rules,” 12.
206. FCA, “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms.” (CP18/20), para 5.39–5.40.

2.7.2 Regulatory Approaches

General Conflict-Mitigation Obligations

A key mitigant for potential consumer harm from conflicts are obligations on fintech entities to manage and mitigate conflicts that arise from their activities. This well-established mitigant places an onus on providers to identify and implement practical measures to address conflicts. Typical obligations of this kind would require fintech entities to implement adequate policies and procedures and effective organizational and administrative arrangements designed to prevent conflicts of interest from harming the interests of the consumers they deal with. Such obligations encompass expectations that fintech entities take appropriate steps to identify and manage, or prevent, conflicts of interest within their business, such as conflicts between the interests of their management, staff, or agents and those of consumers, and even conflicts that their business model and platform arrangements may create between different clients.
For example, crowdfunding platform operators in Dubai are required to take reasonable steps to ensure that conflicts, and potential conflicts, between themselves and clients as well as between clients are identified and prevented or managed in such a way that the interests of a client are not harmed, and all clients are treated fairly and not prejudiced by any such conflicts. If an operator is unable to prevent or manage a conflict, they must decline to provide relevant services to a client. In Italy, platform operators are similarly obliged to prevent any conflicts of interest that may arise in the management of platforms from having a negative effect on the interests of investors and ensuring equal treatment of recipients of offers, who are in identical conditions. They must prepare, implement, and maintain an effective policy on conflicts of interest, defining the procedures to be followed and measures to be taken to prevent or manage such conflicts.207 Conflict-management obligations are often part of the general obligations that apply to entities licensed or otherwise authorized to provide financial products or services in a jurisdiction. For example, in Australia a P2PL platform operator—as the holder of an Australian credit license—would be subject to a general obligation to have in place adequate arrangements to ensure that its borrower consumers are not disadvantaged by any conflict of interest that may arise wholly or partly from credit activities engaged in by them, their staff, or agents. 
They would also be subject to a similar obligation to their consumer investors as the holder of the financial services license that covers their investment activities.208 In the United Kingdom, one of the “Principles for Business” applying to all authorized firms would require fintech entities to manage conflicts of interest fairly, both between themselves and the consumers they deal with, as well as between consumers.209 However, it would also be important to ensure that such general conflict-mitigation obligations cover fintech entities comprehensively, regardless of the basis on which any licensing or authorization framework applies.

Compulsory disclosure of conflicts more generally may go some way toward mitigating their impact on consumers. However, as demonstrated by regulators developing a range of substantive conflict-management obligations for providers, there is increasing recognition that it is difficult for consumers to be able to avoid or mitigate the impact of conflicts, even if they are aware of them. Consumers may also paradoxically place more trust in providers after they reveal conflicts, rather than less.

Conflicted Remuneration Restrictions and Transparency

An important mitigant for conflicts driven by incentives are requirements for fintech entities to have in place policies that ensure their internal remuneration arrangements do not encourage conflicted behavior. In the context of digital microcredit or P2PL, such obligations could include ensuring that incentives for staff undertaking or overseeing credit assessments (or designing those credit assessments, such as where these are automated) are not based solely on volume and take into account loan quality and overall performance.210

207. Consob, Resolution no. 18592 (as amended), art. 13.
208. National Consumer Credit Protection Act 2009 (Cth) (Australia), s. 47(1)(b), and Corporations Act 2001 (Cth) (Australia), s. 912A(1)(aa).
209. FCA. Principles for Businesses. October 2020 (U.K.), 2.1.1R (Principle 8).
210. For example, see FinCoNet, “Guidance to Supervisors on Setting of Standards,” and World Bank Group, “Good Practices,” C8: Compensation of Staff and Agents.

Disclosure of remuneration—such as sales-based commissions paid to e-money agents or financial interests that a crowdfunding platform operator has in an issuer offering securities on their platform—may sometimes help mitigate risk of conflicted remuneration. This is particularly the case where consumers would rely on advice or recommendations from provider staff or agents without realizing these may be influenced by incentives. For example, in the U.S., crowdfunding platform operators acting as intermediaries must clearly disclose the manner in which they are compensated in connection with offers and sales of securities undertaken through their platform.211

Duties to Act in Consumers’ Best Interests

Duties for fintech entities to act in accordance with the best interests of their consumers can also act as a key mitigant for potential consumer harm from conflicts. If a conflict arises between the entity’s interests and those of a consumer, such a duty would require them to adjust their conduct to place the consumer’s interests first. In Australia, for example, a P2PL platform operator would be required to act in the best interests of investors when their platform arrangements constitute a managed investment scheme.212 Sometimes such a duty is framed less onerously but still requires that appropriate regard be paid to consumers’ interests. In the United Kingdom, one of the “Principles for Business,” which authorized firms must adhere to, is to pay due regard to the interests of their customers.213 These kinds of duties seem to be imposed more commonly in relation to some types of financial products or services, such as investment-related services or financial advice.
For example, under a new EU regulation on crowdfunding, platform operators are subject to a duty to act honestly, fairly, and professionally in accordance with the best interests of investors.214

Obligations Targeting Specific Conflicted Circumstances

Regulatory requirements targeting specific circumstances may sometimes be necessary, in addition to general conflict-mitigation obligations, to address root causes of conflicts or harms effectively. Requirements for digital lenders and P2PL platform operators to undertake a proper creditworthiness assessment, as already discussed above, would help address lax lending practices that may arise as a result of business models that depend on loan volumes, rather than loan quality, to generate revenue.

A need for targeted obligations was similarly identified by the U.K. regulator to mitigate the risk of conflicts leading to inappropriate loan pricing by P2PL platform operators with interests that diverge from those of consumers. Such operators are obliged to have a mechanism in place to ensure that pricing offered to investors accurately reflects the credit risk of the borrower. This was viewed as important, both when setting interest rates (for new loans) and when calculating the current value of loans (interest and principal) for loans being transferred to an investor.215

Restrictions may need to be placed on aspects of fintech business models that significantly increase the likelihood of consumer harm from conflicts, such as arrangements that allow fintech entities or their affiliates to compete with their consumers unfairly. Many regulators have implemented restrictions on crowdfunding platform operators, and their affiliated parties, investing in issuers whose offers are hosted on their platforms, as a way to avoid conflicts of interest that may arise with other investors using the platform.
Proposed crowdfunding rules in the European Union would prohibit platform operators from having any financial participation in crowdfunding offers that they host. Affiliates of an operator (such as shareholders holding 20 percent or more of share capital or voting rights, managers and employees, or any persons directly or indirectly controlling the operator) also would not be permitted to invest in such offers. In Dubai, any officer or employee of a crowdfunding platform operator (or their family members) is restricted from investing or issuing via the platform or having a financial interest in any issuer or investor. Some regulators have placed caps on such investments—in Malaysia, operators are permitted to have shareholdings in issuers hosted on their platform of up to 30 percent, accompanied by public disclosures. The U.S., on the other hand, allows operators to invest in issuers selling securities through their platform, but only if the financial benefit they derive is compensation for their services and consists of the same class of securities, on the same terms, as those that the public receives. This concession was viewed as helpful in raising the profile of crowdfunding campaigns.216

211. SEC Regulation Crowdfunding (U.S.A.), Rule 227.302 (d).
212. Corporations Act 2001 (Cth) (Australia), s. 601FC(1)(c).
213. FCA Principles for Businesses, October 2020 (U.K.), 2.1.1R (Principle 6).
214. EU Regulation 2020/1503 of October 7, 2020 on European crowdfunding service providers for business, art. 3(2).
215. FCA, “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms,” (CP18/20), para 4.38–4.41.

In some jurisdictions, similar restrictions have been placed on P2PL platform operators or their associates investing in loans facilitated by their platforms.
For example, regulations in China limit operators to intermediating loans made directly between lenders/individuals and borrowers and prohibit operators from giving any loans themselves. Indonesian regulations similarly prohibit operators from acting as lenders or borrowers.217

Regulators may also find it necessary to prohibit certain specific financial benefits. For example, to ensure that prospective investors on crowdfunding platforms are offered investment opportunities on a neutral basis, new EU rules prohibit platform operators from paying or accepting any remuneration, discount, or non-monetary benefit for routing investors’ orders to particular offers.218

2.8 Risks from Algorithmic Decision-Making

2.8.1 Risks to Consumers

The use of algorithms for consumer-related decisions is increasing in financial markets overall, but is becoming particularly prevalent in highly-automated fintech business models.219 In the case of the fintech product examples discussed in this note, this is particularly relevant to credit-scoring decisions for digital microcredit and P2PL. Consumer risks that arise as a result of algorithmic scoring decisions may lead to unfair, discriminatory, or biased outcomes.

2.8.2 Regulatory Approaches

This is a cutting-edge area with limited examples of regulatory approaches implemented to date. However, general principles for algorithmic accountability are emerging around the key principles of fairness, explainability, auditability, responsibility, and accuracy.
Emerging regulatory approaches relevant to fintech include applying fair treatment and anti-discrimination obligations to algorithmic processes; rules on safeguards for the development, testing, and deployment of algorithms, and for auditability and transparency for consumers.220 For example, the EBA guidelines on loan origination and monitoring require that when using automated models for creditworthiness assessment and credit decision-making, financial institutions should have in place internal policies and procedures to detect and prevent bias and ensure the quality of input data.221 Financial institutions in Portugal are explicitly required to inform bank customers of situations where their creditworthiness assessments rely exclusively on automated decision-making processes, particularly artificial intelligence models, in order to allow customers to exercise their rights under the European Union’s General Data Protection Regulation (GDPR).222

216. SEC Regulation Crowdfunding (U.S.A.), Supplementary Information, 163.
217. Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions, 2016 (China), art. 10.
218. EU Regulation 2020/1503 of October 7, 2020 on European crowdfunding service providers for business, art. 3(3).
219. This topic is interlinked with the data privacy risks discussed above, as algorithmic scoring in fintech relies on alternative data and Big Data analytics.
220. See, for example, Hong Kong Monetary Authority, “Consumer Protection; EBA, Final Report on Guidelines,” s. 4; GDPR, art. 22.
221. EBA. Final Report on Guidelines.
222. BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels.

