Following our submission to the Reserve Bank of India (RBI) on the reforms that would enable the market to realize the full potential of digital financial services in India, the RBI Committee on Comprehensive Financial Services for Small Businesses and Low-Income Households asked us to share our thoughts on the use of mobile network operators’ (MNOs) customer data to establish the financial status and credit worthiness of individuals.

Tackling the lack of financial history of many potential financial consumers is a huge challenge to pursue universal financial inclusion. MNO customer records could be mined and analysed to build a proxy indicator of a person’s credit-worthiness. Information available from the core telecommunications business includes customers’ usage profiles (pre-paid or post-paid), top up patterns (value and frequency), location information, credit limits for post-paid customers, loyalty profiles (e.g. loyalty points accumulated/redeemed), as well as emergency airtime advances usage and repayment history (where applicable). Mobile money data records, where available, substantially enrich MNO databases with payment transaction records, value stored, bill payments (value and frequency), and overall increasing insights as to the financial lives of the unbanked. With the exponential growth of mobile phone subscriptions in developing countries, the increasing popularity of mobile money, and mandatory SIM-registration requirements, the volume and quality of this information is expanding.

Some partnerships between MNOs and financial institutions are already exploring these opportunities. M-Shwari is a successful savings and loan product with over 2.4 million active customers (and with KES 1.8 Billion in deposits and KES 0.8 Billion in loans with non-performing loans at 3.8%) launched  by the Commercial Bank of Africa (CBA) in partnership with Safaricom  that rides on the M-PESA infrastructure. To qualify for an M-Shwari loan, a customer must be an M-PESA subscriber for at least six months, and then an algorithm, based on previous utilization of Safaricom services (M-PESA, bonga points, Okoa Jahazi airtime advances, voice and data) is used to determine the initial eligible loan limit. Each customer is asked to express his consent to the usage the information to build his/her credit-risk profile.

There are also some examples of MNOs making commercial arrangements with private third parties to provide credit scoring – i.e. Cignifi (Brazil), Experian MicroAnalytics (Philippines), and First-Access (Tanzania). And some companies in this space (i.e. Experian) have a vision to contribute to credit bureaus at a later stage.

These are all market dynamics that are commercially driven. While regulators could encourage the use of mobile data for credit scoring and ensure emerging initiatives are compliant with applicable regulations on privacy, mandating data sharing would be counterproductive and misalign incentives, potentially stifling innovation in this area. Any such proposals must consider a) the sensitive nature of data and the fiduciary relationship between MNOs and their customers, b) legal aspects and duty of confidentiality of the MNOs, and c) the market incentives for MNOs to effectively participate in any information sharing system like a credit bureau.

The information that MNOs have stored provides a significant and highly sensitive insight to customers’ financial well-being and stability, and may have significant implications for individuals, e.g., positive or negative credit information. However, this information is currently collected by MNOs to provide core services and/or meet legal obligations. Using such data for credit scoring and otherwise assessing the financial status or stresses of mobile users would fundamentally shift the nature of trust between customers and their MNOs, because the use of this information for credit scoring is not within the normal expectations of mobile users. Therefore if MNOs want to leverage their data for building profiles of their customers that help assess their financial status, it is critical a) that those customers are provided all the necessary information to understand why they would benefit from that, b) to ask customers to express (or deny) their consensus for the use of those data, and c) that all parties are compliant with the legislation aimed at protecting the consumer privacy and his/her information.

The analysis that we undertook of the Indian context can provide insights that are helpful to get a better understanding of these issues:

i) There are statutory restrictions on the disclosure of customer information as well as specific licensing conditions that may similarly mandate the maintenance of customer confidentiality. Such disclosure can therefore only be done with the express consent of the customer (with the rider that such consent may be withdrawn by the customer at any time). Moreover, in jurisdictions where MNOs are required to establish separate legal entities to operate the mobile money business, it could be particularly controversial for the licensed entities operating the mobile money business to gain access to customer information held by the licensed MNO.

In India there are also questions about the degree to which the broader legal framework supports the use of MNOs’ data for credit scoring because there isn’t an omnibus data protection law or any authority that would be able to supervise and sanction abuses. This is a major challenge. While efforts are underway to introduce a Data Protection Act – this effort is being supported by consultation with privacy regulators from the United Kingdom, Canada, the Netherlands, and the European Union – until the Act is passed there isn’t certainty regarding how the relevant data will be legally protected and therefore what regulatory regime could apply to their storage, disclosure and usage. Traffic, location and payment data are already considered “sensitive” under existing and proposed rules. For example, the credit regulations published by the Reserve Bank of India include a range of data protection principles such as fairness, purpose limitation and security of data. This would affect the capacity of MNOs to share those data with third parties. To gain a better understanding of if and how MNO data analytics could be used for credit scoring, a comprehensive due diligence of the relevant regulation should be always conducted

ii) Regarding the direct participation of MNOs into credit bureaus, the basic proposition would be that all other participating institutions (e.g., banks, merchants, lenders, and utilities companies) would share customer payment history, not only the defaulters list, and all contributors would be granted the same access to the customer profile and score.

Also, since participation would be on an opt-in basis, each institution should have the right incentive to participate: Traditional lending institutions have clear incentives to share customer information because they can access all the information in the bureau and they can benefit from the screening effect (improved capacity of the lending institution to prevent risky borrowers from obtaining loans and to mitigate adverse selection in credit markets) and the credit expansion effect (the expansion of lending as credit information increases). It is unlikely this incentive would be sufficient for MNOs if they were only allowed to offer retail transfer and payment services with low transactional limits. The risks and costs of sharing this information might not be worth it. The incentive could come from participating in an expanding economy and financial ecosystem, but this would appeal only if the whole regulatory framework enables an MNO to offer mobile financial services in a viable and sustainable way.

Sharing MNOs data analytics for credit scoring could only take place:

• with the express consent of individuals (obtaining this retrospectively would be a major challenge as would communicating information about what data will be used and why among a population with varying degrees of literacy);
• under clearly defined rules to limit abuse of data, in compliance with all relevant legislation for privacy and data protection;
• with clearly defined rules on accountability mechanisms, including audits, regulatory oversight and enforcement;
• if there is a strong business case for MNOs and they have the right incentives to participate in a sharing system.