Our previous article argued that “policy-frameworks, which regulate the fintech industry, should particularly make sure that they enable a safe and yet explorative deployment of AI technologies”. Whereas that article focused on moral principles, this article will provide a few anecdotes about fintech-related regulations and laws in Sub-Saharan Africa. Because cybersecurity and data privacy play an important role in relation to fintech, this article will not limit itself to one particular domain of the law, but look beyond it. After providing a short summary of findings from a report by the Cambridge Centre for Alternative Finance (CCAF), this article will provide anecdotes on cybersecurity in the Nigerian fintech space.
Fintech-related Regulations and Laws in Sub-Saharan Africa
Findings from the CCAF Report: ‘Fintech Regulation in Sub-Saharan Africa’
In November 2021, the Cambridge Centre for Alternative Finance (CCAF) published its ‘FinTech Regulation in Sub-Saharan Africa’ report, which starts with the argument that “[w]hen sustainably developed and appropriately regulated, FinTech has the potential to extend the benefits of finance to millions of unbanked and underbanked people and businesses worldwide”. With the COVID-19 crisis having both contributed to a fintech boom and led to “an increase in consumer protection risk”, regulators in Sub-Saharan Africa have been on alert. Regulatory objectives have, among others, been related to promoting financial inclusion, market development and the digitization of financial services. By November 2021, 95% of 20 sampled jurisdictions across Sub-Saharan Africa had established regulatory frameworks for digital payments. Among the sampled jurisdictions were, for instance, Nigeria, Kenya, South Africa, Ghana and Cabo Verde.
Overall, the CCAF’s report illustrates that the boom of fintech and digital payments in Sub-Saharan Africa was accompanied by the development of regulatory frameworks, first specifically with regard to digital payments and, on a more general basis, with the aim of tackling cybersecurity risks. In a nutshell, 95% of sampled jurisdictions in the region have adopted regulatory frameworks for digital payments, 85% have established a cybersecurity framework and 55% have attempted to make the latter more comprehensive since the beginning of the COVID-19 crisis. In addition to these developments, regulatory frameworks for financial consumer protection (82%), e-money (100%), P2P lending (35%) and equity crowdfunding (34%) are in place. Furthermore, the report highlights that Nigeria and Burundi are the only sampled jurisdictions that have open banking regulatory frameworks in place, and that the demand from market firms for Electronic Know Your Customer (eKYC) regulatory frameworks clashes somewhat with the fact that 10% of the sampled jurisdictions strictly forbid eKYC and 30% lack a corresponding regulatory framework.
Anecdotes about Fintech-related Regulations and Laws in Nigeria
As a publication by BFA Global and the CCAF states, “[t]here are generally no fintech-specific laws [in Nigeria], though this may change in the medium term”. However, there are regulations in place for (open) banking, payments, credit, insurance, investment, data protection, consumer protection, anti-money laundering, KYC, cybersecurity, competition, telecommunications, taxation and financial services, among others. The fact that all of these domains somehow intersect with fintech, as well as with the innovation, security and utilization of this field, might prove that the establishment of a comprehensive fintech law might coincide with the challenge of understanding how these particular domains and their regulations clash with one another. The digitization of services, which is not limited to the domain of finance, leads to a transformation of human relationships and behaviours. The increased need for cybersecurity measures amid the fintech boom proves the latter.
In addition to the above, it proves the point that fintech solutions will only be able to enhance access to finance and promote financial inclusion effectively, in the long term and at a broad scale, as long as cybercrime regulations effectively deal with the upsurge of criminal online behaviours. Whereas one might not be able to restrict such behaviours through criminal law alone, the law could certainly play a role in determining minimum security operation standards for fintech service providers and for individuals and entities that invest in fintech companies. In December 2021, SEON partnered with two African neobank businesses operating in or founded in Nigeria, Carbon and FairMoney, seeking to prevent cybercrime and online fraud. This engagement underlines that fintech regulations might have to adequately pinpoint how business law, data protection and consumer protection are intertwined with the basic obligations of businesses that are in the finance sector and/or contribute to the digitization of essential services, public or private.
In Nigeria, the Cybercrime (Prohibition, Prevention, Etc) Act has been in place since 2015. As the Council of Europe (CoE) emphasizes, the adoption of this act was welcomed as a progressive step towards setting up “substantive criminal provisions, procedural rules and provisions on International cooperation”. Furthermore, the Cybercrime (Prohibition, Prevention, Etc) Act emphasizes the obligation of financial institutions (corporate or not) to implement measures to combat fraud. As Article 19 Section 3 states, “Financial institutions must as a duty to their customers put in place effective counter-fraud measures to safeguard their sensitive information”. Whereas the latter may sound promising, Section 3 continues, “…where a security breach occurs the proof of negligence lies on the customer to prove the financial institution in question could have done more to safeguard its information integrity”. Last but not least, because a large share of Nigeria’s roughly 36% unbanked population might also struggle with poverty and related issues such as access to basic services (e.g. electricity, education), the second part of Section 3 puts an insufficient emphasis on the duty of financial institutions (including fintech companies) to protect consumers.
Wherever online fraud occurs, especially when clients use fintech banking services whose operations they might not entirely grasp, the burden of proof cannot fall on the plaintiff. However, one may have to differentiate when it comes to addressing the duties of financial institutions. A medium-sized start-up that provides fintech solutions to large banks should probably not have the same obligations as the latter. Because the digitization of financial services will only allow for optimization over time, there needs to be room for trial and error, but also for corporate accountability. According to the ‘Risk-Based Cyber-Security Framework and [the] Guidelines for Deposit Money Banks (DMB) and Payment Service Providers (2019)’, which were published by the Central Bank of Nigeria (CBN) in June 2018, it is expected that DMBs and Payment Service Providers (PSPs) “[e]stablish a Cyber-Threat Intelligence (CTI) programme which shall proactively identify, detect and mitigate potential cyber-threats and risks” (§6.1.1). What would be particularly interesting to analyze is how public and/or private actors could support fintech start-ups with such a task, irrespective of whether Nigeria’s fintech industry has received much attention from investors in recent years in comparison to other industries.
Centurion Plus
Are you a fintech start-up or a public/private investor with an interest in the fintech industry in Africa and/or Germany? Then we would be humbled to support you on the legal side! We employ legal experts with knowledge across various African jurisdictions and have long-standing experience with giving advice on topics such as labour and immigration, tax and customs, contracts and negotiations, corporate governance and compliance as well as data protection. In addition to our African offices, we have had an office in Germany since 2020. That goes to show that we have an international mind. You too? Then contact us today to collaborate!