2.9 Data Privacy

2.9.1 Risks to Consumers

Data privacy is obviously a crucial consideration relative to fintech offerings, given their highly data-driven nature.
Business models for fintech offerings often revolve around the innovative use of Big Data223 and alternative data to target consumers for product offerings, assess product applications, or design products. Alternative data may include, for example, data on airtime, use of mobile data, use of mobile money, call patterns, social media activity and connections, internet use and browsing history. Such data may be purchased from third parties or obtained from a consumer’s phone. While such innovative data sourcing and analysis can, for example, expand access to finance for consumers for whom limited formal data is available, they also raise new, complex data privacy concerns, such as regarding informed consent and legitimate uses.

This section briefly touches on data privacy from a fintech consumer’s perspective and its relevance to financial consumer risks and interaction with FCP regulation. It is not intended to be an exhaustive discussion on privacy risks.224 While critical for financial consumers, data privacy risks typically involve considerations beyond a financial consumer lens and are ideally addressed through regulatory approaches that go beyond sector-specific regulation.

Consumers may lack awareness or understanding of how and what data about them is collected or used, not assisted by common approaches to notifications and consent. As already discussed, delivery of information through digital channels, such as through feature phones, and the speed with which fintech products are acquired can make it difficult for consumers to process information adequately, including data privacy-related notifications. Importantly, the complexity of data-sharing relationships underlying business arrangements, and the uses to which such data may be applied (such as algorithmic decision-making), can make it inherently more difficult for consumers to understand privacy-related disclosures and their implications.
Further, as highlighted in a previous World Bank publication on new forms of data processing, there are practical limitations of consent-based data privacy models that are exacerbated in the digital context and the greater complexity of data and uses.225 The previous World Bank paper also discusses a range of risks that can arise as a result of new forms of data processing for providing financial services that are highly relevant in a fintech context, such as use of data to discriminate inappropriately between consumers and impacts on consumers due to inaccurate data or data breaches.

Importantly, individuals may be affected by fintech-related data privacy issues regardless of whether they are ever customers or prospective customers of fintech entities. Personal information may be subject to data mining, purchasing, or analytics regardless of any existing or prospective consumer relationship, such as for product development or marketing research. There is an increasingly wide array of data brokers and data analytics companies (often outside financial sector regulation). Data privacy risks are not confined to the financial sector, given how data travels through and is exchanged and handled across different sectors. FCP regulation by itself can struggle to address such issues because of sectoral boundaries, hence the need for a whole-of-economy/jurisdiction approach to data privacy regulation, as reflected in regimes such as the European Union’s GDPR.226

223. Big Data refers to high volumes of different types of data, produced with high velocity from a high number of various types of sources, that are processed, often in real time, by IT tools such as powerful processors, software, and algorithms.
224. For further discussion of these issues see, for example, OECD, “Financial Consumer Protection Policy Approaches,” and Grady et al., “Financial Consumer Protection.”
225. Grady et al. “Financial Consumer Protection and New Forms of Data.”
226. EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation/GDPR).

2.9.2 Examples of Regulatory Approaches

Without seeking to set out a full range of elements to comprehensively mitigate data privacy risks, the following are internationally emerging examples of data privacy regulatory measures relevant to fintech:227

• Coverage of alternative data: It is important that definitions of personal data (or equivalents) are sufficiently broad and flexible to cover alternative data and, in particular, that they reflect the increasing ability to identify individuals from data. Data associated with individuals can include, for example, information about internet or other electronic network activity (such as browsing and search histories, stored locally or with providers), geolocation data, and inferences drawn from such information to create a profile about an individual relating to matters such as (as referenced for example in California’s recently implemented Consumer Privacy Act)228 their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.229 California’s Consumer Privacy Act defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, and then provides a non-exhaustive list of examples, including the kinds of data described above.230

• While consent will likely continue to be a key element of data privacy frameworks, there is a clear shift away from bundled, overarching consent toward models requiring more active, granular, and targeted consent.
For example, the European Union’s GDPR notes that separate consent should be obtained for different personal data-processing operations where appropriate.231

• There is also increasing recognition that consent-based approaches to data privacy are useful but likely insufficient. An emerging approach puts greater focus on personal data being processed for legitimate purposes. The GDPR requires that personal information be collected for explicit, specific, and legitimate purposes and not processed in a way incompatible with such purposes.232 Some commentators suggest that under some circumstances, policy makers could consider being more prescriptive regarding what qualifies as, and what are the boundaries of, legitimate use. For example, access to contacts and personal data to threaten customers (as opposed to using such data for lending decisions) could be banned.233

• Data minimization and privacy-by-design requirements are becoming increasingly important. The GDPR requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purpose for which data is being processed and kept for no longer than necessary for the purposes for which the personal data are processed.234 This is also reflected in other data privacy frameworks, such as in Australia and Canada.235

• Similar to provider liability requirements for the behavior of agents, providers are being given greater responsibility regarding the data practices of third parties that they contract. In some frameworks, this is more implicit, based on concepts of controls, but it seems likely to be increasingly more overt. For example, a draft data privacy bill proposed in the U.S.
(the Consumer Online Privacy Rights Act) includes provisions that require providers to exercise reasonable due diligence in selecting service providers and conduct reasonable oversight of them to ensure compliance with data-protection rules on service providers and third parties.236 The GDPR already focuses on this through, for example, responsibilities placed on data controllers for the actions of data processors.

• In jurisdictions such as the European Union, individuals are being given a range of additional data-related rights, allowing them to exercise greater access to and control over their data. The GDPR, for example, provides for a right to data portability,237 enabling individuals to obtain and transfer their personal data between providers for their chosen purposes and a broad “right to be forgotten”—facilitating individuals’ ability to have personal data about them erased and to prevent further processing.238

227. See also, for example, the discussion of data privacy in a DFS context in OECD, “Financial Consumer Protection Policy Approaches.”
228. Consumer Privacy Act of 2018 (California, U.S.A.).
229. Consumer Privacy Act of 2018 (California, U.S.A.), s. 1798.140(o)(1)(K).
230. Consumer Privacy Act of 2018 (California, U.S.A.), s. 1798.140(o).
231. GDPR, Recital 43.
232. GDPR, art. 5(1).
233. MicroSave. “Making Digital Credit Truly Responsible.”
234. GDPR, art. 5(1).
235. Also see OECD, “Financial Consumer Protection Policy Approaches.”
236. Bill on Consumer Online Privacy Rights Act, s. 2968, 116th Congress. December 2019 (U.S.A.).
237. GDPR, art. 20.
238. GDPR, art. 17.

3. Implementation Considerations

A regulator contemplating implementing the regulatory measures discussed in this note will have to tailor regulatory approaches to country context and balance the need for consumer protection with the impact on industry, market development, and innovation.
This section summarizes a range of key implementation issues for regulators to consider.239

3.1 Importance of Country Context and Striking an Appropriate Balance

Although this note identifies a range of potential regulatory measures to address relevant risks, it is not the authors’ intent to suggest that all regulatory measures be implemented in all situations. Rather, the note provides authorities an overview of a range of regulatory measures from which they could select approaches best suited to their particular circumstances.

Some regulatory measures discussed in this note can impose significant compliance costs on industry participants. A proportionate, risk-based approach will therefore be needed. It is important for a regulator contemplating implementing regulatory measures to strike an appropriate balance between the need for consumer protection and the resulting impact on industry and market development, including potentially harming access to finance. For example, as high-profile incidents of lender/investor losses and other consumer harms have affected P2PL in a number of countries, authorities deemed it necessary to significantly increase obligations and restrictions on participants to mitigate the risk of such harms occurring in the future. Reactions to this have been mixed.
Media reporting in the United Kingdom suggests, for example, that platform operators themselves hope significant reforms by the regulator will help restore the sector’s damaged reputation by weeding out weaker, less compliant competitors.240 By contrast, some industry participants in China have expressed concern that major reforms implemented by the Chinese authorities may stifle the sector and cause remaining players to significantly change their businesses to their detriment.241

3.2 Assessing the Market, Consumer Experiences, and the Current Regulatory Framework

Policymakers should first seek to develop a good understanding of their country’s fintech market and, more broadly, its financial sector. Effective stakeholder consultation, at consumer and industry level, will be essential. Within each fintech category available or entering a country’s financial sector, a range of business models may be being utilized, with different types of providers, operating models, product features, digital channels, and current and prospective customer bases and target markets. These differences will influence the risks being faced by consumers as well as how they can best be addressed.

239. For a detailed discussion and country examples, see also G20/OECD Task Force on Financial Consumer Protection, “Financial Consumer Protection Policy Approaches.”
240. Megaw, “Peer-to-Peer Groups;” Makortoff, “Peer-to-Peer Lender.”
241. Deng and Yu, “Business Is Withering.”

A regulator’s research to inform its regulatory policymaking should include understanding consumers’ issues and experiences. This includes focusing on both consumer expectations and experiences in relation to fintech products, and financial products more broadly, in the context of their needs and circumstances, and in relation to potential measures, including but not limited to regulation, that may be able to address risks and concerns that consumers face.
Information for these purposes can be gathered from a variety of sources, including market research; consumer focus groups and meetings with providers, consumer and civil society representatives, and experts and other industry participants; complaints data; and supervisory activities.

For example, BdP decided to first better understand the digital credit market in Portugal before issuing any new rules. BdP took a range of practical steps, such as requiring providers to provide information (via a structured questionnaire) on how consumer credit products are being offered through digital channels. BdP also held bilateral meetings with individual providers during which providers demonstrated the contracting flows via online or mobile channels. These were then discussed and suggestions provided by BdP when process revisions seemed necessary. Based on identified best practices and behavioral economics, BdP issued a set of recommendations in July 2020 on how institutions should comply with their duties when selling retail banking products and services through digital channels.242

Countries such as Australia, Ireland, and the United Kingdom have conducted industry reviews of high-cost, short-term lenders as part of market monitoring activities, in some cases leading to the introduction of new rules. More broadly, the FCA, for example, undertakes a periodic “Financial Lives” survey to understand the financial products that consumers hold, their experiences engaging with FSPs, and their attitudes when dealing with money and the financial sector.243

In their ongoing development of regulatory policy, regulators, where feasible, should also leverage information obtained from industry engagement through arrangements such as regulatory sandboxes.
As discussed in a recent WBG note, for example, the benefits of such arrangements for regulators can include providing an evidence base from which to make policy and help define, create, or amend regulation.244

In parallel, the existing regulatory framework should be assessed for gaps, including in relation to baseline FCP issues and effectiveness. While this note discusses new or changed manifestations of consumer risks, as already mentioned, equally important baseline consumer risks and corresponding regulatory measures apply across financial product types. Regulators should consider whether their existing frameworks address these baseline risks effectively, as well as new manifestations of consumer risk resulting from novel aspects of fintech products. This review should include any existing FCP rules and other measures that may act as mitigants. In addition, given the breadth of consumer risks due to fintech products of the kinds discussed in this note, the assessment should include a review of a broader range of rules, including those concerning data privacy, credit reporting and scoring, general consumer protection, and digital channels to determine overlaps and potential inconsistencies of proposed mitigants. Regulators should also seek to understand the effectiveness and impact of existing rules to inform decisions on whether and how to develop new regulation.

3.3 Determining the Right Regulatory Approach, Including Considering Alternatives

Policymakers should devise an appropriate policy strategy and prioritize actions based on a deep understanding of the market and consumers in their jurisdictions and an assessment of existing regulation. It may be more appropriate to add targeted rules to existing FCP laws or it may be necessary to develop standalone rules. Policymakers may also determine that it is preferable to address topics selectively or in a staged manner. Experience from other countries reveals that policy makers frequently address at least some fintech-related consumer risks with a piecemeal approach, most likely out of necessity. Factors affecting prioritization may include, for example, the need to address risks that have the most significant and immediate impact on individual consumers or consumer populations in a particular market. They may also depend on the stage of development of particular fintech offerings in the market and their accessibility to consumers.

242. Based on discussion with BdP. See BdP Circular Letter No. CC/2020/00000044 on best practices applicable to the selling of retail banking products and services through digital channels. Also see BdP Circular Letter No. CC/2018/00000004 for form of questionnaire. For further details, see G20/OECD Task Force on Financial Consumer Protection, “Financial Consumer Protection Approaches.”
243. FCA. “Financial Lives Survey.”
244. World Bank Group. “Global Experiences from Regulatory Sandboxes.”

Ultimately, the optimal solution will depend largely on country context. A combination of approaches will likely be necessary to comprehensively address the key risks posed to consumers, regardless of the approach taken. A staged or step-by-step approach can be employed, as it is also likely that continual adjustments will need to be made, given the rapidly evolving nature of fintech innovation and the cutting-edge nature of some approaches discussed here.

Regulators should also carefully consider the coordination and cooperation with national and international authorities needed to assist regulatory development and implementation and ultimately achieve policy aims. Close coordination between fellow domestic financial sector authorities is likely to be essential, even more so if multiple authorities are responsible for FCP regulation of the financial sector and fintech entities.
This is likely to be needed for a range of reasons, including to ensure consistency in approaches, mutual assistance with supervision and enforcement, and effective complementary initiatives (such as initiatives to foster financial sector innovation and improve financial inclusion and capability). It could also help in increasing knowledge and capacity within each institution and with broader government communication and engagement with industry and consumers. Coordination with authorities having related responsibilities (such as telecommunications regulators) is also likely to be important for similar reasons. Some areas of regulation, such as rules governing the use of algorithms, may also require coordination beyond the financial sector.

Cross-border cooperation between authorities may be necessary, given the increasing ease with which foreign fintech entities may engage with consumers in other countries. Such coordination may be needed, for example, to promote consistent policy approaches across borders and to develop cooperative arrangements to ultimately assist with supervision and enforcement. It would also assist more broadly with knowledge sharing, including on regional and international market developments.

Given the increasingly cross-border nature of FSPs internationally (which is an issue that, of course, goes beyond fintech entities), greater harmonization and, to the extent possible, regional coordination of regulatory efforts could be beneficial. For example, efforts have been undertaken in the East African community to develop a common framework for SIM card registration for the explicit purpose of limiting mobile money fraud.245 Another possible approach would be to regulate domestic agents or intermediaries of foreign fintech companies, an approach utilized in the case of remittances and crypto-assets, for example.246

Regulators should be cautious about imposing unnecessarily prescriptive regulation.
A regulator may determine legitimately that certain topics and issues with regard to relevant consumer impacts and industry practices are better addressed through more detailed rules. However, it can be useful to start from the premise of developing regulation that is based on principles and more general provisions, including supported by guidance, and to adopt more prescriptive regulation only when necessary. Setting principles for industry allows providers more flexibility and ideally places less restriction on innovation, but practices will of course need to be appropriately monitored via supervisory activities. Monitoring and testing the effectiveness of approaches (including both positive impacts for consumers and compliance costs for providers) and maintaining communication with industry will help determine the right balance in the long run.

Regulators should also consider when complementary, non-regulatory measures may be more appropriate as an alternative to, or until, regulatory measures are developed. For example, encouraging development of industry standards and codes of conduct may assist in establishing industry familiarity with acceptable practices. It may also assist in addressing consumer risks more quickly, particularly where FCP regulatory capacity is limited. Of course, this would also depend on the oversight and enforcement mechanisms that support such initiatives.

245. Baku and Mazer. “Fraud in Mobile Financial Services.”
246. A similar approach is utilized in the case of remittances, where domestic regulation applies to agents that originate or disburse remittances, as well as for crypto-assets, where intermediaries that facilitate the exchange from crypto to regular currency are subject to domestic anti-money laundering/countering the financing of terrorism requirements.
There is currently debate regarding the appropriateness of establishing differentiated regulation based on the type, size, and complexity of entities’ operations. However, it has been noted that, on a behavioral level, specific products and services may carry similar risks for the consumer, regardless of the institution providing them, and thus should be regulated accordingly.247 Regulators should pay careful attention to the nature and level of risks in their market when determining the appropriate level of legal obligations they may impose to address them.

Regulators are increasingly building proportionality into FCP requirements themselves, rather than seeking to predetermine such proportionality in advance. For example, regimes imposing obligations on FSPs to implement financial product oversight and governance arrangements increasingly provide for these arrangements to be proportionate to the nature, scale, and complexity of the FSP’s business and relevant consumer risk and product complexity.248

A potential pitfall that countries should seek to avoid when adopting separate frameworks for traditional and fintech activities of a similar nature is different substantive treatment under different sets of FCP rules. This can distort competition and encourage regulatory arbitrage.

3.4 Effective Supervision and Awareness-Building Will Also Be Critical to Impact

Effective supervision of regulatory measures and monitoring of fintech developments and consumer risks, more broadly, will be essential for underlying policy objectives to be achieved.
While a discussion of FCP/market conduct supervisory practices and approaches is outside the scope of this note, it is important to acknowledge that changes in markets, products, and participants fostered by fintech developments equally present a range of challenges and new issues for supervisors.249 Supervisors will need new strategies and new technological tools to monitor financial sectors expanding and changing due to fintech entrants and offerings, including as-yet-unregulated providers and changed businesses of some already-regulated entities. New publications by the World Bank and FinCoNet explore developments of market conduct supervisory technology (suptech) tools that could assist supervisors in such contexts.250 Supervisors will need to analyze information from an expanding range of sources, including consumer-side research, monitoring of social and traditional media, activity on digital platforms, and various types of industry-side data.251 Supervisors will need adequate resourcing and capacity. For example, some commentators claim that effective implementation of new P2PL regulations in China has been hampered by the lack of resources for supervising authorities, leading to practical obstacles such as delay of registration approvals and lack of guidance.252 While this should not be used to avoid the need for adequate resourcing, a realistic assessment of available resources would be one factor to be considered when planning eventual implementation of new regulatory measures. Issues can also arise due to lack of clarity of regulator responsibility and authority for new types of innovative providers. Such issues may need to be addressed, and heightened coordination may need to be pursued among both financial and non-financial sector authorities as well as on a cross-border basis. 
It will also be important for supervisors to build internal capacity and expertise, ensuring that they have the increasingly multidisciplinary capabilities needed to understand and deal with fintech-related risks.

247. ASBA and IDB, Consumer Protection, 21.
248. See Boeddu and Grady. “Product Design and Distribution.” 10 and 23.
249. See, for example, ASBA and IDB, “Consumer Protection,” 41–52; FinCoNet, “Guidance to Supervisors on Digitalisation.”
250. World Bank Group. “Next Wave.” FinCoNet. “SupTech Tools.”
251. For example, see FinCoNet, “Guidance to Supervisors on Digitalisation”.
252. Reuters. “Regulatory Problems.”

3.5 Complementary Measures

A range of complementary measures will need to accompany regulatory measures. Regulatory measures are often necessary but are by no means the only measures that will be required. For example, complementary measures will be needed to increase consumers’ digital and financial literacy and to increase awareness and understanding among market participants of responsible practices.

Awareness building and efforts to improve financial capability for both consumers and industry will also be essential to support the positive impact of regulatory measures, as well as address consumer risks more broadly. For example, it will be imperative to ensure as much as possible—through measures such as awareness campaigns and financial capability initiatives and tools—that consumers adequately understand product benefits and risks and their rights and responsibilities. It will similarly be essential to promote fintech entities’ awareness and understanding—through measures such as regulator guidance and capacity-building and training efforts—of consumer expectations, risks, and issues, as well as of their responsibilities to consumers, again not limited to legal responsibilities that may be specified in regulation but also reflecting fair practices more generally.
Appendix 1: Overview of Consumer Risks and Regulatory Approaches by Type of Fintech Product

The following table is an excerpt from the recently published WBG Policy Research Paper titled Consumer Risks in Fintech—New Manifestations of Consumer Risks and Emerging Regulatory Approaches.253 The research paper provides more detailed information on the risks and regulatory approaches summarized in this note. The paper covers four types of key fintech products: (1) digital microcredit, (2) peer-to-peer lending, (3) investment-based crowdfunding, and (4) e-money.

253. Available at https://documents.worldbank.org/en/publication/documents-reports/documentdetail/515771621921739154/consumer-risks-in-fintech-new-manifestations-of-consumer-risks-and-emerging-regulatory-approaches-policy-research-paper.

Digital Microcredit

Disclosure and transparency: Content of disclosure
Risks to consumers:
• Information about pricing is incomplete and not transparent (for example, range of different methods used to convey pricing, finance charges not disclosed separately from principal and fees for third-party charges not disclosed)
• Inadequate access to complete information about terms and conditions (T&C)—for example, links to full T&C provided at separate location.
Regulatory approaches:
• Require prominent disclosure of both total cost metrics and clear breakdown of costs
• Require disclosure of key T&C in channel being used for transaction
• Indicate specific T&C that must be disclosed in transaction channel
• Require access to full T&C, including after transaction completed.

Format of disclosure:
Risks to consumers:
• Lack of standardized format for costs
• Information conveyed via mobile phones in a format or manner that does not facilitate comprehension
• Consumers may not be able to retain information.
Regulatory approaches:
• Encourage greater standardization in presentation of fees/pricing
• Require plain language without technical jargon or graphical elements affecting readability
• Require standardized presentation of information adapted for digital channels (for example, bite-sized chunks of info provided in a consistent manner)
• Provide secondary layers of information for further details
• Provide offline channels to obtain further info and assistance and the ability to access information for future reference.

Timing and flow of information:
Risks to consumers:
• Key information such as pricing provided after completion of a transaction
• Less appealing information may be de-emphasized.
Regulatory approaches:
• Require order and flow of information to enhance transparency and comprehension, providing an intuitive “digital journey” through a transaction process
• Require disclosure of pricing and key T&C earlier in the transaction process
• Leverage behavioral insights to encourage consumers to engage with information (for example, require confirmation to move to next stage of transaction).

User interfaces:
Risks to consumers:
• User interface may not be user-friendly, with complex menus that are difficult to navigate.
Regulatory approaches:
• Require user interface be user-friendly and easy to navigate, including on low-end mobile devices
• Encourage consumer testing of user interfaces
• Require providers to provide guidance to consumers on user interfaces.

Marketing practices via remote channels:
Risks to consumers:
• Push marketing and unsolicited offers encourage impulse borrowing
• Exploitation of behavioral biases (for example, encouraging borrowing of maximum amount possible, trivializing loans)
• Misleading ads targeting vulnerable consumers (for example, emphasizing benefits, hiding risks, unrealistic offers with hidden conditions, marketing on weekend evenings)
• Remote nature of digital channels and rapid speed of transactions increase consumer vulnerability.
Regulatory approaches:
• Require explicit warnings on risks of short-term, high-cost credit, and information on alternatives to such loans and helpful resources
• Ban sales practices that focus on ease of obtaining credit, trivialize credit, or target vulnerable consumers
• Slow down process of transacting digitally to allow consumers more time for reflection and deliberation (for example, intermediate steps/screens, adding a review screen) or appropriate cooling-off period
• Require loan options be presented in manner that is beneficial (or at least neutral) to consumers and not exploitative (for example, banning default selection of maximum loan size, pre-ticked boxes that lead customers to sub-optimal options).

Unfair lending:
Risks to consumers:
• High prices for digital microcredit
• Mass marketing to consumers with little assessment of individual consumer circumstances or ability to repay (“lend-to-learn” model)
• Certain business models based on high loss rates (for example, large late fees relative to size of loan)
• Poor practices such as rolling over loans or encouraging multiple borrowing
• Abusive debt collection practices utilizing mobile phone and social media data to contact relatives, friends, and colleagues.
Regulatory approaches:
• Require providers to assess the ability of prospective customers to repay loans and grant loans only where they are affordable to potential borrowers
• Impose requirements that limit rollovers and multiple borrowing to decrease risk of over-indebtedness
• Require enhanced monitoring of loan portfolios, particularly where automated credit scoring is utilized
• Apply product design and governance rules to digital microcredit, including designing processes and customer acquisition plans to ensure that potential harms and risks to consumers are considered and mitigated
• Adapt debt collection rules to prevent abusive debt collection practices utilized by digital lenders.

Algorithmic scoring:
Risks to consumers:
• Biased outcomes due to poor algorithm design, incomplete or unrepresentative input data, biased input data
• Discrimination based on proxies reflecting sensitive attributes
• Consumers unaware or powerless regarding use of algorithm
• Regulators lack technical expertise to evaluate algorithmic systems; proprietary nature of algorithms.
Regulatory approaches:
• Apply fair treatment and anti-discrimination rules to algorithms
• Require appropriate procedures, controls, and safeguards during development, testing, and deployment of algorithms to assess and manage risks related to bias and discrimination
• Require regular auditing of algorithmic systems by external experts
• Ensure transparency to consumers on use of algorithms
• Provide consumers with the right not to be subject solely to automatic processing and the right to request human intervention.

Regulatory perimeter (cross-cutting issue):
Risks to consumers:
• No level playing field for different types of providers, often with weaker rules for non-bank lenders
• Regulatory gaps for app-based lenders, who may not be covered by any regulatory authority and/or may be based in another country.
Regulatory approaches:
• Ideally, establish activity-based framework covering all providers of digital microcredit (banks, mobile network operators, non-bank lenders)
• Where activity-based approach is not feasible, be opportunistic and build off of existing rules and powers to cover non-bank microcredit providers
• Coordinate with domestic and international regulatory authorities
• Consider regulating domestic agents and intermediaries of foreign fintech companies
• Pursue complementary, non-regulatory measures, including industry codes of conduct and work with mobile platforms to establish and enforce rules in key areas for app-based lenders
• Address gaps in the coverage of cross-border fintech activities, consider range of measures—including applying a country’s FCP requirements (and regulators’ mandates) to fintech providers dealing with consumers in that country, regardless of where the providers are based. Also consider supporting coordination and cooperation between authorities to assist with enforcement of relevant requirements.

Peer-to-Peer Lending

Risks for both lenders/investors and borrowers

Gaps in regulatory perimeter:
Risks to consumers:
P2PL is not adequately covered by a country’s FCP regime, and borrowers and lenders/investors receive even less protection than applies to traditional lending.
Regulatory approaches:
• Apply FCP requirements on an activities basis (lending and investment-related services), rather than by institution type
• Extend existing FCP requirements to P2PL and, where necessary, introduce additional FCP rules for P2PL
• Issue regulatory guidance to address uncertainty regarding the application of existing FCP requirements to P2PL.
(Also, see approaches to address cross-border risks, summarized above in the context of digital microcredit).

Fraud or other misconduct:
Risks to consumers:
Fraud or other misconduct by P2PL platform operators, related parties, or third parties.
Regulatory approaches:
• Impose licensing/registration, vetting, and competence requirements for operators and related parties
• Require operators to have in place adequate risk management and governance measures
• Require operators to segregate consumers’ funds and deal with them only in prescribed ways
• Consider compensation funds.
(Also, see below for approaches to address platform/technology vulnerability risks that may facilitate fraud).

Platform/technology unreliability or vulnerability:
Risks to consumers:
Platform/technology unreliability or vulnerability that causes or facilitates loss, inconvenience, or other harms.
Regulatory approaches:
• Require operators to have in place adequate risk management and governance
• Require operators to comply with targeted risk-management and operational reliability requirements, including for technology-related risks and outsourcing
• Impose specific competence requirements on operators in matters such as information technology–related risks.

Business failure or insolvency:
Risks to consumers:
Business failure or insolvency of operator, causing loss, such as of lenders’/investors’ capital or future income on loans or borrowers’ committed loan funds or repayments.
Regulatory approaches:
• Require operators to segregate consumers’ funds, hold them with an appropriately regulated entity, and deal with them only in prescribed ways
• Require operators to have in place business continuity and hand-over/resolution arrangements
• Require operators to comply with record-keeping measures to support business continuity arrangements
• Impose vetting and competence requirements on operators and related parties.

Inadequate credit assessments:
Risks to consumers:
Inadequate credit assessments increasing the risk of losses from borrower defaults for lenders/investors and over-indebtedness for borrowers.
Regulatory approaches:
• Impose creditworthiness assessment requirements on operators regardless of whether or not they are the lender of record.

Conflicts of interest:
Risks to consumers:
Conflicts of interest between platform operators (or their related parties) and lenders/investors or borrowers, leading operators and related parties to engage in conduct not in the interests of their consumers:
• Conflicts of interest leading to imprudent lending assessments by operators
• Conflicts of interest leading to unfair or inappropriate loan pricing
• Conflicts of interest from intra-platform arrangements causing operators to engage in conduct favoring related parties over consumers.
Regulatory approaches:
• Impose general conflict mitigation obligations on operators
• Require operators to comply with duties to act in consumers’ best interests
• Require operators to meet obligations regarding fair loan pricing and fees and charges-setting policies consistent with consumers’ interests
• Place restrictions or prohibitions on operators or their associates investing in loans facilitated by their platforms
• Impose creditworthiness assessment requirements on operators regardless of whether or not they are the lender of record.

Additional risks for lenders/investors

Inadequate investment-related information:
Lenders/investors are not provided with adequate investment-related information, including:

Risks to consumers:
• Inadequate upfront information when considering or making investments/loans
Regulatory approaches:
• Require platform operators to provide/make available to consumers, ahead of any transaction, information highlighting key matters relating to P2PL, such as expected risks, factors affecting returns, and restrictions on early exit
• Require platform operators to provide key pre-contractual information about individual loans to prospective lenders/investors in business models allowing individual loan selection
• Mandate warnings or disclaimers in key contexts to highlight risks for consumers and assist in balancing out inappropriately optimistic perceptions.

Risks to consumers:
• Information provided in an inadequate format
Regulatory approaches:
• Require platform operators to give key information appropriate prominence on electronic channels
• Require key information to be provided in a standardized format to assist clarity and comparability.
(Also, see approaches for risks from digital disclosure summarized above in the context of digital microcredit).

Risks to consumers:
• Unbalanced or misleading marketing of P2PL investment/lending opportunities
Regulatory approaches:
• Require platform operators to comply with general prohibition of providing misleading information (and, when necessary, clarify via more specific regulatory guidance the application of such prohibition to marketing of P2PL opportunities)
• Impose targeted restrictions on specific P2PL circumstances that create higher risk of misleading investors.

Risks to consumers:
• Inadequate information about the ongoing performance and status of their investments/loans.
Regulatory approaches:
• Require platform operators to provide information to lenders/investors at prescribed times or frequencies on matters affecting their investments/loans specifically, such as defaults and changes to borrowers’ circumstances, or more generally, such as performance of the operator and adverse events.

Harm due to lenders’/investors’ lack of sophistication or inexperience:
Risks to consumers:
Such as taking on risk of loss they cannot afford or do not understand.
Regulatory approaches:
• Impose lending/investment caps on less sophisticated or more vulnerable lenders/investors (jurisdictions have done so on a variety of bases)
• Impose caps on the amount that individual borrowers may borrow through P2PL platforms as another way to reduce risk of loss to lenders/investors
• Consider compensation funds.

Borrower fraud:
Risks to consumers:
Loss for lenders/investors due to borrower fraud.
Regulatory approaches:
• Require platform operators to comply with risk-management measures referred to above, as well as targeted measures such as to obtain appropriate identification information and implement measures against fraudulent access to their platform (know your customer requirements under anti-money laundering and countering the financing of terrorism laws would also be relevant)
• Impose creditworthiness assessment requirements on platform operators regardless of whether or not they are the lender of record.

Additional risks for borrowers

Inadequate loan-related information
Regulatory approaches:
• Extend application of existing traditional credit disclosure requirements to platform operators even when they are not the lender of record
• Address gaps in existing borrower disclosure regimes by developing requirements specific to P2PL.
(Also, see approaches for risks relating to credit disclosure summarized above in the context of digital microcredit).

Risks from digital distribution of P2PL credit:
Risks to consumers:
Risks arising from digital distribution of credit, summarized above in the context of digital microcredit, can also affect digital distribution of P2P loans to borrowers.
Regulatory approaches:
See approaches summarized above in the context of digital microcredit.

Investment-Based Crowdfunding

Investor inexperience and higher-risk nature of investee companies:
Risks to consumers:
• Small business and start-up investee companies may constitute a riskier investment for retail investors
• Investors are often unlikely to possess sufficient knowledge or experience, or have access to financial advice, to assess offers
• Investees may have majority shareholder and management arrangements that present risks for minority shareholders such as external crowdfunding investors.
Regulatory approaches:
• Require risk warnings and disclosures about key aspects of crowdfunding
• Impose issuer caps—limitations on the size of an issue
• Impose investor caps—limitations on individual investments/exposures
• Require investor-suitability assessments to be undertaken by platform operators
• Establish cooling-off periods for investors.

Risks due to the nature of securities offered on crowdfunding platforms:
Risks to consumers:
• Securities are rarely traded on any kind of organized market and may have limitations on transferability—investors may not understand or be able to deal with risk of being unable to exit their investment
• Creation of complex hybrid securities by incorporating rights and restrictions for security holders to match issuer’s needs.
Regulatory approaches:
• Prescribe disclosure requirements focused on emphasizing the illiquid nature of issued securities
• Restrict the types of securities that can be issued
• Impose targeted product intervention
• Require targeted warnings
• Introduce rules facilitating information exchanges and secondary trading.

Consumers are not provided with adequate information:
Risks to consumers:
• Crowdfunding issuers often tend to be small businesses or in their startup phase with a limited track record, limiting the availability of information
• High separation between ownership by crowdfunding investors and parties that control issuers—potential lack of information provided to crowdfunding investors
• Retail investors in crowdfunding securities are also at risk from misleading marketing practices, potentially exacerbated as a result of issuers being new to making public offers.
Regulatory approaches:
• Introduce investment-related disclosure requirements
• Introduce regulation of bulletin boards and crowdfunding trading facilities (including secondary market) to assist information accuracy
• Apply fair marketing rules to investment-based crowdfunding activities.

Platform operator misconduct or failure:
Risks to consumers:
• Platform operators and related parties may engage in misconduct under a range of circumstances that affect investors, from outright fraud to incompetent administration to undertaking unfair conflicted behavior
• Failure of a platform can leave investors without services essential to the continued integrity of their investment.
Regulatory approaches:
• Introduce authorization and vetting requirements
• Require business/service-continuity arrangements
• Require segregation of client funds
• Impose rules and require policies to mitigate conflicts of interest
• Apply risk-management requirements of the kinds summarized above in the context of P2PL.

Issuer fraud:
Risks to consumers:
Consumers investing on crowdfunding platforms may suffer losses due to issuer fraud, such as sham offers or concealing or providing misleading information.
Regulatory approaches:
• Require platform operators to undertake due diligence.

E-Money

Gaps in regulatory perimeter:
Risks to consumers:
Current requirements may not apply to all entities offering e-money products, and, even if the licensing rules are activities based, consumer protection rules may not apply to e-money as a product given innovative differences.
Regulatory approaches:
• Allow e-money activities to be undertaken only by licensed entities (that may include non-banks)
• Ensure consumer protection rules also apply on an activities basis to providers of e-money
• Ensure e-money is covered by any relevant definition of financial product or service.

Fraud or other misconduct resulting in consumer loss:
Risks to consumers:
• Fraud or misconduct by issuers or related parties, including agents
• Fraud by third parties.
Regulatory approaches:
• Impose licensing/registration, vetting, and competence requirements on providers and related parties
• Impose rules specifically for agents, including requirements for agent due diligence, requirements for agency agreements, requirements for agents to be trained and monitored, and clear provider responsibility and liability for agent conduct
• Require operators to have in place adequate risk management and governance
• Mandate transaction-authentication standards and require transaction-specific fraud-prevention methods to be applied—for example, limits on transaction attempts
• Limit consumers’ liability for an unauthorized transaction, except, for example, in case of fraud or gross negligence by the consumer
• Require warnings and information about security risks to be provided to consumers
• Require consumers to advise providers of matters relevant to potential fraud, such as lost or stolen devices or security credentials
• Place the burden of proof on providers to show transactions were unauthorized
• Require reporting of large-scale fraud/security breaches
• Prohibit agents from charging unauthorized fees.
(Also, see below for approaches to deal with platform/technology vulnerability risks that may facilitate fraud).

Risks to consumers:
• Conflicts of interest between providers or agents and consumers (such as perverse incentive arrangements for agents), leading to consumer harm.
Regulatory approaches:
• Impose conflict-mitigation obligations on providers to avoid conduct to their advantage and inconsistent with consumers’ interests, or similar conduct engaged in by agents.

E-Money platform/technology vulnerability or unreliability:
Risks to consumers:
Platform/technology unreliability or vulnerability that causes or facilitates loss, inconvenience, or other harm.
Regulatory approaches:
• Mandate technology risk and cybersecurity-management requirements
• Place obligations on operators to ensure appropriate/minimum levels of operational reliability
• Require notice to users of anticipated/actual service interruptions
• Make a payer institution liable for transactions not being completed as instructed.

Mistaken transactions:
Risks to consumers:
A consumer’s funds are misdirected to an incorrect account/recipient as a result of error, rather than fraud.
Regulatory approaches:
• Require a mechanism that enables the consumer to view transaction details before transaction completion
• Require providers to explain how to stop transfers
• Require FSPs involved in a transaction to assist in resolving mistakes
• Place the burden of proof on providers to show a transaction was authenticated and recorded accurately.

Provider insolvency or liquidity risks:
Risks to consumers:
• A provider may become insolvent with insufficient funds to meet the demands of e-money holders
• E-money may also not be covered by deposit insurance schemes
• A provider or their agents may not have enough liquid funds to meet consumer demand, such as for cash-out transactions.
Regulatory approaches:
• Require an e-money issuer to isolate and “ring fence” funds equal to outstanding e-money balances
• Limit activities e-money issuers can carry out to minimize insolvency risk
• Mandate initial and ongoing capital requirements
• Require issuers to maintain sufficient liquidity and to ensure agents have sufficient liquidity to honor cash-out obligations.

E-money may not be covered by deposit insurance schemes:
Risks to consumers:
E-money balances may not have the benefit of deposit insurance that applies to traditional accounts in the event of insolvency of either the e-money issuer or a custodial institution holding an e-money float (such as a bank holding a trust account).
Regulatory approaches:
• Deposit insurance may be extended to e-money balances or to custodial accounts holding the e-money float depending on availability of schemes in the country. An alternative policy approach is to exclude e-money balances from deposit insurance schemes. (The arguments for and against each of these options are beyond the scope of this note but are covered in other publications referenced in the e-money-specific chapter of the paper on which this note is based).

E-money is not permitted to be redeemed for face value:
Risks to consumers:
Providers may seek to apply a discount beyond transaction-processing fees.
Regulatory approaches:
• Require funds to be redeemed at face/par/equivalent value.

Consumers are not provided with adequate information:

Risks to consumers:
• Key product information is not disclosed/available upfront to consumers.
Regulatory approaches:
• Require compliance with general transparency and/or disclosure
• Require public upfront disclosure of T&C and fees and charges through all applicable channels, as well as provision of written agreements at contracting stage
• Require consumers to be given notice of changes
• Require standard-form agreement to be lodged with regulator.

Risks to consumers:
• Inadequate ongoing information, such as about ongoing transactions, changes to the product, or product suspension or withdrawal.
Regulatory approaches:
• Require written notice of changes to be provided to consumers
• Require transaction receipts to be issued
• Require periodic statements to be issued and/or that consumers be able to access details of previous transactions.

Risks to consumers:
• Disclosed information cannot be easily retained by a consumer
Regulatory approaches:
• Require information to be in a form the customer can access and keep for future reference.

Risks to consumers:
• Disclosure format risks in a digital context.
Regulatory approaches:
• See approaches for equivalent risks summarized above in the context of digital disclosure for digital microcredit.

Risks to consumers:
• Misleading marketing
Regulatory approaches:
• Prohibit misleading marketing of e-money accounts.
• Require disclosure of provider’s details in marketing materials to assist with recourse
• Impose specific rules—for example, making risk statements prominent.

Unsuitable e-money products:
Risks to consumers:
E-money products may not be designed to be suitable for consumer segments they are marketed to, particularly some previously unserved or underserved consumers.
Regulatory approaches:
• Require providers to design and distribute e-money products to meet the needs and capabilities of users in target markets
• Impose individual suitability-assessment requirements.

Bibliography

a) Legislation/Binding Rules and Regulatory Guidance

Australia. Corporations Act. 2001.
Australia. Corporations Amendment (Crowd‑sourced Funding for Proprietary Companies) Act. 2018.
Australia. Corporations Amendment (Design and Distribution Obligations) Regulations. 2019.
Australia. Electronic Transactions Act. 1999.
Australia. National Consumer Credit Protection Act. 2009.
Brazil. National Monetary Council Resolution Number 4,656. April 26, 2018.
California (United States of America). Consumer Privacy Act. 2018.
China. Guide to the Disclosure of Information on Business Activities of Peer-to-Peer Lending Information Intermediaries. China Banking Regulatory Commission. August 23, 2016.
China. Interim Measures for the Administration of the Business Activities of Online Lending Intermediary Institutions. China Banking Regulatory Commission and other authorities. August 17, 2016.
China. Peer-to-Peer Lending Information Intermediaries of Guangdong Province—Detailed Implementation Rules for Recordation and Registration (Exposure Draft). February 14, 2017.
China. People’s Bank of China Measures for the Administration of Online Payment Business of Non-Bank Payment Institutions. 2016.
Ethiopia. Licensing and Authorization of Payment Issuers Directive No. ONPS/02/2020.
E.U. Directive 2008/48 on Consumer Credit Agreements.
E.U. Directive 2015/2366 on Payments Services. 2015.
Ghana. Payment Systems and Services Act. 2019.
India. NBFC (Non-Banking Financial Company)—Peer to Peer Lending Platform (Reserve Bank) Directions. 2017.
Indonesia. Financial Services Authority Circular Number 18/SEOJK.02/2017 Regarding Information Technology Risk Management and Management in Information Technology-Based Lending.
Indonesia. Regulation of the Financial Services Authority Number 77/POJK.01/2016 Concerning Information Technology-Based Loan Services.
Japan. Money Lending Business Act No. 32. May 13, 1983.
Kenya. National Payment System Regulations. 2014.
Malawi. Payment Systems (E-Money) Regulations. 2019.
Malawi. Payment Systems (Interoperability of Retail Payment Systems) Directive. 2017.
Malawi. Payment Systems Act. 2019.
Malaysia. Bank Negara Malaysia Guideline on Electronic Money E-Money. 2016.
Malaysia. Financial Services Act. 2013.
Mexico. Financial Technology Institutions Law. 2018.
Mexico. Law on Transparency for Financial Services. 2007.
Philippines. Bangko Sentral ng Pilipinas E-Money Circular. 2009.
Portugal. Banco de Portugal Circular Letter No. CC/2020/00000044 on Best Practices Applicable to the Selling of Retail Banking Products and Services through Digital Channels.
U.K. Financial Conduct Authority Client Assets Sourcebook. October 2020.
U.K. Financial Conduct Authority Conduct of Business Sourcebook. October 2020.
U.K. Financial Conduct Authority Consumer Credit Sourcebook. October 2020.
U.K. Financial Conduct Authority Principles for Businesses. October 2020.
U.K. Financial Conduct Authority Senior Management Arrangements, Systems and Controls Sourcebook. October 2020.
U.K. Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI 2001/544).
U.S. Electronic Fund Transfer (Regulation E) 12 CFR 205.
U.S. Regulation on Crowdfunding, General Rules and Regulations 17 CFR Part 227.
U.S. Securities Act. 1933.
U.S. Truth in Lending (Regulation Z).
U.S. Truth in Lending Act. 1968.

b) Other Sources

AFI (Alliance for Financial Inclusion). “Digitally Delivered Credit: Consumer Protection Issues and Policy Responses to New Models of Digital Lending.” AFI Global. 2017. https://www.afi-global.org/sites/default/files/publications/2017-11/AFI_CEMC_digital%20survey_AW2_digital.pdf.
AFI. “Digitally Delivered Credit: Policy Guidance Note and Results from Regulator Survey.” AFI Global. 2015. https://www.afi-global.org/sites/default/files/publications/guidelinenote-17_cemc_digitally_delivered.pdf.
ASBA (Association of Supervisors of Banks of the Americas) and IDB (Inter-American Development Bank). “Consumer Protection in the New Environment of Financial Technological Innovation: Regulatory and Supervisory Considerations.” ASBA and IDB. 2020. http://www.asbasupervision.com/en/bibl/publications-of-asba/working-groups/2378-consumer-protection-1/file.
ASBA and IDB. “Global Fintech Regulation and Supervision Practices.” ASBA and IDB. 2020. http://www.asbasupervision.com/en/bibl/publications-of-asba/working-groups/2205-global-fintech-regulation-and-supervision-practices/file.
ASIC. “Facilitating Digital Financial Services Disclosures.” ASIC Regulatory Guide 221. March 2016. https://download.asic.gov.au/media/3798806/rg221-published-24-march-2016.pdf.
ASIC. “Marketplace Lending (Peer-to-Peer Lending) Products” (Information Sheet 213). ASIC. 2016. https://asic.gov.au/regulatory-resources/financial-services/marketplace-lending/marketplace-lending-peer-to-peer-lending-products/.
ASIC. “Survey of Marketplace Lending Providers.” (Report 526). ASIC. 2017. Para 17–18. https://download.asic.gov.au/media/4276660/rep-526-published-1-june-2017.pdf.
ASIC. “Survey of Marketplace Lending Providers.” 2016–2017. Report 559. ASIC. 2017. Para 45–46. https://download.asic.gov.au/media/4573524/rep559-published-14-december-2017.pdf.
ASIC. “Survey of Marketplace Lending Providers: 2017–2018.” Report 617. ASIC. 2019. https://download.asic.gov.au/media/5074452/rep617-published-12-april-2019.pdf.
Bae. H. “S.
Korea to Place Investment Cap on Peer-to-Peer Lending.” The Korea Herald. March 30, 2020. http://www.koreaherald.com/view.php?ud=20200330000800#. BFA Global. “Dipstick Surveys: The Financial Impact of Covid-19 on Low-Income Populations.” BFA Global. 2020. https://bfaglobal.com/our-work/covid-19-impact/. Boeddu, G. and R. Grady. “Product Design and Distribution: Emerging Regulatory Approaches for Retail Banking Products.” Discussion Note. World Bank Group. 2019. http://documents1.worldbank.org/curated/en/993431567620025068/pdf/ Product-Design-and-Distribution-Emerging-Regulatory-Approaches-for-Retail-Banking-Products-Discussion-Note.pdf. Buku, M. and R. Mazer. “Fraud in Mobile Financial Services: Protecting Consumers, Providers, and the System.” CGAP Brief. April 2017. https://www.cgap.org/sites/default/files/Brief-Fraud-in-Mobile-Financial-Services-April-2017.pdf. Busara Center for Behavioral Economics. “Pricing Transparency, Switching Costs, and Accountability.” Final Report: Experimental Results and Analysis. 2017. 61 Financial Consumer Protection and Fintech Committee of Advertising Practice (U.K.). “Trivialisation in Short-Term High-Cost Credit Advertisements.” Advertising Guidance. June 2015. https://www.asa.org.uk/asset/3EE84177-B1BE-4E77-9292EA4F7CD5091E.FFBC27CC-F120- 4877-BD230015141DE7CE/. Committee on the Global Financial System and Financial Stability Board Working Group. “FinTech Credit: Market Structure, Business Models, and Financial Stability Implications.” Financial Stability Board and Committee on the Global Financial System. May 22, 2017. https://www.bis.org/publ/cgfs_fsb1.pdf. Deng, C. and X, Yu. “China’s Once-Hot Peer-to-Peer Lending Business Is Withering.” Wall Street Journal. February 2, 2020. https://www.wsj.com/articles/chinas-once-hot-peer-to-peer-lending-business-is-withering-11580644804. Dentons. “SEC Adopts Final Rules for Securities Crowdfunding under Title III of the JOBS Act.” Dentons. December 2015. 
https://www.dentons.com/en/~/media/7ee86097b5ad4e47a7469ea3cb554e87.ashx. Duoguang, B. “Growing with Pain: Digital Financial Inclusion in China.” Chinese Academy of Financial Inclusion. 2018. http://www.cafi.org.cn/upload/file/20190121/1548034976707794.pdf. EBA (European Banking Authority). “Final Report on Guidelines on Loan Origination and Monitoring.” EBA/GL/2020/06. EBA. 2020. https://eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2020/Guidelines%20 on%20loan%20origination%20and%20monitoring/884283/EBA%20GL%202020%2006%20Final%20Report%20on%20 GL%20on%20loan%20origination%20and%20monitoring.pdf. EBA. “Opinion of the European Banking Authority on Lending-Based Crowdfunding.” (EBA/Op/2015/03). EBA. February 26, 2015. https://eba.europa.eu/documents/10180/983359/EBA-Op-2015-03+%28EBA+Opinion+on+lending+b ased+Crowdfunding%29.pdf. EBA. “Second EBA Report on the Application of the Guidelines on Product Oversight and Governance (POG) Arrangements.” EBA/GL/2015/18, EBA/REP/2020/28. EBA. 2020. https://eba.europa.eu/sites/default/documents/files/document_library/ Publications/Reports/2020/935640/Second%20EBA%20report%20on%20the%20application%20of%20the%20POG%20 guidelines%20arrangements.pdf. EC (European Community). “Behavioral Study on the Digitalisation of the Marketing and Distance Selling of Retail Financial Services.” EC. April 2019. https://ec.europa.eu/info/sites/info/files/live_work_travel_in_the_eu/consumers/digitalisation_ of_financial_services_-_main_report.pdf. The Economist. “Created to Democratise Credit, P2P Lenders Are Going After Big Money.” The Economist. December 5, 2019. https://www.economist.com/finance-and-economics/2019/12/05/created-to-democratise-credit-p2p-lenders-are- going-after-big-money. Faridi, O. “P2P Fintech Lending Sector in Indonesia May Struggle Due to Risky Loans, as Lenders Rejected Over 50% of Restructuring Requests.” Crowdfund Insider. June 11, 2020. 
crowdfundinsider.com/2020/06/162599-p2p-fintech-lending- sector-in-indonesia-may-struggle-due-torisky-loans-as-lenders-rejected-over-50-of-restructuring-requests/. FCA. “The FCA’s Regulatory Approach to Crowdfunding (and Similar Activities.” CP13/13. FCA. October 2013. https://www.fca.org.uk/publication/consultation/cp13-13.pdf. FCA. “The FCA’s Regulatory Approach to Crowdfunding over the Internet, and the Promotion of Non-Readily Realisable Securities by Other Media: Feedback to CP13/13 and Final Rules.” PS14/04. FCA. 2014. https://www.fca.org.uk/publication/ policy/ps14-04.pdf. 62 Financial Consumer Protection and Fintech FCA. “Feedback Statement FS16/10 on Smarter Consumer Communications.” FCA. October 2016. https://www.fca.org. uk/publication/feedback/fs16-10.pdf. FCA. “Financial Lives Survey.” FCA. 2020. https://www.fca.org.uk/publications/research/understanding-financial-lives- uk-adults. FCA. “General Standards and Communication Rules for the Payment Services and E-money Sectors.” PS19/3. FCA. 2019. https://www.fca.org.uk/publication/policy/ps19-03.pdf. FCA. “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms: Feedback on Our Post-Implementation Review and Proposed Changes to the Regulatory Framework.” CP18/20. FCA. 2018. https://www.fca.org.uk/publication/ consultation/cp18-20.pdf. FCA. “Loan-Based (‘Peer-to-Peer’) and Investment-Based Crowdfunding Platforms: Feedback to CP18/20 and Final Rules.” CP19/14. FCA, 2019. https://www.fca.org.uk/publication/policy/ps19-14.pdf. Financial Markets Authority of New Zealand. “Fair Dealing in Advertising and Communications—Crowdfunding and Peer- to-Peer Lending.” Financial Markets Authority, 2018. https://www.fma.govt.nz/compliance/guidance-library/advertising- and-comms-in-crowdfunding-and-p2p/. FinCoNet (International Financial Consumer Protection Organisation). “FinCoNet Annual General Meeting 2020.” Press release. November 2020. http://www.finconet.org/Press-release-FinCoNet_AGM-Nov-2020.pdf. 
FinCoNet. “FinCoNet Report on Responsible Lending.” FinCoNet. 2014. http://www.finconet.org/FinCoNet-Responsible- Lending-2014.pdf. FinCoNet. “Guidance to Supervisors on Digitalisation of Short-Term, High-Cost Consumer Credit.” FinCoNet. February 2019. http://www.finconet.org/Guidance_Supervisors_Digitalisation_STHCCC.pdf. FinCoNet. “Guidance to Supervisors on the Setting of Standards in the Field of Sales Incentives and Responsible Lending.” FinCoNet. 2016. FinCoNet. “Report on the Digitalisation of Short-Term, High-Cost Consumer Credit.” FinCoNet. November 2017. http://www.finconet.org/Digtalisation-Short-term-High-cost-Consumer-Credit.pdf. FinCoNet. “SupTech Tools for Market Conduct Supervisors.” FinCoNet. November 2020. http://www.finconet.org/FinCoNet- Report-SupTech-Tools_Final.pdf. G20/OECD (Organisation for Economic Co-operation and Development) Task Force on Financial Consumer Protection. “Considerations for the Application of the G20/OECD High-Level Principles on Financial Consumer Protection to Digital and Alternative Financial Services.” OECD. 2018. G20/OECD Task Force on Financial Consumer Protection. “Effective Approaches for Financial Consumer Protection in the Digital Age: FCP Principles 1, 2, 3, 4, 6 and 9.” OECD. 2019. http://www.oecd.org/finance/financial-education/Effective- Approaches-FCP-Principles_Digital_Environment.pdf. G20/OECD Task Force on Financial Consumer Protection. “Effective Approaches to Support the Implementations of the G20 High-Level Principles on Financial Consumer Protection.” OECD. 2014. https://www.oecd.org/g20/topics/financial- sector-reform/financialconsumerprotection.htm. 63 Financial Consumer Protection and Fintech G20/OECD Task Force on Financial Consumer Protection. “Financial Consumer Protection Policy Approaches in the Digital Age.” OECD. 2018. https://www.oecd.org/finance/G20-OECD-Policy-Guidance-Financial-Consumer-Protection- Digital-Age-2018.pdf. Gibbens, E. 
“Helping Small Businesses Navigate through COVID-19.” IFC Insights, IFC. March 20, 2020. https://www.ifc.org/wps/wcm/connect/news_ext_content/ifc_external_corporate_site/news+and+events/news/insights/ smes-covid-19. Grady, R., et al. “Financial Consumer Protection and New Forms of Data Processing Beyond. Credit Reporting.” Discussion Note. World Bank Group. 2018. http://documents.worldbank.org/curated/en/677281542207403561/pdf/132035-WP-FCP- New-Forms-of-Data-Processing.pdf. Havrylchyk, O. “Regulatory Framework for Loan-Based Crowdfunding Platforms.” Economics Department Working Papers No. 1513. OECD, 2018. http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=ECO/ WKP(2018)61&docLanguage=En. Hong Kong Monetary Authority. “Consumer Protection in Respect of Use of Big Data Analytics and Artificial Intelligence by Authorized Institutions.” Hong Kong Monetary Authority. 2019. https://www.hkma.gov.hk/media/eng/doc/key-information/ guidelines-and-circular/2019/20191105e1.pdf. Hornby, L. and A. Zhang. “China’s Middle Class Hit by Shadow Banking Defaults.” Financial Times. December 26, 2018. https://www.ft.com/content/c55901f0-ff7d-11e8-aebf-99e208d3e521. Huang, R. H. “Online P2P Lending and Regulatory Responses in China: Opportunities and Challenges.” European Business Organization Law Review 19, no. 1. 2018. 63–92. https://doi.org/10.1007/s40804-018-0100-z. IMF (International Monetary Fund). “Digital Financial Services and the Pandemic: Opportunities and Risks for Emerging and Developing Economies.” IMF Special Series on COVID-19. IMF. July 1, 2020. https://www.imf.org/en/Publications/ SPROLLs/covid19-special-notes. ITU-T Focus Group on Digital Financial Services. “Commonly Identified Consumer Protection Themes for Digital Financial Services.” International Telecommunications Union. May, 2016. https://www.itu.int/en/ITU-T/focusgroups/dfs/ Documents/09_2016/ConsumerProtectionThemesForBestPractices.pdf. ITU-T Focus Group on Digital Financial Services. 
“ITU Focus Group Digital Financial Services: Main Recommendations.” International Telecommunications Union. March, 2017. https://www.itu.int/en/ITU-T/focusgroups/dfs/Documents/201703/ ITU_FGDFS_Main-Recommendations.pdf. Jurd De Girancourt, F., M. Kuyoro, N. Ofosu-Amaah, E. Seshie, and F. Twum. “How the COVID-19 Crisis May Affect Electronic Payments in Africa.” McKinsey & Company Financial Services. June 4, 2020. https://www.mckinsey.com/ industries/financial-services/our-insights/how-the-covid-19-crisis-may-affect-electronic-payments-in-africa. Kaffenberger, M. and P. Chege. “Digital Credit in Kenya: Time for Celebration or Concern?” CGAP Blog. October 2016. https://www.cgap.org/blog/digital-credit-kenya-time-celebration-or-concern. Kaffenberger, M., and E. Totolo. “A Digital Credit Revolution: Insights from Borrowers in Kenya and Tanzania” Working Paper. Consultative Group to Assist the Poor. 2018. https://www.cgap.org/sites/default/files/publications/Working-Paper-A- Digital-Credit-Revolution-Oct-2018.pdf. 64 Financial Consumer Protection and Fintech Kyamutetera, M. “Hackers Break Into Mobile Money System, Make Off with Unspecified Billions Belonging to Airtel, MTN, Stanbic, and Other Financial Institutions.” The CEO East Africa. October 5, 2020. https://www.ceo.co.ug/hackers- break-into-mobile-money-system-make-off-with-unspecified-billions-belonging-to-airtel-mtn-stanbic-and-other-financial- institutions/. Lee, N., et al. “Algorithmic Bias Detection and Mitigation: Best Practices and Policies to Reduce Consumer Harms.” Brookings. May 22, 2019. https://www.brookings.edu/research/algorithmic-bias-detection-and-mitigation-best-practices- and-policies-to-reduce-consumer-harms/. Lenz, R. “Peer-to-Peer Lending—Opportunities and Risks.” European Journal of Risk Regulation 7, no. 4. 2016. 688–700. https://www.cambridge.org/core/journals/european-journal-of-risk-regulation/article/peertopeer-lending-opportunities-and- risks/9B9E21667A148330DDA491775A23AF5E. Lo, B. 
“If It Ain’t Broke: The Case for Continued SEC Regulation of P2P Lending.” Harvard Business Law Review Online 6. 2016. 87–110. https://www.hblr.org/hblr-online-volume-6-2016/. Makortoff, K. “Peer-to-Peer Lender Funding Secure Goes into Administration.” The Guardian. October 24, 2019. https:// www.theguardian.com/money/2019/oct/23/peer-to-peer-lender-funding-secure-administration-pawnbroker. Mazer, R. “Does Transparency Matter: Assessing the Impact of Improved Disclosure in Digital Financial Services in Kenya.” Slide deck. Consultative Group to Assist the Poor. 2018. https://www.cgap.org/sites/default/files/publications/ slidedeck/2018_03-Slidedeck-Does_Transparency_Matter.pdf. Mazer, R., J. Vancel, and A. Keyman. “Finding ‘Win-Win’ in Digitally-Delivered Consumer Credit.” CGAP Blog, January 13, 2016. https://www.cgap.org/blog/finding-win-win-digitally-delivered-consumer-credit. McKee, K., et al. “Doing Digital Finance Right: The Case for Stronger Mitigation on Customer Risks” (Focus Note 103). Consultative Group to Assist the Poor, 2015. https://www.cgap.org/sites/default/files/Focus-Note-Doing-Digital-Finance- Right-Jun-2015.pdf. Megaw, N. “Peer-to-Peer Groups Battle to Survive More Hostile Market.” Financial Times, June 9, 2019. https://www.ft.com/content/275c7d6a-8880-11e9-97ea-05ac2431f453. MicroSave. “Making Digital Credit Truly Responsible.” Center for Financial Inclusion. September, 2019. https://content. centerforfinancialinclusion.org/wp-content/uploads/sites/2/2019/09/Digital-Credit-Kenya-Final-report.pdf. MicroSave. “Where Credit Is Due: Customer Experience of Digital Credit in Kenya.” Center for Financial Inclusion. March, 2017. https://www.microsave.net/wp-content/uploads/2018/10/Where_Credit_Is_Due_Customer_Experience_of_ Digital_Credit_In_Kenya.pdf. OECD (Organisation for Economic Co-operation and Development). “Financial Consumer Protection Policy Approaches in the Digital Age—Protecting Consumers’ Assets, Data and Privacy.” OECD. 2020. 
https://www.oecd.org/daf/fin/financial- education/Financial-Consumer-Protection-Policy-Approaches-in-the-Digital-Age.pdf. OECD. “G20 High-Level Principles on Financial Consumer Protection.” OECD. 2011. https://www.oecd.org/daf/fin/financial- markets/48892010.pdf. OECD. “Short-Term Consumer Credit: Provision, Regulatory Coverage and Policy Responses.” OECD. 2019. http://www.oecd.org/daf/fin/financial-education/Short-term-consumer-credit-report.pdf. 65 Financial Consumer Protection and Fintech Owens, J. “Responsible Digital Credit.” Center for Financial Inclusion. 2018. https://content.centerforfinancialinclusion.org/ wp-content/uploads/sites/2/1970/01/Responsible_Digital_Credit_FINAL_2018.07.18.pdf. Oxera. “Crowdfunding from an Investor Perspective.” Oxera. 2015. https://ec.europa.eu/info/sites/info/files/file_ import/160503-study-crowdfunding-investor-perspective_en_0.pdf. Reuters. “Regulatory Problems Have Choked China’s P2P Lending Industry.” The Japan Times. September 6, 2019. https:// www.japantimes.co.jp/news/2019/09/06/business/regulatory-problems-choked-chinas-p2p-lending-industry/. SEC (U.S. Securities and Exchange Commission). “Facilitating Capital Formation and Expanding Investment Opportunities by Improving Access to Capital in Private Markets: A Proposed Rule by the Securities and Exchange Commission on 03/31/2020.” Federal Register. March 31, 2020. https://www.federalregister.gov/documents/2020/03/31/2020-04799/ facilitating-capital-formation-and-expanding-investment-opportunities-by-improving-access-to-capital. Stanbic Bank Uganda, MTN Uganda, and Airtel Uganda. “System Incident Impacting Bank to Mobile Money Transactions.” Press statement. October 5, 2020. https://www.mtn.co.ug/press-statement/. World Bank Group. “Global Experiences from Regulatory Sandboxes.” World Bank Group. 2020. https://openknowledge. worldbank.org/handle/10986/34789. World Bank Group. “Good Practices for Financial Consumer Protection, 2017 Edition.” World Bank Group. 2017. 
https:// openknowledge.worldbank.org/handle/10986/28996. World Bank Group. “The Next Wave of Suptech Innovation: Suptech Solutions for Market Conduct Supervision.” World Bank Group, 2021. http://documents.worldbank.org/curated/ en/735871616428497205/The-Next-Wave-of-Suptech- Innovation-Suptech-Solutions-for-MarketConduct-Supervision. World Bank Group. “Prudential Regulatory and Supervisory Practices for Fintech: Payments, Credit and Deposits.” World Bank Group. 2019. 19. https://openknowledge.worldbank.org/handle/10986/33221. World Bank Group and CCAF (Cambridge Centre for Alternative Finance). “Regulating Alternative Finance: Results from a Global Regulator Survey.” World Bank Group. 2019. https://openknowledge.worldbank.org/bitstream/ handle/10986/32592/142764.pdf. World Bank Group and International Committee on Credit Reporting. “Credit Scoring Approaches Guidelines.” World Bank Group. 2019. http://pubdocs.worldbank.org/en/935891585869698451/CREDIT-SCORING-APPROACHES-GUIDELINES- FINAL-WEB.pdf. World Bank Group and International Monetary Fund. “The Bali Fintech Agenda—Background Paper.” International Monetary Fund. 2018. https://www.imf.org/~/media/Files/Publications/PP/2018/pp101118-bali-fintech-agenda.ashx. 66